Help Me With HIPAA

Information:

Synopsis

HelpMeWithHIPAA.com is a collaboration between Kardon Compliance founder, Donna Grindle, and HIPAAforMSPs.com founder, David Sims. Our mission is to share our Privacy and Security knowledge with those who are required to understand, implement, and manage the complex Privacy and Security requirements of HIPAA compliance. Our work with CEs and BAs inspired us to launch the service to provide information about the complex requirements of HIPAA in a relaxed manner without using too much legalese or geek speak. As the podcast programs progress, we will cover topics that include sorting through the requirements as well as real world examples of the procedures used, both good and bad. Join us as we do our best to create a show where HIPAA and humor collide!

Episodes

  • Healthcare Hack: PHI For Sell On The DarkNet - Ep 66

    12/08/2016 Duration: 39min

    We first talked about this in Ep 62. Darknet sale of healthcare records. Now, more information is coming out and it gets more unfortunate for patients every time we read more. Deep Dot Web broke the news: https://www.deepdotweb.com/2016/06/26/655000-healthcare-records-patients-being-sold/ We picked it up on Data Breaches.net because they were trying to figure out who the entities actually were in each case: https://www.databreaches.net/damn-anyone-know-what-facilities-these-are/ Get more info at https://HelpMeWithHIPAA.com/66

  • OCR resolution agreement - OHSU - EP 65

    05/08/2016 Duration: 44min

    What happened?
    March 23, 2013: Oregon Health & Science University notified HHS of a breach due to a stolen unencrypted laptop.
    May 1, 2013: OCR notifies them they are investigating the incident.
    July 28, 2013: Oregon Health & Science University notified HHS of another breach resulting from storing ePHI at an internet-based service provider without a business associate agreement.
    November 8, 2013: OCR notifies them they are investigating the new incident.
    July 18, 2016: settlement announced for $2.7 million and a 3 year CAP.
    What can we learn from this? Go to HelpMeWithHIPAA.com/65

  • Security Incident Response Plan - Ep 64

    29/07/2016 Duration: 37min

    OCR recently sent out a message on their listserv asking if your CE or BA was ready for an incident. We have been discussing security incidents a lot lately so it is nice that OCR has brought it up. Because we have seen various incident response reports recently, we were working on an episode anyway. So this episode is a review of Security Incident Response Plan development. Let's first be clear, this isn't just about HIPAA. We also have been reviewing the Economist Intelligence Unit 2013 (EIU) report: Cyber incident response: Are business leaders ready?, which is asking the very same question. For more information go to HelpMeWithHIPAA.com/64

  • Medical Device Security - Ep 63

    22/07/2016 Duration: 41min

    There has been a lot of news and industry discussions about Medical Device security. Medical Devices are just like a computer, so they also need security to protect the information on them.   For more go to HelpMeWithHIPAA.com/63

  • Business Associate Breaches In The News - Ep 62

    15/07/2016 Duration: 40min

    A business associate is getting this OCR resolution, $650,000 and a two-year settlement.  CHCS in Philadelphia is a BA to 6 skilled nursing clinics in the Philadelphia area. Entities like this do the business part of healthcare and the other clinics don’t have to worry about it. An unencrypted iPhone that wasn’t password protected had PHI on it.     Patterson Dental Supply Inc. helps manage dental practice information for various providers. One of the clinics they help service is Massachusetts General Hospital, and 4,300 patients had their PHI hacked and compromised.   For more info: HelpMeWithHIPAA.com/62

  • Healthcare Data Breach Study - Ep 61

    08/07/2016 Duration: 33min

    Since 2010, ID Experts has sponsored this Ponemon Institute study which has been tracking data breach trends of patient data at healthcare organizations. The annual economic impact of a data breach has risen over the past six years, as has the frequency of data breaches. Criminal attacks and internal threats are the leading cause of healthcare breaches. Evolving cyber attack threats such as ransomware and malware are of primary concern for 2016. At the same time, internal issues such as employee negligence, third-party snafus, and stolen computing devices continue to put patient data at risk. For more info on this episode go to helpmewithhipaa.com/61

  • HIPAA Rules In A Crisis - Ep 60

    01/07/2016 Duration: 30min

    As always, during times of crisis and chaos things do become confused and incorrect statements are made. It is a normal occurrence in troubling situations. But, we need to address it specifically to clear up a few points. There was no "special waiver from the White House". There was no need for one at all. People, even in a crisis, should not be invoking HIPAA over caring for the patient properly. The hospitals talked about implementing their crisis plan - why wasn't HIPAA addressed in the plan? It should be! For more details go to HelpMeWithHIPAA.com/60

  • HIPAA, HHS, OCR, and PHI - Ep 59

    24/06/2016 Duration: 42min

    Today’s podcast is a little different from our normal ones. We are covering a wide variety of subjects involving HIPAA, OCR, HHS, and PHI rather than one specific topic.   For more go to HelpMeWithHIPAA.com/59

  • Preventing Ransomware - Ep 58

    17/06/2016 Duration: 35min

    Preventing ransomware is a major concern for every business today. If not, it should be. This episode covers understanding ransomware and methods for preventing it.
    Is ransomware a PHI breach?
    April record number of cases and not slowing down
    8 hospitals (more by the time we record) already hit.
    Training and vigilance is best defense
    Ransomware attacks continue to evolve to be "smarter"
    For more see HelpMeWithHIPAA.com/58

