Compliance Management – Aegify
https://www.aegify.com
Comprehensive Security, Risk and Compliance Assurance Solution
Feed last built: Wed, 03 Aug 2016 00:23:44 +0000

HIPAA Audit: OCR Is On The Move
https://www.aegify.com/hipaa-audit-ocr-is-on-the-move/
Tue, 29 Mar 2016 20:26:33 +0000

Last week, the HHS Office for Civil Rights (OCR) announced the launch of phase 2 of the HIPAA Audit Program. OCR’s goal is to proactively uncover and address risks and vulnerabilities to protected health information (PHI). Effective immediately, OCR will ensure Covered Entities (CEs), their Business Associates (BAs) and vendors have comprehensive risk management frameworks in place.

CEs and BAs are required by law to implement the HIPAA security program and meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.

Friends, this is serious business. Earlier this month, North Memorial Health Care of Minnesota settled potential HIPAA violations with OCR for $1.55 million.  Click to read OCR’s 3/16/16 press release.

Can you withstand a fine or settlement of this amount?

CEs and their business associates are protected with Aegify RSC Suite, or alternatively through a combination of Aegify Risk Manager, Aegify Security Manager, Aegify Compliance Manager and Aegify BA-Vendor Manager. It’s easy to get started. Contact sales@aegify.com.

Click to read OCR’s 3/21/16 press release.

Thank you,
The Aegify Team

The post HIPAA Audit: OCR Is On The Move appeared first on Aegify.

$3.5 million fine levied against Triple-S Management Corporation for HIPAA violations
https://www.aegify.com/3-5-million-fine-levied-against-triple-s-management-corporation-for-hipaa-violations/
Fri, 04 Dec 2015 15:36:37 +0000

It’s happened again.

On Dec 1, 2015, a $3.5 million fine was levied against Triple-S Management Corporation, formerly known as American Health Medicare Inc., for HIPAA violations. OCR’s investigations indicated widespread non-compliance throughout the various subsidiaries of Triple-S, including:

  • Failure to implement appropriate administrative, physical, and technical safeguards to protect the privacy of its beneficiaries’ PHI;
  • Impermissible disclosure of its beneficiaries’ PHI to an outside vendor with which it did not have an appropriate business associate agreement;
  • Use or Disclosure of more PHI than was necessary to carry out mailings;
  • Failure to conduct an accurate and thorough risk analysis that incorporates all IT equipment, applications, and data systems utilizing ePHI; and
  • Failure to implement security measures sufficient to reduce the risks and vulnerabilities to its ePHI to a reasonable and appropriate level.

Here is the latest information on U.S. Department of Health & Human Services’ website: http://1.usa.gov/1XDjyVY.

Are you at risk?  If you’re a healthcare provider or a business associate/vendor, you are.  Protect your organization against HIPAA and other compliance risks with Aegify Compliance Manager, part of Aegify RSC Suite.

Aegify RSC Suite, conceptualized and designed in Cupertino, CA, provides bulletproof risk, security and compliance protection for healthcare, financial and retail companies throughout the USA.  Discover just how affordable peace of mind is at Aegify.com or by emailing sales@aegify.com.

The post $3.5 million fine levied against Triple-S Management Corporation for HIPAA violations appeared first on Aegify.

Security Goliaths Have Had Their Time, But Here Comes David
https://www.aegify.com/security-goliaths-have-had-their-time-but-here-comes-david/
Mon, 13 Jul 2015 07:11:31 +0000

People love an underdog. It’s one of the main reasons millions of viewers watch the March Madness basketball tournament every year or why the biblical story of David and Goliath is one of the oldest and most repeated stories of all time–it is inspiring to see the improbable come true.

In the world of healthcare data security, the Goliaths dominate. However, there is an underdog story in the making in this field too. Healthcare providers are struggling to keep up to date on compliance with changing regulations as well as the technology needed to properly protect their data. For example, 36%-40% of hospitals (depending on size) reported dissatisfaction with their security systems and a need for improvement in the next 12 months.

