
AHCCCS Audit Notice Announced

The Department of Health and Human Services (DHHS) Office of the Inspector General (OIG) has notified AHCCCS of upcoming IT system security audits

Courtesy of DHHS


HIPAA One® works with several Health Plans and Clinics that operate a Managed Care Organization (MCO) in the great state of Arizona, providing AHCCCS Audits pursuant to Policy 108 and HIPAA. As such, we have helped these clients respond to several audits since Policy 108 took effect back in 2013.

Yesterday the Arizona Health Care Cost Containment System (AHCCCS) was notified by the DHHS OIG that it will be performing on-site audits of three Managed Care Organizations regarding IT system security. To summarize the notice:

  1. The MCO audits may begin as soon as November 2, 2015.
  2. One MCO will be audited this year, and two more MCO audits will likely be performed in 2016.
  3. DHHS OIG will provide a draft report with the combined findings to AHCCCS.
  4. A final report of the combined audit findings will be published with non-identifying information.
  5. The first MCO will be contacted Monday, October 19, 2015.

As of October 2013, the state of Arizona has joined forces with the federal Medicaid funding program to manage distribution of reimbursements. The Arizona Health Care Cost Containment System (AHCCCS) is the name of the Medicaid program in the state of Arizona. As with all Medicaid programs, this is a joint program between the state and the Centers for Medicare and Medicaid Services (CMS).

What this means is that any Covered Entity involved with Medicaid reimbursements must use a third-party service to conduct a Data Security Audit.

In March of 2015, we posted an update to our AHCCCS blog with AHCCCS's response to our annual guidance request:

“Every standard should be reviewed every year.  We do the exact same thing ourselves.  Even those that were identified as the compliant ones should be reviewed to make sure there haven’t been any changes and they are still compliant…”

You can find the updated Policy 108 compliance guidance here; it states that the audit needs to be done every year and must be submitted with third-party attestation by June 1st:

 Policy 108 – AHCCCS SECURITY RULE COMPLIANCE

In Audit and Security circles, this is a HIPAA Security Risk Analysis update, which entails performing a full risk analysis on items that have changed and re-validating compliant items.

Using HIPAA One®, an update is significantly “easier” than last year’s full SRA because we can import last year’s work, including remediation updates, directly into this year’s interview questions.  This greatly reduces the effort needed on the user’s side because the survey questions are already pre-filled including attachments proving compliance/functional controls.  For those who need a full SRA report that has proven compliance for other AHCCCS Contractors, Modern Compliance Solutions can provide the third-party attestation with full documentation in HIPAA One®.

For more information, contact your AHCCCS representative, or us at info@hipaaone.com.

Think PCI Can Replace HIPAA? 6 Points That Will Change Your Mind

Outline:

  1. Health records are to be secured, exchanged and portable, while credit card numbers are only to be secured.
  2. Covered entities and their business associates (receiving any government reimbursements for healthcare treatment, payment or operations) are required to comply with HIPAA.
  3. Unlike finite PCI requirements, HIPAA encompasses security, privacy and rights, safety, quality improvement and eliminating fraud, waste and abuse.
  4. HIPAA security compliance may include risk analysis, remediation progress and periodic vulnerability scans.
  5. Meaningful Use helps address the most serious health care threats to electronic personal health information: theft, unauthorized access and loss.
  6. A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.

Steven Marco (smarco@moderncompliance.com) is the founder & CEO of Modern Compliance Solutions & HIPAA One® in Lindon, UT.

This is one of the questions that comes to mind when reading recent breaches in businesses that are PCI-compliant and HIPAA covered entities. According to a recent Identity Theft Resource Center data breach report for 2013, there were approximately 47,260,237 breaches for the business category and 4,659,965 breaches for the medical/healthcare category. Assuming the business category processes credit cards and the medical/healthcare category maintains protected health information, we have a case of PCI-compliant firms vs. organizations addressing HIPAA security compliance.

[Chart: data breaches by category (Identity Theft Resource Center, 2013)]

1. Health records are to be secured, exchanged and portable while credit card numbers are to be secured.

Health care covered entities (CE) and their business associates (BA) handle personal/protected health information (PHI) as part of an initiative to have a portable, secured and available electronic health record (EHR). PHI must be protected from unauthorized disclosure, yet be available on demand by the individual and shared (in some cases with and without the individual’s authorization such as treatment, payment and healthcare operations) appropriately but also restricted upon the individual’s request.

If hospitals and clinics adopt electronic PHI and shred their paper records, vast amounts of uniquely identifiable health records accumulate. According to the HIPAA One® security risk analysis database, even small clinics can acquire more than 10,000 patient records within 3 years.

The focus of the electronic health record revolution has traditionally been changing healthcare workflows to use computers instead of paper charts. Now, information is freely exchanged between clinics, health plans, clearinghouses and health exchanges. Security has not been a focus. The top threat facing healthcare is loss and theft of ePHI, which is the No. 1 cause of breaches affecting 500 or more individuals (according to the OCR’s current breach data reports as of July 2014).

Much like the example above referencing the number of patient records, aggregated data stemming from PHI can be used for valuable research improving health and raising ePHI security awareness.

If business and commerce — the exchange of goods and services for monetary remuneration — had adopted technology earlier, it would hold more personally identifiable information (PII). The use of credit cards is globally adopted as a quick way to receive money electronically. As more merchants (businesses that accept credit cards) adopt e-commerce websites and connect their payment-processing systems (i.e. processors) to the Internet, and as consumers grow more comfortable with online purchasing, fraudsters are capitalizing on poorly protected systems to steal payment data, making payment card fraud more prevalent than ever before.

Unlike aggregated, de-identified PHI data, the approach to secure credit card numbers is to limit storage of credit card elements and make this information unavailable except in the event of a payment transaction.

[Image: PCI DSS overview of cardholder data storage rules]

Source: Payment Card Industry (PCI) Data Security Standard, November 2013

2. Covered entities and their business associates (receiving any government reimbursements for healthcare treatment, payment or operations) are required to comply with HIPAA.

Covered entities (i.e. hospitals, clinics, doctors, health plans and healthcare clearinghouses that use ePHI) and business associates (i.e. vendors providing services to covered entities that access [even incidentally], store, modify or transmit ePHI) have been, as of September 13, 2013, under the enforcement jurisdiction of Health and Human Services.

In summary, any organization that receives reimbursements from the Centers for Medicare and Medicaid Services is a covered entity, and any vendor that provides services to covered entities is a business associate. Accountants, legal counsel and consultants are examples of groups that may encounter PHI while working with covered entities and so fall into the business associate category.

To help define who is covered under HIPAA, CMS provides guidance charts that cover most scenarios and help determine qualification, per the image below:

[Image: CMS covered entity decision charts]

Source: CMS Covered Entity Charts

Fines under HIPAA typically come in two forms: the Office of Civil Rights (OCR — the enforcement division of CMS) fines through self-reported breaches or through HIPAA violations found as a result of a patient complaint registered on the HHS website. The OCR, under the HITECH Act, may use proceeds from fines (called Civil Money Penalties – or CMPs) to fund further enforcement. OCR fines and settlements start at $50,000 and can easily exceed $1.5 million per investigation where willful neglect to comply with HIPAA is determined. Some forgiveness in terms of reduced fines is allocated for actions taken during the OCR audit, and all settlements are public domain according to the Freedom of Information Act.

Organizations that process credit cards, even a single transaction per year, must become compliant with the PCI Data Security Standard. Covered entities that process credit cards also become merchants under Payment Card Industry and must comply with the Data Security Standard, or PCI DSS.

Merchants are required, at a minimum, to provide an annual attestation of PCI compliance through their processor. Failure to pass all the requirements will result in monthly fines that are proportional to the volume of credit card transactions processed annually. They start at about $50 per month for small companies, and we have seen non-compliance fines upwards of $3,000 per month for larger covered entities providing healthcare services.

PCI enforcement audits are typically triggered by self-reported breaches. Fines stemming from breach investigations are not typically applied to merchants but are applied for other non-compliance factors. See the PCI Standard website for a more detailed guide.

3. Unlike finite PCI requirements, HIPAA encompasses security, privacy and rights, safety, quality improvement and eliminating fraud, waste and abuse.

The PCI Security Standards Council has released an updated standard, called v. 3.0, to the PCI DSS requirements, which emphasizes the need for in-house vulnerability assessments, adds flexibility to password requirements and highlights the growing importance of provider compliance, as well as many other notable changes.

PCI was pioneered in the late 1990s, as Visa became the first credit card company to develop security standards for merchants conducting online transactions. The need stemmed from vast amounts of credit card fraud, which would need to be paid for by the credit card companies.

According to SearchSecurity, Visa and MasterCard reported credit card fraud losses totaling $750 million between 1988 and 1998.

Per the PCI website, “The major credit card issuers created PCI (Payment Card Industry) compliance standards to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This set of requirements is called the Payment Card Industry Data Security Standard (PCI DSS). All merchants (any entity that accepts payment cards from American Express, Discover, JCB, MasterCard or Visa as payment for goods and/or services) must comply with these standards. Failure to meet compliance standards can result in fines from credit card companies and banks and even the loss of the ability to process credit cards. The payment brands and acquirers are responsible for enforcing compliance, not the PCI council.

The Payment Card Industry Security Standards Council (PCI SSC) manages the PCI security standards.”

HIPAA was formed for the following reasons:

  1. Growing numbers of uninsured
  2. Lack of rights for patients to obtain, review, amend and correct (if needed) their own health information (imagine mistakenly having an STD in your medical history, entered by someone’s mistake)
  3. Rise of the Internet threatened privacy and confidentiality
  4. Medical information could be used against individuals for non-medical reasons
  5. Healthcare dollars lost to fraud and waste
  6. Genetic information becoming available
  7. Different standards for medical record formats and PHI

It is also important to note that HIPAA has evolved and developed in many waves over the past 18 years to address the above concerns and is still very much a work in progress.

In terms of our ePHI data, there are 18 elements that identify an individual which can be stored and shared and must be secured. Per 45 CFR 164.514 of the HIPAA Privacy Rule, they are:

(i) The following identifiers of the individual or of relatives, employers, or household members of the individual:

(A) Names;

(B) All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:

(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and

(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.

(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;

(D) Telephone numbers;

(E) Fax numbers;

(F) Electronic mail addresses;

(G) Social security numbers;

(H) Medical record numbers;

(I) Health plan beneficiary numbers;

(J) Account numbers;

(K) Certificate/license numbers;

(L) Vehicle identifiers and serial numbers, including license plate numbers;

(M) Device identifiers and serial numbers;

(N) Web Universal Resource Locators (URLs);

(O) Internet Protocol (IP) address numbers;

(P) Biometric identifiers, including finger and voice prints;

(Q) Full face photographic images and any comparable images; and

(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section
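The Safe Harbor rules quoted above are mechanical enough to encode. The following is an added example (not HIPAA One's or the regulation's own code) that applies the zip code rule (B), the date and age rule (C), and the removal of the remaining direct identifiers to a constructed patient record; the field names, the sample record and the table of small-population 3-digit zip areas are assumptions for the demonstration, since the real table comes from Census data that is not on this page.

```python
"""Safe Harbor de-identification for the 45 CFR 164.514(b)(2) identifiers.

Added example, not code from HIPAA One. Implements:
  (B) geography: keep only the first three zip digits, or "000" when that
      3-digit area holds 20,000 or fewer people;
  (C) dates: keep only the year; ages over 89 (and any birth year that
      would reveal such an age) collapse into one "90+" category;
  (A), (D)-(R): the direct identifiers are dropped outright.
Safe Harbor also requires no actual knowledge that the remaining data
could identify the individual; that judgement is not automated here.
"""
from __future__ import annotations

from datetime import date
from typing import Any

# ASSUMPTION: constructed stand-in for the Census-derived list of 3-digit
# zip prefixes covering 20,000 or fewer people. The real list is not on
# the page and must be taken from current Census data.
SAMPLE_SMALL_ZIP3: frozenset[str] = frozenset({"036", "059", "063", "102"})

# ASSUMPTION: field names used by the constructed record; they map to
# identifiers (A), (D)-(R) that Safe Harbor removes entirely.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "beneficiary_id",
    "account", "license", "vehicle_id", "device_id", "url", "ip",
    "biometric", "photo",
}


def mask_zip(zip_code: str, small_area_prefixes: frozenset[str]) -> str:
    """Rule (B): reduce a zip code to its 3-digit prefix, or '000'."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 3:
        return "000"          # malformed or too short: nothing safe to keep
    prefix = digits[:3]
    return "000" if prefix in small_area_prefixes else prefix


def age_on(as_of: date, birth: date) -> int:
    """Completed years between a birth date and a reference date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1            # birthday not yet reached this year
    return years


def safe_harbor(record: dict[str, Any], as_of: date,
                small_area_prefixes: frozenset[str] = SAMPLE_SMALL_ZIP3) -> dict[str, Any]:
    """Return a de-identified copy of `record` under the Safe Harbor rules."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                               # (A), (D)-(R): removed
        if key == "zip":
            out["zip3"] = mask_zip(value, small_area_prefixes)   # (B)
        elif key == "birth_date":
            age = age_on(as_of, value)
            if age > 89:
                out["age"] = "90+"                 # (C): year withheld too,
            else:                                  # since it reveals the age
                out["age"] = age
                out["birth_year"] = value.year     # (C): year alone is allowed
        elif isinstance(value, date):
            out[key] = str(value.year)             # (C): admission, discharge...
        else:
            out[key] = value                       # not an identifier: kept
    return out


def demo_elderly() -> dict[str, Any]:
    """Constructed record: a 93-year-old patient in an ordinary zip area."""
    record = {
        "name": "Jane Example",               # (A) removed
        "ssn": "000-00-0000",                 # (G) removed; dummy value
        "zip": "85001",                       # (B) -> "850"
        "birth_date": date(1921, 6, 4),       # (C) age 93 -> "90+"
        "admission_date": date(2014, 7, 15),  # (C) -> "2014"
        "diagnosis_code": "E11.9",            # not an identifier, kept
    }
    return safe_harbor(record, as_of=date(2014, 7, 31))


def demo_small_zip() -> dict[str, Any]:
    """Constructed record: a 34-year-old in a (sample) small-population zip area."""
    record = {
        "name": "John Example",               # (A) removed
        "email": "john@example.invalid",      # (F) removed
        "zip": "03601-1234",                  # (B) prefix "036" -> "000"
        "birth_date": date(1980, 1, 1),       # (C) age 34, year 1980 kept
        "diagnosis_code": "J45.909",
    }
    return safe_harbor(record, as_of=date(2014, 7, 31))


if __name__ == "__main__":
    print(demo_elderly())
    print(demo_small_zip())
```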

4. HIPAA security compliance may include risk analysis, remediation progress and periodic vulnerability scans.

We don’t want to jump in too deep in this area, as compliance and security are subjective topics that need to stay relevant to the size and complexity of each organization.

HIPAA Compliance

For compliance, follow the Office for Civil Rights (OCR), as it is responsible for issuing periodic guidance on the provisions in the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318). For security, follow the National Institute of Standards and Technology (NIST) Special Publications. The methodology the OCR suggests in its guidance materials is NIST SP 800-30.

Checklists that have workflows attached to each item are available in the form of spreadsheets, the OCR’s “SRAT” tool and, for more advanced collaboration, web-based solutions.

Based on our observations of the OCR, we have found, in summary, that they look for the following in their audits:

  1. (Easy*) Performance of these checklists covering the 78 HIPAA Security Citations, following the 9 steps identified for conducting a risk analysis in NIST SP 800-30.
  2. (Difficult*) Ongoing updates to the risk analysis conclusions (i.e. what risks were found, who is going to do what, and by when, to address each risk found) and to the risk results (i.e. tracking what activities have been performed since the risk analysis was done).

*It is easier to identify HIPAA gaps in compliance and risk items to the organization. It is more difficult for organizations to react to the gaps and risks found as this requires resources, changes in process and increased administrative, technical and physical safeguards.

HIPAA Security

Like any other security assessment (gaps identified against an industry guidance) and risk analysis (calculating risk for the organization for any said gaps), security encompasses authorization (who is granted authorized access to what data, and reducing unauthorized access), integrity (timely and complete data), and availability (ability to restore damaged or lost ePHI and ability to continue operations during emergency scenarios).

To address Common Vulnerabilities and Exposures (CVE), we recommend all security risk analyses include, as a base requirement under 164.308(a)(1)(ii)(A), the performance of an automated vulnerability scan from the Internet against any of the organization’s Internet-accessible systems.

The next level of this type of effort would include internal vulnerability scanning, which is like the external vulnerability scan but run against all internal computers, servers and systems. We find most environments are like M&M candies — hard on the outside, but soft and easy to melt on the inside. Beyond scanning, the following services round out the effort:

  1. ePHI discovery and mapping (what databases, their purpose and who is responsible)
  2. Firewall configuration review (ensure only the minimum ports are open; see if IPS/IDS is appropriate to detect malicious software communicating to the Internet from breached systems)
  3. Penetration testing of all Internet-facing applications (especially if software is developed in-house)
  4. Ethical hacking (such as testing various ways to gain administrative access to systems and firewalls)
  5. Ongoing remediation consulting (having an external firm remind assignees of tasks and deadlines, and update results documentation for potential audit response)

5. Meaningful Use helps address the most serious healthcare threats to electronic personal health information: theft, unauthorized access and loss.

The healthcare industry stores patient information for the treatment, payment and healthcare operations of medicine. This industry has historically been slow to adopt technology and computer systems. As such, the migration of our protected health information (PHI) from paper to electronic (ePHI) has been largely fueled by the Meaningful Use (MU) incentive program. To qualify for these MU funds, covered entities must adopt a certified electronic health record technology (CEHRT), or as the industry calls it, an “EMR program”, and use it in a meaningful way (e.g. complete demographics, allergy and prescription drug checks, make patient visits available to the patients, etc.).

Stage 1 of Meaningful Use was extended in December 2014, and stage 2 is being adopted for continued incentive payments. Part of the increased security measures for stage 2 includes the following CEHRT/EMR software features: additional audit logging capabilities (to combat unauthorized access), mandatory encryption/no temporary files being written that may contain ePHI and patient amendment tracking.

6. A health record with basic health insurance information is worth 10-20 times more than a U.S. credit card with a CVV code.

Dell SecureWorks recently uncovered numerous underground marketplaces where hackers are selling information packages that include bank account numbers and logins, social security numbers, health information and other PII. In the underground world, these electronic packages put together for identity theft and fraud are referred to as “fullz”. When “fullz” are sold along with counterfeit or custom manufactured physical documents relating to identity data, the packages are called “kitz”.

Below are the average fees for these packages:

“Kitz” — $1,200 – $1,300, which includes PII and faked papers

“Fullz” — $500, which includes the PII (electronic data only, without faked documents)

There are additional fees for health insurance credentials and U.S. credit cards with CVV codes.

Health insurance credentials cost $20 each, while credit cards are only $1 – $2 each. This tells us that people are willing to pay more for your health insurance information than for your credit card information — about 10-20 times more. Therefore, your health information is way more valuable than your credit card information, and it’s extremely important that your health information is kept safe and secure from hackers.

So what is the motivation of enforcing PCI and HIPAA? In the case of PCI – it is clearly the credit card companies suffering financial loss from fraud. In the case of HIPAA – the motivation is to ensure our rights to protect and have our health information secured, reduce waste and hold covered entities, as well as their business associates, accountable for providing basic security, privacy and breach notification requirements.

At the end of the day, after conducting thousands of risk analyses and security projects, a new question pops up from this discussion: “If security and compliance are too difficult for organizations, then why does it seem so easy for hackers to get into their systems?”

Why Dentists Should Be Concerned about HIPAA Laws and the Security of Their Patient Records

Back in 1996, HIPAA (Health Insurance Portability and Accountability Act) became federal law. The United States government acknowledged the need for people and businesses in healthcare fields to better protect patients’ healthcare records, because they are sensitive documents and every patient has a right to privacy and security.

The healthcare community, health insurance plans and subcontractors were not taking measures to ensure basic security controls and privacy protocols were in place. Much as the payment card industry established the PCI Security Standards Council to oversee the protection of credit card account numbers, the federal government established governance and protocols as a baseline to oversee patients' rights to their records, disclosures, and the securing of the personal identities contained in health and dental records.

The Office of Civil Rights (OCR) is a division of Health and Human Services.  The OCR was placed in charge of enforcing HIPAA Security and Privacy laws starting in 2009 as part of the HITECH Act to ensure those storing health records are taking basic care to ensure confidentiality, authorization, availability and appropriate disclosures of personal health information (PHI).  The OCR is incentivized to enforce HIPAA through Civil Money Penalties (CMP) and publishing investigations and resulting settlements under the Freedom of Information Act.

Dentists can come onto the radar of a Security and Privacy audit in the following ways:

  1. A patient complains their data isn’t secured or reports a suspected violation of their privacy rights on the HHS website (i.e. whistleblower complaints). The OCR is required to investigate each complaint.
  2. OCR’s continuing random audit program into 2014-2015.
  3. A dental office could be randomly selected for a Meaningful Use audit.

HIPAA has four rules outlined below:

HIPAA Privacy Rule

Every patient has the right to control their personal health records, and each business and its employees are responsible for keeping any unauthorized person from viewing patient files. These health files are now written, stored and shared orally, electronically and on paper, so a lot has to be done to keep these records out of the wrong hands.

HIPAA Security Rule

This rule relates directly to electronic patient files and states each covered entity—which includes Dentists—must keep them safe from any unauthorized access during transit and storage.

HIPAA Breach Notification Rule

The breach notification rule requires all covered entities and business associates to give notification when a breach of unsecured protected health information has occurred.

Patient Safety Rule

The final rule protects identifiable patient health information that is used to analyze and improve patient safety and patient safety events.

If dentists don’t comply with HIPAA rules and are then audited, they get penalized.

Dental records, in paper or electronic format, are considered Protected Health Information and are subject to the same Federal scrutiny for privacy and security as full medical records.

Dental records contain minimal medical information, but they do contain demographic information such as the patient's name plus any numerical identifiers related to dental care. These include: address, birth date, phone numbers, insurance status, patient ID number, SSN, etc.

Penalties vary and are determined by the seriousness of the security or privacy breach. Also taken into consideration are whether you knowingly or accidentally released patient records and private information. Either way, you’re held accountable. Penalties range from fines to being fired from your job to closing an office to potential jail time (in the event of knowingly losing 500+ PHI records and failing to report to HHS within 60 days).

So how can you and your dental office steer clear of these penalties?

First, you must understand and keep up-to-date with all HIPAA rules and regulations. You can also set up a HIPAA program in your office, perform consistent employee training, and conduct and document regular HIPAA risk analyses to evaluate and fix any potential problems.

Second, you must make sure that your dental practice management software is HIPAA compliant. Since this is where your patients’ dental records are stored, a breach can be detrimental to your office and can bring several fines.

If your practice is currently running on a practice management system, penetration testing can help you identify threats and openings that hackers could exploit to gain access to your system. If you’re currently shopping for software, make sure you choose a platform that is guaranteed to be HIPAA secure.

Complying with HIPAA laws and regulations is crucial so you and your dental practice don’t have to face penalties and to keep the trust and satisfaction of your patients by keeping their healthcare records safe and secure.

About the Authors

This post was co-authored by Steven Marco, the President of HIPAA One® and Modern Compliance Solutions as well as Trevor James, the marketing manager for Viive, a Mac-based dental practice management system, and Dentrix Ascend, a cloud-based dental practice management system.

Will You Be In Violation of HIPAA Laws By Running Windows XP?

We are getting a lot of calls with respect to XP patch support ending April 8, 2014. This is mostly due to articles claiming HIPAA violations for using Windows XP. Violation is a strong word, especially considering that in almost all cases we find there are other devices that are end of life. The bigger issue is to ensure a holistic process to track patches for computer systems and network devices, particularly putting plans in place to replace end-of-life information system and network components.

The risk has to do with the particular environment, acceptable risk, mitigating controls and levels of due diligence in meeting the requirements of the OCR’s guidance on the HIPAA Security Rule. This means performing a risk analysis, identifying vulnerabilities and assessing the risk for all gaps in compliance.

For a reasonable amount of time, it’s our opinion that organizations can put mitigating controls in place, such as vendor-supported anti-virus and encryption, on XP machines. In the short term, compensating controls like anti-virus, spam filters, web filters, patch management procedures, continuous monitoring, etc., will provide an acceptable level of risk for most organizations. In the long term, organizations should put a plan in place to upgrade these systems to Windows 7 or newer, considering you cannot simply ignore the unsupported platforms.

In other words, don’t feel you are up on the edge of a cliff with respect to the April 8th deadline on XP support ending. Instead, perform a HIPAA Security Analysis based on the change in your environment (i.e. XP end of life), and for this particular item at 164.308(a)(5)(ii)(B), capture workstation updates, as well as firewalls, switches, routers, wireless access points, servers, mobile devices, etc.

And most importantly, plan an XP migration project with a reasonable and appropriate due date and a responsible person to ensure the project is implemented.

We at MCS have spent years automating and simplifying the HIPAA Gap Assessment and Security Risk Analysis process for a turbo-tax-like software solution called HIPAA One. HIPAA One can be used to self assess your own HIPAA Environment, perform a mock audit and provide training for staff on the HIPAA Security Officer’s responsibilities. Please contact us for a free review of your previous HIPAA Security Risk Analysis reporting.

Data Security Audits Required For Covered Entities Involved With Medicaid Reimbursements

UPDATED 3/9/2015

For those who are unaware, as of October 2013, the state of Arizona has joined forces with the federal Medicaid funding program to manage distribution of reimbursements. The Arizona Health Care Cost Containment System (AHCCCS) is the name of the Medicaid program in the state of Arizona. As with all Medicaid programs, this is a joint program between the state and the Centers for Medicare and Medicaid Services (CMS).

What this means is that any Covered Entity involved with Medicaid reimbursements must use a third-party service to conduct a Data Security Audit.

As part of the AHCCCS Security Rule Compliance steps, Contractors must conduct a Data Security Audit then submit an AHCCCS Security Compliance Report to the Division of Healthcare Management (DHCM) for review and approval by June 1.  This security audit needs to be performed by an independent third party on an annual basis.

We at MCS believe this is for purposes of accountability and segregation of duties.  We use the most simple, automated and affordable cloud-based HIPAA Security Compliance and Risk Analysis solution called HIPAA One®.  HIPAA One® provides several benefits including preparing for an OCR/OIG audit, HIPAA Security Officer training checklist/interviews, and ongoing remediation planning with reporting.

We can help conduct the Data Security Audit and attest per the AHCCCS Contractor Operations Manual, Chapter 100 – Administration, fill out Attachment A:  AHCCCS Security Rule Compliance Summary Checklist as part of our service.  We are already covering these items as part of the 78 HIPAA Security Citations in the OCR Audit Protocol, OCR’s Guidance on HIPAA Security, and for Meaningful Use Stage 2 requirements.

HIPAA One® can help – please contact us at 801-770-1199, email at support@hipaaone.com, or visit us at www.hipaaone.com for more information.

UPDATED 3/9/2015

MCS has just received word from AHCCCS in response to a 2015 guidance request:

Every standard should be reviewed every year.  We do the exact same thing ourselves.  Even those that were identified as the compliant ones should be reviewed to make sure there haven’t been any changes and they are still compliant…

You can find the updated Policy 108 compliance guidance here; it states that the audit needs to be done every year and must be submitted with third-party attestation by June 1st:

108 – AHCCCS SECURITY RULE COMPLIANCE

In Audit and Security circles, this is a Security Risk Analysis update, which entails performing a full risk analysis on items that have changed and re-validating compliant items.

Using HIPAA One®, an update is significantly “easier” than last year’s full SRA because we can import last year’s work, including remediation updates, directly into this year’s interview questions.  This greatly reduces the effort needed on the user’s side because the survey questions are already pre-filled including attachments proving compliance/functional controls.  For those who need a full SRA report that has proven compliance for other AHCCCS Contractors, Modern Compliance Solutions can provide the third-party attestation with full documentation in HIPAA One®.

For more information, contact your AHCCCS representative, or us at info@hipaaone.com.

The Number of HIPAA Data Breaches Jumps 138 Percent Since 2012

When it comes to HIPAA Security and HIPAA Privacy, numbers do most of the talking, and according to recent reports the number of HIPAA data breaches has increased by 138% since 2012.

Another mind-boggling statistic is that 29.2 million patient health records have been compromised in HIPAA data breaches since 2009, according to Redspin, which compiled these numbers in a February 2014 breach report.

But these numbers are skewed because not every breach shows up in the public figures. A breach affecting fewer than 500 individuals must still be logged and reported to HHS, but only annually and in aggregate; it is not posted individually on OCR’s public breach portal the way breaches of 500 or more records are. Lisa Gallagher, senior director of privacy and security for HIMSS, said at the 2012 Boston Privacy and Security Forum that it is more likely that 40-45 million patient health care records have been compromised. While she said that is a more accurate number, it cannot be confirmed because the full data is not available.

Redspin also broke down the causes of the HIPAA privacy and security breaches since 2009: 83 percent due to theft, 35 percent involving theft or loss of unencrypted devices, 22 percent due to unauthorized access and 6 percent from hacking. The device figure is worth dwelling on: a lost or stolen device whose PHI is encrypted in a manner consistent with HHS guidance is not a reportable breach at all, so full-disk encryption of laptops and portable media removes an entire category from this list. Many of these breaches could have been avoided with a consistent risk analysis that identifies such devices before they go missing. Risk analysis failures top the list of the most prevalent security issues for business associates and covered entities, based on complaints received by OCR.

While business associates were involved in most of the larger-scale breaches from 2009-2012, only 10 percent of the 2013 breaches involved them. Under the HIPAA Final Omnibus Rule, business associates and covered entities that violate the HIPAA privacy and security rules can face civil penalties of up to $1.5 million per calendar year for all violations of the same provision. Only 17 of the roughly 90,000 HIPAA complaints received by OCR since 2003 have resulted in fines, but those numbers are expected to rise, especially since the official audit program goes live this year.

Source: HealthCareITNews.com

What’s The Difference Between A Covered Entity & Business Associate?

Knowing the distinction between a covered entity and a business associate is essential because the Health Insurance Portability and Accountability Act Privacy Rule is administered differently for each. If you understand the difference, you understand who has access to your medical data and what they are permitted to do with it.

The HIPAA Privacy Rule protects a person’s medical records and other individually identifiable health information, and it gives the patient rights over that information. It also binds covered entities and business associates, requiring each to follow specific rules and placing restrictions and conditions on the use and disclosure of protected health information.

Legally, the HIPAA Privacy Rule applies directly to covered entities; business associates are bound by it through their contracts and, since the 2013 Omnibus Rule, are directly liable for certain of its provisions. A covered entity is a health plan, a health care clearinghouse, or a health care provider that transmits any health information electronically in connection with a HIPAA standard transaction. Examples are your doctor, hospital, insurance company and health insurance plan, whether it is a private, employer, state or federal plan.

But it is common for health care providers and health plans to use the services of other individuals or businesses to help carry out their health care functions. That is where business associates come in.

More specifically, a business associate is an individual or entity that executes particular responsibilities that include the use or disclosure of protected health information in support of, or as a service to, a covered entity. A health plan, health care clearinghouse or covered health care provider could be a business associate for another covered entity, but a member of the covered entity’s personnel is not considered a business associate.

Possible business associates are an attorney, a CPA firm, an independent medical transcriptionist or a pharmacy benefits manager. Services provided by business associates can be accounting, billing, claims processing or data management. And of course, these are just a few examples of each.

A covered entity is responsible for obtaining satisfactory assurances that its business associates safeguard protected health information. The contract between a covered entity and its business associate (the business associate agreement) must meet HIPAA’s requirements, and if the covered entity learns that a business associate has materially breached that contract, it must take reasonable steps to cure the breach or terminate the contract.

Ready or Not, Here Come HIPAA Audits!

After running a successful pilot program in 2012, the Department of Health and Human Services’ Office for Civil Rights (OCR) is looking to launch a national HIPAA compliance audit program by the end of this year to ensure that health care providers and business associates comply with the HIPAA privacy and security rules.

This announcement is causing panic among many health IT leaders, because data security and privacy have become such a complex undertaking and many know that holes still exist but cannot pinpoint where they are. What is really troublesome is that the feds have proven, through their Recovery Audit Contractors (RAC) program, that they do not hesitate to take a take-no-prisoners approach, especially when there is a lot of money on the line.

To read more about this program, check out this press release.

OCR gives an important 2013 update on their HIPAA Security and Privacy Enforcement status

The resumption of the HIPAA compliance audit program is on hold while regulators analyze pilot audit project results and implement the HIPAA Omnibus Rule, says Susan McAndrew of the HHS Office for Civil Rights.