42,000 Impacted by Insurance Hard Drive Breach

A Wisconsin health insurance group has notified nearly 42,000 of its members that their protected health information may have been compromised following a HIPAA privacy breach.

Back in December, Unity Health Plans Insurance Corporation, which serves some 140,000 members, discovered a unencrypted portable computer hard drive containing health records of 41,437 individuals was missing from the University of Wisconsin-Madison School of Pharmacy. Officials say the school had this information as part of a benefits program evaluation.

Member names, dates of birth, name of prescription drugs and dates of service were contained on the device.

“(We’re) reviewing all our policies and trying to reeducate employees,” Jennifer Woomer Dinehart, spokesperson for Unity Health, told Healthcare IT News. Woomer Dinehart would not confirm or clarify what the company-wide encryption policy was.

“We are sorry this happened and want to provide pertinent information concerning the occurrence along with the steps we are taking to minimize any potential impact,” read a Jan. 30 company notice.

To date, out of the more than 80,000 HIPAA breach cases OCR has received since 2003, only 17 of them have resulted in fines thus far.

Just this past December, the five-hospital Riverside Health System in southeast Virginia announced that the PHI of nearly 1,000 patients had been compromised in a privacy breach that continued for four years. From September 2009 through October 2013, a former Riverside employee inappropriately accessed the Social Security numbers and electronic medical records of 919 patients. The breach wasn’t discovered until Nov. 1 following a random company audit.

 

Originating Source

Skype With Patients? HIPAA Says “No Go”

Oklahoma medical board sanction against Thomas Trow, MD, sparked concern over the practices of telemedicine and telepsychiatry. Using Skype, Trow conducted online video appointments and prescribed controlled substances to a patient who ultimately succumbed to an overdose. Trow never saw the patient in person before prescribing the drugs. As a result, the Oklahoma medical board published a ruling on January 16 of this year, stating that telemedicine, “Technology must be HIPAA compliant.”

With growing excitement, doctors and patients are “seeing” each other online through a range of video chat technology platforms. In fact, healthcare innovation like telemedicine is vital to the changing landscape of patient demands and government-driven insurance. For many, the Oklahoma telemedicine ruling brings welcome clarification and an opportunity to educate providers about this new way of practicing HIPAA-compliant telemedicine.

“The last thing the U.S. healthcare system needs is to abandon the idea of telemedicine,” said Daniel Gilbert, president and CEO of CloudVisit Telemedicine. “The technology has tremendously positive implications for providers and patients. To lose out because of one platform — a platform that was never designed as a medical tool — would be real detriment.”

Since the Oklahoma ruling does not specifically cite any brand names, many physicians are left wondering, “Is Skype HIPAA compliant?” Skype’s privacy policy simply states that they, “will take appropriate organizational and technical measures to protect the personal data…” and owner, Microsoft Corp.’s Business Associate Agreement (BAA) explicitly omits Skype. To better understand Skype’s security, one must turn to the Health Insurance Portability and Accountability Act (HIPAA).

  • Telemedicine is a HIPAA-compliant method for patient appointments
  • Online video appointments must be conducted via a HIPAA-compliant telemedicine platform
  • Business Associate Agreement (BAA) must exist between the healthcare provider and the company responsible for the telemedicine technology
  • The BAA must guarantee the HIPAA compliance of all measures for security practices and data encryption
  • Providers must obtain informed patient consent prior to conducting online video appointments
  • In absence of a BAA and informed consent, Skype is not HIPAA compliant

“It’s important to keep in mind that Microsoft never intended Skype to be a medical tool,” reminds Gilbert. “Beyond significant HIPAA issues, Skype has many operational shortcomings. CloudVisit provides tools for scheduling and billing, plus treatment notes and more. Skype has none of these features.”

In fact, a search of the word “telemedicine” on the Skype website comes up empty. They do not claim to be HIPAA compliant, nor do they position themselves as a resource for the medical community.

As stated, healthcare practices and patients have a lot to gain from online video appointments. The right technology can be highly effective and appropriate for follow-up care, routine appointments, and mental health consultations once a provider-patient relationship is established in person.

