Category Archives: HIPAA and HITECH Compliance

HIPAA Refresher

We would like to make sure all of our valued clients remain up to date on the latest HIPAA developments that affect their practices. In light of the Omnibus Rule updates, and considering the looming onset of Meaningful Use 2, allow us to provide a quick refresher!

All practices should, by now, have completed a HIPAA Security Risk Assessment (RA), whether or not they have attested for Meaningful Use. As is the nature of legislation, the regulations this RA is based on have been changed yet again. Updating the RA for these changes is a key aspect of a practice’s compliance program.

The first major change that happened with the onset of the Omnibus Rule this past September has to do with us – Business Associates. Direct liability for safeguarding patient data has been imposed, including a requirement for us to complete our own RA! Practices, however, just need to make sure their Business Associate Contracts have been updated. These should be updated as they expire, or within a year of 9/23/13 (whichever is sooner).

Breach Notification requirements were also amended. The definition of a breach of PHI has been updated; now, a breach is not reportable to HHS if a practice can determine, via an RA, that there is a low probability the PHI has been breached. Furthermore, fines cannot be imposed if the breach was not due to willful neglect and was corrected within 30 days.

The Privacy Rule has not been missed in this recent HIPAA makeover. Changes have been made to permissible uses and disclosures, patients’ right to access their PHI electronically, and restrictions on the sale of PHI. In light of this, a practice should update its Notice of Privacy Practices.

As always, Kali Systems is available to help with your HIPAA compliance efforts. We would be happy to answer your questions, assist you with your RA updates, or provide templates for NPPs and BA Contracts.

The End of an Era – Microsoft Discontinues Support for XP Operating System

Microsoft’s announcement to discontinue support for XP systems has been widely reported in the news lately, and many industry leaders have voiced their opinions on the implications this has for security. From broadly replacing all XP systems, to taking these workstations off the internet, to not doing anything at all, what is the best option for your practice?

Discontinued support does not mean that XP systems will cease to run properly – all this means is that Microsoft will no longer be patching (updating) the operating system as security flaws are detected. For reference, Microsoft currently patches their systems monthly, and sooner for critical vulnerabilities. As these systems go unpatched, malware developers will discover an increasing number of vulnerabilities to exploit, compromising the security of the computer.

We do have options for XP systems, especially for our Virtualized clients employing Terminal Servers. We are able to convert these workstations into “Thin Clients” – the workstation connects to a session on the server from which the desktop, operating system, and software are provided. This eliminates external connections from the unsupported XP system, mitigating the associated security risks. It also saves cost by utilizing existing infrastructure rather than purchasing replacement desktops for all the XP machines in your office.

We are available to discuss this further with each of you, along with additional solutions we have available, and come up with a plan tailored to fit your needs. Give us a call or send us an email to get started!

Cybersecurity a greater risk than natural disasters

A majority of companies, including healthcare organizations, now rank cybersecurity risks as greater than natural disasters, fires and other major business risks, according to a new survey by the Ponemon Institute.

In a previous study, Ponemon put the average cost of a data breach at $188 for each lost or stolen record.

Looking at healthcare in particular, it reported that 94 percent of the 80 participating healthcare organizations experienced at least one data breach that they were aware of in the previous two years, and that such breaches cost organizations a total of $6.78 billion annually.

Among the new survey findings:

  • Protecting against the financial impact of cyber security risks ranks as high as or higher than other insurable risks.
  • Responsibility for managing that risk is moving outside the IT department, with risk management or compliance officers more likely to manage that.
  • Most companies either have cyber security insurance or are considering adoption. Thirty percent of respondents note their company has no interest in purchasing a policy at this time.

Healthcare and pharmaceuticals represented the third-largest industry segment polled.

Jared Rhoads, lead author and senior research specialist for a report from CSC’s Global Institute for Emerging Healthcare Practices, previously recommended taking a holistic approach to managing the risk posed by cyber criminals.

Privacy experts speaking at the Healthcare Privacy Summit earlier this summer said healthcare organizations tend to be too reactive in their approach to health data security.

But the industry is waking up to the risk. A new survey of the cyber security workforce by the public-private partnership Semper Secure just found healthcare the fourth-largest employer of cyber professionals after government, manufacturing and defense/aerospace.

To learn more:
– Read the Ponemon survey report (.pdf)
– Here’s the Semper Secure survey (.pdf)

<Reprint of article by Susan D. Hall – FierceHealthIT ©2013>

Choose Your IT Vendor Carefully!

As Brian Horowitz writes in his article on eWeek:

“Business associates now must meet the privacy and security rules of HIPAA just like doctors, hospitals and health insurance providers, according to the final “omnibus” rule the U.S. Department of Health and Human Services (HHS) announced on Jan. 17.”

While this is not entirely new information, and those who know Kali Systems know that we have been promoting this fact for quite some time now, the news really is that the regulators are focusing on this now – and have a meaningful enforcement arm (the Office of Civil Rights) and a penalty structure which is, frankly, quite intimidating.

