OIG: Paying Close Attention To HIPAA Security In Meaningful Use Audits

According to its recently released work plan, the Office of the Inspector General (OIG) will continue to pay closer attention to the healthcare industry’s use of electronic health records, in particular HIPAA security, EHR incentive payments and fraud.

As digitization continues to be a priority, so does its appropriate implementation and use. To support its oversight of IT security, compliance and electronic health records, the OIG has requested a $400 million FY2015 budget, an increase of $105 million, which would fund another 284 full-time positions to carry out the OIG’s audits and reviews.

“Important changes are taking place across the healthcare industry,” wrote Daniel R. Levinson, U.S. inspector general, in OIG’s 2015 work plan justification. These changes, Levinson continued, include “an emphasis on coordinated care and an increased use of electronic health records. OIG will need to adopt oversight approaches that are suited to an increasingly sophisticated healthcare system and that are tailored to protect programs and patients from existing and new vulnerabilities.”

So how does that translate to healthcare providers and healthcare organizations? Practices can expect closer scrutiny for HIPAA privacy and security compliance. Penalties have increased significantly under the new regulations. Practices can face fines up to $50,000 per occurrence—quickly offsetting or negating the EHR incentives they received.

Physicians can no longer afford to be relaxed about HIPAA compliance. They must have sound privacy and security protocols in place to protect against violations that could result in severe penalties.

A prime example occurred in July 2009, when a physician and two former employees of an Arkansas medical center pleaded guilty to misdemeanor federal charges that they inappropriately accessed the medical records of a local television anchor, thereby violating the HIPAA privacy rule. Each faces a maximum penalty of one year in prison, a fine of up to $50,000, or both.

HIPAA Compliant v. Mobile Devices

The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.

The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.

The description above may seem black and white, but the recent rise in theft of healthcare data has revealed gray areas and caused some debate among the medical security community as to what safeguards must be taken to assure that providers and staff are HIPAA compliant. Recently Beth Israel Deaconess was levied a hefty fine after a provider’s unencrypted laptop containing patient information was stolen. This incident was responsible for leaking sensitive information of more than 41 million patients. That is clearly a black and white case of negligence, which is why the fine was levied. But what if the laptop had been encrypted and the owner had been robbed at knifepoint and forced to disclose the password? Not so black and white, right? According to a recent robbery reported by Boston’s Brigham and Women’s Hospital, this is exactly what happened to one of their physicians, creating an interesting question of interpretation under the HIPAA Privacy Rule and Security Rule. This most recent incident involved the theft of two devices that contained information on 999 patients.

The armed robbery, which took place Sept. 24, was reported to the Boston Police Department, who then issued a community alert six days later. According to the police department, the physician was robbed at knifepoint and then bound to a tree. The stolen items have not yet been recovered.

“We apologize for any inconvenience and deeply regret any concern this situation may cause our patients,” said Cedric Priebe, MD, chief information officer at BWH, in a Nov. 17 press statement. “We have no knowledge that the information on these devices has been accessed, and we are reviewing related policies and procedures in an effort to determine if there are steps that may decrease the likelihood of this type of incident in the future.”

The bigger question is whether encryption alone satisfies a healthcare organization’s responsibility under the HIPAA Security Rule. According to the Department of Health and Human Services, the answer is no: encryption alone is not enough. HHS defines encryption, for purposes of the HIPAA Security Rule, as “an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key … and such confidential process or key that might enable decryption has not been breached.” The second half of that definition is the important part: the protection counts only while the key or password remains confidential, so a device whose password was surrendered under duress cannot simply be treated as secure.

This is the third HIPAA breach for BWH, according to data from HHS, and the third theft. BWH is one of the largest healthcare organizations in Massachusetts and one of the most respected. If it can happen there, it can happen anywhere. With the advances of technology and the sharing of information comes the responsibility to protect that information. The government has defined how that information is to be protected, but it is the responsibility of the healthcare organization to safeguard sensitive patient information and to put the proper precautions and mitigation plans in place to ensure security. Consult with a security expert today at EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) by contacting us at 1-800-376-0212 or contact@ehrpmc.com. Even if you have completed a Security Assessment and have a mitigation plan already in place, it’s better to have the assurance of a professional.


Failure to Encrypt A Provider’s Laptop Leads to a $100,000 Fine

Identity theft and security breaches have affected such big-name companies as Target, Home Depot and, most recently, JP Morgan, where hackers reportedly stole financial information from over 76 million households. Financial information is understandably important to safeguard, but what about your personal information, such as your medical records and Social Security number, the most coveted piece of information? A recent healthcare data breach has affected 30 million people and counting; this information, however, includes patients’ Social Security numbers, leaving some feeling more exposed than when wearing a hospital gown. Beth Israel Deaconess, in Boston, MA, can attest to how this can happen to any healthcare organization, especially when the proper training and precautions are not put in place. Beth Israel Deaconess was hit with a heavy fine this month for an incident that occurred in 2012, when a physician’s personal laptop was stolen and patient information was leaked. The Massachusetts Office of the Attorney General levied a $100,000 fine for failure to encrypt the device.

According to the Identity Theft Resource Center, healthcare data has become an increasingly frequent target, accounting for 43 percent of major data breaches reported in 2013. This year seems to be on the same pace, and a dark shadow has already been cast over 2015.

Although federal reporting rules require breach notifications, that is in my opinion too little, too late. Hefty fines are turning the heads of many larger healthcare organizations: 69 percent of health security professionals in a 2013 survey said their organization has a data breach plan in place. That’s not a number to grant a sense of ease. In fact, it’s not the 40 percent of larger healthcare organizations that are unprepared that worries me; it’s the smaller private practices that have no plan or strategy in place and, much like in the Beth Israel Deaconess incident, are still carrying my private medical information and potentially my Social Security number on a personal laptop with no encryption to secure its contents.

The moral of this story: don’t be a victim. Take HIPAA security seriously and protect your patients’ sensitive information. Talk to a security expert, get the right training for your staff and put the proper precautions in place.

Contact EHR & Practice Management Consultants, Inc. (www.ehrpmc.com) for Assistance at 1-800-376-0212 or contact@ehrpmc.com for all your security needs including encryption!

Patient Access to Electronic Health Data v. Privacy/ Security Concerns

According to a recent survey of U.S. consumers:

  • 69% of those with chronic health conditions believe patients should have the right to access all of their healthcare information
  • 51% believe that accessing their medical records online outweighs the privacy risks
  • Consumers with chronic conditions had greater privacy concerns regarding online banking (70%), in-store credit card use (69%) and online shopping (68%), than their concern over privacy of their electronic medical record (65%)
  • 87% of U.S. consumers say they want to control their health data, but 55% believe they currently do not have very much control

Source: “Majority of U.S. Consumers with Chronic Conditions Believe Accessing Medical Records Online Outweighs Privacy Risks, According to Accenture Survey,” Accenture Press Release, May 5, 2014, http://newsroom.accenture.com/news/majority-of-us-consumers-with-chronic-conditions-believe-accessing-medical-records-online-outweighs-privacy-risks-ccording-to-accenture-survey.htm