Many hospitals rely on vendors (24%, according to the Peer60 2015 report) to keep security software and programs up to date, while another 11% depend on the same companies to comply with HIPAA regulations. Vendors often do a poor job of explaining their complex systems, which makes it much more difficult for hospitals to implement all of the tools they have been given. Also, many security companies aren’t up to date on current data protection technology. If hospitals are not taking advantage of all of the features a security solution has to offer, and the technology used is not effective, then how safe could your important data really be?

Since a select few large companies run most network security systems, this dissatisfaction with how protection is being managed in hospitals matters greatly to all the other security vendors and providers looking to make their name through innovation and disruption in the marketplace. By providing less expensive, easier to use, and more effective data security protection, the smaller and newer security companies can shift demand away from the dominant few that have controlled the market in past years. If the large security companies cannot satisfy their customers, then it is time for the Davids of the data security world to make their mark. This is already happening in the fast-evolving security monitoring and cybersecurity arena.

***

In the recently released Gartner CIO Agenda Report, 2015, CIOs have identified Security & Risk Management as one of their top priorities. Many of your peers have already engaged Aegify to manage their security, risk and compliance efforts. Discover why. To learn more about how to protect important data, please click HERE to watch our excellent 55 minute presentation on how to protect your company from cyber attacks.

The post Security Goliaths Have Had Their Time, But Here Comes David appeared first on Aegify.

Offense is Sexy. Defense Wins the Game
https://www.aegify.com/offense-is-sexy-defense-wins-the-game/
Fri, 03 Jul 2015 05:32:48 +0000

What do all team champions have in common?  It doesn’t matter if we’re talking about football, baseball, basketball, hockey, soccer, cricket or just about any other team sport.  With few exceptions, the champion is extraordinarily competent at both offense and defense.

Think about healthcare.  Offense is a given.  There are frequent C-Suite discussions about new services, attracting the best clinical talent, effective community outreach and the like.

What about defense?  Sure, providers have whole departments to reduce risk in its many insidious forms, but playing defense in the SRC (security, risk and compliance) arena just isn’t as sexy as playing offense.  Unfortunately, mistakes on the defensive side of the ball can wipe out years of good offense work.

With this pleasant thought, let’s turn our attention toward data security.  Doesn’t it seem like data breaches happen disproportionately in healthcare?  I haven’t seen any definitive numbers to prove this point, but I am convinced healthcare breaches are more common because of the sheer amount of healthcare data being put on computers and into the cloud.

According to peer60, 96% of hospitals claim health information security is a huge priority for them.

Key findings include:

  • There are multiple obstacles to security, risk and compliance but key challenges revolve around lack of budget and non-compliant employees.
  • While lack of budget is an issue for most providers, it is especially so for smaller hospitals.
  • Although total threat prevention is daunting, significant optimism exists, especially at the manager and director levels. While 54% of CIOs said threat prevention is impossible, only 22% of security managers and directors responded the same way.  This is good news!
  • Hospitals with 500+ beds see fault with the underlying security weakness of Healthcare IT systems, not their SRC efforts.

I would like to invite you, your compliance officer, CISO, CIO, CFO and any other appropriate team members to dedicate an hour to improving your game on the defensive side of the ball.  Sure, offense is sexy.  But, as winning coaches know, defense wins the game and ensures your healthcare organization’s long-term safety.

Join me for Aegify’s next helpful webinar, “HIPAA Omnibus: How to do Security Risk Analysis” on Tuesday July 7 at 11am PT.  This valuable webinar is designed to help you analyze and quantify your security risk and give you a practical roadmap for risk reduction and compliance for today and tomorrow.  As a special bonus, we’ll outline the Aegify disruptive SRC solution that can save your organization up to 80%.

To register for this webinar, please click HERE.  On behalf of all of us at Aegify, we look forward to your participation on Tuesday, July 7 at 11am PT.

Yours truly,
Anupam Sahai
Co-Founder & CEO, Aegify Inc., Cupertino, CA, USA

About Aegify:

Aegify’s comprehensive, unified platform uniquely operates at the intersection of security, risk and compliance for healthcare providers and their business associates. Discover what more than 400 other organizations already know: Aegify is the affordable, disruptive solution for IT security and compliance management, vulnerability analysis and risk management.

