Is HIPAA Changing?

HIPAA law continues to evolve as technology changes and as OCR evaluates its audits and reaches new settlements with providers and business associates. (Photo is in the public domain and free for reprinting without attribution.)

The following guest blog was posted by Margaret Scavotto, JD, CHC, of Management Performance Associates on April 26, 2018 on MPA's website; with her permission we're reprinting it here.

The OCR Shared 3 HIPAA Revisions We Might See Soon

Last week, I heard Marissa Gordon-Nguyen, Senior Advisor for HIPAA Policy for the Office of Civil Rights (OCR), and Iliana Peters, formerly of the OCR and now with Polsinelli, speak about HIPAA enforcement. Here’s a summary of the tips they shared, as well as a few ways HIPAA might be changing.

Not encrypting? That’s “less and less persuasive”

Many providers struggle to decide whether to invest in encrypting electronic PHI. After all, encryption is addressable, but not required, under the HIPAA security rule. Iliana Peters advised that covered entities’ and business associates’ reasons for not encrypting “are becoming less and less persuasive” to the OCR. This is partly because encryption methods are increasingly available and affordable. And, encryption brings important security benefits to an increasingly high-risk environment.

New Guidance!

The OCR is currently developing new guidance for covered entities and business associates, addressing:

  1. Social Media
  2. Texting
  3. Encryption

While there is not a timeline for releasing this guidance, MPA will let you know when it’s available.

New Changes?

Ms. Gordon-Nguyen discussed three potential HIPAA changes that we might see soon:

  1. Presumption of good faith. The OCR is in the process of proposing a rule that would modify the Privacy Rule “to clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share information with an incapacitated patient’s family members, unless there is evidence that a provider acted in bad faith.” In the current environment, no such presumption exists.
  2. Removal of the NPP acknowledgment. OCR proposes to update the Privacy Rule to remove the “requirement that health care providers obtain from individuals a written acknowledgment of receipt of the provider’s notice of privacy practices, and if not obtained, to document its good faith efforts and the reason the acknowledgment was not obtained.”
  3. Compensation for harmed individuals. The OCR also discussed a Request for Information, seeking public input on a rule that would distribute a portion of HIPAA settlements and penalties to the harmed individuals. This has also been referred to as the “whistleblower” provision, because patients could recover from the provider if they are damaged under HIPAA.

None of these potential changes is in effect yet – but keep an eye out for rules and comment periods if you would like to provide input.

The Top 10

Wondering how the OCR would view your HIPAA compliance program? Ms. Peters shared a “top ten” list of recurring HIPAA compliance issues:

  1. Pattern of Disclosure of Sensitive Paper PHI
  2. Business Associate Agreements
  3. Risk Analysis
  4. Failure to Manage Identified Risk, e.g. Encrypt
  5. Lack of Transmission Security    
  6. Lack of Appropriate Auditing
  7. No Patching of Software
  8. Insider Threat
  9. Improper Disposal
  10. Insufficient Data Backup and Contingency Planning

Share these top ten HIPAA issues with your Compliance Committee and use them to evaluate where your HIPAA compliance effort stands.

Contact Margaret Scavotto at 314-394-2222 ext 24 or mcs@healthcareperformance.com


The HIPAA E-Tool®

The HIPAA E-Tool® also offers answers to your HIPAA compliance needs, with policies and procedures that stay up to date as the law changes. Stay informed: subscribe to our newsletter here, or call or email us at 1-800-570-5879 or INFO@HIPAAETOOL.COM.

SamSam Ransomware Continues to Threaten Healthcare Sector

Public-facing servers are believed to be the point of entry, not phishing.

Hackers have launched at least eight separate cyberattacks on healthcare and government organizations so far in 2018 using SamSam ransomware, according to the Department of Health and Human Services. 

Although SamSam was originally discovered in 2016, the criminals using it began to ramp up activity in December 2017 and have continued to increase its use in 2018. SamSam was behind the Allscripts attack, for example, as well as attacks on two Indiana-based hospitals, the Erie County Medical Center, the Colorado Department of Transportation, and the City of Atlanta, among others.

This ransomware does not work by tricking users with phishing. The attacker is believed to gain initial access to the target systems through public-facing servers with exposed remote-access services (Remote Desktop Protocol/Virtual Network Computing), then gain access to additional computers once inside the network before deploying the SamSam malware.

Healthcare is particularly vulnerable. “Due to the sector’s reliance on IT systems and the operational importance of patient data and records, the ransomware risk to the [health] sector is expected to continue for the foreseeable future,” HHS officials wrote. “Organizations are encouraged to utilize data backups and develop contingency and business continuity plans that can ensure resilient operations in the event of a ransomware event.” 

“The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification regulations require HIPAA covered entities and their business associates to safeguard protected health information (PHI). The HIPAA Security Rule requires implementation of security measures that can help entities prevent the introduction of ransomware as well as assist entities in how to respond and recover from ransomware attacks. Some of these required security measures include:

  • Conducting a risk analysis to identify and assess risks to electronic protected health information (ePHI);
  • Implementing security measures to mitigate or remediate identified risks;
  • Implementing procedures to guard against and detect malicious software;
  • Training users to assist in detecting malicious software and how to report such detections;
  • Establishing contingency plans including data backup and recovery; and
  • Developing procedures for responding to security incidents such as a ransomware attack.”

All of these prevention measures are included in The HIPAA E-Tool®. In particular, the Risk Analysis – Risk Management section provides the guidance needed about contingency plans and data backup. It’s impossible to create the backup or the contingency plan after the fact; the only way to stay safe is through prevention and planning. With The HIPAA E-Tool® your Risk Management Plan is easy to do, with step-by-step instructions and a dashboard to guide your progress (see below). All the data is archived so your work next year is easier to complete, and all of it is documented and saved, at your fingertips whenever you need it.

The new dashboard in the Risk Analysis - Risk Management section guides staff through the process, allows for stop-and-start work to completion, and helps management see progress.

Scoop - Top Targets in HIPAA Enforcement 2018


HIPAA enforcement continues in 2018. As Roger Severino, the Director of the Office for Civil Rights (OCR) said recently there is "no slowdown in our enforcement efforts," and the agency will continue with the "same enforcement mindset." He added that smaller companies should not assume they are off the radar. You may be vulnerable.

So, what should you be looking out for? Are there particular targets of enforcement you should know about? We believe there are. An analysis of the HIPAA Audits and a review of recent HHS/OCR investigations reveal six top targets for both covered entities and business associates. These are areas that continue to be missed by covered entities (CEs) and business associates (BAs) and continue to draw the attention of OCR. The conclusions and commentary by OCR in resolution agreements illustrate that its priorities will continue to focus on these six areas in 2018. Each targeted area, or vulnerability, is covered in The HIPAA E-Tool®.

  1. Risk Analysis – Risk Management
     • Failure to Manage Recognized Risk
     • Cyber Security
     • Software Security Updates & Patches
  2. Breach Notification Rule Compliance
     • Ransomware = Breach
  3. Individual’s Right of Access to PHI
  4. Covered Entities
     • Notice of Privacy Practices
  5. Compliance with Business Associate Requirements
     • For both CEs & BAs
  6. Proper Disposal of PHI/EPHI

NOTE: Each of these elements is thoroughly addressed in The HIPAA E-Tool® with easy-to-follow steps to compliance. One example is shown below: an illustration of the Risk Analysis - Risk Management Module, which guides the user through a three-step process to inventory data, equipment, workforce and business associates, and to assess and manage risks. All of it is saved to populate the Risk Management Plan, and then archived for next year, so next year's work won't duplicate everything already created; only new information needs to be added.

[Screenshot: Risk Analysis - Risk Management Module in The HIPAA E-Tool®]

No other HIPAA compliance solution is as complete or legally sound as The HIPAA E-Tool® and no other solution offers a separate and complete program designed specifically for business associates. 

Your best protection is proactive – act today.

Avoid Crippling Costs With a Risk Management Plan That Works


A Crisis Easily Avoided

All seven HIPAA violations across five entities of Fresenius Medical Care North America (FMCNA) could have been avoided if FMCNA had used The HIPAA E-Tool®. Each of the five breaches was considered small in the number of patients affected, but the collective impact resulted in a $3.5 million Resolution payment, a 5-year OCR investigation and a 2-year Corrective Action Plan (with close OCR supervision), primarily because no system-wide Risk Analysis-Risk Management Plan was in place.

As OCR Director Roger Severino said, “The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity.” (italics added; quoted from HHS)

This is just the latest reminder that a Risk Analysis-Risk Management plan is at the heart of HIPAA, and policies alone are not enough without follow-through. See our prior blog on OCR audit failures here.

Background

On January 21, 2013, FMCNA submitted five breach reports to HHS regarding breaches of its unsecured electronic protected health information (“ePHI”). Each breach report pertained to a separate and distinct incident involving loss or theft of ePHI of the FMCNA Covered Entities.

FMCNA provides centralized corporate support to the FMCNA Covered Entities involved in the breaches, including centrally storing its patients’ medical records, creating and disseminating HIPAA policies and procedures, and investigating the circumstances of each breach reported to it by the FMCNA Covered Entities.

The Violations and the Preventive Solutions

The seven violations and corresponding solutions from The HIPAA E-Tool® are cited below. 

On July 15, 2013, OCR initiated a compliance review to investigate the five breach reports. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):

Violation 1: The FMCNA Covered Entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. See 45 C.F.R. §164.308(a)(1)(ii)(A).

The HIPAA E-Tool® Solutions:

SR-1  Security Management Process

SR-2  Risk Management

RA-1  HIPAA Risk Analysis-Risk Management Policy and Procedures

Section 3  HIPAA Risk Analysis-Risk Management

Violation 2: The FMCNA Covered Entities impermissibly disclosed the ePHI of its patients by providing unauthorized access for a purpose not permitted by the Privacy Rule. See 45 C.F.R. § 164.502(a).

The HIPAA E-Tool® Solutions:

PR-8  Uses and Disclosures of Protected Health Information – General Rules

SR-1  Security Management Process

SR-2  Risk Management

RA-1  HIPAA Risk Analysis-Risk Management Policy and Procedures

BN-1  Breach of Unsecured PHI

Section 5  Introduction to the HIPAA Security Rule

Section 3  HIPAA Risk Analysis-Risk Management

Violation 3: FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard its facilities and the equipment therein from unauthorized access, tampering, and theft. See 45 C.F.R. §164.310(a)(2)(ii).

The HIPAA E-Tool® Solutions:

SR-27  Facility Access Controls

Section 3  HIPAA Risk Analysis-Risk Management

RA-2.A  Security Rule Checklist

# 30  Do you have and implement a Facility Security Plan with Policies and Procedures to safeguard the Facility and equipment from unauthorized physical access, tampering and theft?

RA-5.B  Risk Management Actions – Risks Identified by Security Rule Checklist

RA-6.D  Risk Management – Security Rule Checklist Completion

Violation 4: FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility. See 45 C.F.R. § 164.310(d)(1).

The HIPAA E-Tool® Solutions:

Section 3  HIPAA Risk Analysis-Risk Management

RA-2.A  Security Rule Checklist

# 35  Do you implement Policies and Procedures regarding the receipt and removal of hardware and Electronic Media that contain EPHI into and out of the Facility and movement of these items within the Facility?

RA-5.B  Risk Management Actions – Risks Identified by Security Rule Checklist

RA-6.D  Risk Management – Security Rule Checklist Completion

Violation 5: FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI. See 45 C.F.R. §164.312(a)(2)(iv).

The HIPAA E-Tool® Solutions:

SR-31  Access Control

Section 3  HIPAA Risk Analysis-Risk Management

RA-2.A  Security Rule Checklist

# 44  Do you implement Encryption and Decryption Procedures to Encrypt and Decrypt EPHI?

RA-5.B  Risk Management Actions – Risks Identified by Security Rule Checklist

RA-6.D  Risk Management – Security Rule Checklist Completion

Violation 6: FMC Ak-Chin failed to implement policies and procedures to address security incidents. See 45 C.F.R. § 164.308(6)(i).

The HIPAA E-Tool® Solutions:

SR-18  Security Incident Policy and Procedures

SR-19  Security Incident Response and Reporting

SR-19.A  Security Incident Report

Section 3  HIPAA Risk Analysis-Risk Management

RA-2.A  Security Rule Checklist

# 19  Do you have Policies and Procedures to address Security Incidents?

# 20  Do you have Procedures to identify and respond to suspected or known Security Incidents, mitigate to the extent possible the harmful effects of Security Incidents that are known, and document Security Incidents and their outcomes?

RA-5.B  Risk Management Actions – Risks Identified by Security Rule Checklist

RA-6.D  Risk Management – Security Rule Checklist Completion

Violation 7: FVC Augusta failed to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. See 45 C.F.R. § 164.310(b).

The HIPAA E-Tool® Solutions:

SR-28  Workstation Use

Section 3  HIPAA Risk Analysis-Risk Management

RA-2.A  Security Rule Checklist

# 33  Do you implement Policies and Procedures that specify the proper functions to be performed, the manner in which those functions are to be performed and the physical attributes of the surroundings of a specific Workstation or class of Workstation that can access EPHI?

RA-5.B  Risk Management Actions – Risks Identified by Security Rule Checklist

RA-6.D  Risk Management – Security Rule Checklist Completion

The resolution agreement and corrective action plan may be found on the OCR website here.

The HIPAA E-Tool® is affordable, accessible and thorough: the most legally rigorous and complete HIPAA compliance solution available, designed to be used by business professionals without prior HIPAA knowledge. There is no need to gamble when you have the tools to comply. If you have questions, call us at 1-800-570-5879 or email info@hipaaetool.com.

Opioid Crisis and Flexibility Under HIPAA


Clarifying Guidance

Although federal regulations appear immovable and monolithic at times, change does happen. One recent example is how the opioid epidemic led the Office for Civil Rights to clarify how health care providers can communicate with family and friends of patients who have overdosed or are incapacitated. Family and close friends are critical to any patient's health progress, and when the risks are elevated in an emergency, full communication is essential.

While HIPAA has always allowed health professionals to share health information with a patient’s loved ones in emergency or dangerous situations, the rules are often misunderstood. By emphasizing how communications are permitted rather than restricted, OCR hopes to help health care professionals provide better care for patients in danger from overdose. In October 2017, Roger Severino, the OCR Director said:

“Our clarifying guidance will give medical professionals increased confidence in their ability to cooperate with friends and family members to help save lives.”

Support for Behavioral Health

In addition to the guidance released in October, HHS and OCR in December launched an array of new tools to help combat the opioid epidemic.

These new tools, several of which are specifically related to behavioral health, include:

  • Two new HIPAA webpages for mental and behavioral health, one for consumers and one for professionals

  • Collaborations among partnering agencies within the U.S. Department of Health and Human Services to develop model programs around the use and disclosure of Protected Health Information

  • Updated guidance on HIPAA and research, as called for in the 21st Century Cures Act

  • Launch of a working group to study and report on the uses and disclosures under HIPAA of protected health information for research purposes

Flexibility and new approaches should be welcomed if it means the quality of healthcare will improve and lives will be saved. On the other hand, care will need to be taken to ensure that patient privacy remains sacrosanct. Because discrimination remains a concern, patients want to be sure that disclosures remain within the family or to approved legal representatives, not to employers, law enforcement or the public.

Avoid a Meltdown - Critical Security Information


We Are All Affected, Worldwide

The chip used in most computers, workstations and electronic devices has a dangerous flaw that makes the device vulnerable to cyber criminals. The flaw makes electronic devices susceptible to malicious software called Meltdown and Spectre. The Department of Homeland Security warns that the vulnerability will be cured only when new chips are available and installed. However, a representative of Intel, the leading chip maker, says software and firmware patches to correct the flaw should be available from chip manufacturers at some future date.

Apple is warning its customers that iPhones, iPads and Macs are vulnerable but is working to correct the flaw with patches and updates. Google, Microsoft and others have created and made some updates available and are working to create more security patches to address the risks.

Take Action Immediately

What can you and must you do now?

  • Check all your devices and install all available software patches and updates.

  • Keep checking for updates regularly. This guidance from the Department of Homeland Security includes links to vendor advisories and patches published in response to Meltdown and Spectre.

  • Beware of phishing emails that promise Meltdown or Spectre solutions. This is a common cybercriminal tactic: taking advantage of the fear created when a major security flaw is publicized. Think Before You Click. It is believed that the Spectre malware in particular is distributed when unsuspecting users click on a link in an email or in malicious advertising.

  • In some cases organizations may want to install an ad blocker. Ads are a common entry point for hackers. Individuals should consider installing ad blockers on all their personal devices.

For more in-depth information, a good article aimed at general audiences can be found here from PCWorld.

In Healthcare, Full HIPAA Compliance is a Good Defense

A Risk Analysis and Risk Management Plan required by HIPAA helps health care providers and business associates create defenses against security breaches by raising awareness, providing workforce training and creating an inventory of equipment and data, with an action plan for preparation, prevention, response and recovery. The HIPAA E-Tool® has everything needed to provide the strongest defense possible. 

Emergency Preparedness Rule – Are You Ready?


We saw heartbreaking examples of ill-prepared health care providers in Texas and Florida during hurricane season, and some of the most vulnerable are individuals served by Medicare and Medicaid in senior living facilities, FQHCs, community mental health centers and dialysis facilities.

By tomorrow, November 15, 2017, most Medicare health care providers and suppliers should be compliant with the emergency preparedness (EP) rule that was published in 2016. Failure to comply could result in loss of certification from the Centers for Medicare and Medicaid Services (CMS). These new rules are more comprehensive than prior CMS standards and are focused primarily on 1) risk assessment with emergency preparedness planning, 2) policies and procedures, 3) communication plans, and 4) training and testing.

The list of providers and suppliers contains 17 types, including Hospitals, Long Term Care Facilities, Hospices, Home Health Agencies and Federally Qualified Health Centers – the full list is here. Whether your organization is required to comply or not, a family member may receive services that are affected, and your community is certainly affected. The best preparation for natural and man-made disasters involves regional collaboration among the wider community to share resources and plans for recovery.

A core element of a full HIPAA compliance program includes a Risk Analysis and Risk Management plan that incorporates a Contingency Plan for natural and man-made disasters. The requirements outlined in the CMS rule mirror HIPAA compliance around Risk Analysis, so if an organization follows HIPAA, conducts its annual Risk Analysis and follows its own Risk Management plan, most of the work toward compliance with the new CMS emergency preparedness rule is completed. That being said, each organization should evaluate the CMS rule on its own to ensure its policies cover the bases.

There is guidance about the new rule in a number of places, including from FEMA, an organization that learns new lessons every year in response to hurricanes, flooding, drought and wildfires like those we have seen this year; FEMA's guidance is available here. The EP rule itself cites extensive additional resources.

A HIPAA compliance program like The HIPAA E-Tool® takes care of the risk assessment required by CMS. The Risk Analysis – Risk Management module is interactive, building action steps automatically as the assessment is completed. It is then archived for use the following year when the Risk Analysis must be completed again. The second and following years build on the work done in the beginning, allowing more time (and less cost) to devote to managing the facility and caring for patients.

OCR Audits Reveal Dismal Performance

For well over a year, the Office for Civil Rights (OCR) has been public about its top seven priorities in HIPAA compliance. The priorities were developed from OCR’s first Phase of Desk Audits in 2016. The Phase 2 Audits were finished recently and we now have the preliminary results which are profoundly disappointing. Two areas where entities drastically failed stand out – an individual’s Right of Access to their protected health information, and Security Management. OCR's full summary regarding all seven areas is here.

Seven Deadly Sins, Seven Simple Solutions

Our HIPAA expert, Paul Hales, J.D., has spoken frequently on the top priorities over the past year in an effort to help covered entities and business associates learn from OCR’s guidance. The HIPAA E-Tool® software contains policies and procedures to address all of them. The secret to HIPAA is that the rules are easy to follow step-by-step once you know the steps.

Although there are seven priorities, they fall into four categories, illustrated below:

[Figure: the seven OCR priorities grouped into four categories]

Unfortunately, although these hot buttons have been publicized, it appears that covered entities and business associates have not gotten the message, or are slow in finding solutions.

Right of Access

A central principle of HIPAA law is the individual’s Right of Access to their own health information, but fewer than 1% (1 out of 103) had it right. Ten entities substantially met the requirements, but a whopping 65 of them (63%) had no or negligible efforts toward compliance. 

[Figure: pie chart of Right of Access audit results, with percentages]

How can that be? One theory is that health care providers confuse the Authorization with the Right to Access, and are requiring patients to submit an Authorization form, a more cumbersome process.

The U.S. Department of Health and Human Services (HHS) warned in guidance published in 2016 that requiring an Individual to execute an Authorization in order to exercise his or her Right of Access may create an impermissible obstacle. See: Individuals’ Right under HIPAA to Access their Health Information, 45 CFR § 164.524. HHS explained the significant differences between a Disclosure of PHI to an Individual under the Right of Access, which is required by the Privacy Rule, and a Disclosure by valid HIPAA Authorization, which is permitted by the Privacy Rule. Forms for both are contained in The HIPAA E-Tool® and are specifically designed and developed from the Privacy Rule Standard.

Risk Analysis and Risk Management

Even more surprising is how poorly covered entities are faring in Risk Analysis and Risk Management. Risk Analysis and Risk Management have been mandatory for covered entities since 2005. And the Anthem healthcare data breach in January 2015 which exposed 78.8 million individuals’ protected health information should have been a wake-up call. Almost three years later the level of noncompliance in security is astounding.

No entities were found to be in full compliance with the Risk Analysis rules. Thirteen percent were found to be substantially in compliance and the remaining 87% had made minimal to no efforts toward compliance.

[Figure: pie chart of Risk Analysis audit results, with percentages]

Unsurprisingly, the Risk Management results are similar, if a little worse. Of the 63 entities audited, only one was in compliance; three were substantially in compliance, but the remaining 59 or 93% had made minimal to no efforts toward compliance. See below.

[Figure: pie chart of Risk Management audit results, with percentages]

The HIPAA E-Tool® contains an easy-to-use interactive Risk Analysis module that securely saves and archives data as it's completed. Scalable to the organization’s size, it works for one or multiple locations. Designed for use by on-staff practice managers, compliance and IT personnel it fosters an internal culture of compliance and saves the unnecessary expense of outside consultants. As the Risk Analysis is completed, it populates a Risk Management Plan with inventories, tasks, and responsible staff to carry out the Plan. The beginning page is below.

[Screenshot: beginning page of the Risk Analysis - Risk Management module]

If you suspect your organization needs guidance, take a look at The HIPAA E-Tool®. The most legally rigorous and complete HIPAA compliance product available, it contains every policy, procedure and form needed for full compliance, is always up to date, and gives step-by-step instructions in plain language so you can take control and comply with HIPAA. Privacy, Security, Breach Notification, and Risk Analysis - Risk Management are all covered, with links to the 180 HHS Audit Protocols to guide you through an audit.

For other information, including a snapshot of results from the other four topics, see the blog by our respected colleague, Margaret Scavotto, J.D. CHC, and President of Management Performance Associates.

Mega Disasters – Havoc Wreaked by Equifax

Natural and Manmade Disasters Coincide

Hurricanes vs. Equifax – Compare and Contrast

Did we really need one more piece of bad news as summer wound down? The devastation and losses across Texas, Louisiana, Florida and the Caribbean had many of us on the edge of our seats from August 25 through last weekend. From the safety of high ground in the Midwest we were not directly affected by Harvey or Irma other than a temporary surge in gas prices. But friends, relatives and customers have suffered terribly. Homes were destroyed and lives were lost. We donated money, we filled boxes with cleaning supplies and diapers to ship south, we checked in with friends. We breathed some relief – it could have been worse.


Then in marched Equifax. Not as visual a disaster, perhaps not as obviously heartrending but yes, it is a disaster of unprecedented proportion, affecting 143 million people directly - over half of American adults. It is insidious precisely because the damage is not visual and not at all obvious. The potential economic damage to millions of people is underground, perhaps not immediate, but waiting to emerge as cyberthieves find ways to use your data to enrich themselves. 

Watching your $$ and your future...

How Did It Happen?

Negligence. It now appears that the vulnerability (the open door used by hackers) was a software application Equifax uses but had failed to “patch” although the patch had been available since March. More reporting on that here.


If You Aren’t Worried, You Aren’t Paying Attention

If your personal information was not compromised in 2015 by the Anthem or IRS data breaches, it most likely is now. The Equifax breach gathered more data than either of those, and it’s all in one place, making identity theft much easier. Sensitive information stolen includes names, birthdays, addresses, Social Security numbers, and driver’s license numbers. Any of your assets that you track online are potentially available to thieves, and your ability to build and maintain good credit is at risk. This damage will last for decades. NOTE: Even if you did not use Equifax yourself, you could be affected, because Equifax tracks everybody with credit.

Recovery

Physical damage from hurricanes and floods can eventually be repaired. The rebuilding in Florida and Texas began as soon as the storms moved on and eventually will be completed. But building safety around personal data does not have an end date. In today’s world, the real story is that we have to change our thinking and change our habits: we all need to become schooled in how to foil cyberthieves, how to conduct our own Risk Management Plan. We can’t leave it up to the institutions we’ve trusted in the past. There is a lot of advice about what to do as a consumer. Here is guidance from the Federal Trade Commission.

What About Healthcare?

When it comes to protecting health information, Covered Entities and Business Associates both have a legal responsibility to conduct a Risk Analysis and implement a Risk Management Plan to reduce the chances of compromise. The HIPAA E-Tool® contains an easy-to-use Risk Analysis-Risk Management tool to enable the highest level of protection, by nudging staff to evaluate risks and to install patches as soon as they are available. It also helps inventory equipment and data, and assigns responsibility for follow-through to manage risks.

“The first Risk Analysis step of The HIPAA E-Tool's interactive Risk Analysis-Risk Management tool calls for identification of any software that has not been updated with the latest security patch. Any unpatched software identified in Risk Analysis Step 1 is automatically entered on the first set of Risk Management Action Steps.”
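As an added illustration of the Step 1 check described in the quote above (example code written for this page, not the HIPAA E-Tool's own code): a small Python script walks a constructed software inventory, flags any asset whose installed version lags the latest security patch, also flags software with no patch baseline on record (an unknown patch level cannot be assumed safe), and turns each finding into an action step with an assigned owner and a due date. Product names, versions, hostnames and owner names are all hypothetical.

```python
"""Inventory check: find unpatched software and generate risk management action steps.
Added example for this page; not the HIPAA E-Tool's code. All data below is constructed."""
import re
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    name: str        # hostname or device label from the equipment inventory
    software: str    # product whose patch level is tracked
    installed: str   # version currently installed
    owner: str       # staff member responsible for follow-through


@dataclass(frozen=True)
class Finding:
    asset: Asset
    reason: str      # why this asset was flagged


# Constructed reference data: latest patched release per product (hypothetical, not real advisories)
LATEST_PATCHED = {
    "web framework": "2.3.32",
    "database server": "10.2.8",
    "workstation os": "7.4",
}


def parse_version(version: str) -> tuple:
    """Turn '10.2.8' into (10, 2, 8) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_unpatched(installed: str, latest: str) -> bool:
    """True when the installed version is older than the latest patched release."""
    return parse_version(installed) < parse_version(latest)


def risk_analysis_step1(inventory, latest_patched=LATEST_PATCHED):
    """Step 1: identify every asset that is behind on security patches.

    Software with no known baseline is flagged too; an unknown patch level is itself a risk.
    """
    findings = []
    for asset in inventory:
        latest = latest_patched.get(asset.software)
        if latest is None:
            findings.append(Finding(asset, "no patch baseline on record"))
        elif is_unpatched(asset.installed, latest):
            findings.append(Finding(asset, f"installed {asset.installed}, latest patched {latest}"))
    return findings


def risk_management_steps(findings, today_iso: str, days_to_remediate: int = 14):
    """Turn each finding into an action step with an owner, a due date and an open status."""
    due = (date.fromisoformat(today_iso) + timedelta(days=days_to_remediate)).isoformat()
    return [
        {
            "asset": f.asset.name,
            "action": f"Patch {f.asset.software} on {f.asset.name}: {f.reason}",
            "owner": f.asset.owner,
            "due": due,
            "status": "open",
        }
        for f in findings
    ]


def sample_inventory():
    """Constructed inventory used for the demonstration."""
    return [
        Asset("billing-web-01", "web framework", "2.3.30", "IT - J. Doe"),
        Asset("ehr-db-01", "database server", "10.2.8", "IT - J. Doe"),
        Asset("nurse-station-02", "workstation os", "7.3", "Facilities - A. Roe"),
        Asset("front-desk-01", "workstation os", "7.4", "Facilities - A. Roe"),
        Asset("lab-analyzer-01", "analyzer firmware", "1.0", "Lab - B. Lee"),
    ]


if __name__ == "__main__":
    findings = risk_analysis_step1(sample_inventory())
    for step in risk_management_steps(findings, date.today().isoformat()):
        print(step)
```

Running the script on the sample inventory produces three open action steps: the web framework and one workstation are behind on patches, and the lab analyzer has no patch baseline on record, so someone is assigned to establish one. In practice the inventory would come from the organization's equipment and software records, and the reference versions from vendor advisories.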

Identifying risks, and setting action steps to manage them, is easy with an interactive Risk Analysis - Risk Management tool within The HIPAA E-Tool®.

Is HIPAA Suspended During a Hurricane?

The short answer is “no.” But the full answer is more mixed.

The U.S. Department of Health and Human Services (HHS) learned lessons during Hurricane Katrina (2005), Hurricane Sandy (2012) and the Ebola crisis (2014-16) that have guided its policies around exceptions to the Privacy Rule during disasters. 

HHS Bulletins Provide Guidance

Hurricane Harvey's destruction may surpass that of Katrina and Sandy, and HHS has just today issued a Bulletin outlining its policy on waivers for hospitals in Texas and Louisiana. HHS issued Bulletins during other emergencies, including two in 2005 resulting from Hurricane Katrina, one in 2013 related to law enforcement, and one in 2014 related to privacy in emergency situations. All of these Bulletins and additional guidance may be found here: HHS Bulletins and Guidance.

During a public health emergency or disaster, there are exceptions to HIPAA that permit covered entities like hospitals to share protected health information with other providers, public health authorities and certain other designated parties. On the other hand, even during a disaster, the majority of HIPAA requirements remain in effect, so covered entities must remember they are responsible for fulfilling their HIPAA obligations even in the midst of a disaster.

No Excuse for Social Media Photos Posted by Covered Entities

In the last several days, pictures of nursing home residents and patients in Texas have been posted on Facebook and other social media by health care providers. Whether intended as an appeal for help or for publicity, and even if well intentioned, these are blatant violations of patient privacy that the emergency does not justify.

The HIPAA Privacy Rule Is Not Suspended

HIPAA still applies during a public health emergency. However, if the President declares an emergency or disaster, and the HHS Secretary declares a public health emergency, then the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain HIPAA provisions. On August 27, Secretary Tom Price declared such a public health emergency in Texas. The waivers apply to the following HIPAA Privacy Rule provisions.

  • the requirement to obtain a patient's agreement to speak with family members or friends involved in the patient’s care.
  • the requirement to honor a request to opt out of the facility directory.
  • the requirement to distribute a notice of privacy practices.
  • the patient's right to request privacy restrictions.
  • the patient's right to request confidential communications.


Note, this type of waiver only applies: