Risk and Security LLC

Risk Assessments, Training and More

This content shows Simple View

Medical Records

FEDERAL JUDGE RULES FOR OCR, FINES MD ANDERSON $ 4.3 MILLION DOLLAR FINE FOR MAJOR HIPAA VIOLATION INVOLVING UNENCRYPTED STOLEN DEVICES AND 33,000 PATIENT RECORDS

In the ruling, the Judge found that The University of Texas MD Anderson Cancer Center (MD Anderson) violated the HIPAA RULE for Privacy and Security Rules and granted summary judgment to the Office for Civil Rights (OCR) on all issues, requiring MD Anderson to pay $4,348,000 in civil money penalties to OCR. The $4.3 million dollar fine is the fourth largest amount ever awarded to OCR.

MD Anderson is an academic institution and a comprehensive cancer treatment and research center located at the Texas Medical Center in Houston.  OCR investigated MD Anderson following three separate data breach reports in 2012 and 2013 involving the theft of an unencrypted laptop from the residence of an MD Anderson employee and the loss of two unencrypted universal serial bus (USB) thumb drives containing the unencrypted electronic protected health information (ePHI) of over 33,500 individuals.

OCR’s investigation found that MD Anderson had written encryption policies going as far back as 2006 and that MD Anderson’s own risk analyses had found that the lack of device-level encryption posed a high risk to the security of ePHI. Despite the encryption policies and high risk findings, MD Anderson did not begin to adopt an enterprise-wide solution to implement encryption of ePHI until 2011, and even then it failed to encrypt its inventory of electronic devices containing ePHI between March 24, 2011 and January 25, 2013.

OCR is serious about protecting health information privacy and will pursue litigation, if necessary, to hold entities responsible for HIPAA violations,” said OCR Director Roger Severino. “We are pleased that the judge upheld our imposition of penalties because it underscores the risks entities take if they fail to implement effective safeguards, such as
data encryption, when required to protect sensitive patient information
.”

LESSONS LEARNED

1.  MD Anderson had written encryption politics going back to 2006, and had identified lack of
encryption as a material weakness in their own risk analysis!

2.  If a HIPAA Risk Analysis identifies a weakness in a critical area like encryption, immediately
start encrypting all electronic devices.

THANKS FOR READING THE RISKAlert Report©
For more information and a free subscription:  write to:  caroline@riskandsecurityllc.com

We provide the best CMS Facility All-Hazards Risk Assessments, HIPAA Risk Analysis, as well as Active Shooter Training,
Workplace Violence Assessments, and Mass Casualty Drills & Training Programs.

www.riskandsecurityllc.com   and   www.caroline-hamilton.com



Why HIPAA Compliance is Related to Federal Contracts

Most healthcare organizations take Federal money – whether it’s reimbursement for Medicare services, or if it’s a federal grant for
providing special care or even addiction treatments, or whether they are part of an NIH trial, or receiving grant money for research.

If your organization is part of state government, county government or even city government, your organization probably takes federal money too.

When the hospital, clinic or treatment center gets that Federal check, they have to first sign a contract saying they verify that they are in compliance WITH ALL FEDERAL LAWS, RULES AND GUIDELINES.  In the old days, this may have meant that you didn’t discriminate in your hiring policies, or that you complied with the Americans with Disabilities Act (ADA), or that you complied with federal reporting requirements, like for a GSA Contract, or for billing protocols.

But HIPAA is also a law, and a Federal Rule, and so when you signed that contract, you attested, or ‘represented’ that your organization was in compliance with all the HIPAA laws and rules, too.

I recently talked to a CEO of a large hospital that, as a Level 1 trauma center, received millions of dollars each year from the Federal government – and he wasn’t aware of their HIPAA status!  He didn’t know if a HIPAA risk analysis had been done (it hadn’t), or whether they had amended all their business associate agreements (hadn’t even started), and also had no idea that some of these HIPAA Rules had elements that needed to be formally approved by the Board.

If you’re the HIPAA Compliance Officer, the Privacy Officer, the Information Security Officer, or any functional title that means, the HIPAA Buck stop with you — you need to explain this to your manager or director.  This will get any administrator’s attention, because they don’t want to have to give any of that money back, and they also don’t want to get into a lawsuit over a compliance issue.