CloudVisit Telemedicine provides a HIPAA-compliant telemedicine and telepsychiatry platform for scheduling, conducting, tracking, and billing online video appointments with patients. CloudVisit enters into a BAA with every client.

 

Originating Source

Coming to a Medical Practice Near You: HIPAA and Hi-Tech Audits

On December 26, 2013, the U.S. Health and Human Services Office of Civil Rights (“OCR”) announced its first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. Adult & Pediatric Dermatology, P.C., (“the Practice”) of Concord, Massachusetts agreed to settle potential violations with a $150,000 penalty and corrective action plan.

In 2011, the Practice notified OCR that an unencrypted thumb drive containing the electronic protected health information (“ePHI”) of approximately 2,200 individuals was stolen from a staff member’s vehicle. OCR launched a subsequent investigation and found that the Practice had failed to conduct an accurate and thorough analysis of the potential risks and vulnerabilities of confidential ePHI as part of its security management process.  Further, the Practice did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

The Final Omnibus Rule has been discussed at length on this blog and compliance was mandated by September 23, 2013. Providers should already have policies and procedures implemented to correspond with the Final Rule, reflect current technology, and address ePHI. The OCR’s December settlement, however, serves as a startling reminder that providers of every size are being audited. No entity is too small and medical practice practitioners are gravely mistaken if they think they are off OCR’s radar.

The importance of HIPAA risk analysis cannot be stressed enough. The Practice failed to have a risk analysis and paid the costly consequences. Not only is an analysis required as the first step in HIPAA Security Rule compliance, but it is also a Core Measure of Stage 1 and 2 “Meaningful Use.”

The Practice’s troubles began over a lost thumb drive. Does your practice use thumb drives? How about laptops? Mobile phones? Have you accounted for the use and misuse of these devices in your HIPAA risk analysis?

 
Originating Source

Worker’s Reluctant to Follow Company BYOD Policy

Even at companies with BYOD (bring-your-own-device) policies, users may still be reluctant to officially register their tablets and smartphones with IT, instead preferring to covertly access the network. That’s according to a new study that shows employees are concerned about losing their personal data if they officially register their devices with the IT organization at their company. To ensure compliance with policies, managed services providers (MSPs) may need to win over small and mid-sized businesses (SMBs) employees with promises to protect personal data.

Aruba Networks, Inc. (ARUN) conducted the survey of more than 3,000 employees around the world. American respondents, specifically, fear the loss of personal data more than other regions of the world, the study revealed. Around 66 percent of American respondents claimed that they fear the loss of data, compared to the 45 percent of Europeans and 40 of Middle Easterners who felt the same.

More than 50 percent of Americans said their IT department takes no steps to ensure the security of corporate files and applications on their personal devices, a concern that has forced many employees to keep personal devices away from IT departments. Seventeen percent of Americans have not told their employers that they use a personal device for work. If you think that’s frightening, keep reading.

Eleven percent of American respondents said they would not report a compromised device, while 36 percent said they would not report leaked data immediately.

According to the survey, these numbers come from a distrust of IT departments and employee fear about what IT may do with personal data. Forty-five percent of respondents in the United States worry about their IT department’s access to personal data.

Should MSPs include policies and guarantees to customers’ employees on personal data?

There need to be incentives from the company to persuade employees to follow BYOD policy.  Furthermore, there must be a culture of transparency and trust from IT to help calm the fears workers have.

Our Mobile Device Management (MDM) solutions allow our technicians and engineers the ability to monitor and manage the mobile device but they do not have access to personal items such as text messages or pictures.  If there is ever a question of what we can or can not do, we give the client a complete tour of our MDM platform.

The importance of a highly secure IT environment coupled with the lack of adherence of workers to BYOD policies gives rise to major concerns.  Companies of all sizes need to rethink their policies and procedures regarding BYOD.  Also, ensure the MSP or IT provider is trustworthy and operates in complete transparency.  The goal is to protect your company, your IT environment, your customers and your employees.

