The post HIPAA Audit: OCR Is On The Move appeared first on Aegify.

Read Whitepaper

The post Keep your Healthcare business Secure and Healthy! appeared first on Aegify.

Dr. John Frame, highly respected surgeon and founder of Breast Health Specialists of Oklahoma (BHS of OK), has operated on thousands of breast cancer patients over his nearly three decades of surgical experience. However, he also runs a vibrant, growing business.

The Challenge
In 2012, Dr. Frame, team leader of BHS of OK, had an insurance review. The company’s insurance representative pointed out that BHS of OK was vulnerable to security breaches and regulatory non-compliance fines.

“Regulatory rules are over-reaching and overly-detailed. It’s tough to comply with what is asked of us, but nonetheless these rules are a good thing.”

“It’s a defense move. Should there be a HIPAA compliance or security breach, you’d be really vulnerable to penalties if you haven’t done a compliance audit,” said John R. Frame M.D., Surgeon, Founder, BHS of OK.

The challenge was not that BHS of OK should comply with HIPAA regulations, but how. The insurance company had two pieces of good news. First, they recommended www.aegify.com as a comprehensive solutions provider. Second, they promised significant insurance savings upon proof of HIPAA compliance.

The Solution
After a 30-minute phone call with Aegify, Dr. Frame, learned that Aegify Compliance Manager provides a unified platform for all BHS of OK’s HIPAA compliance management activities and automatically integrates with risk, security management and audit operations. He appreciated his unprecedented visibility into BHS of OK’s compliance efforts and risk management across his organization.

The time investment to become HIPAA compliant the first time in BHS of OK’s history was 8-10 hours. BHS of OK answered Aegify’s compliance questions and gathered or created all required supporting documents. “Aegify gave us a lot of templates making the process easier,” said Dr. Frame.

The Results

1. Peace of mind. BHS of OK has been HIPAA compliant for three years. Should a compliance audit be mandated in the future, BHS of OK has a solid paper trail.
2. Significant insurance savings. For three years, BHS of OK has enjoyed lower insurance premiums because of their current Aegify certificates of compliance.
3. Best PHI practices. HIPAA compliance is now a part of BHS of OK’s daily operations. BHS of OK staff has been trained and compulsively adheres to best practices for securing protected health information in all forms: email, paper, databases, over the phone or in person discussions.

“I felt very good about the having a compliance document in my files,” said Dr. Frame. “To their credit, Aegify predicted that following years would be much easier. The renewal process requires less than 10 minutes every year.”

Download a PDF of this case study

The post Breast Health Specialists of Oklahoma appeared first on Aegify.

Read Whitepaper

The post Achieve HIPAA Omnibus Compliance in Five Easy Steps appeared first on Aegify.

“We had no idea where our compliance posture stood, or how much of our daily practices were already in compliance. However we did know that we were not in compliance as much as we should’ve been,” said Donnell, office manager for Internal Medicine Associates of Memphis, Tennessee. This is not an uncommon view among small medical practices nationwide. HIPAA data privacy laws coupled with HITECH security rules and enforcement is complex and foreign to most offices. These small businesses are not blessed by the deep pockets or internal IT resources enjoyed by larger clinics and hospitals to fund and obey HIPAA compliance standards. In most cases, outside consulting firms are hired, charging tens of thousands of dollars to ensure that hospitals receive the training and directives they need to stay in compliance. Not so for most small medical practices.

Key Requirements

Electronic health records (EHR) systems have certainly made management of confidential patient records easier in some respects but not necessarily more secure. The federal government is also encouraging the deployment of EHR via a program of monetary incentives that follow guidelines set out by “Meaningful use” practices. Offices that have not implemented EHR are not qualified to file for these incentives. The pressure is on for all medical practices regardless of size, to upgrade to EHR. “The sad reality is that, like many offices our size, we are still using paper forms,” said Donnell. “We have paper records that are 10-12 years old that can be difficult to find because nothing is online.” With three full-time primary care physicians and nine employees, Internal Medicine Associates of Memphis was facing a high degree of risk and potential fines for noncompliance.