So keep talking about that HIPAA Compliance deadline of September 23, 2013, and you’ll get the support you need, and maybe the budget you need to keep all your HIPAA activities in full swing!

 



The Top 5 Reasons Why You May Not Be HIPAA Compliant!

After updating the HIPAA Law (HIPAA Omnibus Rule) in 2013, and a new Enforcement Deadline
coming up on September 23, 2013, some organizations still aren’t HIPAA compliant!   With over
22,000,000 disclosures of Protected Health Information already, what are the five most common
reasons why your organization isn’t compliant!

1. No HIPAA Risk Analysis – maybe you were too busy, or maybe you weren’t sure what a risk
analysis really is.   A HIPAA Risk Analysis,  (according to the Office for Civil Rights for the Department
of Health and Human services) is: Conduct an accurate and thorough assessment of the potential
risks and vulnerabilities to the confidentiality, integrity, and availability of electronic 
protected
health information held by the organization.

2.  The HIPAA Risk Analysis is out of datemaybe you did it five years ago, which was BEFORE
the new HIPAA Omnibus Rule 
was mandated.  Maybe you wanted to update it, but you got busy
with all the other pressing IT issues.  Maybe you didn’t have the right resources to run a risk analysis.

3.  HIPAA Risk Analysis was too focused on technical elements.  Many information security
managers think that “IT people always know best”, and as far as HIPAA goes, that’s not correct.
HIPAA rules need to be followed by the medical staff, by the medical records people, by the human
resources department, and by everyone who handles or accesses PHI (protected health information).
And the Risk Analysis has to reflect input from all these different roles.

4.  No correlation between the HIPAA Risk Analysis Recommendations and the changes
that were made
after the HIPAA Risk Analysis was completed.  The HIPAA Security controls should
have been implemented in conjunction with the Risk Analysis, not added completely independently.
The Risk Analysis should be a road map, not a boring report that ended up locked in a file cabinet somewhere.

5.  Inadequate training and security awareness program.   In a recent HIPAA Risk Analysis,
the individuals surveyed said they had a few hours of HIPAA training when they joined the company,
but nothing since.  Next question, how long had they been with the organization, and they said,
six years, twelve years, fifteen years, and yet they had never had UPDATED HIPAA Training
or even access to a security awareness program.

Don’t find out you’re not HIPAA Compliant, when a federal regulator is sitting out in the lobby.
BE PRO-ACTIVE and start your HIPAA Risk Analysis today.  To get started, send your questions to caroline@riskandsecurityllc.com, or review the OCR Guidelines for HIPAA Risk Analysis at:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf



Why the HIPAA Risk Analysis should be finished by December 31, 2012

The federal regulators from the U.S. Department of Health and Human Services are from the Office of Civil Rights.  They think that breaches in patient information protection is a violation of the patient’s civil right!   Regulators commonly assess fees for non-compliance and some are as high as $4 milion dollars.

Because the OCR just came out with new Audit Guidelines this summer (email me and I’ll send you a copy), we all can see that the visits to healthcare organizations are still speeding up, and even more rules are coming this fall as they reconcile the HIPAA Security Rule with the HIPAA Privacy Rule with the Breach Notification Rule.  I call this:  MEGA HIPAA!

Because the current HIPAA rules have been in place for over ten years, and because the new Rules may be much more complex, it makes sense to finish your 2012 HIPAA Risk Analysis for either Security or Privacy, or both, before December 31, 2012.

My experience with federal regulators and auditors leads me to believe that a HIPAA Security Risk Analysis that is finished before the end of this calendar year will go a long way in reassuring regulators that there is, at least, a formal process in place to assess the risks to patient medical information.

A new software program is based on my original free Data Collection Guide,and can be used to complete these important security rules at a fraction of the cost of older, out-of-date risk analysis programs. Or do it on a spreadsheet.

Remember, you can also use it in your Meaningful Use Risk Assessment.  A two-for-one.

My advice:  Take the easy way out.  Finish the Risk Analysis!

 

 



Outlook on Risk & Security Compliance in 2012 – What to Expect.

This New Year’s Eve, I thought at times my neighbors were using a rocket launcher and several assault rifles to shoot up the New Year.  Lucky for me,  I spent the awake time to contemplate the outlook for risk, threat and security issues for 2012 and here’s what I see for 2012.