Aegify earned the highest rating of 5 out of 5 stars from SC Magazine for Features, Performance, Documentation, Support and Overall Rating (June 2014).

The post Offense is Sexy. Defense Wins the Game appeared first on Aegify.

Tally of breach incidents grows by a whopping 67 percent a year after HIPAA Omnibus Rule!
https://www.aegify.com/hipaa-compliance-breach-reaches-67-percent-growth/
Tue, 07 Oct 2014 10:42:16 +0000

The US Department of Health and Human Services’ Office for Civil Rights (OCR) modified the HIPAA Act with the HIPAA Omnibus Rule, which came into effect in the first quarter of 2013.

With the HIPAA Omnibus Rule demanding higher standards for breach notification, enterprises worked to strengthen the privacy and security protection mandated by HIPAA. Other changes included new privacy protection for genetic data, limitations on the use of information for marketing, a prohibition on the sale of personal health information without individuals’ permission, and an increase in the penalty amounts for non-compliance. Moreover, as part of the change, business associates and vendors who transmit, create and maintain protected health information were also made directly responsible for HIPAA compliance.

However, within a year of the rule being enforced, the Department of Health and Human Services’ "wall of shame" recorded an increase from the earlier 674 incidents to 1,126 incidents, a whopping increase of 67 percent! As for the number of individuals affected, the count moved up from 27 million individuals as of Sept 2013 to 38.7 million to date, an increase of 43 percent! The largest breach added to the "wall of shame" since the enforcement of the HIPAA Omnibus Rule is the hacker attack at Community Health Systems, which affected 4.5 million individuals. Federal regulators and experts attribute such a vast increase in the breach tally to various factors, such as the increase in hacking incidents and insider threats, with the HIPAA Omnibus Rule’s detailed breach notification requirements themselves making a significant contribution, since security incidents are now presumed to be reportable unless healthcare organizations demonstrate that the risks are low.

Despite the heavy penalties, and even one year after the HIPAA Omnibus Rule helped build awareness of HIPAA, there is still a large number of business associates and covered entities who do not fully embrace HIPAA compliance. For the regulatory changes to create a lasting impact, they need to be backed by strong enforcement policies. While efficient risk assessment technologies will help in locating potential threats, covered entities and business associates are also required to review their agreements to ensure HIPAA compliance.

Deploying an automated HIPAA security and compliance management solution such as Aegify Secure GRC will help healthcare providers and practitioners identify, remediate and maintain HIPAA and HITECH compliance for all establishments that handle PHI, especially with OCR’s plans to resume its HIPAA on-premises audit program, including auditing BAs as well as covered entities. Moreover, equipped with built-in frameworks that facilitate compliance with the HIPAA Omnibus Rule, this cloud-based solution ensures that enterprises, vendors and business associates need no heavy investment in new infrastructure. The automated processes in Aegify make it much simpler and easier to remain secure and compliant.

The post Tally of breach incidents grows by a whopping 67 percent a year after HIPAA Omnibus Rule! appeared first on Aegify.

Rodriguez’s Thoughts & Guidance on HIPAA Enforcement
https://www.aegify.com/rodriguezs-thoughts-guidance-on-hipaa-enforcement/
Thu, 03 Oct 2013 07:27:19 +0000

In the keynote presentation at the HIMSS Privacy and Security Forum in Boston on 23rd September, the Director of the Office for Civil Rights (OCR), Leon Rodriguez, addressed the areas of focus for the HIPAA enforcement actions to be undertaken by OCR, and gave specific advice for organizations that are under the purview of OCR. He also offered insights into how OCR will proceed with the audit program.

The Three Focus Areas

According to Rodriguez, the three areas of focus for enforcement actions will be:

  1. Major deficiencies or breakdowns in security. Often, a data breach is the catalyst for an investigation, but the security breakdown that is identified by OCR has little to do with the cause of the breach that triggered the investigation.
  2. Egregious disclosures of patient information. This is with reference to cases where the exposure of PHI was totally unwarranted, and had nothing to do with the ‘quantity’ of patient records involved.
  3. Failure to provide access. The HIPAA Omnibus rule allows patients to have access to information in their electronic medical record. Quoting the Cignet case where access was not provided, and no cooperation was extended to OCR during its investigation, Rodriguez described it as the ‘sleeper’ category for enforcement.

