HIPAA Compliance News and Information

Security | Privacy | Compliance | Training > www.itsalliances.com

SCOTUS' Cellphone Ruling Has Health Data Privacy Implications

iHealthBeat, Friday, June 27, 2014

On Wednesday, the Supreme Court unanimously ruled that cell phone searches conducted by law enforcement officials without a warrant are unconstitutional, in part because of the potential for phones to contain personal health care data, Modern Healthcare reports.


The ruling overturns a decision by a California state appeals court after a criminal conviction in a case, Riley v. California, and upholds a federal appeals court decision to strike down a criminal conviction in United States v. Wurie.

According to Modern Healthcare, the original convictions in both cases were obtained using data collected by law enforcement officials from the defendants' cell phones, which were confiscated at the time of their arrests. 

At issue in the Supreme Court case was whether the law enforcement officials' cell phone searches violated the Fourth Amendment, which states, "The right of the people to be secure in their persons, houses and effects against unreasonable searches and seizures."


In the opinion, Chief Justice John Roberts wrote that cell phones differ from other evidence collected and searched by law enforcement, such as a wallet, purse or car.

He noted that their data are "qualitatively different" and that cell phones have large storage abilities and are able to connect to online servers and cloud-based storage systems (Conn, Modern Healthcare, 6/26).

For example, the ruling noted that an individual's cell phone might show an "Internet search and browsing history" that could "reveal an individual's private interests or concerns -- perhaps a search for certain symptoms of disease, coupled with frequent visits to WebMD."

Further, the ruling stated that cell phones can track an individual's every movement and contain applications that could reveal "alcohol, drug and gambling addictions" or the individual's pregnancy status or desire to become pregnant (Barbash, Washington Post, 6/26).

Therefore, the court ruled that "a warrant is generally required before a [cell phone] search" (Modern Healthcare, 6/26).

Roberts wrote, "We cannot deny that our decision today will have an impact on the ability of law enforcement to combat crime." However, he added that "[m]odern cell phones are not just another technological convenience. With all they contain and all they may reveal, they hold for many Americans 'the privacies of life'" (Vijayan, Computerworld, 6/25).


Health care privacy specialists say the ruling likely will have broader implications in the health care industry.

According to Modern Healthcare, it could become a guide for privacy advocates and health care stakeholders as they grapple with consent rights over who can access patients' medical records. Jim Pyles, a principal attorney at Powers Pyles Sutter & Verville, said that the ruling "should be very good news for those of us who do believe patients should have control over who sees their health care information."

Pyles added that the ruling could affect current discussions by HHS' Substance Abuse and Mental Health Services Administration regarding potential changes to privacy protections to facilitate the sharing of substance misuse data.

Meanwhile, Adam Greene, a privacy lawyer with Davis Wright Tremaine, said he does not foresee "any immediate potential impact for the health care industry." However, he said the ruling "sets up precedent in the government having a very strong stake in protecting patient privacy above other interests" (Modern Healthcare, 6/26).

Source: iHealthBeat, Friday, June 27, 2014

Fanny Pack Mixup Unravels Massive Medicare Fraud Scheme

By Charles Ornstein ProPublica,  July 11, 2014, 7:59 a.m.

The fraud scheme began to unravel last fall, with the discovery of a misdirected stack of bogus prescriptions and a suspicious spike in Medicare drug spending tied to a doctor in Key Biscayne, Fla.

Now it's led to two guilty pleas, as well as an ongoing criminal case against a pharmacy owner.

Last year, ProPublica chronicled how lax oversight had led to rampant waste and fraud in Medicare's prescription drug program, known as Part D. As part of that series, we wrote about Dr. Carmen Ortiz-Butcher, a kidney specialist whose Part D prescriptions soared from $282,000 in 2010 to $4 million the following year. The value of her prescriptions rose to nearly $5 million in 2012, the most recent year available.

But no one in Medicare bothered to ask her about the seemingly huge change in her practice, Ortiz-Butcher's attorney said. She stumbled across a sign of trouble last September, after asking a staffer to mail a fanny pack to her brother. But instead of receiving the pack, he received a package of prescriptions purportedly signed by the doctor, lawyer Robert Mayer said last year. Ortiz-Butcher immediately alerted authorities.

Since then, investigators have uncovered a web of interrelated scams that, together, cost the federal government up to $7 million, documents show.

In February, the U.S. Attorney's office for the Southern District of Florida charged Maria De Armas Suero, who had been a secretary at Ortiz-Butcher's Island Clinic from March 2011 to September 2013, with 11 counts of conspiracy, fraud and aggravated identity theft.

Suero subsequently agreed to plead guilty to two counts of conspiracy and identity theft. In a recounting of her wrongdoing, called a factual proffer, she acknowledged using Ortiz-Butcher's paper prescriptions to "create fraudulent scripts for numerous Medicare beneficiaries ... The prescriptions falsely represented that the Medicare beneficiary was seen by [Ortiz-Butcher] and that the listed prescriptions were medically necessary."

Suero acknowledged that she was paid $100 for each prescription she generated. Local pharmacies then billed Medicare for filling the prescriptions, which were sometimes never dispensed. The false claims resulted in losses to Medicare of at least $2.5 million, the proffer said.

In March, the U.S. Attorney charged another secretary at the same clinic, Milagros Matias Ortiz, with two counts of conspiracy to commit health care fraud and aggravated identity theft. She also has pleaded guilty, acknowledging in her proffer that she created false prescriptions while she worked at the clinic from March 2011 to August 2012. She was paid $50 for each prescription.

Ortiz and Suero are set to be sentenced this month. Suero's lawyer, Rene Palomino Jr., said the doctor had no knowledge of what was going on. "Believe me if she had any knowledge about this, her name would have been in an indictment," he said.

Ortiz' lawyer, Joseph Tesmond, said his client has "accepted responsibility" for her "very minor role in this." He said she continued working at the clinic after she withdrew from the scheme, resigning in March before she was charged.

"She has been cooperating with the government since the beginning," Joseph Tesmond said. "The first time that they came to speak to her, she spoke to them at length without [legal] representation."

In May, prosecutors also charged a pharmacy owner, Luisa Isabel Vega, with conspiracy and fraud relating to Medicare claims linked to Ortiz-Butcher. Vega's AB Pharmacy in Miami was overpaid $4.2 million by Medicare from April 2011 to November 2013, according to the indictment.

In an affidavit, Daniel Crespi, a special agent with the Health and Human Services Inspector General's office, said several Medicare beneficiaries whose prescriptions were supposedly filled by AB Pharmacy denied receiving most or all of the medications. "The beneficiaries further admitted that they had been paid kickbacks by patient recruiters for allowing AB Pharmacy to submit fraudulent claims to Medicare utilizing their personal information," Crespi wrote.

Crespi's affidavit says he interviewed a physician (ProPublica data shows it was Ortiz-Butcher) who purportedly sent prescriptions for 181 Medicare patients to AB Pharmacy, but it turned out that only 17 of them were actually patients of hers. "The physician concluded that his/her signature on the prescriptions were being forged and fraudulently utilized at AB Pharmacy."

Medicare data show that 7,613 prescriptions attributed to Ortiz-Butcher were filled at AB Pharmacy in 2012, more than any other doctor.

The second highest Medicare prescriber for AB Pharmacy was a Miami physician whose tab jumped from $2.1 million in 2010 to $8.7 million the next year. (It was $8.4 million in 2012.) His most-prescribed drugs, like Ortiz-Butcher's, read like a shopping list of the brand-name pills that are most valued in scams.

In an interview last year, Ortiz couldn't recall whether the prescriptions were his, but later said he'd been aware that some bogus prescriptions had been written using his name. (He has not been charged.)

Vega, the pharmacy's owner, has pleaded not guilty. Her lawyer declined to comment, saying the case is pending.

A spokeswoman for the U.S. Attorney's office said other cases related to prescriptions attributed to Ortiz-Butcher are under investigation. Criminal cases also were brought against officials at two other pharmacies that filled the doctor's prescriptions, though they began before she uncovered the scam.

"The Suero and Ortiz cases are somewhat unique because we charged the individuals creating the fraudulent scripts," spokeswoman Michelle Alvarez wrote by email. "Most of our cases focus on those who are more directly involved in billing Part D, i.e. pharmacy owners, and those who recruit and pay patients needed to bill the Part D program."

The larger question may be why Medicare didn't spot the spike in Ortiz-Butcher's supposed prescribing and inquire about it.

Aaron Albright, a spokesman for the Centers for Medicare and Medicaid Services, said he can't discuss individual cases but said the agency has beefed up its oversight of the prescription drug program, including its use of proactive data analysis. The agency recently issued a new regulation giving itself the authority for the first time to kick abusive prescribers out of Medicare.

In a brief interview, Ortiz-Butcher said she was happy the case was being investigated and acted upon, but the effect on her has been profound. "When you trust people in your life to work with you, and that trust is violated, it leaves a sense of emptiness that's insurmountable and also makes it very difficult to trust again," she said. "That's pretty much where I'm at right now."

National Public Health Week

A Statement by Assistant Secretary for Health Dr. Howard Koh

National Public Health Week is a time to recognize progress we have made in strengthening and protecting the public health and to rededicate ourselves to the work of improving the health and well-being of Americans by preventing disease, supporting medical research, and promoting safer and healthier communities.

This year, one of the main themes of National Public Health Week, “Be Healthy from the Start,” is particularly appropriate, as we have just marked the end of the first open enrollment period of the Affordable Care Act.

The Affordable Care Act’s focus on prevention and expanding access to quality care is rooted in the concept of “being healthy from the start.” Because of the law, millions more Americans have quality affordable coverage, including preventive services, through the Marketplace or Medicaid. Not only can they get the care they need when they need it, but they can get preventive care as well, many for the first time. Already more than 100 million Americans with private insurance and Medicare have benefitted from expanded coverage of preventive services such as recommended cancer screenings without paying coinsurance or deductibles.

The Affordable Care Act also establishes the National Prevention Council, which, through the National Prevention Strategy, strives to move the nation from a focus on sickness and disease to one based on wellness and prevention across all sectors. The Council works in conjunction with the Prevention and Public Health Fund and other efforts to prevent heart attacks, strokes and cancer, reduce tobacco use, prevent obesity, combat health disparities and improve the nation’s health.

To help gauge advancements in America’s public health, the U.S. Department of Health and Human Services tracks leading health indicators via the Healthy People initiative, which provides science-based 10-year national objectives for improving the health of all Americans. (www.healthypeople.gov)

National Public Health Week is an opportunity to recognize not only the important work of public health workers in communities across our country, but also the role every citizen plays in the effort to "Be Healthy from the Start."

By taking better care of ourselves, and supporting friends and family in their efforts to lead healthier lives, we can all play an important role in National Public Health Week.


Cybersecurity: Involving Senior Leaders


April 7, 2014

To boost cybersecurity, senior leaders - whether a CEO, a board member or a government agency director - need to think of information as a critical asset worthy of protection, risk management experts Val Rahmani and Malcolm Harkins say.

Rahmani, the former CEO of computer security provider Damballa, says many of these leaders hadn't considered information as a critical enterprise asset until publicity surrounding the Target breach and other breaches surfaced. She says: "They now are trying to work out, in conjunction with the technical team: What are our assets? What do they look like? Where are we at risk?"

Rahmani explains in a joint interview with Harkins: "What they're trying to do now is really understand what are those assets, interpreted not as bytes, but in terms of the value to the business. Then, I can start thinking about who might want those assets and how they would try to go after them. And, until you've done that, you haven't even got the capability to start thinking how might I protect them."

Communicating Clearly

Harkins, chief security and privacy officer for chipmaker Intel, says CISOs and other IT security leaders should avoid technical lingo in explaining to top executives and board members vulnerabilities their organizations face.

"When you start talking about BIOS and firmware and drivers and your network infrastructure and that level of technical depth, if you're a business leader who is not in the technology space, you might not know what those words are," Harkins says. "You have to use different ways of communicating with that senior-level audience to say there is a technical vulnerability in this particular product. The specific aspects of what it is isn't relevant, but if exploited, here's what that means in terms of impact to the enterprise."

In the interview, Rahmani and Harkins also:

  • Explain how information risk can be incorporated into the overall risk management function of the board;
  • Provide examples of how to put technical risk challenges into business terms; and
  • Discuss the appropriateness of board members bypassing the chief executive to speak directly with the CISO.

Rahmani is a corporate board member, consultant and start-up adviser. From 2009 through 2013, she served as chief executive of Damballa, a computer security company focused on malware, advanced persistent threats and targeted attacks. For more than 30 years, she served in various executive positions at IBM, with her last assignment as general manager of IBM Internet Security Systems.

Harkins is an Intel vice president. Before becoming Intel's first chief security and privacy officer, he served as its CISO. Harkins also previously held roles in finance, procurement and various business operations. He has managed IT benchmarking efforts and Sarbanes Oxley systems compliance efforts.

Does IP Convergence Open You up to Hackers?


April 7, 2014

Recent reports indicate that unauthorized persons gained access to Target's network using credentials stolen from a contractor that worked on Target's refrigeration, heating, ventilation and air conditioning systems. The ongoing investigation will have to determine whether this was the root cause of the Point-of-Sale (POS) malware infection or a parallel attack. Whichever it turns out to be, it is clear that you should take steps to ensure that any access you provide to vendors cannot be abused or misused.

Kroll has seen cases that are not dissimilar. In one example, we were engaged to conduct a vendor-neutral review of a company's data security, and in the course of our penetration testing, we determined that there was an external Internet-based connection to a company that had been engaged to install and maintain a network of security sensors and cameras. This network of cameras, controllers and digital recorders, which ran over the company's corporate IT network, primarily allowed on-site security personnel to observe the camera images, steer the cameras, respond to alarms, and to control the recording of camera images.

The vendor had the ability to log into the network to maintain the camera software and diagnose problems with the security systems. We determined that there were some significant issues.

  • First, when the access account had been provisioned for the security vendor, it wasn't assigned to an individual, but to the vendor so that anyone could use it.
  • It was provisioned with an initial and trivial default password, and there was no requirement that the password be changed. In fact, we learned that it was known to a number of employees (and former employees) of the vendor.
  • There was no test in place to see if the vendor's log-in came from a known IP address associated with the vendor.
  • There was no audit to see if the access using the vendor's account was reasonable - something the company's facilities manager could easily have done.
  • The vendor was not required to maintain security controls equivalent to those of the company.
  • Finally, once in the network, an intruder with those security company credentials could pivot and reach parts of the network unrelated to the security system.

Increasing Convergence, Increasing Risk?

Over the past few years, there has been recognition of the advantages of running multiple systems over a single IP network. As network speeds have increased, it has made sense not to run parallel networks for infrastructural elements like security, environmental management and similar support systems. But we have found that in many cases, the security issues relating to these systems are not well understood, since it seems like they just use the network for data transport. Of course, as real-world cases demonstrate, it isn't that simple.

These infrastructure support systems must often be accessed by vendors as well as company personnel. Even for company personnel, there may be a need for remote access to respond to off-hour emergencies. As a result, many of these systems require that they be accessible online from outside of the company. That leads to the issue of authentication. Who has the access? How is it authenticated? Are access credentials tied to an individual, or are they just supplied to a vendor for anyone to use? Are strong passwords required and changed recently? Is account usage subject to audits?

The other issue is connectivity. Are the users of these accounts (particularly vendor accounts where they don't need access to other company online resources) limited to the specific level of access they require? Are they limited to accessing the specific devices and applications they need, or is it just assumed that's what they will do?
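The authentication and connectivity questions above reduce to checks an auditor can run over the access logs. The following added example (not Kroll's code) audits a shared vendor account against a per-vendor policy: source addresses restricted to the vendor's known ranges, destinations restricted to the camera devices the vendor maintains, and logins expected within a maintenance window. The log format, the account name and the policy values are constructed for illustration.

```python
"""Audit vendor-account logins against a per-vendor access policy.

Added example, not Kroll's code. The log format and policy fields are
constructed for illustration; adapt parse_line() to your VPN or jump-host logs.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: one line per authentication event on a jump host.
SAMPLE_LOG = """\
2014-03-10T09:12:44 user=camvendor-svc src=198.51.100.23 dst=cam-ctrl-01 result=OK
2014-03-10T23:41:02 user=camvendor-svc src=203.0.113.77 dst=cam-ctrl-01 result=OK
2014-03-11T10:05:19 user=camvendor-svc src=198.51.100.40 dst=hr-fileserver result=OK
2014-03-11T10:06:01 user=camvendor-svc src=198.51.100.40 dst=cam-nvr-02 result=OK
2014-03-11T03:15:55 user=camvendor-svc src=198.51.100.23 dst=cam-ctrl-01 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)


@dataclass
class VendorPolicy:
    account: str
    allowed_sources: list   # CIDR strings the vendor is known to connect from
    allowed_targets: set    # hosts the vendor legitimately maintains
    window: tuple = (8, 18)  # permitted local hours, [start, end)

    def __post_init__(self):
        self._nets = [ipaddress.ip_network(c) for c in self.allowed_sources]

    def source_ok(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self._nets)


@dataclass
class Finding:
    line_no: int
    reason: str
    detail: str


def parse_line(line: str):
    """Return the event as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def audit(log_text: str, policy: VendorPolicy) -> list:
    """Flag events for the vendor account that fall outside the policy."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        ev = parse_line(line)
        if ev is None or ev["user"] != policy.account:
            continue
        # Connectivity check 1: did the login come from the vendor's ranges?
        if not policy.source_ok(ev["src"]):
            findings.append(Finding(n, "unknown-source", ev["src"]))
        # Connectivity check 2: a successful session to a host outside the
        # camera system is the pivot the policy is meant to prevent.
        if ev["result"] == "OK" and ev["dst"] not in policy.allowed_targets:
            findings.append(Finding(n, "out-of-scope-target", ev["dst"]))
        # Usage check: activity outside the agreed maintenance window.
        start, end = policy.window
        if not (start <= ev["ts"].hour < end):
            findings.append(Finding(n, "outside-window", ev["ts"].isoformat()))
    return findings


# Constructed policy for the sample vendor account.
POLICY = VendorPolicy(
    account="camvendor-svc",
    allowed_sources=["198.51.100.0/24"],
    allowed_targets={"cam-ctrl-01", "cam-nvr-02"},
)

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, POLICY):
        print(f"line {f.line_no}: {f.reason} ({f.detail})")
```

The same three checks apply to an employee remote-access account; only the allowed targets and window differ, which is why the policy is a per-account object rather than a global setting.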

Windows XP Will Leave Organizations Severely Exposed

April 7, 2014

The clock is ticking - as of this week Microsoft will no longer support Windows XP. The operating system will pose an increasing risk to its users, making it more important than ever for organizations to identify and upgrade legacy systems wherever possible, or have stringent network security in place to mitigate the risks and to create a virtual "ring of steel" around the most susceptible systems. Windows XP has been a fairly stable, reliable and extremely popular operating system for over a decade now, but it really is time to put the venerable OS out to pasture.

What does the expiration of Windows XP support mean for organizations? Businesses have managed to get by just fine with Windows XP for years - "If it ain't broke, don't fix it", right? Well, the problem with that theory is that it assumes that Windows XP isn't broken in the first place, and that support will continue forever. It doesn't account for the reality. Windows XP works and runs business software, but it is less secure than its successors. Windows XP systems are compromised by 27 per cent more malware attacks than subsequent Windows versions, and resolving a malware incident on Windows XP takes an average of seven times longer. When viewed through the lens of security, it's easy to see that Windows XP is, in fact, broken.

When it comes to leaving corporate networks exposed to risk, "almost" is not good enough. If you lock all of the doors and windows on your house, but forget to lock the back door, you may as well not have locked any of them. Similarly, if you upgrade all of the PCs in the organization to Windows 7, but a rogue Windows XP machine you're not aware of is still connected to your network you're still at risk, as that lone machine represents an open back door into the rest of the network.

A rogue, unsupported Windows XP machine will eventually become a target for attackers, giving them a foothold inside the corporate network. That one compromised Windows XP system could be used to siphon information from the network or to spread malware to other systems.

It is crucial to have a complete and accurate inventory of the systems connected to your network. If businesses don't know what's out there, they can't keep it properly maintained and updated and can't mitigate the risk posed by it.

Knowing is half the battle

The first step in mitigating risks is to know which operating systems are in use within your organization. Using asset tracking solutions, businesses will be able to detect and identify lingering Windows XP systems with minimal effort and assess their risk level.

Businesses should consider custom software running on their systems. Businesses need to determine whether continued use of Windows XP will impact these custom systems in terms of ongoing support from their manufacturers and determine what changes these applications need when migrating to another OS, particularly if it is already a legacy, unsupported application.

The risk is that hackers will be able to identify holes in Windows XP that will no longer be addressed by a Microsoft patch or service pack. These potential holes for exploitation will continue to multiply over time, and as such the cost of managing a Windows XP estate will rise very quickly, both from a maintenance point of view and from the potential exploits and lost productivity.

It is recommended that organizations still using Windows XP upgrade to the latest Windows operating system, or at least to a more recent supported version, to ensure they continue to receive the latest security and stability patches. Doing so will ensure their software ecosystem is protected from known exploits. Whether businesses opt for upgrading their XP machines to a new version of Windows or look to overhaul their entire hardware estate, the cost savings will pay off in a short amount of time. For hackers, Windows XP is like a car with no alarm installed: breaking in will be easy, because the potential exploits and vulnerabilities will be known from patches issued for other versions of Windows.

2013 Florida Excellence Award Recipient

ITS Alliances Inc has been recognized as a 2013 Florida Excellence Award Recipient

Mar. 25, 2014 - ORLANDO, Fla. -- ITS Alliances Inc has been selected for the 2013 Florida Excellence Award amongst all its peers and competitors by the US Institute for Excellence in Commerce (USIEC).

Each year the USIEC conducts business surveys and industry research to identify companies that have achieved demonstrable success in their local business environment and industry category. They are recognized as having enhanced the commitment and contribution of small businesses through service to their customers and community. Small businesses of this caliber enhance the consumer driven stature that Florida is renowned for.

ITS Alliances Inc has consistently demonstrated a high regard for upholding business ethics and company values. This recognition by USIEC marks a significant achievement as an emerging leader within various competitors and is setting benchmarks that the industry should follow.

As part of the industry research and business surveys, various sources of information were gathered and analyzed to choose the selected companies in each category. This research is part of an exhaustive process that encapsulates a yearlong immersion in the business climate of Florida.

About ITS Alliances

ITS Alliances, Inc. is a leading Risk Management and Compliance Consulting company that serves clients in the Healthcare, Retail, Technology, Legal, Manufacturing and Ecommerce sectors. We’re dedicated to helping reduce risk for small to large healthcare providers and their business associates with high quality, cost-effective privacy and security compliance services delivered with actionable guidance, integrity, innovation, and knowledge sharing. We offer organizations the automated cloud-based SaaS tools and metrics needed to discover and protect their IT assets while maintaining industry best practices and meeting regulatory compliance across the HIPAA, HITECH, ISO 2700xx, SOX, PCI-DSS, and FISMA frameworks. Based in Orlando, Fla., we serve clients anywhere in the nation.


The US Institute for Excellence in Commerce (USIEC) is a leading authority on researching, evaluating and recognizing companies across a wide spectrum of industries that meet its stringent standards of excellence. It has spearheaded the idea of independent enterprise and entrepreneurial growth allowing businesses of all sizes to be recognized locally and encouraged globally.

Particular emphasis is given to meeting and exceeding industry benchmarks for customer service, product quality and ethical practices. Industry leading standards and practices have been developed and implementation of the same has been pioneered by the dedicated efforts of the business community and commerce leadership.

HIPAA Security 101: Contingency Planning


This video (Security 101: Contingency Planning) via HealthIT.gov is provided for informational purposes only. Use of this video tool is neither required by nor guarantees compliance with federal, state or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. This video (Security 101: Contingency Planning) is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

NOTE: This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers, and professionals to seek expert advice when evaluating the use of this tool.


HIPAA Security Risk Analysis

HIPAA Guidance on conducting a Security Risk Analysis.

This video via HHS is provided for informational purposes only. Please note that the information presented may not be applicable or appropriate for all health care providers and organizations. The Security Risk Analysis video is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website.

NOTE: This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers, and professionals to seek expert advice when evaluating the use of this tool.


eGestalt Launches New Risk Management Module Service for Its Flagship Aegify Cloud-SaaS IT Security & Compliance Solution

Santa Clara, CA, December 23, 2013 -- eGestalt Technologies announced it has added a risk management module, Aegify Risk Manager, that can be deployed with the award-winning company's cloud-based SaaS Aegify Security Posture Management (ASPM) and Compliance Solutions.

Call it a victory for strategic vs. ‘check off the boxes’ tactical IT security and compliance. Today, eGestalt Technologies announced it has added a risk management module, Aegify Risk Manager, that can be deployed with the award-winning company’s cloud-based SaaS Aegify Security Posture Management (ASPM) and Compliance solutions to enable an enterprise to strategically identify business-critical assets, continually assess the assets' security vulnerability, and, if necessary, fix security loop-holes and remediate based upon a rational, prioritized risk-benefit analysis achieved via rules and automated data inputs and assessments.

"Whether in healthcare, financial services, retail, e-commerce, or government markets, today's small, medium and large enterprises face security threats and must meet compliance obligations under HIPAA, HITECH, SOX, PCI-DSS, GLBA, FISMA - or else face significant fines,” said Michael Osterman of Osterman Research. "With eGestalt adding a risk management service module to its cloud-based SaaS Aegify SPM and Compliance solutions, an enterprise can cost-effectively achieve automated, 24/7 IT security monitoring and achieve compliance in a strategic manner that allows the head of IT to readily justify security expenditures to the CEO. This is an important aid in helping senior decision makers to determine how IT security affects business and the bottom line."

eGestalt offers its comprehensive, unified, continuous end-to-end automated IT security, compliance and risk management Aegify solution to managed service providers (MSPs) and value-added resellers (VARs).

Anupam Sahai, co-founder and president, eGestalt Technologies, said: “The Aegify Risk Manager represents a complete risk management solution that is cost-effective, completely automated, and integrated with the Aegify security and compliance management services. The Risk manager leverages an expert system-based approach saving time and resources, while obviating the need of being an expert in the field.”

Aegify Security, Compliance and Risk Management Features & Benefits

Aegify enables complete work flow automation to comprehensively address and manage business security, compliance and risk needs. Aegify Risk Manager features:

  • Continuous Compliance Management Extensible with Built-in Frameworks -- Supports HIPAA Omnibus, GLBA, SANS20 and many other regulations
  • Continuous Security Posture Management -- Enables IT asset discovery, vulnerability analysis and remediation
  • Continuous Advanced Risk Management -- Prioritizes security and compliance gaps using an advanced expert systems-based approach that automates mapping of security posture to compliance controls. A built-in Risk Profile Database leverages industry best practices in risk management for organization risk score calculation within minutes and in real time
  • Built-In Knowledge Base demystifies standards, while Policy Templates and Contracts can be easily customized with easy access to industry-based practices

"As a practicing physician and one of the principals of a medical practice group, I'm focused primarily on the quality of patient care, and while I recognize IT security and compliance is a necessity to protect patient data, IT security and compliance has been a kind of 'black box' to me and I have it managed by one of my office managers," said Dr. Steven Krems, a principal of Access Medical Group in Marina del Rey, California, which has for 20 consecutive years served the Los Angeles Clippers of the National Basketball Association. "With a cost-effective and transparent IT security, compliance and risk management offering made available by eGestalt, I like that my IT manager can readily explain to me specifics as to why monies need to be allocated to protect patient data and achieve compliancy."

Aegify Pricing

Aegify modules are available via managed service providers and VARs, with eGestalt establishing a suggested retail price that makes them affordable for small and medium businesses as well as large enterprises. The eGestalt solution fits a 'pay as you grow' business model.

For information about pricing and how to become a channel partner to sell any or all of the Aegify solutions, send an email to sales(at)egestalt(dot)com.

About eGestalt:

Launched in 2009, eGestalt Technologies is a leading provider of cloud-based software-as-a-service (SaaS) solutions for business IT security monitoring, vulnerability analysis, asset and risk management, penetration testing and compliance management. The company's flagship product, Aegify, is the world's first software-only solution for integrated security posture management (SPM), compliance management and risk management, and eGestalt is completely channel-focused. Headquartered in Santa Clara, Calif., eGestalt has offices in the United States, Asia-Pacific and the Middle East. eGestalt was named a 2013 'Emerging Vendor' by CRN and UBM Channel and was the winner of TiE50 2013, a prestigious award for enterprising technology startups worldwide.

Media Contacts:

Anupam Sahai, eGestalt

Michael Krems, KremsPR

$400,000 Fine for Ignoring Annual HIPAA Risk Analysis

Want to avoid a HIPAA penalty?  Check your network security!!

Do you know…

  • what a firewall is?
  • the difference between a firewall and the simple network routers most of us use at home?
  • how to properly set up network perimeter security, monitor it, and understand its reports?
  • how to monitor your Information System to identify risky behavior?
  • how to conduct a HIPAA Risk Analysis in a way that would sustain a HIPAA audit or data breach investigation?

If you answered no to any of these, keep reading for 400,000 reasons to consider getting help so you know what is going on under the skin of your network.

On May 21 the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) settled with Idaho State University (ISU) for a $400,000 HIPAA penalty because a firewall failed at a university health clinic and the resulting breach of 17,500 patient records went undetected for at least 10 months. As with other large HIPAA penalties, the triggering event, the firewall failure, led to an investigation in which OCR said ISU had failed to meet fundamental HIPAA requirements.

Every day doctors order X-rays, MRIs, CTs, ultrasounds, biopsies, blood tests, and other tests and procedures to find out what is going on under a patient’s skin. A network vulnerability assessment can determine the level of security on your network and quickly identify deficiencies that need attention.

Idaho State University HIPAA Penalty

The first four HIPAA Security Rule requirements are a Risk Analysis, Risk Management, a Sanction Policy, and an Information System Activity Review. OCR said the $400,000 HIPAA penalty for ISU was for not conducting a risk analysis for over 5 years, not implementing security measures to reduce the risks and vulnerabilities for over 5 years, and not regularly reviewing records of information system activity for over 5 years. In human terms, it took longer to detect the firewall problem than it takes to have a baby, and the university did not comply with even the first requirements of HIPAA for so long that the baby would already be in kindergarten. It sounds like a HIPAA penalty was appropriate, considering that 5 years of ignoring HIPAA is a good sign of the Willful Neglect so frowned upon by OCR.

Many of the HIPAA penalties have referenced a failure to conduct a regular risk analysis. This is the most fundamental tool required to identify where electronic Protected Health Information (ePHI) is stored, and how it enters and leaves your system. The risk analysis identifies what vulnerabilities exist, the threats that may act on them, the likelihood of a threat acting on a vulnerability, and the resulting impact. This document must be reviewed at least annually and updated whenever there is a significant change to your computing environment. The risk analysis is the very first HIPAA Security Rule requirement, and a HIPAA penalty of $400,000 sends a serious message to those who think they can ignore it.

Once you have done your risk analysis you need to create a risk management process to address the risks with the highest likelihood or the highest impact. ISU did not have one.

The University not only ignored HIPAA but also failed to monitor access to its patient data, which might have detected the firewall failure much sooner.

You probably can’t be compliant without professional help.

A risk analysis requires experience with HIPAA and a deep understanding of technology. The federal government says “doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.”

Firewalls are not even mentioned in HIPAA, but ISU paid a $400,000 HIPAA penalty because one of theirs failed. How can you penalize someone for violating a rule that doesn't exist? In fact, the rule does exist. Even without mentioning firewalls or other specific technologies, HIPAA requires that ePHI be protected from loss or unauthorized access, and that endpoints be protected from malicious software. Information System Activity Reviews need to occur regularly to identify who is accessing patient data. Guidance from the National Institute of Standards and Technology (NIST) includes information about protecting networks and specifically mentions firewalls.
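To make the Information System Activity Review described above concrete, here is an added example written for this page (it is not a tool from ITS Alliances, OCR or NIST). It reviews a handful of constructed ePHI access-log lines and flags the three things the post says went unnoticed at ISU for months: patient records reached from outside the clinic's own network (what a failed perimeter lets through), one account reading unusually many different patients' records in a day, and long silences in the audit trail, which is how a device or log feed that failed quietly tends to show up. The log format, the clinic network 10.20.0.0/16, the per-day patient threshold and the quiet-period threshold are all assumptions chosen for illustration.

```python
"""Information System Activity Review over constructed ePHI access-log lines.

Added example for this page, not code from ITS Alliances, OCR or NIST. The log
format, network ranges and thresholds below are assumptions chosen for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (hypothetical format):
#   <ISO timestamp> <user> <action> <patient id> <source IP>
SAMPLE_LOG = """\
2013-05-01T08:02:11 jdoe VIEW P1001 10.20.0.15
2013-05-01T08:05:40 jdoe VIEW P1002 10.20.0.15
2013-05-01T09:15:02 mlee VIEW P1003 10.20.1.7
2013-05-01T21:40:13 svc_backup EXPORT P1001 203.0.113.44
2013-05-01T21:41:09 svc_backup EXPORT P1002 203.0.113.44
2013-05-02T08:00:05 rkim VIEW P1004 10.20.0.22
2013-05-02T08:01:10 rkim VIEW P1005 10.20.0.22
2013-05-02T08:02:15 rkim VIEW P1006 10.20.0.22
2013-05-02T08:03:20 rkim VIEW P1007 10.20.0.22
2013-05-02T08:04:25 rkim VIEW P1008 10.20.0.22
2013-05-02T08:05:30 rkim VIEW P1009 10.20.0.22
malformed line that a real log might contain
"""

# Assumed clinic LAN; anything else touching ePHI is outside the perimeter.
ALLOWED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed thresholds; a real review tunes these to the practice's workload.
MAX_DISTINCT_PATIENTS_PER_USER_PER_DAY = 5
MAX_QUIET_HOURS = 12


def parse_log(text):
    """Turn log lines into records, sorted by time; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, patient, src = parts
        try:
            records.append({
                "time": datetime.fromisoformat(ts),
                "user": user,
                "action": action,
                "patient": patient,
                "src": str(ipaddress.ip_address(src)),  # validates the address
            })
        except ValueError:
            continue  # bad timestamp or address: not a usable audit record
    return sorted(records, key=lambda r: r["time"])


def is_allowed_source(src):
    """True when the source address falls inside one of the assumed clinic networks."""
    return any(ipaddress.ip_address(src) in net for net in ALLOWED_NETWORKS)


def review(text):
    """Return the three kinds of findings a periodic activity review should surface."""
    records = parse_log(text)
    findings = {"external_access": [], "high_volume_users": [], "logging_gaps": []}

    # 1. ePHI reached from outside the clinic network: what a failed perimeter lets through.
    for r in records:
        if not is_allowed_source(r["src"]):
            findings["external_access"].append(
                (r["time"].isoformat(), r["user"], r["action"], r["patient"], r["src"]))

    # 2. One account touching unusually many different patients in a day (snooping pattern).
    per_user_day = defaultdict(set)
    for r in records:
        per_user_day[(r["user"], r["time"].date())].add(r["patient"])
    for (user, day), patients in sorted(per_user_day.items()):
        if len(patients) > MAX_DISTINCT_PATIENTS_PER_USER_PER_DAY:
            findings["high_volume_users"].append((user, day.isoformat(), len(patients)))

    # 3. Long silences in the audit trail: a device or log feed that failed quietly looks like this.
    for prev, cur in zip(records, records[1:]):
        quiet = cur["time"] - prev["time"]
        if quiet > timedelta(hours=MAX_QUIET_HOURS):
            findings["logging_gaps"].append(
                (prev["time"].isoformat(), cur["time"].isoformat(),
                 round(quiet.total_seconds() / 3600, 1)))
    return findings


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(f"{kind}: {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

On the constructed sample the review reports the two backup exports from 203.0.113.44, the rkim account reading six different patients' records in one morning, and a twelve-hour silence in the trail. The point of the exercise is the last sentence of the post's argument: none of these needs a firewall rule to be written into HIPAA; a regular look at who touched patient data, from where, and whether the records kept arriving is what surfaces a failed control in days rather than months.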

Many health care organizations cannot afford full-time IT staff. Some choose a 'break-fix' relationship with an IT professional, calling only when they notice a problem. Like many serious health conditions, including cancer, network problems can develop silently, and, like cancer, can have serious consequences if you aren't tested.

In today's high-tech environment, with patient care relying on so many electronic systems, you need a technology relationship with a Managed Service Provider (MSP) who understands HIPAA. MSPs will not just properly set up a device; they can monitor and maintain it at a fraction of the cost of employing full-time staff. They can conduct periodic Information System Activity Reviews, and bring in compliance specialists certified and experienced in risk analysis and risk management. Most charge affordable monthly subscription-type fees and can help you feel safe that you won't be on the health care news wire because of a $400,000 penalty.

If you want to avoid a HIPAA penalty and need help, contact ITS Alliances for assistance.

HIPAA Training Made Easy to Avoid Penalty

A HIPAA Penalty Can Be Avoided Using Online Certified Training Courses

Technology can only go so far in protecting data and avoiding a HIPAA penalty, but your employees have an almost limitless ability to make mistakes, take shortcuts, or let their curiosity get the better of them, resulting in a HIPAA violation. A HIPAA penalty may even affect your ability to collect your Meaningful Use money through the Electronic Health Record (EHR) Incentive Program.

While the HIPAA Security Rule is focused on protecting electronic data, you may be surprised to learn that over 50% of the HIPAA regulations are Administrative Safeguards—policies, procedures, and training—with a smaller percentage split between Physical and Technical Safeguards. Key tools in protecting Protected Health Information (PHI) are Security Awareness and Training, focused on making sure your staff properly handles protected information in all forms—spoken, written, and electronic.

Two kinds of training are required. For managers and compliance officers, knowing about HIPAA, how to manage a compliant environment, and what to do if something goes wrong will go a long way to protecting your practice. Your general workforce doesn’t need to know details about HIPAA, just what they need to do and not do to make sure they don’t expose you to a complaint or investigation, and what will happen if they violate your rules.

Training records must be maintained as evidence to be used if you are audited or investigated for a HIPAA penalty. Even small organizations will find it easier to manage training using an online Learning Management System (LMS). This online tool makes it easy to track which employees have taken training and which ones haven't. The LMS makes it easy to train your current staff around their busy schedules and absences, and to quickly and effectively train new hires before giving them access to patient information.

HIPAA Management Training

Managers with responsibility for organizational compliance must have a basic understanding of HIPAA. They need to recognize potential problems and prevent them from happening; create procedures to ensure ongoing compliance; and must inspect your employees’ work to make sure it is compliant and not exposing your practice to a HIPAA penalty and a large fine. If there is a security incident, you must investigate and report it in accordance with state and federal regulations. 4Medapproved’s Certified HIPAA Security Professional (CHSP) training is designed for practice managers and compliance officers.

HIPAA Workforce Training

Workforce training needs to be specific and clear, explaining correct behavior. Your staff doesn’t need to know the specific regulations or what constitutes a HIPAA penalty, just your rules. Here are a few examples:

  1. Don’t use an unsecure web mail system like Gmail, Yahoo!, or Hotmail to send patient data.
  2. Don’t ever send patient data through a cell phone carrier’s text message system, because it is not secure.
  3. Never throw copies of patient information in the trash. Keep them separate so they can be shredded.
  4. Never share your password with anyone, including IT or your boss.
  5. Don’t snoop in records for patients you are not treating.
  6. If you see something that might be a violation, say something to your manager.

4Medapproved’s workforce training teaches workforce members the right behavior so they don’t create a HIPAA violation.

HIPAA Awareness

Security reminders can be effective in keeping your organization compliant. Signs saying things like “Never Share Your Password with Anyone” and “What you see here, and hear here, stays here” can reinforce the behavior you want between annual training sessions. Messages can also be displayed on computer login screens and electronic signage. Just a few words can help you avoid a HIPAA penalty.

Since 2012, HIPAA penalties have noted that the organizations whose data was breached had not trained their workforces. Large fines have been assessed, and Corrective Action Plans have been required in which training had to take place after the HIPAA penalty. It's a lot cheaper to prevent a HIPAA penalty than to pay a lot more after one.

Health Information Exchange

The Office of the National Coordinator (ONC) contracted the National Alliance for Health Information Technology (NAHIT), an organization that has since been dissolved, to create and report on key health IT definitions. Their report was published in April of 2008 and the following definitions were adopted:

Health Information Exchange (HIE) – The electronic movement of health-related information among organizations according to nationally recognized standards. (verb)

Health Information Organization (HIO) – An organization that oversees and governs the exchange of health-related information among organizations according to nationally recognized standards. (noun)

Regional Health Information Organization (RHIO) – A health information organization that brings together health care stakeholders within a defined geographic area and governs health information exchange among them for the purpose of improving health and care in that community.

Today the ONC has further adopted the use of HIE. On HealthIT.gov, the term "health information exchange" (HIE) is explained using two related concepts:

As a Verb: The electronic sharing of health-related information among organizations.
As a Noun: An organization that provides services to enable the electronic sharing of health-related information.

The State Health Information Exchange Cooperative Agreement Program is authorized by the Public Health Service Act created through the American Recovery and Reinvestment Act (ARRA). It is designed to promote health information exchange (HIE) across the health care system. Federal policies and initiatives were adopted in the belief that "appropriate and secure electronic exchange of health information will improve care coordination, clinical outcomes, and the patient experience". In March of 2010, States, eligible Territories, and qualified State Designated Entities received $564,000,000 of grants in a Federal-State Collaboration to facilitate and expand the secure electronic exchange of health information.

ONC Resources

  • HealthIT.gov Health Information Exchange provider information
  • HealthIT.gov EHR Interoperability
  • Nationwide Health Information Network (NwHIN)—a set of standards, services, and policies that enable the secure exchange of health information over the Internet.

Related Terms and Acronyms

  • CTE – Conditions for Trusted Exchange
  • FHA – Federal Health Architecture
  • HIE – Health Information Exchange
  • HIO – Health Information Organization
  • HIPAA – Health Insurance Portability and Accountability Act
  • HISP – Health Information Service Provider
  • IIHI – Individually Identifiable Health Information
  • MPI – Master Patient (or Person) Index
  • NwHIN – Nationwide Health Information Network
  • OSI – Office of Standards and Interoperability
  • RLS – Record Locator Service
  • SDE – State Designated Entity

Understanding HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to address several major health care issues, including:
  • Health insurers denied many new applicants because of pre-existing conditions and medical histories, making it difficult to change jobs because the new employer's insurance might not accept you.
  • Each insurance company maintained its own list of treatment billing codes, which was confusing for providers and resulted in denials and payment delays.
  • Providers and payers had control of medical records, and patients had no protection against the unauthorized release of their personal information.

In 1996, HIPAA required insurance companies to accept new applicants if they were currently covered by another insurer, with few exceptions. Health Insurance Portability enabled workers to change jobs and be assured that they would be covered by their new employer's health plan. COBRA was implemented enabling people leaving a job to continue their health insurance for 18 months by paying for it themselves.

Administrative Simplification established a single national standard for billing codes, reducing confusion and denials, and speeding up payments for patient care.

In 2003, the HIPAA Privacy Rule defined Protected Health Information (PHI) as any identifiable record (in any form—written, verbal, or electronic) that included treatment or diagnostic information. Patients were required to receive Notice of Privacy Practices (NPP) from their providers and health plans. Patients were given the right to limit certain access and release of their medical information. Reception areas and pharmacy counters were modified to prevent patients from overhearing confidential information. HIPAA defined 'Covered Entities' as health care providers that bill electronically, payers, and clearinghouses that process data. 'Business Associates' are people or entities that have access to PHI in the course of their work, but are not Covered Entities. Covered Entities were liable for financial penalties for violations. Criminal penalties would be pursued for the unauthorized release of PHI for harm or personal gain.

In 2005, the HIPAA Security Rule provided a framework to protect electronic Protected Health Information (ePHI) stored in computer systems. This rule required written policies and procedures, workforce training, technical systems, and physical barriers to prevent unauthorized access to patient data. The Security Rule is broken down into Administrative, Physical, and Technical Safeguards, each consisting of Standards and Implementation Specifications. The Standards and Implementation Specifications are deliberately general so that they are flexible enough for providers and payers of all sizes. Some items are Required and others Addressable, meaning a Covered Entity has the option of providing an alternate means to achieve the same goal. (Addressable does not mean Optional.)

In 2009, the HITECH Act made significant changes to HIPAA. The data breach law was modified. Business Associates must comply with HIPAA as if they were Covered Entities. Enforcement, which had been lacking, was funded, and performance incentives were given to the US Department of Health and Human Services Office for Civil Rights. State attorneys general were given authority to enforce the HIPAA civil penalties. These changes were part of a federal 'stimulus' financial package that included a $36 billion funding program offering doctors and hospitals incentives to adopt Electronic Health Record (EHR) systems. These changes were introduced in a temporary Interim Rule pending publication of the Final Rule.

In 2012, unprecedented penalties were assessed for HIPAA violations. A small medical practice paid $100,000 for using an unsecured online e-mail system for sending patient information, and for using an online calendar to track patient appointments. A hospital was fined $1.5 million when a doctor's laptop that contained unencrypted patient records was stolen. A state health department was fined $1.7 million when a hard drive was stolen.

In January, 2013, the HIPAA Omnibus Final Rule was published, providing specific requirements and deadlines to comply with the requirements of the HITECH Act of 2009. The Interim Rule was modified with changes to the data breach reporting requirements; Business Associates were not only made responsible for their own compliance and direct liability for data breaches, but are also required to ensure that any subcontractors also are compliant. Another change states that any organization that 'maintains' (stores) PHI or ePHI is a Business Associate, even if they never look at the data. The deadline for compliance with most requirements of the Final Rule is September 23, 2013.

HIPAA / HITECH Compliance Solution

A HIPAA / HITECH compliance solution for Covered Entities and Business Associates. SecureGRC is an annual Software-as-a-Service (SaaS) subscription delivered as a secure web-based cloud application. It uses a consultative approach, working independently on-site and/or remotely with C-level management or your senior staff, including the designated HIPAA Security or Compliance Officer and others as needed, to identify and evaluate security and privacy risk and to develop and execute the organization's internal compliance audit functions. Supported frameworks may include ISO 2700xx, SOX, PCI-DSS, HIPAA, HITECH, GLBA, COBIT, and FISMA.


Wellpoint, Inc. Settles HIPAA case for $1.7 million