Companies, especially small businesses, that ignore BYOD are playing Russian roulette.  Everyday workers are using secure business networks to do things on their mobile devices which are highly unsecured and dangerous to the IT environment.  For some verticals, such as healthcare, these oversights can led to a breach and bring disastrous implications.

Want to have a discussion about protecting your business and your employees?  Give us a call find out how we can help.

Do Your BA Due Diligence

Long gone are the days that you pull down a template Business Associate Agreement and everyone just signs it.  BAs may not understand the extent of their obligations under HIPAA.  You need to confirm your agreements plus check what they are really doing to comply.

I really don’t recommend blindly using a template agreement to anyone.  Make sure you know what the agreement is committing for both parties.  There are optional things in those templates that can cause problems for some businesses.  Many folks just rolled them all in there and never looked at the implications closely.

Once you have the agreement worked out, get at least a general understanding of what each BA is doing for their own compliance including BAs they use to provide services.  We use a due diligence checklist to help with the process.  Here are a few things we have learned while doing them.

IT Support Companies.  If you are trying to manage HIPAA Security requirements without some sort of IT company involved (or your own IT staff), you probably aren’t doing everything that is required.  Someone has to understand firewall logs, encryption key management, network scanning, etc.  BUT, make sure the one you do use is HIPAA compliant.  If they have admin access to all your servers they have access to everything; and they can’t do their job well without that level access.

We find that most IT companies have the security part of the rules covered, maybe not documented fully but mostly in place.  The real problem comes when you ask about anything outside the Security Rule.  They should have a training program, understand minimum uses and disclosure requirements, breach notification policies and procedures and a few more things that have nothing to do with the Security Rule.  Make sure they understand there is more to HIPAA than the Security Rule.

Collections Services.  Collections services vary widely in the data they gather.  Many of these services may not specialize in medical but make it a segment of their business.  Be very thorough with any service that doesn’t offer specific secure connections or instructions for data exchange.  When checking these guys you have to ask about Security first.  You may never even get to the things outside of security requirements before you know you have a problem.  Make sure to determine how much medical work they are doing first then ask about the rest of compliance, especially how they worry about encryption at all stages of the process.

Accounting/CPAs.  Sometimes these are also collection or billing services which may make things easier.  Think through what you do with them otherwise and make sure you understand exactly what they are doing with your patient information they may be privy to for their services.   In cases where they are simply doing accounting they may only see patient data when dealing with large balance accounts or writing refund checks.  It is still PHI.  Make sure they have a plan to protect PHI.  Also, make sure they train employees on HIPAA even if they think they are discreet enough because they have to be for everyone.

Billing Services.  These guys deal in high volumes of data moving through their offices all the time.  They usually have a decent understanding of the uses and disclosure rules but may be lax in security within their office.  Also, they have a lot of downline BAs and subcontractors in most cases just in processing services.  Make sure they have security plans in place and understand clearly what their BA and subcontractors obligations include.

Transcription.  A wide array of situations are occurring when we ask about transcription.  You need to be sure you know if they are signing your BAA but using subcontractors that may not be signing one with them.  This area can get very messy just working out who is storing data and who is accessing data.  Review every part of their set up to be sure they are covering their bases.  Make sure you check a lot of details with this BA both for a service as well as individual contractors.

Many of the compliance management tools include BA management features.  It is a very valuable tool to help you keep up with all this information and documentation.  It is hard enough to keep up with our own stuff but you have to get some info about all their stuff too.   It is important, though.

By checking on your BAs to make sure they truly understand their obligations, you better protect your patients and your business from compliance problems that aren’t under your roof.  If you have a BA that you know is a BA but they don’t want to become compliant, you have very specific steps you need to follow in order to protect your compliance status.

  • Take reasonable steps to cure the problem with the BA and get compliance in line
  • If a BA still does not comply, you must terminate the business contract on HIPAA compliance grounds.
  • If there is no other entity you can get the service provided by the non-compliant BA, you must report them to HHS.

One more thing…….  BA management isn’t just for CEs anymore.  All you BAs need to follow the same process for your BAs.

Original article authored by Donna Grindle, used here by permission.