BreachExchange mailing list archives

Time for a HIPAA Security Check-Up!


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 9 Sep 2015 19:44:39 -0600

http://www.jdsupra.com/legalnews/time-for-a-hipaa-security-check-up-41189/

The 2015 HIPAA Security conference held by the National Institute of
Standards and Technology (“NIST”) and the U.S. Department of Health and
Human Services, Office for Civil Rights (“OCR”) kicked off last week with
OCR’s announcement of a new settlement. In its latest settlement with a
small health care provider, OCR emphasized comprehensive risk assessments
and securing mobile devices. This comes on the heels of the recently
released NIST draft guide for securing electronic health information on
mobile devices. The conference also brought a much anticipated audit
update. And newly appointed Deputy Director, Deven McGraw, promised new
guidance as early as October (2015).

What This Means for You

OCR continues to emphasize the importance of securing electronic protected
health information in an increasingly connected world. For small and large
health care providers alike, the use of laptops, smartphones, and other
portable devices is commonplace. HIPAA covered entities and business
associates should regularly update their risk analyses, implement controls
to safeguard electronic information, develop policies and procedures for
the receipt and removal of devices that store or access electronic
protected health information, and sanction employees for non-compliance.

While we wait for additional HIPAA guidance ranging from breach
notification to cloud security guidance, OCR promised its audit program is
moving forward with a contractor selected to help staff the next round of
audits. OCR confirmed it remains in the address verification phase –
meaning your organization still could be in the running. In an interview
following the conference, Deputy Director McGraw is reported to have
announced that OCR will submit its audit plans for public comment later
this year or early next year before moving forward with additional audits.
This means the next round of HIPAA audits will begin in 2016 at the
earliest.

Summary of the Latest HIPAA Settlement

OCR’s most recent settlement with a small Indianapolis-based oncology
radiation practice, Cancer Care Group, P.C. (“Cancer Care”), stemmed from a
breach reported to OCR in 2012. Cancer Care notified OCR of a breach of
electronic protected health information after a laptop and unencrypted
backup media were stolen from an employee’s car. OCR reported that
approximately 55,000 current and former Cancer Care patients were affected
by this incident, with potentially compromised information including
patient names, dates of birth, Social Security numbers, insurance
information, home addresses and clinical information. OCR alleged that
Cancer Care failed to conduct an enterprise-wide risk analysis, and failed
to implement policies that accounted for the removal of mobile devices or
portable media. To settle the alleged HIPAA violations, Cancer Care agreed
to pay $750,000 and entered into a three-year corrective action plan. Under
the corrective action plan, among other things, OCR requires Cancer Care to:

- Conduct a comprehensive risk analysis, reviewing and updating it as
needed on an annual basis;
- Develop and implement a comprehensive risk management plan to “address
and mitigate any security risks and vulnerabilities” identified in the risk
analysis (emphasis added);
- Revise policies and procedures for security of electronic protected
health information based on the findings of the risk analysis and the
implementation of the risk management plan; and
- Review and revise its training program for security of electronic
protected health information based on the findings of the risk analysis,
implementation of the risk management plan, and any revisions to its
policies and procedures.

OCR Director Jocelyn Samuels emphasized that “[o]rganizations must complete
a comprehensive risk analysis and establish strong policies and procedures
to protect patients’ health information.” Director Samuels also reminded
covered entities that “proper encryption of mobile devices and electronic
media reduces the likelihood of a breach of protected health information.”

Next Steps

This recent settlement and the promise of upcoming audits serve as a good
reminder to do a check-up on your HIPAA security compliance. Your HIPAA
security risk analysis should be reviewed and updated periodically, and at
minimum, whenever there are environmental or operational changes. An OCR
official stated at the conference that the risk analysis is the cornerstone
of HIPAA security compliance.

DWT’s team of experienced privacy and data security attorneys can help you
implement a targeted, repeatable risk assessment that aligns with OCR and
NIST guidance. We offer a fixed fee and tiered model that allows us to
offer a customized Confidential Risk Assessment with a predictable budget.
Contact Anna Watterson for more information.

You also should have policies and procedures that address the increasingly
mobile environment, including protected health information and other
sensitive information on both corporate-owned and personally-owned devices.
Without proper training, employees and other workforce may not know the
proper practices for accessing and storing electronic protected health
information on mobile devices, including prohibited practices. Whether a
comprehensive refresher or periodic reminders, training also provides an
opportunity to help workforce understand the potential harm to patients and
the organization when electronic protected health information is not
properly secured.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