1.  Government-Mandated Compliance Is Here to Stay for the Healthcare Industry.

I remember when the IT departments are many hospitals thought George W. was going to revoke the HIPAA Security Rule.  It never happened, and this year, for the first time, there is a regulatory body in place that is intent on REAL ENFORCEMENT.

The Dept. of Health & Human Services, Office of Civil Rights,  has expanded HIPAA Security and Privacy Rules to include “Business Associates” including lawyers working in healthcare, and the infamous “3rd Party Providers” who do everything from warehouse data to taking over the IT function of a hospital, and this trend will continue as pressure builds from consumers who’s medical and financial data continues to be compromised.

2.  Workplace Violence Prevention will become an OSHA mandate, if not in 2012, at least by 2015.  Based on the slug-like pace of OSHA, who only recently provided directives for high risk industries, and the pressure from the more than 30 states who have passed their own regulations,  the pressure to stop the number of incidents and to lower their intensities will increase and management will be forced to address it as a major corporate issue.

3.  Pressure on the financial industry to protect consumer information will increase.
  Like many other areas, pressure is increasing to prevent the enormous data breaches we saw in 2011, like Tricare, the recent Stratfor hack by Anonymous, Wikileaks and HealthNet breaches.  Consumers are the squeaky wheel and they want the convenience of plastic and internet use, and they will not tolerate breaches, and they are all registered voters!

The FFIEC has already tightened up on both risk assessment standards, as well as
authentication guidelines for all financial institutions.

 

There will be a increase in requirements for risk assessment as an accountability feature to force managers to maintain better security in all areas of their organizations. 

Accountability means that individual managers will be held responsible for the decisions they make regarding other people’s:

1.  Financial Data

2.  Medical Records

3.  Safety from both Violence & Bullying in their workplaces.

Budgets can be cut, and staff can be reduced but consumers are demanding protection of their information, and themselves, and the regulators will make sure they get it in 2012!



DO WE NEED HEALTH INSURANCE?

HEALTHIER WITHOUT HEALTH INSURANCE

Last week I showed you my medical records – now I’m going to give you my take on the Healthcare Bill & Accountability! 

I never had health insurance — shocking, isn’t it!!  I grew up and raised two wonderful sons without any health insurance.  Part of it was my natural disinclination for paperwork, part of with my years of being self-employed but the main reason was I never understood why I should pay someone – that is – bet against myself — on my health.

Because I wasn’t saddled with medical paperwork, I could negotiate with the doctors for treatments I needed and usually got the price down 40% BECAUSE they didn’t want to use insurance anyway – it meant they got paid in six months instead of right now. 

My family believed in Adelle Davis – for those younger readers – she wrote “Let’s Eat Right to Keep Fit” and “Let’s Cook It Right”, “Let’s Get Well”, and “Let’s Have Healthy Children”. These books came out in the 50s and my mom was an immediately convert.  In fact, if you find these tattered old paperbacks in a used book store – you’ll see they were ahead of their time, in worrying about aluminum pans contributing to Alzheimer’s, endorsing fresh fruit and veggies for Vitamin C., and taking on the food industry which mightily contributes to disease in this country. 

I was never sick.  One bout of Scarlet fever that left my sister, Linda, deaf in one ear, but other than having two children – I was never sick.  The one year I did have health insurance was a total loss – paid about $3000 for N*O*T*H*I*N*G.  

Mind you, I’m in favor of national healthcare, delivered simply and effectively.  I am NOT in favor of fifteen xrays for a sprained ankle, seventeen mammograms that find nothing and basically – what I call the over-zealous use of medical technology.

Hey – news flash – healthcare is a BUSINESS!! Healthcare providers want to MAKE MONEY. The more procedures they perform – the more money they make.  It’s a very simple system.

So if it’s true that you have to incentivize people to stay healthy – maybe that’s the way to teach personal accountability for your own health!   I am amazed at how many of my friends, who are smart, and well-educated – turn their healthcare over to any doctor and do not question anything the doc says.  They don’t ask about the procedures or the tests, and they always assume that the doc knows best.