Following this, Rodriguez stated that OCR has a new portal where complaints will be captured, and that around 18,000 complaints are expected on this portal annually. He also said that the majority of these complaints will be potential HIPAA violations.

Advice and Guidance

Rodriguez provided valuable advice to covered entities and business associates about complying with the Omnibus Rule and avoiding breach incidents. Emphasizing that every organization must know where PHI is stored and what its most significant vulnerabilities are, he reiterated that compliance begins with a thorough security risk analysis, which can identify the weakest link, the one that may cause an entire organization to face scrutiny.

Speaking about the value of encryption, Rodriguez said that there is a widespread misperception that encryption is not a cost-effective way to avoid unauthorized disclosure of PHI, but in reality encryption is of great value to any covered entity or business associate.

Permanent Audit Program

Delving into the learnings of the recently concluded pilot audit program, Rodriguez also gave some perspective into what would be the key focus of the permanent audit program. Reiterating the importance of the role played by security risk analysis, he said that one of the key findings of the pilot audit was that failure to conduct risk analysis increases the chances of a breach.

Rodriguez also said that he would like the permanent audit program to address a larger population of entities, and that in order to accomplish this, OCR is in the process of adding permanent staff to complement outside auditors. Another noteworthy point is that OCR will continue to use civil monetary penalties as a tool in their enforcement actions going forward.

Key Takeaways

Rodriguez’s talk clearly expressed themes that have been constantly emphasized by OCR. He stressed the need for a security risk analysis, and its value as the cornerstone of a positive HIPAA compliance posture. He also highlighted the value of encryption technology for maintaining an appropriate security posture.

With ‘meaningful use’ driving more healthcare entities to adopt electronic health record (EHR) systems, there may be an increase in the number of complaints arising from challenges that patients will have in gaining access to their health records. So entities should address these challenges even as they adopt EHR systems.

OCR is likely to carry out rigorous enforcement actions under the permanent audit program, which will cast a wider net to identify many more entities lacking in security and privacy controls and compliance. At this juncture, healthcare organizations can greatly benefit by adopting comprehensive security solutions such as Aegify Security Posture Management or Aegify SecureGRC to ensure compliance with HIPAA rules and to effectively handle the upcoming audit.

The post Rodriguez’s Thoughts & Guidance on HIPAA Enforcement appeared first on Aegify.

How Can BAs & Subcontractors Tackle the New Compliance Burden?
https://www.aegify.com/how-can-bas-subcontractors-tackle-the-new-compliance-burden/
Tue, 19 Feb 2013 09:07:26 +0000

The HIPAA Omnibus Rule has now brought business associates and subcontractors within its scope, making it mandatory for them to comply with the requirements of the final rule or face stiff penalties. So business associates and subcontractors are now bound to conduct risk assessments and make appropriate use of encryption, along with other precautionary measures, just like their healthcare counterparts, to ensure complete compliance with the final rule by the end of September this year.

This makes it necessary for business associates and subcontractors of healthcare entities to take immediate steps, including documenting their security and privacy practices. The security measures taken by business associates and subcontractors so far will not be sufficient, as the final rule makes them as accountable for the protection of private health information as covered entities are. This clearly means that all covered entities will now revisit their agreements with business associates, who in turn will update and modify their agreements with subcontractors to suit the requirements of the final HIPAA rule.

One of the noteworthy consequences of the final rule is that more and more business associate agreements are now seen to be transferring all the costs of breach remediation to business associates in cases where they are responsible for a breach. Therefore business associates and subcontractors now have a big burden to carry on their shoulders. How can they manage this new compliance responsibility? What are the measures they need to take to prepare themselves? Here are some immediate steps that have to be taken:

  • Identifying a privacy expert who can manage matters of privacy and security in the organization
  • Encrypting all devices that store or process patient health information
  • Documenting privacy and security practices and risk analysis measures
  • Assessing and identifying means to provide patients with accounting of disclosures of their health information
  • Adopting privacy and security management platforms like Aegify Security Posture Management and Aegify SecureGRC which can simplify compliance with HIPAA to a large extent.

Since business associates and subcontractors are also now completely bound by HIPAA, they are also subject to random audits by the Department of Health and Human Services in the near future. Hence implementing the above measures should be of top priority for business associates and subcontractors if they wish to avert security threats, prevent data breaches, and avoid consequent legal action.

The post How Can BAs & Subcontractors Tackle the New Compliance Burden? appeared first on Aegify.

OCR Enforcement & Penalties for HIPAA Non-Compliance
https://www.aegify.com/ocr-enforcement-penalties-for-hipaa-non-compliance/
Wed, 16 Jan 2013 06:00:50 +0000

Healthcare entities now have to take the protection of patient health information much more seriously than ever before, because non-compliance with HIPAA can now attract a whole range of penalties, both civil and criminal. The Standards for Privacy of Individually Identifiable Health Information, better known as the HIPAA Privacy Rule, put forth a set of national standards for the use and disclosure of individuals’ health information. This rule makes it mandatory for all covered entities and their business associates to safeguard the privacy rights of individuals and allow them to understand and control how their health information is being used.

Healthcare entities, their associates, and employees are bound to ensure that health information is kept completely protected. The Department of Health and Human Services’ Office for Civil Rights is responsible for enforcing and administering these privacy standards, and holds the right to investigate complaints and conduct investigations whenever necessary.

OCR seeks the cooperation of covered entities in complying with the HIPAA Privacy Rule, and may also extend technical assistance if necessary to encourage voluntary compliance. However, those entities that fail to comply with the standards set by the HIPAA Privacy Rule may not only be subject to civil monetary penalties but in some cases may face criminal prosecution. Here’s a look at the civil and criminal penalties that healthcare entities may attract if found guilty of non-compliance with HIPAA.

Civil Action

Failure to comply with any or all of the requirements of the HIPAA Privacy Rule may lead to civil penalties. These penalties can vary significantly depending on several factors including the date of violation, likelihood of willful neglect, and knowledge of the failure to comply. Also, penalties may not exceed a calendar year cap for multiple violations of the same requirement.

However, under certain circumstances, healthcare entities may not face civil penalties. Such circumstances may include:

  • Cases when ‘willful neglect’ was not a reason for the failure to comply, and corrective action was taken during a 30-day period after the entity came to know of its failure to comply with the privacy rule. This period may be extended at the discretion of OCR.
  • Cases where criminal penalty has been imposed for non-compliance, by the Department of Justice

In addition to this, the Office for Civil Rights may decide to reduce the penalty if non-compliance was due to a reasonable cause, taking into account the nature and extent of the failure to comply, where the full penalty would be excessive.

How is this determined?

The OCR, before imposing a penalty on the covered entity, sends a notification and provides a fair opportunity to the entity to show written evidence of the circumstances that may reduce or bar a penalty. Such evidence has to be provided to OCR within a period of 30 days from the date of receipt of the notice. Also, if OCR proposes to impose a penalty, covered entities may request an administrative hearing to appeal the proposed penalty.

Criminal Action

The Department of Justice is responsible for criminal prosecutions under the Privacy Rule. A person who is guilty of obtaining or disclosing individually identifiable health information may face criminal penalties up to $50,000 and imprisonment up to one year. These penalties may go up to $100,000 and five years imprisonment if such wrongful conduct also involves false pretences, and up to $250,000 and ten years imprisonment if the act was intended with an aim to sell, transfer, or use identifiable health information for commercial advantage, malicious harm, or personal gain.

What Should Healthcare Entities Do?

Firstly, healthcare providers and their business associates should understand the importance of protecting patient health information, and the consequences of not doing so. They should take steps to train their employees and educate them about the need to safeguard individually identifiable information. Secondly, all healthcare providers should adopt a complete data security solution like SecureGRC that can provide end-to-end security for all electronically stored data and make sure that patient data remains protected at every point, whether it is on the healthcare entity’s systems and databases or stored on other end-point devices like laptops, tablets, or mobile phones.

The post OCR Enforcement & Penalties for HIPAA Non-Compliance appeared first on Aegify.