The article also states:

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” HHS Office for Civil Rights Director Leon Rodriguez said in a statement. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider or one of their business associates.”

The IT vendors that healthcare practices use will often have access to their EHR, be responsible for data backup, and otherwise have broad access to a great many forms of ePHI in the practice. That privilege comes with serious responsibility and an obligation to comply on the part of the vendor. The practice is ultimately responsible for ensuring that its vendors meet the standards and have compliant Business Associate Agreements in place prior to being given access to protected data.

The Risk Assessment process, as outlined by HHS guidelines, clearly includes a review of all Business Associates as part of the process. Our Risk Assessment product covers this requirement, along with other requirements necessary for Meaningful Use attestation.

Please see the full eWeek article by Brian Horowitz here:

10 Tips To Prepare For An OCR Audit

It’s one thing to prepare your organization with a solid defense against a potential privacy breach. Add in an HHS/OCR audit or investigation, and it becomes crucial that organizations take the necessary steps to comply with the HIPAA Privacy, Security, and Breach Notification rules.

Mahmood Sher-Jan, vice president of product management at ID Experts, and Chris Apgar, president and CEO at Apgar and Associates, outline 10 tips for preparing for an OCR audit.

1. Learn your compliance status. This goes for both HIPAA privacy and security rules and the interim final breach notification rule. According to Sher-Jan and Apgar, every covered entity should gain a full understanding of its compliance and gaps with these rules. Conducting an evaluation or gap analysis of HIPAA privacy, security, and breach notification requirements, they said, is the logical starting point. And, don’t forget about your business associates, since they can pose a “significant risk” as well. Remember, they warned, that the HIPAA security and privacy rules have been with us for several years, and the interim final breach notification rule was effective September 2009.


OCR Announces HIPAA Audit Program

Don’t get caught unprepared!

On November 8th, the Office for Civil Rights (OCR) officially unveiled its long anticipated audit program. These audits, mandated by Section 13411 of the HITECH Act, are intended to “ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.”[1]

If your organization has not been keeping up with recent changes to HIPAA Privacy and Security Rules, you may be unaware of significant new requirements for covered entities and business associates, such as breach notification, and the drastic overhaul of the enforcement process including a tiered penalty plan.


Time To Take Notice

This week’s news highlights the growing need to take proactive steps to protect sensitive data. It’s time to take notice, before your organization has to give notice of a data breach.

The Office of Civil Rights (OCR), responsible for enforcing HIPAA regulation, has announced the hiring of KPMG of McLean, VA to implement an audit program of covered entities and business associate compliance with the HIPAA privacy and security standards. This action marks the first time proactive “periodic audits”, as required by the HITECH Act, will be implemented. Until now, investigations have been in response to complaints.[1]

Office for Civil Rights Gets Tough on HIPAA Violations

For the second time this week, the Department of Health and Human Services (HHS) has announced stiff penalties for HIPAA violations. This may signal the start of stronger HIPAA enforcement action by the Office for Civil Rights (OCR) and a sign of things to come when HHS rolls out its HIPAA compliance audit program as mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act.

On February 22nd, HHS announced a landmark civil monetary penalty (CMP) against Cignet Health of Prince George’s County, Md., for violations of the Privacy Rule. The $4.3 million penalty was imposed for failing to provide 41 patients with copies of their records in the time frame required by HIPAA, and for failing to cooperate with the OCR investigation. It was the first time a penalty was assessed for Privacy Rule violations, and the first time the increased penalty amounts authorized by Section 13410(d) of the HITECH Act were applied.

Willful Neglect – $4.3 Mil. Penalty Results

As I reviewed the provisions of HIPAA Security and Privacy provisions with a lead surgeon who heads a small but bustling medical practice, I could tell he would rather be in a treatment room with a patient than sitting in the lunch room with me discussing one of a legion of requirements and regulations. “Do other doctors really do this?” he asked, his head buried in his hands.

Protecting sensitive data is a hot button. Criminal data theft and fraud have grown alongside the explosion of day-to-day dependence on the internet, wireless and mobile technology. The Identity Theft Resource Center reported 662 data breaches in 2010, affecting 16,167,542 records. 76% of these records included Social Security numbers.


Healthcare and Email – Dangerous Assumptions

Email has truly become our primary form of day-to-day communication, both internally and externally. We rely on the ease and rapidity of messaging, and on our ability to readily attach documents, pictures or other relevant information. And we are increasingly going mobile (read that as “real time”) with our email connectivity. A recent comScore study revealed that Americans are increasingly using their mobile phones and tablets to access email on the run.

As a result, the amount of information we find useful to keep in email is increasing. And services like GMail have made it easy to integrate email, calendaring and contacts, all available from web browsers, mobile devices and our home computers – all for a very reasonable price indeed! But hang on here… when we use our “personal” email in such a fashion, what have we really given to these third party providers? Are we really secure? Are we even compliant?