Step Up Your Game in HIPAA Compliance


Now is a Perfect Time

Three priorities will take you a long way toward improving your HIPAA compliance. Taking cues from security experts and the Office for Civil Rights (OCR) enforcement over the past year, our three suggestions are: 1. Complete (or refresh last year’s) Risk Analysis, 2. Review your breach notification policies and 3. Ramp up workforce training.

Risk Analysis-Risk Management

OCR requires that Risk Analysis be continuous and ongoing, and updated as needed (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)). The Risk Analysis uncovers issues that need to be addressed, leading to a Risk Management plan that can be implemented as time and resources permit. You don’t need to get an “A”; you just need to do it honestly, producing a candid assessment and a plan to improve.

The two key elements to a successful Risk Analysis are:

  • It is more than a “Security Risk Assessment”. This is a common misunderstanding, causing people to focus only on electronic records. Yes, the EHR system should have security safeguards to help maintain HIPAA compliance, but the overall Risk Analysis-Risk Management Plan includes an inventory of non-electronic information, a physical site assessment, workforce training, and business associate review (for covered entities).

  • The Risk Analysis needs to be site specific. For organizations with more than one site, this means that each location should be evaluated on its own because the physical layout, workforce members and risks are different.

The HIPAA E-Tool® has step-by-step guidance to help you do your own Risk Analysis without expensive outside help. Once you complete your first one, you archive it with one click and it’s ready for review next year (see Note [1] below). Each year after the first one is easier, and our customer service guarantees you won’t get stuck – we help you when you need it!


Breach Notification

The key here is to do everything possible to prevent breaches from happening. According to the 2018 Verizon Data Breach Report, more than half of all data breaches in the healthcare industry are caused by insiders (more than other industries). Motives are most often financial gain, followed by curiosity. How are these prevented? Through training, and sanctions against workforce members who don’t comply.

Outside threats still account for huge numbers of breaches and are expected to increase in 2019. Experts predict there will be more sophisticated and believable “spear phishing” attacks on all devices, including phones and tablets. They will involve more complex technology and will include some sponsored by foreign states. The best prevention involves awareness and training.

Breach Notification policies and procedures in The HIPAA E-Tool® guide you through what to do when a breach occurs – how to report it internally, and to whom. Compliance staff and management need to know how to analyze whether it’s reportable to OCR, and if so, what other steps need to be taken. Some states have more stringent requirements regarding Breach Notification and The HIPAA E-Tool® has a table of state laws for quick reference. Take the guesswork out of handling a Breach with our Breach Risk Assessment tool.


Workforce Training

Not only is training required by HIPAA, but an educated workforce is the first and best defense against noncompliance and outside security threats. Do not forget to provide training to the C-Suite. Top executives and Boards of Directors are being held accountable for HIPAA compliance by OCR, not just compliance staff.

Management and the wider workforce need to understand basic HIPAA concepts to foster a culture of compliance. This includes how to interact with patients, family members and the press, but also security awareness to avoid cyber-attacks like phishing. Finally, workforce training is included in The HIPAA E-Tool® for both the basics and for security awareness.


The most complete, authoritative and affordable HIPAA compliance solution is within reach at The HIPAA E-Tool®. It is easy to use, and backed up with friendly, reachable customer service staff to answer your questions. Check us out at

NOTE [1] The Centers for Medicaid & Medicare Services (CMS) mandates covered entities seeking financial incentives to conduct a HIPAA Risk Analysis once a year. HIPAA regulations require “ongoing and continuous” Risk Analysis - Risk Management. A minimum of once a year has evolved as a best practice due to the CMS requirement, although if an organization is not seeking financial incentives through CMS, a Risk Analysis once a year is not mandated but is recommended, and may be required more often if circumstances change (e.g., new systems or equipment, a security incident).

$16M Anthem Settlement: Our Take

Dollars plus Resolution Agreement plus 2-year Corrective Action Plan…

On October 15, 2018 OCR announced a $16 million settlement with Anthem over the 2015 breach of 79 million individuals’ protected health information. It’s the largest settlement amount in OCR history, and the largest healthcare data breach to date since HIPAA was implemented. In addition to the dollar payment, Anthem signed a Resolution Agreement and is also subjected to a two year Corrective Action Plan.

Paul Hales, J.D., the author of The HIPAA E-Tool® has been answering questions this morning from the press about his take on the settlement, and we are publishing an excerpt of those Qs and As here.

Q: What do you think about the penalty amount?

  • The $16 Million Resolution Amount is eye-catching evidence of OCR’s commitment to enforce HIPAA.

  • Anthem would be liable for a significantly larger civil money penalty if it did not settle – and is still liable if it fails to meet OCR’s Corrective Action Plan requirements.

Q: What do you think about the OCR findings?

  • OCR’s findings, beginning with Anthem’s failure to perform an accurate and thorough Risk Analysis, are not surprising.

  • Failure to perform Risk Analysis and manage identified risks is the most serious HIPAA violation among Covered Entities and Business Associates of all types and sizes.

  • Risk Analysis and Risk Management is the basis of a HIPAA compliance program.

  • Phase II Audit findings indicate failure to perform Risk Analysis – Risk Management is at the heart of our national health privacy information crisis with more than 177 Million Americans affected by a breach of their protected health information since record-keeping began in September, 2009.

  • OCR Director Roger Severino pledged to focus enforcement on egregious cases. It’s noteworthy that both the Anthem and Fresenius Resolution Agreement (of February 1, 2018) emphasize the importance of enterprise-wide Risk Analysis. Risk analysis is site-specific.

Q: What are the big lessons here for other Covered Entities and Business Associates?

  • The HIPAA Rules are a blueprint to protect your organization and an individual’s protected health information you create, receive, maintain or transmit.

  • Enterprise wide, site-specific Risk Analysis and Risk Management are essential.

  • Safeguards to address identified risks and threats must be established or strengthened as appropriate.

  • HIPAA policies and procedures must be reviewed and revised as appropriate to incorporate necessary safeguards and comply with the HIPAA rules.

  • Workforce members must be trained to follow the organization’s HIPAA compliance policies and procedures.

Q: Did the U.S. ever identify who was behind the attack and why? There had been rumors about China gathering intelligence on U.S. citizens. Do we have any confirmation of that?

  • The California Department of Insurance states an investigation conducted by Alvarez & Marsal Insurance and Risk Advisory Services, LLC determined with a high degree of confidence the identity of the attacker and concluded with a medium degree of confidence that the attacker was acting on behalf of a foreign government. It does not identify the foreign government. See here and also here and more here.

  • News reports indicate the malicious software was a variant of “Sakula” developed in China. On August 21, 2017 Yu Pingan was indicted in the U. S. District Court for the Southern District of California and alleged to be a malware broker in the People's Republic of China who employed “Sakula” to attack U. S. computer systems. Here is the complaint against Yu Pingan in federal court.

  • I am not aware of any public statement by government authorities or others that the Chinese government instigated the Anthem attack.

Anthem’s Resolution Agreement and Corrective Action Plan can be found here.

If you have questions about the significance of the Anthem settlement, or what it might mean for your organization, whether you are a covered entity or a business associate, let us know. or 1-800-570-5879

HIPAA During Hurricane Florence

Hurricane Florence on September 12, 2018

HIPAA is NOT Suspended During Emergencies

Hospitals and public health agencies roll into action during disasters. Working with FEMA, other public agencies and the private sector, all collaborate to protect the health and safety of individuals who face risks and injury. Time is short and personnel may be overworked. And while HIPAA remains in place, the Department of Health and Human Services (HHS) recognizes that certain provisions should be waived to help hospitals care for patients and connect patients with their families.

Although HIPAA is not suspended when a public health emergency is declared, several provisions of the Privacy Rule are waived or suspended for a limited time, for hospitals. Otherwise HIPAA remains in effect, and once the time period has ended, the suspended provisions are back in effect. The suspension rules are simple.

Disaster Bulletin from HHS

Quoting from this week’s disaster bulletin from the HHS:

The Secretary of HHS has declared a public health emergency in North Carolina, South Carolina, and Virginia following the President’s declaration that a disaster exists in the area as a result of Hurricane Florence. Under these circumstances, the Secretary has exercised the authority to waive sanctions and penalties against a covered hospital that does not comply with the following provisions of the HIPAA Privacy Rule:

• the requirements to obtain a patient's agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).

• the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).

• the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.

• the patient's right to request privacy restrictions. See 45 CFR 164.522(a).

• the patient's right to request confidential communications. See 45 CFR 164.522(b).

When the Secretary issues such a waiver, it only applies:

(1) in the emergency area and for the emergency period identified in the public health emergency declaration;

(2) to hospitals that have instituted a disaster protocol; and

(3) for up to 72 hours from the time the hospital implements its disaster protocol.

When the Presidential or Secretarial declaration terminates, a hospital must then comply with all the requirements of the Privacy Rule for any patient still under its care, even if 72 hours has not elapsed since implementation of its disaster protocol.

The entire Bulletin is here.

The HIPAA E-Tool® Guidance

The Risk Analysis - Risk Management module of The HIPAA E-Tool® provides everything needed to document a Risk Management Plan, with step-by-step guidance on how to get it done. A disaster protocol is one element of such a Plan, and the first requirement for hospitals to take advantage of the Privacy Rule waivers during a disaster. A HIPAA Compliance program is not complete without policies for all of the HIPAA Rules, workforce training, and an annual Risk Analysis - all at your fingertips in The HIPAA E-Tool®.

OCR Has Collected Almost $80 Million Through Enforcement


The Office for Civil Rights (OCR) has been busy enforcing HIPAA since the Privacy Rule came into effect in 2003. OCR has settled or imposed a civil money penalty in 55 cases resulting in a total dollar amount of $78.8 million in the last fifteen years. Many other investigations resulted in corrective action plans or technical help to bring the covered entity or business associate into compliance. Many simply didn't have the tools to begin with.

OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

The Big Issues

The compliance issues investigated most are, in order of frequency:

  • Impermissible uses and disclosures of protected health information;
  • Lack of safeguards of protected health information;
  • Lack of patient access to their protected health information;
  • Lack of administrative safeguards of electronic protected health information; and
  • Use or disclosure of more than the minimum necessary protected health information.

A "HIPAA Compliant" EHR Program is Not Enough

Four out of the five issues named are not centered around electronic records but are related to the overall approach that depends on a “culture of compliance” within an organization. Do staff understand what kind of use or disclosure is permissible? Is the workforce trained in the meaning of the minimum necessary standard? When patients request their own PHI, do they receive it in a timely fashion?

A Complete Approach

The HIPAA E-Tool® has it all. Every Policy, Procedure and Form for the Privacy, Security and Enforcement Rules, a Risk Analysis module, and Workforce Training to help staff understand what they need to know to maintain a culture of compliance. Take action now to get in front of the issue, and don’t get caught short in case a complaint or investigation comes your way.

For more information see the Department of Health and Human Services Enforcement Highlights here.

Wearable Tech Triggers HIPAA


Does HIPAA Apply?

Your FitBit, Smartwatch or hearing aid, if not connected or communicating to a healthcare provider, is not affected by HIPAA. But when you provide the data to a doctor or a health plan, HIPAA kicks in. The responsibility for compliance is on the provider or the health plan, and those organizations should make sure they comply with HIPAA.

Business Associates

A potential gap in protecting privacy is represented in the number of business associates connected to patient data. Business associates of healthcare providers and health plans also need to comply with HIPAA. Those are the entities that create, receive, maintain or transmit protected health information on behalf of healthcare providers and health plans. In wearable tech, that's a lot of organizations who are just beginning to develop HIPAA compliance programs. Think Apple, AT&T, Google, Cisco, IBM, Verizon and Amazon.

Value of Wearable Tech

The use of wearable technology is expected to grow because it can improve health outcomes. Studies have shown that remote monitoring can reduce the risk of predictable conditions, like stroke. The Journal of the American Medical Association on July 10 published the results of a study aimed at reducing strokes by monitoring patients with atrial fibrillation. The wearable device was much more likely to detect atrial fibrillation quickly, allowing for immediate intervention and saving lives. More info about the studies here. Some patients are initiating the sharing of their information with their healthcare providers, and insurance companies are beginning to request that PHI be shared. As home health and chronic disease management become more prevalent, the growth in this market will be driven by improved outcomes, convenience and cost reductions. One report projects growth from $4.36 billion in 2018 to $6.59 billion by 2023.


The security of electronic transmission is more critical with wearable devices in healthcare. Introducing multiple entities and transmission pathways multiplies the opportunities for theft through hacking. All the business associates who make this possible, and every covered entity using the data, need to understand their HIPAA responsibilities and take steps to protect the privacy of the patients the new technology is designed to serve.

Botnet Report - Strategies for a Worldwide Response to Cybercrime


Cybercrime is increasing at a rapid pace, interfering with business operations, costing millions, breaching privacy and threatening national security. Our federal government is addressing the growing threat with recommendations on how to respond. The 50-page Report[i] released May 30, 2018, calls for international cooperation and partnerships across the private and public sectors.

But the key takeaway, in our opinion, is that all of us have a responsibility to participate by learning more and implementing preventative measures. Individual consumers at home, and managers in small and large organizations need to play a role by educating themselves and taking action. In healthcare, a strong HIPAA Compliance program that includes Risk Management is the best prevention available.

What is a Botnet?

Stemming from the words “robot” and “network”, a botnet is a network of compromised devices (“robots”) used to commit cybercrime. One particularly damaging technique is a “distributed denial of service”, or DDoS, in which a botnet is used to overwhelm a network or a website with traffic and simply shuts it down. Good articles explaining botnets here and here.

Criminals today want to infect and control as many connected devices as possible. The payoff may be in currency (ransomware), private data (healthcare data is 50x as valuable as social security or credit card numbers), political or social disruption (attacks on voting systems, spreading of fake news through social media), or a combination. Attacks on cities are becoming more common – Atlanta and Baltimore experienced DDoS attacks recently – made possible through the use of botnets. The larger the network, the bigger the payoff.

But small networks are vulnerable too. Attacks are automated, reaching across the Internet at lightning speed and are reaching into our homes and personal devices. The picture we so often see of one hacker in a hoodie in a dark room on a keyboard is misleading – the threat is an army of robots on constant attack, not caring where it lands.

The Report Describes the Landscape and Calls for Action

The Report focuses on six principal themes and five goals. The problem is a global one and, while work is underway to mitigate the risks, more needs to be done. There are tools available to prevent attacks, but many individuals and organizations do not understand the risks or haven’t taken steps to protect themselves. Goal 5 of the Report is Increase Awareness and Education Across the Ecosystem. That’s where you come in.

You Can Make a Difference

Healthcare organizations are particularly vulnerable because patient data is the gold standard for criminals selling private data on the black market. While the cybercrime crisis can seem insurmountable, there are steps you can take. Guidance on how to maximize your defenses, at home or in your organization: update your software and always install the recommended patches; maintain a quality anti-virus and anti-malware program on all of your devices; and back up your data. In the workplace, security workforce training is essential.

In The HIPAA E-Tool®, numerous policies directly address the Report’s Goals.

The Security Rule section provides for Administrative, Physical and Technical Safeguards in protecting patient data. For example:

  • Security Workforce Training and Awareness in Policy SR-13
  • Protection from Malicious Software in Policy SR-15
  • Data Backup Plan in Policy SR-21
  • Transmission Security in Policy SR-35

The Risk Analysis-Risk Management section contains step-by-step instructions to create a robust Risk Management Plan (in line with NIST standards and the Security and Privacy Rules). The Plan is easy to archive and update every year.

The best defense against cybercrime in healthcare is a sound HIPAA Compliance Program. The HIPAA E-Tool® provides everything needed to prepare for and prevent hackers from stealing data or shutting down your business. Follow HIPAA, educate yourself and train the workforce, conduct an annual Risk Analysis, follow the Risk Management Plan, and you will be in the best position possible.

[i] On May 30, 2018, the Departments of Commerce and Homeland Security released the final Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.

Is HIPAA Changing?

HIPAA law continues to evolve as technology changes and as OCR evaluates its audits and reaches new settlements with providers and business associates. (Photo is in the public domain and free for reprinting without attribution.)

The following guest blog was posted by Margaret Scavotto, JD, CHC, of Management Performance Associates on April 26, 2018 on MPA's website - with her permission we're reprinting it here.

The OCR Shared 3 HIPAA Revisions We Might See Soon

Last week, I heard Marissa Gordon-Nguyen, Senior Advisor for HIPAA Policy for the Office of Civil Rights (OCR), and Iliana Peters, formerly of the OCR and now with Polsinelli, speak about HIPAA enforcement. Here’s a summary of the tips they shared, as well as a few ways HIPAA might be changing.

Not encrypting? That’s “less and less persuasive”

Many providers struggle to decide whether to invest in encrypting electronic PHI. After all, encryption is addressable, but not required, under the HIPAA Security Rule. Iliana Peters advised that covered entities’ and business associates’ reasons for not encrypting “are becoming less and less persuasive” to the OCR. This is partly because encryption methods are increasingly available and affordable. And encryption brings important security benefits in an increasingly high-risk environment.

New Guidance!

The OCR is currently developing new guidance for covered entities and business associates, addressing:

  1. Social Media
  2. Texting
  3. Encryption

While there is not a timeline for releasing this guidance, MPA will let you know when it’s available.

New Changes?

Ms. Gordon-Nguyen discussed three potential HIPAA changes that we might see soon:

  1. Presumption of good faith. The OCR is in the process of proposing a rule that would modify the Privacy Rule “to clarify that healthcare providers are presumed to be acting in the individual’s best interests when they share information with an incapacitated patient’s family members, unless there is evidence that a provider acted in bad faith.” In the current environment, no such presumption exists.
  2. Removal of the NPP acknowledgment. OCR proposes to update the Privacy Rule to remove the “requirement that health care providers obtain from individuals a written acknowledgment of receipt of the provider’s notice of privacy practices, and if not obtained, to document its good faith efforts and the reason the acknowledgment was not obtained.”
  3. Compensation for harmed individuals. The OCR also discussed a Request for Information, seeking public input on a rule that would distribute a portion of HIPAA settlements and penalties to the harmed individuals. This has also been referred to as the “whistleblower” provision, because patients could recover from the provider if they are damaged under HIPAA.

None of these potential changes is in effect yet – but keep an eye out for rules and comment periods if you would like to provide input.

The Top 10

Wondering how the OCR would view your HIPAA compliance program? Ms. Peters shared a “top ten” list of recurring HIPAA compliance issues:

  1. Pattern of Disclosure of Sensitive Paper PHI
  2. Business Associate Agreements
  3. Risk Analysis
  4. Failure to Manage Identified Risk, e.g. Encrypt
  5. Lack of Transmission Security
  6. Lack of Appropriate Auditing
  7. No Patching of Software
  8. Insider Threat
  9. Improper Disposal
  10. Insufficient Data Backup and Contingency Planning

Share these top ten HIPAA issues with your Compliance Committee and use them to evaluate where your HIPAA compliance effort stands.

Contact Margaret Scavotto at 314-394-2222 ext 24 or

The HIPAA E-Tool®

The HIPAA E-Tool® offers answers to your HIPAA compliance needs also, with policies and procedures that stay up to date as the law changes. Stay informed, subscribe to our newsletter here, or call/email us 1-800-570-5879 INFO@HIPAAETOOL.COM

SamSam Ransomware Continues to Threaten Healthcare Sector

Public facing servers are believed to be the point of entry, not phishing.

Hackers have launched at least eight separate cyberattacks on healthcare and government organizations so far in 2018 using SamSam ransomware, according to the Department of Health and Human Services.

Although SamSam was originally discovered in 2016, the criminals using it began to ramp up activity in December 2017 and have continued to increase its use in 2018. SamSam was behind, for example, the Allscripts attack and attacks on two Indiana-based hospitals, the Erie County Medical Center, the Colorado Department of Transportation, and the City of Atlanta, among others.

This ransomware does not work by tricking users with phishing. The attacker is believed to gain initial access to the target systems through open public-facing servers (Remote Desktop Protocol/Virtual Network Computing), then gain access to additional computers once inside the network before deploying the SamSam malware.
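Because the entry point described above is a remote-access service listening on a public interface rather than a phishing email, the defensive check that matters is an inventory of what each host exposes. The following is an added example, not code from the page or from The HIPAA E-Tool®: it parses socket-listing output in the style of Linux `ss -tlnp` and flags RDP (port 3389) and VNC (ports 5900/5901) listeners bound to all interfaces. The sample listing, the host and the process names are constructed for illustration; the port-to-service table is an assumption based on the well-known port assignments.

```python
# Added example: flag RDP/VNC listeners bound to every interface in a socket listing.
# The sample input below is constructed; it is not output from a real host.
import re
from typing import List, Tuple

# Well-known ports of the two remote-access services named in the HHS advisory
# (assumed mapping; VNC displays beyond :1 would extend this table).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5901: "VNC"}

# Constructed sample in the style of `ss -tlnp` on a hypothetical host.
SAMPLE_LISTENERS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:5900      0.0.0.0:*         users:(("x11vnc",pid=1203,fd=4))
LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*         users:(("xrdp",pid=880,fd=11))
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=512,fd=6))
LISTEN 0      128    [::]:5901           [::]:*            users:(("Xvnc",pid=1410,fd=9))
"""

# Captures the local address and port of each LISTEN row; the greedy address
# group backtracks to the final ':' so bracketed IPv6 addresses parse too.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def is_wildcard(addr: str) -> bool:
    """True when the socket is bound to every interface (IPv4 or IPv6)."""
    return addr in ("0.0.0.0", "*", "[::]", "::")


def exposed_remote_access(listing: str) -> List[Tuple[str, int]]:
    """Return (service, port) pairs for RDP/VNC listeners reachable on all interfaces.

    Loopback-only binds (127.0.0.1, ::1) are ignored: they are reachable only
    from the host itself and are not a public-facing entry point.
    """
    findings = []
    for line in listing.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # header line or a non-LISTEN row
        addr, port = match.group(1), int(match.group(2))
        service = REMOTE_ACCESS_PORTS.get(port)
        if service and is_wildcard(addr):
            findings.append((service, port))
    return findings


if __name__ == "__main__":
    for service, port in exposed_remote_access(SAMPLE_LISTENERS):
        print(f"{service} listening on all interfaces, port {port}: restrict or place behind VPN")
```

On the constructed sample the function reports the RDP listener on 3389 and the VNC listener on 5901, and skips the VNC instance bound to loopback. On a real host, feed it the output of `ss -tlnp` (or the equivalent listing from your platform) and treat each finding as an item for the Risk Management Plan: move the service behind a VPN, restrict it with firewall rules, or disable it.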

Healthcare is particularly vulnerable. “Due to the sector’s reliance on IT systems and the operational importance of patient data and records, the ransomware risk to the [health] sector is expected to continue for the foreseeable future,” HHS officials wrote. “Organizations are encouraged to utilize data backups and develop contingency and business continuity plans that can ensure resilient operations in the event of a ransomware event.”

“The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification regulations require HIPAA covered entities and their business associates to safeguard protected health information (PHI). The HIPAA Security Rule requires implementation of security measures that can help entities prevent the introduction of ransomware as well as assist entities in how to respond and recover from ransomware attacks. Some of these required security measures include:

• Conducting a risk analysis to identify and assess risks to electronic protected health information (ePHI);

• Implementing security measures to mitigate or remediate identified risks;

• Implementing procedures to guard against and detect malicious software;

• Training users to assist in detecting malicious software and how to report such detections;

• Establishing contingency plans including data backup and recovery; and

• Developing procedures for responding to security incidents such as a ransomware attack.”

All of these prevention measures are included in The HIPAA E-Tool®. In particular, the Risk Analysis – Risk Management section provides the guidance needed about contingency plans and data backup. It’s impossible to create the backup or the contingency plan after the fact – the only way to stay safe is through prevention and planning. With The HIPAA E-Tool® your Risk Management Plan is easy to do, with step-by-step instructions and a dashboard to guide your progress - see below. All the data is archived so your work next year is easier to complete, and all is documented and saved, at your fingertips whenever you need it.

The new dashboard in the Risk Analysis - Risk Management section guides staff through the process, allows for stop and start work to completion, and helps management see progress.

Scoop - Top Targets in HIPAA Enforcement 2018


HIPAA enforcement continues in 2018. As Roger Severino, the Director of the Office for Civil Rights (OCR) said recently there is "no slowdown in our enforcement efforts," and the agency will continue with the "same enforcement mindset." He added that smaller companies should not assume they are off the radar. You may be vulnerable.

So, what should you be looking out for? Are there particular targets of enforcement you should know about? We believe there are. An analysis of the HIPAA Audits, and a review of recent HHS/OCR investigations, reveals six top targets for both covered entities and business associates. These are areas that continue to be missed by covered entities (CEs) and business associates (BAs) and continue to draw the attention of OCR. The conclusions and commentary by OCR in resolution agreements illustrate that their priorities will continue to focus on these six areas in 2018. Each targeted area, or vulnerability, is covered in The HIPAA E-Tool®.

  1. Risk Analysis – Risk Management

    • Failure to Manage Recognized Risk

    • Cyber Security

    • Software Security Updates & Patches

  2. Breach Notification Rule Compliance

    • Ransomware = Breach

  3. Individual’s Right of Access to PHI

  4. Covered Entities

    • Notice of Privacy Practices

  5. Compliance with Business Associate Requirements

    • For both CEs & BAs

  6. Proper Disposal of PHI/EPHI

NOTE: Each of these elements is thoroughly addressed in The HIPAA E-Tool® with easy-to-follow steps to compliance. One example is shown below: an illustration of the Risk Analysis - Risk Management Module that guides the user through a three-step process to inventory data, equipment, workforce and business associates, and to assess and manage risks. All of it is saved to populate the Risk Management Plan, and then archived for next year, so next year's work won't duplicate everything already created - only new information needs to be added.


No other HIPAA compliance solution is as complete or legally sound as The HIPAA E-Tool®, and no other solution offers a separate and complete program designed specifically for business associates.

Your best protection is proactive – act today.

Avoid Crippling Costs With a Risk Management Plan That Works


A Crisis Easily Avoided

All seven HIPAA violations across five entities of Fresenius Medical Care North America (FMCNA) could have been avoided if FMCNA had used The HIPAA E-Tool®. Each of the five breaches was considered small in the number of patients affected, but the collective impact resulted in a $3.5 million Resolution payment, a 5-year OCR investigation and a 2-year Corrective Action Plan (with close OCR supervision), primarily because no system-wide Risk Analysis-Risk Management Plan was in place.

As OCR Director Roger Severino said, “The number of breaches, involving a variety of locations and vulnerabilities, highlights why there is no substitute for an enterprise-wide risk analysis for a covered entity.” (italics added) From HHS.

This is just the latest reminder that a Risk Analysis-Risk Management plan is at the heart of HIPAA, and policies alone are not enough without follow-through. See our prior blog on OCR audit failures here.


On January 21, 2013, FMCNA submitted five breach reports to HHS regarding breaches of its unsecured electronic protected health information (“ePHI”). Each breach report pertained to a separate and distinct incident involving loss or theft of ePHI of the FMCNA Covered Entities.

FMCNA provides centralized corporate support to the FMCNA Covered Entities involved in the breaches, including centrally storing its patients’ medical records, creating and disseminating HIPAA policies and procedures, and investigating the circumstances of each breach reported to it by the FMCNA Covered Entities.

The Violations and the Preventive Solutions

The seven violations and corresponding solutions from The HIPAA E-Tool® are cited below. 

On July 15, 2013, OCR initiated a compliance review to investigate the five breach reports. OCR’s investigation indicated that the following conduct occurred (“Covered Conduct”):

Violation 1: The FMCNA Covered Entities failed to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI. See 45 C.F.R. §164.308(a)(1)(ii)(A).

The HIPAA E-Tool® Solutions:

SR-1  Security Management Process

SR-2  Risk Management

RA-1  HIPAA Risk Analysis-Risk Management Policy and Procedures

Section 3  HIPAA Risk Analysis-Risk Management

Violation 2: The FMCNA Covered Entities impermissibly disclosed the ePHI of its patients by providing unauthorized access for a purpose not permitted by the Privacy Rule. See 45 C.F.R. § 164.502(a).

The HIPAA E-Tool® Solutions:

PR-8  Uses and Disclosures of Protected Health Information – General Rules

SR-1  Security Management Process

SR-2  Risk Management

RA-1  HIPAA Risk Analysis-Risk Management Policy and Procedures

BN-1  Breach of Unsecured PHI

Section 5  Introduction to the HIPAA Security Rule

Section 3  HIPAA Risk Analysis-Risk Management

Violation 3: FMC Duval and FMC Blue Island failed to implement policies and procedures to safeguard its facilities and the equipment therein from unauthorized access, tampering, and theft. See 45 C.F.R. §164.310(a)(2)(ii).

The HIPAA E-Tool® Solutions:

SR-27  Facility Access Controls

Section 3  HIPAA Risk Analysis-Risk Management

RA-2.A  Security Rule Checklist

# 30  Do you have and implement a Facility Security Plan with Policies and Procedures to safeguard the Facility and equipment from unauthorized physical access, tampering and theft?

RA-5.B  Risk Management Actions – Risks Identified by Security Rule Checklist

RA-6.D  Risk Management – Security Rule Checklist Completion

Violation 4: FMC Magnolia Grove failed to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility, and the movement of these items within the facility. See 45 C.F.R. § 164.310(d)(1).

The HIPAA E-Tool® Solutions:

Section 3  HIPAA Risk Analysis-Risk Management

RA-2.A  Security Rule Checklist

# 35  Do you implement Policies and Procedures regarding the receipt and removal of hardware and Electronic Media that contain EPHI into and out of the Facility and movement of these items within the Facility?

RA-5.B  Risk Management Actions – Risks Identified by Security Rule Checklist

RA-6.D  Risk Management – Security Rule Checklist Completion

Violation 5: FMC Magnolia Grove and FVC Augusta failed to implement a mechanism to encrypt and decrypt ePHI. See 45 C.F.R. §164.312(a)(2)(iv).

The HIPAA E-Tool® Solutions:

SR-31  Access Control

Section 3  HIPAA Risk Analysis-Risk Management

RA-2.A  Security Rule Checklist

# 44  Do you implement Encryption and Decryption Procedures to Encrypt and Decrypt EPHI?

RA-5.B  Risk Management Actions – Risks Identified by Security Rule Checklist

RA-6.D  Risk Management – Security Rule Checklist Completion

Violation 6: FMC Ak-Chin failed to implement policies and procedures to address security incidents. See 45 C.F.R. § 164.308(6)(i).

The HIPAA E-Tool® Solutions:

SR-18  Security Incident Policy and Procedures

SR-19  Security Incident Response and Reporting

SR-19.A  Security Incident Report

Section 3  HIPAA Risk Analysis-Risk Management

RA-2.A  Security Rule Checklist

# 19  Do you have Policies and Procedures to address Security Incidents?

# 20  Do you have Procedures to identify and respond to suspected or known Security Incidents, mitigate to the extent possible the harmful effects of Security Incidents that are known, and document Security Incidents and their outcomes?

RA-5.B  Risk Management Actions – Risks Identified by Security Rule Checklist

RA-6.D  Risk Management – Security Rule Checklist Completion

Violation 7: FVC Augusta failed to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI. See 45 C.F.R. § 164.310(b).

The HIPAA E-Tool® Solutions:

SR-28  Workstation Use

Section 3  HIPAA Risk Analysis-Risk Management

RA-2.A  Security Rule Checklist

# 33  Do you implement Policies and Procedures that specify the proper functions to be performed, the manner in which those functions are to be performed and the physical attributes of the surroundings of a specific Workstation or class of Workstation that can access EPHI?

RA-5.B  Risk Management Actions – Risks Identified by Security Rule Checklist

RA-6.D  Risk Management – Security Rule Checklist Completion

The resolution agreement and corrective action plan may be found on the OCR website here.

The HIPAA E-Tool® is affordable, accessible and thorough: the most legally rigorous and complete HIPAA compliance solution available, designed to be used by business professionals without prior HIPAA knowledge. There is no need to gamble when you have the tools to comply. If you have questions, call us at 1-800-570-5879 or email to

Opioid Crisis and Flexibility Under HIPAA


Clarifying Guidance

Although federal regulations appear immovable and monolithic at times, change does happen. One recent example is how the opioid epidemic led the Office for Civil Rights to clarify how health care providers can communicate with family and friends of patients who have overdosed or are incapacitated. Family and close friends are critical to any patient's health progress, and when the risks are elevated in an emergency, full communication is essential.

While HIPAA has always allowed health professionals to share health information with a patient’s loved ones in emergency or dangerous situations, the rules are often misunderstood. By emphasizing how communications are permitted rather than restricted, OCR hopes to help health care professionals provide better care for patients in danger from overdose. In October 2017, Roger Severino, the OCR Director said:

“Our clarifying guidance will give medical professionals increased confidence in their ability to cooperate with friends and family members to help save lives.”

Support for Behavioral Health

In addition to the guidance released in October, HHS and OCR in December launched an array of new tools to help combat the opioid epidemic.

These new tools, several of which are specifically related to behavioral health, include:

  • Two new HIPAA webpages for mental and behavioral health, one for consumers and one for professionals

  • Collaborations among partnering agencies within the U.S. Department of Health and Human Services to develop model programs around the use and disclosure of Protected Health Information

  • Updated guidance on HIPAA and research, as called for in the 21st Century Cures Act

  • Launch of a working group to study and report on the uses and disclosures under HIPAA of protected health information for research purposes

Flexibility and new approaches should be welcomed if it means the quality of healthcare will improve and lives will be saved. On the other hand, care will need to be taken to ensure that patient privacy remains sacrosanct. Because discrimination remains a concern, patients want to be sure that disclosures remain within the family or to approved legal representatives, not to employers, law enforcement or the public.

Avoid a Meltdown - Critical Security Information


We Are All Affected, Worldwide

The processor chips used in most computers, workstations and electronic devices have a dangerous flaw that makes those devices vulnerable to cyber criminals. The flaw makes electronic devices susceptible to the attacks known as Meltdown and Spectre. The Department of Homeland Security warns that the vulnerability will be fully cured only when new chips are available and installed. However, a representative of the leading chip maker, Intel, says software and firmware patches should be available from chip manufacturers to correct the flaw at some future date.

Apple is warning its customers that iPhones, iPads and Macs are vulnerable but is working to correct the flaw with patches and updates. Google, Microsoft and others have created and made some updates available and are working to create more security patches to address the risks.

Take Action Immediately

What can you and must you do now?

  • Check all your devices and install all available software patches and updates.

  • Keep checking for updates regularly. This guidance from the Department of Homeland Security includes links to vendor advisories and patches published in response to Meltdown and Spectre.

  • Beware of phishing emails that promise Meltdown or Spectre solutions. This is a common cybercriminal tactic: taking advantage of the fear created when a major security flaw is publicized. Think Before You Click. It is believed that Spectre in particular can be triggered when unsuspecting users click on a link in an email or on malicious advertising.

  • In some cases organizations may want to install an ad blocker. Ads are a common entry point for hackers. Individuals should consider installing ad blockers on all their personal devices.

For more in-depth information, a good article aimed at general audiences can be found here from PCWorld.

In Healthcare, Full HIPAA Compliance is a Good Defense

A Risk Analysis and Risk Management Plan required by HIPAA helps health care providers and business associates create defenses against security breaches by raising awareness, providing workforce training and creating an inventory of equipment and data, with an action plan for preparation, prevention, response and recovery. The HIPAA E-Tool® has everything needed to provide the strongest defense possible. 

Emergency Preparedness Rule – Are You Ready?


We saw heartbreaking examples of ill-prepared health care providers in Texas and Florida during hurricane season, and some of the most vulnerable are individuals served by Medicare and Medicaid in senior living facilities, FQHCs, community mental health centers and dialysis facilities.

By tomorrow, November 15, 2017, most Medicare health care providers and suppliers should be compliant with the emergency preparedness (EP) rule that was published in 2016. Failure to comply could result in loss of certification from the Centers for Medicare and Medicaid Services (CMS). These new rules are more comprehensive than prior CMS standards and are focused primarily on 1) risk assessment with emergency preparedness planning, 2) policies and procedures, 3) communication plans, and 4) training and testing.

The list of providers and suppliers contains 17 types, including Hospitals, Long Term Care Facilities, Hospices, Home Health Agencies and Federally Qualified Health Centers – the full list is here. Whether your organization is required to comply or not, a family member may receive services that are affected, and your community is certainly affected. The best preparation for natural and man-made disasters involves regional collaboration among the wider community to share resources and plans for recovery.

A core element of a full HIPAA compliance program includes a Risk Analysis and Risk Management plan that incorporates a Contingency Plan for natural and man-made disasters. The requirements outlined in the CMS rule mirror HIPAA compliance around Risk Analysis, so if an organization follows HIPAA, conducts its annual Risk Analysis and follows its own Risk Management plan, most of the work toward compliance with the new CMS emergency preparedness rule is completed. That being said, each organization should evaluate the CMS rule on its own to ensure its policies cover the bases.

There is guidance about the new rule in a number of places, including from FEMA, an organization that learns new lessons every year in response to hurricanes, flooding, drought and wildfires like those we have seen this year (available here). The EP rule itself cites extensive additional resources.

A HIPAA compliance program like The HIPAA E-Tool® takes care of the risk assessment required by CMS. The Risk Analysis – Risk Management module is interactive, building action steps automatically as the assessment is completed. It is then archived for use the following year when the Risk Analysis must be completed again. The second and following years build on the work done in the beginning, allowing more time (and less cost) to devote to managing the facility and caring for patients.

OCR Audits Reveal Dismal Performance

For well over a year, the Office for Civil Rights (OCR) has been public about its top seven priorities in HIPAA compliance. The priorities were developed from OCR’s first phase of Desk Audits in 2016. The Phase 2 Audits were finished recently and we now have the preliminary results, which are profoundly disappointing. Two areas where entities drastically failed stand out: an individual’s Right of Access to their protected health information, and Security Management. OCR's full summary regarding all seven areas is here.

Seven Deadly Sins, Seven Simple Solutions

Our HIPAA expert, Paul Hales, J.D., has spoken frequently on the top priorities over the past year in an effort to help covered entities and business associates learn from OCR’s guidance. The HIPAA E-Tool® software contains policies and procedures to address all of them. The secret to HIPAA is that the rules are easy to follow step-by-step once you know the steps.

Although there are seven priorities, they fall into four categories, illustrated below:

[Image: the seven OCR priorities grouped into four categories]

Unfortunately, although these hot buttons have been publicized, it appears that covered entities and business associates have not gotten the message, or are slow in finding solutions.

Right of Access

A central principle of HIPAA law is the individual’s Right of Access to their own health information, but fewer than 1% (1 out of 103) had it right. Ten entities substantially met the requirements, but a whopping 65 of them (63%) had no or negligible efforts toward compliance. 

[Pie chart: Right of Access audit results, by percentage]

How can that be? One theory is that health care providers confuse the Authorization with the Right to Access, and are requiring patients to submit an Authorization form, a more cumbersome process.

The U.S. Department of Health and Human Services (HHS) warned in guidance published in 2016 that requiring an Individual to execute an Authorization in order to exercise his or her Right of Access may create an impermissible obstacle. See: Individuals’ Right under HIPAA to Access their Health Information, 45 CFR § 164.524. HHS explained the significant differences between a Disclosure of PHI to an Individual under the Right of Access, which is required by the Privacy Rule, and a Disclosure by valid HIPAA Authorization, which is permitted by the Privacy Rule. Forms for both are contained in The HIPAA E-Tool® and are specifically designed and developed from the Privacy Rule Standard.

Risk Analysis and Risk Management

Even more surprising is how poorly covered entities are faring in Risk Analysis and Risk Management. Risk Analysis and Risk Management have been mandatory for covered entities since 2005. And the Anthem healthcare data breach in January 2015 which exposed 78.8 million individuals’ protected health information should have been a wake-up call. Almost three years later the level of noncompliance in security is astounding.

No entities were found to be in full compliance with the Risk Analysis rules. Thirteen percent were found to be substantially in compliance and the remaining 87% had made minimal to no efforts toward compliance.

[Pie chart: Risk Analysis audit results, by percentage]

Unsurprisingly, the Risk Management results are similar, if a little worse. Of the 63 entities audited, only one was in compliance; three were substantially in compliance, but the remaining 59 or 93% had made minimal to no efforts toward compliance. See below.

[Pie chart: Risk Management audit results, by percentage]

The HIPAA E-Tool® contains an easy-to-use interactive Risk Analysis module that securely saves and archives data as it's completed. Scalable to the organization’s size, it works for one or multiple locations. Designed for use by on-staff practice managers, compliance and IT personnel, it fosters an internal culture of compliance and saves the unnecessary expense of outside consultants. As the Risk Analysis is completed, it populates a Risk Management Plan with inventories, tasks, and responsible staff to carry out the Plan. The beginning page is below.

[Screenshot: beginning page of the Risk Analysis - Risk Management module]

If you suspect your organization needs guidance, take a look at The HIPAA E-Tool®. The most legally rigorous and complete HIPAA compliance product available, it contains every policy, procedure and form needed for full compliance, and is always up-to-date, with step-by-step instructions in plain language that allow you to take control and comply with HIPAA. Privacy, Security, Breach Notification, and Risk Analysis - Risk Management are all covered, along with links to the 180 HHS Audit Protocols to guide you through an audit.

For other information, including a snapshot of results from the other four topics, see the blog by our respected colleague, Margaret Scavotto, J.D. CHC, and President of Management Performance Associates.

Mega Disasters – Havoc Wreaked by Equifax

Natural and Manmade Disasters Coincide


Hurricanes vs. Equifax – Compare and Contrast

Did we really need one more piece of bad news as summer wound down? The devastation and losses across Texas, Louisiana, Florida and the Caribbean had many of us on the edge of our seats from August 25 through last weekend. From the safety of high ground in the Midwest we were not directly affected by Harvey or Irma other than a temporary surge in gas prices. But friends, relatives and customers have suffered terribly. Homes were destroyed and lives were lost. We donated money, we filled boxes with cleaning supplies and diapers to ship south, we checked in with friends. We breathed some relief – it could have been worse.


Then in marched Equifax. Not as visual a disaster, perhaps not as obviously heartrending but yes, it is a disaster of unprecedented proportion, affecting 143 million people directly - over half of American adults. It is insidious precisely because the damage is not visual and not at all obvious. The potential economic damage to millions of people is underground, perhaps not immediate, but waiting to emerge as cyberthieves find ways to use your data to enrich themselves. 

Watching your $$ and your future...


How Did It Happen?

Negligence. It now appears that the vulnerability (the open door used by hackers) was a software application Equifax uses but had failed to “patch” although the patch had been available since March. More reporting on that here.


If You Aren’t Worried, You Aren’t Paying Attention

If your personal information was not compromised in 2015 by the Anthem or IRS data breaches, it most likely is now. The Equifax breach gathered more data than either of those, and it’s all in one place, making identity theft much easier. Sensitive information stolen includes names, birthdays, addresses, social security numbers, and driver’s license numbers. Any of your assets that you track online are potentially available to thieves and your ability to build and maintain good credit is at risk. This damage will last for decades. NOTE: Even if you did not use Equifax yourself, you could be affected, because Equifax tracks everybody with credit.


Physical damage from hurricanes and floods can eventually be repaired. The rebuilding in Florida and Texas began as soon as the storms moved on and eventually will be completed. But building safety around personal data does not have an end date. In today’s world, the real story is that we have to change our thinking and change our habits. We all need to become schooled in how to fool cyberthieves and how to conduct our own Risk Management Plan. We can’t leave it up to the institutions we’ve trusted in the past. There is a lot of advice about what to do as a consumer. Here is guidance from the Federal Trade Commission.

What About Healthcare?

When it comes to protecting health information, Covered Entities and Business Associates both have a legal responsibility to conduct a Risk Analysis and implement a Risk Management Plan to reduce the chances of compromise. The HIPAA E-Tool® contains an easy to use Risk Analysis-Risk Management tool to enable the highest level of protection, by nudging staff to evaluate risks, and to install patches, as soon as available. It also helps inventory equipment and data, and assigns responsibility for follow through to manage risks.

“The first Risk Analysis step of The HIPAA E-Tool's interactive Risk Analysis-Risk Management tool calls for identification of any software that has not been updated with the latest security patch. Any unpatched software identified in Risk Analysis Step 1 is automatically entered on the first set of Risk Management Action Steps.”

Identifying risks, and setting action steps to manage them, is easy with the interactive Risk Analysis - Risk Management tool within The HIPAA E-Tool®.


Is HIPAA Suspended During a Hurricane?

The short answer is “no.” But the full answer is more mixed.

The U.S. Department of Health and Human Services (HHS) learned lessons during Hurricane Katrina (2005), Hurricane Sandy (2012) and the Ebola crisis (2014-16) that have guided its policies around exceptions to the Privacy Rule during disasters. 

HHS Bulletins Provide Guidance

Hurricane Harvey's destruction may surpass that of Katrina and Sandy, and HHS has just today issued a Bulletin outlining its policy on waivers for hospitals in Texas and Louisiana. HHS issued Bulletins during other emergencies, including two in 2005 resulting from Hurricane Katrina, one in 2013 related to law enforcement, and one in 2014 related to privacy in emergency situations. All of these Bulletins and additional guidance may be found here: HHS Bulletins and Guidance.

During a public health emergency or disaster, there are exceptions to HIPAA that permit covered entities like hospitals to share protected health information with other providers, public health authorities and certain other designated parties. On the other hand, even during a disaster, the majority of HIPAA requirements will remain in effect so covered entities must remember they are responsible for fulfilling HIPAA obligations even in the midst of a disaster.

No Excuse for Social Media Photos posted by Covered Entities

In the last several days, pictures of nursing home residents and patients in Texas have been posted on Facebook and other social media by health care providers. Whether an appeal for help, or for publicity, even if well intentioned, these are blatant violations of patient privacy and are unjustified by the emergency. 

The HIPAA Privacy Rule is not Suspended

HIPAA still applies during a public health emergency. However, if the President declares an emergency or disaster, and the HHS Secretary declares a public health emergency, then the Secretary may waive sanctions and penalties against a covered hospital that does not comply with certain HIPAA provisions. On August 27, Secretary Tom Pr