How to Avoid Expensive HIPAA Non-Compliance Mistakes
https://www.aegify.com/how-to-avoid-expensive-hipaa-non-compliance-mistakes/
Mon, 23 Apr 2012 11:39:02 +0000

HIPAA compliance management can be convoluted and at times expensive. However, think again if you are not compliant, as non-compliance can cost you a huge packet! Phoenix Cardiac Surgery P.C., a small Arizona physician group practice, can testify to that. Because of a three-year federal investigation that began in February 2009, this small practice faces a $100,000 penalty for HIPAA violations. The violation occurred in the form of clinical and surgical appointments of patients posted on an Internet-based calendar that was publicly accessible.

As per the OCR, the main violations in this practice were failing to adequately safeguard patient information with the necessary policies and procedures, and failing to identify a security official. Not maintaining records of the training given to employees on the policies and procedures for conforming to the HIPAA regulations was another key violation. The violations also included the failure to carry out a risk analysis and to obtain business associate agreements with its Internet-based e-mail and calendar services vendors.

While HIPAA compliance requires a health care provider to meet the requirements of the Privacy and Security Rules, non-compliance can bring a large legal penalty and, at times, substantial remediation costs. Leon Rodriguez, the director of the Office for Civil Rights (OCR), stresses that OCR expects committed HIPAA compliance "no matter what the size of a covered entity is." This makes it all the more necessary for healthcare providers to be aware of their security policies, procedures and infrastructure.

It is time to implement adequate administrative and physical safeguards and avoid violations like the ones committed by Phoenix Cardiac Surgery P.C. You must adopt a fully automated and integrated solution that can meet OCR's expectations and help you comply with the HIPAA compliance program. Among other measures, it is imperative to have a corrective action plan to conduct the necessary risk assessments and put appropriate policies and procedures into effect.

eGestalt's SecureGRC is an ideal solution with end-to-end automation for all your security, compliance, assessment, audit, and risk management needs. Since compliance with HIPAA must be maintained on a continuous basis, SecureGRC has built-in support for HIPAA/HITECH that can ensure you are compliant at all times.

Staying Clear of Health Information Breaches
https://www.aegify.com/staying-clear-of-health-information-breaches/
Tue, 28 Jun 2011 05:39:15 +0000
Did you know that 2.7 million Americans were affected by around 32 major health information breach incidents recently? The bulk of those people were affected by the breach that occurred at the insurer Health Net and its business associate IBM. The federal list released on June 22 covers all the major healthcare information breaches that have occurred since September 2009, in which around 11 million individuals were affected in total. Health information breaches have continued unabated: first the Health Net incident, followed closely by the theft of a desktop computer at the Eisenhower Medical Center that compromised the information of over 500,000 individuals.

There has been a large number of information security breaches since 2009, ranging from thefts of hard drives (BlueCross BlueShield of Tennessee), a laptop (AvMed), and backup tapes (New York City Health & Hospitals Corp.), compromising the sensitive medical and health information of millions of people. Even as the full and final version of the HITECH breach notification rule is expected to be released later this year as part of an "omnibus" package that would include several rules, the current version requires organizations to conduct a risk assessment of any incident that could be a potential threat, and if the incident does cause harm, the resulting breach must be reported.

So is it really that difficult for healthcare organizations to take the right action as far as mitigating such information risks is concerned? Actually, no. It is not difficult if a prudent medical practitioner or healthcare enterprise owner ensures that healthcare compliance measures are in place by adopting the appropriate HITECH compliance solution. All that a healthcare organization needs to do is enforce a security policy that restricts unauthorized access. SecureGRC, an automated compliance solution from eGestalt, can help healthcare organizations deal with their compliance woes comprehensively. The solution is designed to identify, remediate and maintain HIPAA and HITECH compliance for all healthcare organizations that handle Patient Health Information.

SecureGRC is equipped to help healthcare organizations achieve and maintain compliance with the regulations set forth in both the HIPAA and HITECH acts. Additionally, since the solution can be delivered via the cloud, requiring no custom hardware investment, the compliance solution is future-proof. The solution not only automates the audit process but also provides concrete evidence of which risks need to be addressed and how they should be addressed. eGestalt makes it easy to stay clear of health information breaches with its fully optimized solution that addresses all healthcare compliance issues.