Nothing wrong with doctors – I love them.  But it’s YOUR BODY – learn how to take care of it!  Watching all the news about obese children, increase in diabetes, and declining health of the baby boomers (me included – I’m a baby boomer, but still healthy), it’s clear to me that what is missing is the connection between how someone lives every day – and how healthy they are.   So how do you encourage a healthy lifestyle?  That’s the $64,000 question.

My ingredients are simple:

Being outdoors
Taking extra vitamins and herbs
Getting moderate exercise
Eating less animal products
Low fat dairy
Don’t eat refined foods
Having pets
Doing work you love
Stress relieving activities – yoga and meditation work for me.

And… the big secret – being happy every day. 

So I am all for encouraging accountability and changing the insurance picture in this country.    This could mean – sliding scale of insurance costs based on how healthy you are.. like a Good Driver Discount for Staying Healthy! 

Having employer-sponsored plans also weighed and have unhealthy workers penalized.(I know that’s tough love – but they will thank you years later).

And adjusting pricing of health services so that preventive things  — like getting your blood pressure checked, become less expensive than expensive procedures like MRIs and CAT scans. 

Getting back to my original point – if you are totally RESPONSIBLE for your own healthcare – you make the extra effort to stay healthy. It’s a personal choice we all make every day.



Want to see MY Medical Records?? No Problem.

The fury and passion devoted to protecting medical records is totally incomprehensible to me. 

Who wouldn’t want their med records to be immediately available in case of  an emergency?   I have a twinge ( as opposed to a tweet) every time I go to my doc’s office and see his color-coded manila folder filing system.  It is a nightmare, but it doesn’t seem to bother the nurses.  

I understand that if someone had AIDS, they might not want their boss to know about it. But how many people reading this have AIDS (3/100 ths of a percent), based on U.S. Census Data (309 million Americans) and number of Americans afflicted (1 million). So could not be the only reason. 

I understand why not to disclosure STD’s.   What else?  I thought about my medical record and how bare and boring it is.   I’ll be happy to tell you all about it.  Here are the highlights:

     Had Scarlet Fever when I was about 11 years old.  I was lucky – no side effects, but my sister lost her hearing in one ear.

     Broke my right ankle in ballet class when I came down on the wrong angle after a SPECTACULAR tour jete!  I’m proud of that one.

     Got kicked by a pony near my left ankle when I was in my 40s.  Didn’t break anything, but insurance company put MY ANKLE on the list of NON-COVERED areas. LOL

    One dog bite from a German Shepard when I was college.  It was an accident.
    We were playing grab-it with a toy…

     Used to get bronchitis fairly regularly when I smoked, which was over twenty-five years ago.

     Had tubes tied after 2nd son.

     Had an eye lift – cosmetic surgery – Hurrah….

Pretty scintillating stuff!   You can see why I don’t worry about anyone getting their hands on my medical records.    I don’t even care about any of this – why would anyone else?  

I got another view of the medical record problem when my sister was diagnosed with a brain tumor.  HER medical records were enormous and included things I had never seen before like 3-D rotating images of her brain so doctor could turn it around and view it from any angle.  Her records were so complex that we literally had to take a set of CD’s to office visits.  Didn’t make any difference, she died four months later.

The cost of converting my boring records is something else I wanted to check out.  For a small doctors office with 3 doctors – installing a full document management system would cost about $100,000 with an annual maintenance fee of $30-50,000.  Quite an initial investment for a small office.

Here are some fun stats on paper records, from a Coopers Lybrand survey on the time and money spent on paper in today’s typical organization:

• Of all the pages that get handled each day in the average office, 90 percent are merely shuffled. 

.   The average document gets copied 9 times. 

• Companies spend $20 in labor to file a document, $20 in labor to find a misfiled document, and $220 in labor to reproduce a lost document.

.  7.5 percent of all documents get lost, 3 percent of the remainder get misfiled.  

• Professionals spend 5-5 percent of their time reading information, and up to 50 percent of their time looking for it.  

• There are over 4 trillion paper documents in the U.S. alone – growing at a rate of 22 percent per year. 

The famous Google Health project will digitize your medical records and put it in their repository for free, BUT you have to get them from your doctor in digital form first. 

And to see how mainstream this concept is going – there’s now an App for that! Yes, if you have an iphone you can get Health Cloud for free!  

But now that I have published my medical records on Twitter, or at least, my summary of my medical record – the whole world can have access!




top