Aegify RSC Suite: a HIPAA Solution to the rescue

Fortunately, they turned to David Altizer, vice president of SOS Systems of Memphis, to cure their ailments with a HIPAA compliance solution and set of best practices. Immediately, SOS Systems, a Managed Compliance Provider (MCP) partner of Santa Clara, Calif.-based Aegify, rolled up their sleeves and began putting into action a HIPAA strategy. Starting with an evaluation to assess needs, SOS used the native templates available in Aegify’s RSC Suite solution to set up policies and automate procedures, thus helping to manage a decade’s worth of patient records.“We started with nothing, and SOS thankfully provided all the documentation we needed,“ said Donnell. “We scanned into the system hundreds of patient files. Using Aegify RSC Suite, we performed an assessment that instructed us how to proceed with aligning ourselves with HIPAA compliance. We could browse and click and see where things had to be. SOS trained us on using Aegify RSC Suite and explained how and where we needed to be compliant.” Donnell also realized that following HIPAA best practices would also lead to running her medical office more efficiently as a business. With the help of SOS Systems, Donnell could rest assure they were on the right track. “We promised to do whatever it took to get compliant. The last thing we wanted was to deal with a fine,” she said.

Results of using Aegify RSC Suite

Donnell found Aegify RSC Suite easy to use and deploy. “The web-based system simply asks a lot of questions, like a multiple choice test. We selected the answers and then attached the appropriate document to update and prove compliance.” “The system gave me confidence that policies and procedures were being followed, and that patient records were being managed successfully.” “We enjoyed working with SOS Systems and did not consider using another service provider. They have been very helpful. This was our first working experience and we are satisfied with the results,” said Donnell.

Conclusions: quick deployment, easy to use, a business-saver

“The Aegify RSC Suite solution was self-explanatory from the get-go. I figured that if I could use it, then anybody else could, too. Soon enough, I found myself conducting the assessments alone without any help,” admitted Donnell. “The whole process took less than two hours, and that included attaching documents, proving compliance, and completing the entire process.” “Wherever we needed guidance, SOS stepped in to help. Regarding HIPAA, we now have peace of mind. SOS has been a true life, or rather, business, saver.”

The post Internal Medicine Associates of Memphis Achieves HIPAA compliance appeared first on Aegify.

Barbara is the office manager for a Grand Rapids, Michigan family practice with four staffers and 1800 patients. The practitioner has been providing healthcare services to patients for 24 years. While attending her monthly association meeting of regional physician office managers, Barbara met local services provider Joe Dylewski, president of ATMP Solutions, a provider of healthcare IT technology for more than 20 years. (http://www.atmpgroup.com) Her challenge posed to Joe? To help her find an online risk assessment solution she could use without any previous IT experience or formal computer education. Her goal was to meet and sustain compliance with HIPAA and HITECH regulations, to fulfill a few core requirements of “Meaningful use” statues, and to facilitate patient care reimbursements from insurers. Several years ago the office had transitioned its patient records to an EHR system to automate day-to-day processes, thus helping to reduce administration costs.

A Solution for Compliance with HIPAA/HITECH

After conducting an evaluation of her office environment, ATMP Solutions recommended that Barbara implement Aegify RSC Suite, a cloud-based, SaaS-delivered application developed by Aegify Inc., of Santa Clara, Calif. The application helps meet HIPAA and HITECH privacy and security rules at dramatically less cost and complexity than standard approaches. “Aegify RSC Suite is probably the only tool on the market built from the ground up to Page | 4 service small medical practices,” said ATMP’s Joe Dylewski. “It also had the incomparable value of not requiring its users to have deep domain knowledge with the intricacies of HIPAA laws.”

Results of using Aegify RSC Suite

Said Barbara, “A major attraction of Aegify RSC Suite is its ability to collect and store all HIPAA-related provisions and related documents online into a single repository, making it a hands-on tool and thereby easier to use and access. The system is understandable given our level of tech expertise.” Having Aegify RSC Suite automate the risk assessment process by providing a comprehensive list of questionnaires gave the office its clearest picture yet of its current state of compliance, highlighting specific non-compliant areas, such as backup and recovery, that needed immediate addressing before the office could take comfort in knowing they were 100% HIPAA compliant.

