Web-Tones

IDAHO State University Gets Whacked with $400K HIPAA Fine!

2013-05-22T08:39:34-04:00

See below. Expect this to be par for the course anytime a significant breach happen, and they are going to happen all the time over the next 3 to 5 years. $50K would have bought a significant amount of compliance protection. Now ISU will pay that (or more) and still have to pay $400K to HHS. I would venture to say that HHS simply let ISU off the hook for Privacy Rule violations that they likely found.

You can expect that the worse may not be over for ISU. Some enterprising law firm will file a class action lawsuit and, in any case, ISU has to pay the costs of notification. If the Ponemon institute is correct about the cost per record this will be a significant chunk of change,

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Idaho State University (ISU) has agreed to pay $400,000 to the U.S. Department of Health Human Services (HHS) for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. This settlement involves the breach of unsecured electronic protected health information (ePHI) of 17,500 individuals who were patients at an ISU clinic.

The Office for Civil Rights (OCR) opened its investigation after ISU notified HHS that the ePHI of approximately 17,500 individuals was accessible at its Pocatello Family Medicine Clinic because an ISU server firewall was disabled. OCR investigators found that ISU did not apply proper security measures and policies to address risks to ePHI and did not have in place procedures for routine review of information system activity which could have detected the breach in the firewall much sooner. Overall, ISU failed to ensure the uniform implementation of required Security Rule protections at each of its covered clinics.

The Resolution Agreement can be found on the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/isu-agreement.html.

A Business Associate Just Notified You of a Serious Breach: What now?

2013-05-01T10:54:56-04:00

This article provides guidance regarding what to expect, and what you should do, once a Business Associate has notified you of a breach. By now, you should already have a plan in place that helps you respond to this dreaded predicament. However, we know from experience that many of you don't, and even if you do, read on, you may learn something new.

The approach we take in the article is to use the breach notification process as a backdrop to point out a number of "holes" you may have in your HIPAA/HITECH compliance initiative, ones that you are likely not even aware of.

Tracking Security Incidents?

The term "security incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. An attempt qualifies as an incident.

If you are not rigorously tracking incidents, then you can't possibly know when you have a breach. One of the first questions that an HHS auditor is going ask is "show me the system (i.e. the policies, processes and tracking mechanism) your organization uses to track security incident?" If you can't adequately answer this most basic of questions, you may be in willful neglect land five minutes into the audit.

Ok, so let's assume that for the purpose of this article you, as the covered entity, have a state of the art security incident tracking system in place. What we really want to know is "What kind of tracking system does your business associate have in place?" If the answer is "we don't have a clue," then may the HIPAA gods help you if it turns out that in fact, despite "catching" this incident, there is no business associate system in place at all.

How Do You Know It's a Breach?

In order to determine whether Breach Notification is triggered you need to follow a methodology that is mandated by the Breach Notification Rule ("Rule"). Although the Rule contains a basic methodology that is inherent in its text, it is not presented as such in the regulations. HIPAA/HITECH remain descriptive as opposed to prescriptive. That is, the regulations inform you as to what is required, but have very little (mostly nothing) to say about how you should go about complying.

The methodology consists of a three part analytical framework which we turn our attention to next. Although the framework only consists of three parts, it is significantly more complex than it first appears.

SIgnup for our FREE Newsletter or wait until it appears in the archives to read the rest of the article.

Mobile Devices under HITECH Training Module Now Available

2013-04-17T15:51:54-04:00

Digital Download

Omnibus Rule Ready™

Our Mobile Devices under HITECH Training Module is now available in the HSG Store. Our Subscribers get this product, like all our new products and updates, as part of their Subscription Plan.

Mobile Devices Under HITECH – Our Mobile Devices Under HITECH Training Module gets you up to speed on how Mobile Devices have impacted the HIPAA Rules including: 1) the HIPAA Security Rule; 2) the HIPAA Privacy Rule; and 3) the Breach Notification Rule. We walk you through Mobile Device (phones, pads, laptops, etc.) challenges created by locally stored PHI, asset management, bring your own device ("BYOD"), wireless networks and audits, as well as the best practices that help you meet these challenges. It short, we present an overiew of what your mobile compliance initiative ("MDI") should consist of, keeping in mind that most PHI data breaches occur as a result of Mobile Devices.

Excellent Summary of Patients' Access Rights Under HITECH/Omnibus Rule!

2013-04-10T08:38:26-04:00

This article does an excellent job of summarizing the new and/or modified access rights that patients now have under HITECH as finalized by the Omnibus Rule.

As the articles suggests, almost universally CEs and BAs will need to retrain staff and implement processes that were "minimalist" or did not exist at all heretofor. For many reasons, but primarily because HIPAA was an unenforced paper tiger before HITECH, CEs and BAs that believed they were "mostly compliant" are in for a rude awakening.

Hopefully for these organizations it is not an HHS Audit or a lawsuit that awakens their slumber.

Google Reader Gone & Google Basks in its own Ignorance!

2013-04-04T09:00:09-04:00

Google has announced that Google Reader will no longer be after July 1, 2013. This is proof that Google doesn't get how its products are used by enterprises large and small. Thousands of businesses (probably hundreds of thousands) have made Reader an integral part of their information gathering strategy. In short, it is used as a way to keep up with the industry they operate in (in my case a certain niche within the legal industry). For me it's integral to how I run my practice.

I also use Google Apps to run a part of my practice. I now have a lot less faith that Apps is here to stay for the long run. Here's the point, now that Google has broken trust with its users, why would any business person in their right mind commit to another Google product for its business?

This is by far the most stupid

decision made by an enterprise

information technology company

in thirty years...

This is a decision made by clueless/arrogant engineers that are now too rich to remotely identify what it means for a business to commit to something that is mission critical. To add insult to injury, despite the fact that it is not July 1, 2013 yet, Google has removed access to Reader from Gmail. They appear to be celebrating their own ignorance by pissing off millions of users even more.

Web-Tones

IDAHO State University Gets Whacked with $400K HIPAA Fine!

A Business Associate Just Notified You of a Serious Breach: What now?

Mobile Devices under HITECH Training Module Now Available

Omnibus Rule Ready™

Excellent Summary of Patients' Access Rights Under HITECH/Omnibus Rule!

Google Reader Gone & Google Basks in its own Ignorance!

This is by far the most stupid

decision made by an enterprise

information technology company

in thirty years...

The 'Do no Evil' slogan has now

been replaced with 'We are Google'

we are free to be

as stupid as we

want to be!