Friday, June 29, 2012

Breach at MD Anderson Includes Social Security Numbers

MD Anderson Cancer Center in Houston is notifying about 30,000 patients of a breach of protected health information that includes some Social Security numbers.


The hospital, through its official statement and a spokesperson, declines to specify how many SSNs were involved, but it appears to be a substantial number. “There was data for approximately 30,000 patients on the stolen laptop,” according to the spokesperson. “Most of the data was not financial in nature. About one-third of the records did include financial information such as Social Security numbers.”

http://www.healthdatamanagement.com/news/breach-notification-hipaa-privacy-security-44691-1.html?ET=healthdatamanagement:e2672:202994a:&st=email&utm_source=editorial&utm_medium=email&utm_campr,aign=HDM_Daily_062912

NOTE: Folks need to remember, if it happens here, it can happen at your organization... Implement controls.

Wednesday, June 27, 2012

OCR’s HIPAA Privacy, Security and Breach Notification Audit Program & Protocol

Today, OCR posted on its website the protocol used to conduct the audits required by the HITECH Act. The OCR HIPAA Audit program analyzes key processes, controls, and policies of selected covered entities pursuant to the HITECH Act audit requirement. OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

• The audit protocol covers Privacy Rule requirements for (1) notice of privacy practices for PHI, (2) rights to request privacy protection for PHI, (3) access of individuals to PHI, (4) administrative requirements, (5) uses and disclosures of PHI, (6) amendment of PHI, and (7) accounting of disclosures.

• The protocol covers Security Rule requirements for administrative, physical, and technical safeguards.

• The protocol covers requirements for the Breach Notification Rule.

Please visit the website at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html to learn more about the OCR HIPAA Audit Program and to access the audit protocol.

Alaska Medicaid Settles HIPAA Security Case for $1,700,000


The Alaska Department of Health and Social Services (DHSS), the State Medicaid agency, has agreed to pay the U.S. Department of Health and Human Services (HHS) $1,700,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. Alaska DHSS has also agreed to take corrective action to properly safeguard the electronic protected health information (ePHI) of its Medicaid beneficiaries. This is OCR’s first HIPAA enforcement action against a State agency, and OCR expects organizations to comply with their obligations under these rules regardless of whether they are private or public entities.

The HHS Office for Civil Rights (OCR) began its investigation following a breach report submitted by Alaska DHSS as required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The report indicated that a portable electronic storage device (a USB hard drive) possibly containing ePHI was stolen from the vehicle of a DHSS employee. Over the course of the investigation, OCR found that DHSS did not have adequate policies and procedures in place to safeguard ePHI. Further, DHSS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.

In addition to the $1,700,000 settlement, the agreement includes a corrective action plan that requires Alaska DHHS to review, revise, and maintain policies and procedures to ensure compliance with HIPAA Security Rule. A monitor will report back to OCR regularly on the State’s ongoing compliance efforts.

The HHS Resolution Agreement can be found on the OCR website at:
http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/alaska-agreement.html


Thursday, June 21, 2012

OCR-NIST HIPAA Conference Slides

Did you miss the NIST and OCR conference? You can watch the presentations and download the slides. This is an excellent source of information, with some great presentations. Challenge yourself to view all of them: take one per day.

Presentations: http://csrc.nist.gov/news_events/hiipaa_june2012/presentations.html

Archived WebCast: http://www.nist.gov/itl/csd/hipaa-security-conference-2012-webcast.cfm

Safeguarding Health Information: Building Assurance through HIPAA Security

The National Institute of Standards and Technology (NIST) and the Department of Health and Human Services (HHS), Office for Civil Rights (OCR) co-hosted the 5th annual conference, Safeguarding Health Information: Building Assurance through HIPAA Security, on June 6 & 7, 2012 at the Ronald Reagan Building and International Trade Center in Washington, D.C.

Tuesday, June 19, 2012

OCR 20 Audit Findings / Recommendations

In Washington, DC, Linda Sanches from OCR presented findings from the first 20 audits of the pilot program to assess HIPAA privacy, security and breach notification performance. The remaining 95 audits will occur in 2012, and OCR has indicated that audits will continue in 2013. Some highlights of the slide deck follow (draw your own conclusions). This gives some insight into what the auditors are looking at.

Audit Issues by Area:
  • Conduct Risk Analysis (17)
  • Grant/Modify User Access (17)
  • Incident Response (11)
  • Contingency Planning (34)
  • Media Reuse and Destruction (18)
  • Encryption (10)
  • User Activity Monitoring (46)
  • Authentication/Integrity (19)
  • Physical Access (9)

OBSERVATIONS:
  • Policies and Procedures
  • Priority HIPAA Compliance Programs
  • Conduct of Risk Assessment
  • Managing third party risks

NEXT STEPS based on the reviews:
  • Conduct a robust review & assessment
  • Determine Lines of Business affected by HIPAA
  • Map/Flow PHI movement within your organization, as well as flows to/from third parties
  • Find all of your PHI
  • See guidance available on the OCR web site

The full slide deck from the presentation is at the following link:
http://csrc.nist.gov/news_events/hiipaa_june2012/day2/day2-2_lsanches_ocr-audit.pdf?goback=%2Egde_2473393_member_124101464

More information about the Audit Program can be found here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html

Wednesday, June 6, 2012

OCR Releases a “Right to Access” Memo CONSUMER HIPAA PRIVACY

Leon Rodriguez, Director of the Office for Civil Rights, released a right to access memorandum educating consumers on their right to access their medical information at ONC’s “Patient Access Summit.” The HIPAA Privacy Rule has always provided this right of access, but many consumers have faced barriers in getting their health information. It is vitally important that consumers understand this right, which will enable them to engage more fully in their health care. At the summit, Rodriguez reinforced that it is a consumer’s legal right to obtain a copy of their health information, and that his office is committed to informing the public of that right and enforcing it at HIPAA covered entities.

Visit the OCR website at http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html to obtain a copy of the memo and for videos, pamphlets, frequently asked questions and other guidance material to help consumers understand their rights under HIPAA.


Your Health Information Is Protected By Federal Law


Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule, a Federal law that protects health information in electronic form, requires entities covered by HIPAA to ensure that electronic protected health information is secure.

Tuesday, June 5, 2012

HIPAA Training Materials for State Attorneys General Now Available Online


The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, gave State Attorneys General (State AGs) the authority to bring civil actions on behalf of state residents for violations of the HIPAA Privacy and Security Rules. OCR developed HIPAA Enforcement Training to help State Attorneys General and their staff use their new authority to enforce the HIPAA Privacy and Security Rules.

The training materials now available through the OCR website include videos and slides from in-person training sessions for State AGs that OCR conducted in 2011, as well as computer-based training modules that can be downloaded and saved to your own computer. Although developed for State AGs, the training materials provide a great deal of information about the content and enforcement of the HIPAA Rules that may be of interest to a broader audience. Topics include:
* General introduction to the HIPAA Privacy and Security Rules
* Analysis of the impact of the HITECH Act on the HIPAA Privacy and Security Rules
* Investigative techniques for identifying and prosecuting potential violations
* A review of HIPAA and State Law
* OCR's role in enforcing the HIPAA Privacy and Security Rules
* SAG roles and responsibilities under HIPAA and the HITECH Act
* Resources for SAGs in pursuing alleged HIPAA violations
* HIPAA Enforcement Support and Results

Learn more about the HIPAA Enforcement Training for State AGs and view the training materials here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/sag/index.html

NOTE: We are seeing the beginning of more involvement by State Attorneys General in HIPAA Security and HITECH enforcement. This training will continue that trend.



Sunday, June 3, 2012

Department of Homeland Security Issues Warning on Medical Device Threats

The U.S. Department of Homeland Security has issued a warning (UNCLASSIFIED / FOR OFFICIAL USE ONLY) about the role of medical devices in compromising IT networks and patient data.

In its alert "Attack Surface: Healthcare and Public Health Sector," DHS says medical devices that connect to IT networks may pose a threat to security. Find the entire PDF here (download and read it):
http://info.publicintelligence.net/NCCIC-MedicalDevices.pdf

Some Highlights:
According to Health and Human Services (HHS), a major concern to the Healthcare and Public Health (HPH) Sector is exploitation of potential vulnerabilities of medical devices on Medical IT networks (public, private and domestic).

The protection of networked medical devices (MDs) can best be implemented in a layered security approach using the following suggested best practices:


• Purchasing only those networkable medical devices which have well documented and fine-grained security features available, and which the Medical IT network engineers can configure safely on their networks.

• Including in purchasing vehicles vendor support for ongoing firmware, patch, and antivirus updates where they are a suitable risk mitigation strategy.

• Operating well maintained external facing firewalls, network monitoring techniques, intrusion detection techniques, and internal network segmentation, containing the medical devices, to the extent practical.

Configuring access control lists (ACL) on these network segments so only positively authorized accounts can access them.

• (U) Establishing strict policies for the connection of any networked devices, particularly wireless devices, to Health Information Network (HIN) including; laptops, tablets, USB devices, PDAs, smartphones, etc. such that no access to networked resources is provided to unsecured and/or unrecognized devices.

• Establishing policies to maintain, review, and audit network configurations as routine activities when the Medical IT network is changed.

• Using the principle of least privilege to decide which accounts need access to specific medical device segments, rather than providing access to the whole network.

• (U) Implementing safe and effective, but legal patch and software upgrade policies for Medical IT networks which contain regulated medical devices.

• (U) Securing communications channels, particularly wireless ones, by the use of encryption and authentication at both ends of a communication channel.


• (U) Having and enforcing password policies to protect patient information.
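Three of the DHS practices above (positively authorized accounts on segment ACLs, no access for unrecognized devices, least privilege per medical-device segment) come down to one rule-evaluation discipline: default deny, with access granted only by an explicit rule naming the account, the source, the destination segment and the port. The script below is an added illustration written for this post, not code from the DHS alert or from any vendor; the segment names, RFC 1918 addresses, account names, device ids and port numbers are all constructed. It evaluates requests against a weak "any internal host may reach any segment" policy and against a hardened policy, so the difference in outcome for an unregistered laptop or an over-broad account is visible.

```python
"""Default-deny ACL evaluator for medical-device network segments.

Added example (not from the DHS alert). Segment map, accounts, device
inventory and ports are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed segment map: hypothetical names, RFC 1918 sample ranges.
SEGMENTS = {
    "infusion-pumps": ipaddress.ip_network("10.20.1.0/24"),
    "imaging":        ipaddress.ip_network("10.20.2.0/24"),
    "workstations":   ipaddress.ip_network("10.30.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    account: str        # named account/role; "any" is the weak wildcard
    src_segment: str    # segment the source address must belong to, or "any"
    dst_segment: str    # segment that may be reached, or "any"
    ports: frozenset    # permitted TCP ports; empty frozenset means all ports


@dataclass
class Policy:
    rules: list
    registered_devices: set = field(default_factory=set)  # asset inventory ids
    require_registration: bool = True   # drop requests from unrecognized devices


def segment_of(ip):
    """Return the segment name containing ip, or None if it is outside all segments."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(policy, account, device_id, src_ip, dst_ip, port):
    """Return (allowed, reason). Only an explicit matching rule allows; everything else is denied."""
    if not account:
        return False, "unauthenticated request"
    if policy.require_registration and device_id not in policy.registered_devices:
        return False, f"unrecognized device {device_id!r}"
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg is None or dst_seg is None:
        return False, "address outside any known segment"
    for r in policy.rules:
        if r.account not in (account, "any"):
            continue
        if r.src_segment not in (src_seg, "any") or r.dst_segment not in (dst_seg, "any"):
            continue
        if r.ports and port not in r.ports:
            continue
        return True, f"matched rule {r}"
    return False, f"no rule permits {account} from {src_seg} to {dst_seg}:{port}"


# Weak policy: flat network, no device inventory check, any account anywhere.
WEAK = Policy(rules=[Rule("any", "any", "any", frozenset())],
              require_registration=False)

# Hardened policy: each account reaches only the segment its job needs,
# on the ports it needs, and only from a registered workstation.
HARDENED = Policy(
    rules=[
        Rule("biomed-svc", "workstations", "infusion-pumps", frozenset({443})),
        Rule("radiology-pacs", "workstations", "imaging", frozenset({104, 11112})),
    ],
    registered_devices={"ws-0017", "ws-0042"},
)


def scenarios(policy):
    """Run a fixed set of constructed requests and return {label: allowed}."""
    cases = {
        "biomed to pumps, registered ws, 443": ("biomed-svc", "ws-0017", "10.30.4.10", "10.20.1.25", 443),
        "biomed to imaging (out of scope)":     ("biomed-svc", "ws-0017", "10.30.4.10", "10.20.2.25", 443),
        "biomed to pumps, wrong port":          ("biomed-svc", "ws-0017", "10.30.4.10", "10.20.1.25", 22),
        "valid account, unregistered laptop":   ("biomed-svc", "visitor-laptop", "10.30.9.9", "10.20.1.25", 443),
        "no account":                           ("", "ws-0017", "10.30.4.10", "10.20.1.25", 443),
    }
    return {label: evaluate(policy, *args)[0] for label, args in cases.items()}


if __name__ == "__main__":
    for name, pol in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name)
        for label, allowed in scenarios(pol).items():
            print(f"  {'ALLOW' if allowed else 'DENY ':5} {label}")
```

Under the weak policy every request with an account string is allowed, including the unregistered laptop and the out-of-scope segment; under the hardened policy only the first scenario passes. The useful habit the example shows is that the deny branch is the default return, so adding a segment or an account grants nothing until someone writes the rule for it.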