Conclusion: Quick Deployment of Aegify RSC Suite

The deployment went as planned. “There was no need to schedule 40 hours to walk through the system,” said Barbara. “It only took 3-4 weeks to complete the entire process and determine our level of compliance.” “Being an ACO (accountable care organization), it was important for our practice to fall in-line with prevailing compliance standards, to not cause a bottleneck with other doctors’ offices or business associates, and most of all, to not find ourselves in any hot water with regulators. I know this [Aegify RSC Suite] is going to be useful. We’re already seeing other groups within our association take interest. They too want to get involved with ATMP and Aegify’s compliance solution.” “Another added plus about this application is the positive impact it has had with expediting our reimbursements, which is always good for business.”

The post Finding ‘Meaningful Use’ in a simple HIPAA Solution appeared first on Aegify.

Phase 2 audits will be conducted by OCR staff and will likely involve a different methodology than previous audits. Unlike the comprehensive Phase 1 audits, Phase 2 audits will be more narrowly focused. OCR intends to audit 350 covered entities and 50 business associates. Concentrating on compliance with requirements related to the notice of privacy practices and patient access to protected health information, the OCR will audit 100 covered entities on the Privacy Rule.  For the first time, business associates are to be included in these audits.  OCR will request a list of business associates from covered entities.

OCR has implied that the Phase 2 and future audits’ adverse findings could lead to civil monetary penalties or a resolution agreement. The estimated “Round 2” of Phase 2 audits and those conducted in 2016 and beyond, are likely to focus on device and media controls, transmission security, Privacy Rule safeguards, encryption and decryption, physical facility access controls, breach reports, and complaint processes. However, there may be a significant impact on how the audit program ties to enforcement because OCR leadership is likely to change soon.

OCR will audit 150 covered entities on security focusing on risk analysis and corresponding risk management. The OCR learned in Phase 1 that with no address confirmation, a hard copy audit notification can drag on indefinitely. In response, last year the OCR gathered information from more than 550 covered entities. Unlike Phase 1, for now OCR does not intend for Phase 2 audits to include on-site visits, but this is subject to review.

Prepare for Your Office for Civil Rights Phase 2 Audit

The best way to prepare for a HIPAA audit is to complete document your privacy and security strategy, using the Aegify documentation management system.

If HIPAA compliance auditors discover an organization cannot produce adequate documentation, logically they’ll suspect subpar compliance efforts. Healthcare organizations need the following documents ready:

• Security and privacy policies and procedures
• Risk assessment and corrective action plan
• Organizational chart outlining privacy and security responsibilities
• Technology inventory, including all security tools used
• Business associate agreements
• Incident response plan
• HIPAA compliance training materials

Click HERE to discover how Aegify prepares companies for their OCR Phase 2 audits.

The post Prepare for “Phase 2” HIPAA Audits appeared first on Aegify.

• Extent to which hospitals comply with the contingency planning requirements of HIPAA in terms of establishing policies and procedures for responding to any emergency or events that could compromise protected health information.
• How truly were the providers entitled to meaningful use incentives and how effective is the oversight of CMS (Centers for Medicare & Medical Services) on security controls over networked medical devices integrated with EHR Systems
• Adequacy of covered entities and business associates in securing electronic patient protected health information created or maintained by certified EHR technology and whether hospitals have conducted the required security risk analysis.

When you get an audit notice do you feel stressed? CMS audit rate is about 5% of facilities that have attested and according to Figliozzi and Co,  there’s a 4.7% failure for first time audits .

The reasons for failure could be due to some common myths surrounding the security risk analysis:

1. One security risk analysis is good forever – No. HIPAA Compliance mandates that you review the security risk analysis periodically.
2. My EHR vendor takes care of this – No. The EHR vendor is only responsible to provide you a certified system. Privacy and Security of your ePHI and having a complete security risk analysis conducted is solely your responsibility.
3. The security risk analysis is optional for a small practice like mine – No.  Covered Entities, whatever the size, are required to conduct /review a complete security risk analysis under HIPAA guidelines.