  • HIPAA Policy and Procedure Templates - Ep 57

    10/06/2016 Duration: 32min

    HIPAA policy and procedure templates seem to be a panacea to many people who are just trying to meet the standards and move on. However, these are not the droids you seek! Templates can be the basis for what you need to do but they shouldn't be the solution to the written policy and procedure requirements under HIPAA.   See HelpMeWithHIPAA.com/57

  • Malware Protection under HIPAA - Ep 56

    03/06/2016 Duration: 47min

    Two reasons for today's topic: A question we received from a listener about understanding antivirus software and a news report about a malware scan that interrupted a medical procedure. Between those two cases it felt like it was time to discuss malware protection under HIPAA. Suzie from Savannah: I would like to have a podcast or a quick answer to the difference between anti-virus software releases and anti-virus definitions being up-to-date. I understand the AV definitions up to date but a little fuzzy on AV software releases and examples please.... Report came out about malware scan stopping a medical procedure

  • New HIPAA Privacy Rules Guidance - Ep 55

    27/05/2016 Duration: 46min

    We always look at the security rule aspects of HIPAA because they deal with the easier parts for people to deal with when it comes to lowering their risk, but today we are diving into some privacy rule guidelines, because there is new HIPAA privacy guidance that has just been published. Get more info at HelpMeWithHIPAA.com/55

  • HIPAA Access Log Audits - Ep 54

    20/05/2016 Duration: 37min

    Recently, we ended up in several discussions about HIPAA access logs and what they really require with our clients. As per usual, any topic that comes up multiple times in my “real job” becomes a discussion for HMWH.  So, today we are talking about HIPAA access logs to attempt to clear up some confusion we have encountered.  There are multiple types of HIPAA access logs being created in most environments and you should be dealing with pretty much all of them in some manner. Get more at HelpMeWithHIPAA.com/54

  • What does a data breach cost? - Ep 53

    13/05/2016 Duration: 41min

    We talked about OCR audits recently because they are in the news. The audit protocol is a perfect guide for developing and maintaining your HIPAA compliance programs. In fact, the audits have been a hot topic in the industry this month. However, the fact that only 200 audits will take place really means the audit protocol is more important as a guide for what your program should look like in the event you have a breach or complaint investigation. Statistically, you are much more likely to need it for that reason. Read more at HelpMeWithHIPAA.com/53

  • Ep 52: HIPAA Podcast One Year Anniversary Interview

    06/05/2016 Duration: 50min

    We really appreciate the support and feedback we have received for our little HIPAA podcast project known as Help Me With HIPAA.  This episode marks one complete year of weekly HIPAA podcasts (counting the special bloopers holiday episode).  We certainly learned a great deal since we started this little DIY project last year.  Granted, David was a convert to the idea much quicker than Donna.   Here we are one year later and our little HIPAA podcast is starting to gain some real momentum.  That is all thanks to you, our listeners, for sticking with us through our growing pains as we fumbled through figuring it all out.  Keep on sending in your questions and suggestions, we appreciate your help and support! Also, a special shout out to the silent member of our team Bojan Sabioncello for making us sound so much better once he came on board!   After saying all of that, what are we doing for this special episode?  We are interviewing each other to discuss how we ended up together and what we do in our "real jobs".

  • Ep 51: Small Office HIPAA Compliance

    29/04/2016 Duration: 43min

    We often talk about doing the "work" of compliance. Some people seem to have the attitude that all I need to do is some annual staff training and hand out a Notice of Privacy Practices to do small office HIPAA compliance. When we try to explain there is more to it than that we often get pushback about the requirements. We always hear comments like: we don't have time, we don't have resources, we can't be expected to do this. So, how DO you do small office HIPAA compliance? Today we are going to talk to someone who is definitely doing the work of HIPAA compliance in a small office. We are doing an interview with Erien Fryer of Medical Direct Care in Clarksville, TN to discuss small office HIPAA compliance issues, obstacles, and how to just get it done. For more details go to HelpMeWithHIPAA.com/51

  • Ep 50: Website Security Questions

    22/04/2016 Duration: 37min

    Every website needs security. What questions should you be asking about your business websites and who should you be asking?  Website security can be an open hole in your security plans.  It can also be the source of lots of problems for your business if you don't pay attention to the site content or securing your message. More info on the website at helpmewithhipaa.com/50

  • Ep 49: New OCR Audit Protocol Review

    15/04/2016 Duration: 45min

    The recent release of the new OCR audit protocol gives us new guidance on what they expect from HIPAA compliance programs.  There is a great deal of information to sift through if you are so inclined.  To make it easier for you we are discussing some of the details and things we have learned from reviewing it for you! So, here is our review of the new OCR audit protocol! For more details go to our website article helpmewithhipaa.com/49

  • Ep 48: Disaster Recovery for Flooding

    08/04/2016 Duration: 36min

    In the first episode in our Disaster Recovery series that we will be doing this year we are discussing planning disaster recovery plans for flooding.  This episode is an interview with Ginger McCleish who experienced a real world disaster recovery flooding in the St. Louis, MO area in December 2015. Hear more at HelpMeWithHIPAA.com/48

  • Ep 47: Latest HIPAA Buzz

    01/04/2016 Duration: 46min

    The latest HIPAA buzz is about things like Interoperability, Data Governance, Patient Access Rights, and, of course, OCR random audits.  Donna attended HIMSS and the National HIPAA Summit recently.  In this episode we discuss what kinds of things are happening in the industry relating to HIPAA. For more details visit our website at helpmewithhipaa.com/47