Audit letters are being sent out by OIG for documentary evidence of compliance with the particular meaningful use measures such as calculation reports printed from the EHR system, and security risk analysis reports. A study by OIG found that the estimated incentive payment of $6.6 billion between 2011 and 2016 to professionals and hospitals is vulnerable that incentive payments could be made to those that do not fully meet the meaningful use requirements. OIG recommended in their November 2012 report that CMS should obtain and review documentation from selected professionals and hospitals and provide guidance on documentation procedures to establish and maintain compliance.

In submitting response to the question on meaningful use measures you would be confirming that  you have conducted or reviewed a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies as part of the risk management process.  The security risk analysis must be done at least once before the end of the reporting period being attested. Thereafter, you must review the security risk analysis before each reporting period that follows. All security deficiencies and/or breaches identified during a risk analysis must be comprehensively addressed.Covered Entities, irrespective of their size, must treat the requirement to conduct a security risk analysis as a license to practice.

Businesses across the healthcare industry and its verticals therefore need to scan their PHI assets and conduct security analysis besides ensuring meaningful use of the EHR. Aegify has been developed as a comprehensive security, risk and compliance management solution that not only addresses all of HIPAA compliance needs but also provides the covered entities with meaningful use attestation reports with proof of security and risk analysis. Further, Aegify automates HIPAA management through continuous workflow assessment cycle, and provides instant remediation measures to correct the security deficiencies, a trusted Solution by 70+ MSPs with thousands of customers. Aegify protects your assets, detects vulnerabilities proactively, and responds with appropriate remedial measures. Aegify is the only solution that unifies a comprehensive Security, Risk, and Compliance Assurance system.

A cloud-based Aegify walks you through simple steps in your risk analysis and management and helps you face the OIG audit on risk analysis through effective automated processes and documentation reports. Aegify Risk Framework is comprehensive:

Aegify – Continuous Monitoring Cycle

Aegify – Risk Management Model

The Aegify Risk Management Service meets the risk assessment methodology best practice as shown below:

Aegify’s automated risk management module helps you keep track of documents required as part of required evidences. Extensive report generation facilities provide online resource with the following simple steps.

1. Configure Risk Profile	Select Standards / Regulations against which the customer need to assess the organizational Risk. Applicable controls to assets are identified based on the selected Risk Profiles here.
2. Manage Assets	Add assets, manually or through automated scan-based asset discovery, or from an uploaded asset-list file. Define Asset attributes for each asset. Asses the security risk for each asset.
3. View Dashboards/ Reports	View perspective-based security risk posture. Generate risk reports for analysis.
4. Assess Risk Controls	Publsih Risk Assessments or review risks from published and responded assessment. Generate risk assessment report.
5. Do What-if analysis	Simulate various risk scenarios by changing risk parameters. View security posture at different levels of risk settings. Prioritize remedial actions  based on what-if analysis.
6. Configure risk settings	Review and modify asset types. Review risk scenario of each asset type and customize risk settings for different assets. Work with various mitigation strategies in respect of non-compliant controls for meeting the regulatory control requirements. Customize the list of ever-changing threat sources and vulnerabilities.

The default settings would normally be adequate in identifying and managing assets, assessing the risk levels of all or selected assets, assessing compliance to regulatory risk controls, and for doing detailed what-if analysis by changing various parameters in the risk assessment process. However, where risk configuration needs more customization to meet the specific characteristics of an organization the risk configuration settings provide the advanced customization options.

Offered as a cloud-based model, Aegify includes all security and IT GRC functions. Equipped with a built-in compliance framework that supports HIPAA, RBI, NSE, BSE, MCDEX, PCI, ISO, COBIT, FISMA and other country based ones, Aegify also has advanced alert and monitoring systems that makes it a complete end-to-end automation solution for all security, audit, compliance and risk management needs of an enterprise.

The post Meaningful Use Incentive Payments – OIG Audits Begin appeared first on Aegify.

The Health Insurance Portability and Accountability Act demands that health care providers report data breach in cases that effect more than 500 people. In case of violation of HIPAA, enterprises and their business associates and covered entities, face a penalty of $50,000 reaching up to $ 1,500,000. Over 40% of cyber security breaches in 2014 has been across healthcare providers and their business associates. Such rampant breaches across this sector leads to loss of millions of digital healthcare records and personal information of patients and therefore calls for aggressive counter measures to address these rampant data breaches, given the fact that PHI is getting more valuable in the cyber-fraud scenario than the credit cards.

As per the requirements of HIPAA compliance, all patient health information and   critical assets have to be secure. But, the records compiled in 2014 points to a      disturbing trend in increased in data breaches, nearly 41 million from 29.3 million,  an increase of 41% over 2013. Moreover, records also display that the complaints  received by the Office for Civil Rights include nearly 5,447 unresolved cases and  around 53,000 closed. The reasons put across are lack of jurisdiction or  complaints being withdrawn, and not because there was no HIPAA violation.  Further, analysis of the HHS data also brings to light that a large portion of the security breaches (over 52%) have been through theft, nearly 10% due to unauthorized access due to loss of devices, and over 9% due to hacking incidents.

Source: Compilation by Erin McCann, Managing Editor at Healthcare IT News, using data from the Department of Health and Human Services, which includes HIPAA breaches involving more than 500 individuals, reported by 1,149 covered entities and business associates

Businesses across the healthcare industry and its verticals therefore need to scan their PHI assets and conduct security analysis besides ensuring meaningful use of the EHR. Understanding the criticality of the situation, enterprises have deployed a number of new age techniques to protect their electronic data from breaches.

However, Aegify has been developed as a comprehensive security, risk and compliance management solution that not only addresses all of HIPAA compliance needs but also provides the covered entities with meaningful use attestation reports with proof of security and risk analysis. Further, Aegify automates HIPAA management through continuous workflow assessment cycle, and provides instant remediation measures to correct the security deficiencies, a trusted Solution by 70+ MSPs with thousands of customers. Aegify protects your assets, detects vulnerabilities proactively, and responds with appropriate remedial measures. Aegify is the only solution that unifies a comprehensive Security, Risk, and Compliance Assurance system.

The post The Ever growing list of HIPAA breaches appeared first on Aegify.

The HIPAA Privacy rule was aimed to protect the privacy of individually identifiable health information. Along with this the OCR also brought out the HIPAA Security Rule, which sets national standards for the security of electronic protected health information. The HIPAA Breach Notification Rule requires covered entities and business associates to notify following a breach of unsecured protected health information and the confidentiality provisions of the Patient Safety Rule that protect identifiable information used to analyse patient safety events and improve patient safety.

HIPAA is a set of complex federal rules and regulations that govern how medical institutions and their business associates treat private health information. With penalties for HIPAA violations being substantially high, legal experts are analysing the impact of Connecticut Supreme Court’s ruling whether plaintiffs can sue a healthcare provider for negligence if HIPAA regulations have been violated by not protecting the privacy of patients. As per the HIPAA Security Rule, OCR has set national standards for the security of protected health information (PHI) that is created, stored, transmitted, or received electronically.

However, as methods to ensure the confidentiality, integrity, and availability of ePHI data, the HIPAA Security Rule requires medical practitioners, covered entities, business associates and consumers to implement a series of administrative, physical, and technical safeguards when working with ePHI data. The Connecticut case of Emily Byrne vs. Avery Centre for Obstetrics and Gynaecology which involved a patient who sued a healthcare clinic that released her medical records to a third party without her authorization, falls into one of 10 types of HIPAA violation. Failure to comply with HIPAA requirements leads to civil and criminal penalties that applies to both covered entities and individuals.

The covered entities and business associates should therefore take adequate steps to ensure that the patient data is safe from any sort of data breach. The HIPAA/HITECH Security and Compliance management solution, Aegify, is a continuous security monitoring and compliance management solution that is built on a framework approach and allows covered entities and business associates to gain control and improve compliance levels across HIPAA, HITECH, PCI, SOX, ISO, COBIT including country-specific regulations. Its built-in vulnerability scanning technology makes security and compliance monitoring simple and effective and is designed to facilitate both large hospitals as well as small and medium healthcare establishments and their business associates to continuously monitor security of PHI against any data breaches.

The post Don’t let ePHI make your business another Connecticut case of HIPAA Negligence appeared first on Aegify.