HIPAA Compliance

HELLO, MY NAME IS REHMAN NIAZI FROM ACG247, AND FOR THE LAST 20+ YEARS I HAVE BEEN ASSISTING ORGANIZATIONS TO MANAGE AND SECURE THEIR INFRASTRUCTURE AND DATA NATIONWIDE.

OVER THE NEXT FEW MINUTES, WE WILL GO OVER YOUR HEALTHCARE PRACTICE’S POTENTIAL RISKS, VULNERABILITIES, AND REQUIREMENTS FOR YOUR PROTECTED HEALTH INFORMATION (PHI) OR YOUR ELECTRONIC PROTECTED HEALTH INFORMATION (EPHI) AS THEY PERTAIN TO HIPAA, THE HITECH ACT, AND THE OMNIBUS RULE.

LET’S START BY ASKING, WHY WOULD SOMEONE TARGET YOUR PRACTICE? THINK ABOUT WHAT A PRIVATE HEALTH RECORD CONSISTS OF: NAMES, SOCIAL SECURITY NUMBERS, HOME ADDRESSES, AND PATIENT HEALTH INFORMATION. HIPAA REFERS TO THIS TYPE OF INFORMATION AS IDENTIFIERS.

PER A RECENT BROOKINGS INSTITUTION STUDY, HEALTHCARE RECORDS WERE MORE VALUABLE TO HACKERS THAN OTHER FORMS OF DATA, AND THE STUDY ALSO PREDICTED THAT ONE IN FOUR OF ALL DATA BREACHES THIS YEAR WILL HIT THE HEALTHCARE INDUSTRY. SIMPLY PUT, YOUR INFORMATION FUELS A 15 BILLION DOLLAR IDENTITY THEFT INDUSTRY.

THESE BREACHES WILL BE IN THE FORM OF DATA THEFT, VIRUSES, AND MALWARE. OVER THE PAST FEW YEARS, THE GROWING TREND TOWARDS RANSOMWARE, OR DATA WHICH IS MADE INACCESSIBLE USING STRONG ENCRYPTION AND HELD FOR RANSOM, HAS MADE IDENTIFIERS VERY VALUABLE TO CYBER CRIMINALS. IF YOU HAVE NO OFFLINE BACKUPS, YOUR ONLY COURSE OF ACTION IS TO PAY THE RANSOM, TYPICALLY USING NON-TRACEABLE ELECTRONIC PAYMENTS SUCH AS BITCOIN, AND HOPE YOUR DATA IS MADE ACCESSIBLE BY THE SAME CRIMINAL THAT LOCKED YOU OUT OF IT IN THE FIRST PLACE.

THE HIPAA SECURITY RULE REQUIRES COVERED ENTITIES TO MAINTAIN REASONABLE AND APPROPRIATE ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS TO PROTECT PRIVATE HEALTH INFORMATION.

  • YOU MUST ENSURE THE CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY OF ALL PHI YOUR OFFICE CREATES, RECEIVES, MAINTAINS, AND/OR TRANSMITS.
  • YOU MUST IDENTIFY AND PROTECT AGAINST REASONABLY ANTICIPATED THREATS TO THE SECURITY OR INTEGRITY OF THE INFORMATION.
  • YOU MUST PROTECT AGAINST REASONABLY ANTICIPATED IMPERMISSIBLE USES OR DISCLOSURES.
  • YOU MUST ENSURE COMPLIANCE BY YOUR WORKFORCE.

NOW FOR THE SCARY PART:

HIPAA VIOLATIONS ARE COSTLY FOR ANY PRACTICE. PENALTIES RANGE FROM $100 TO $50,000 PER INDIVIDUAL VIOLATION, UP TO A MAXIMUM OF $1.5 MILLION FOR MULTIPLE IDENTICAL VIOLATIONS. THIS MEANS EACH NAME, SOCIAL SECURITY NUMBER, OR PHONE NUMBER STOLEN FROM SOMETHING AS SIMPLE AS AN EXCEL SPREADSHEET IS TREATED AS AN INDIVIDUAL VIOLATION.

RECENTLY, A DERMATOLOGY PRACTICE PAID $150,000 IN FINES ARISING FROM THE LOSS OF A SINGLE UNENCRYPTED FLASH DRIVE.

A HOSPITAL WAS RECENTLY FINED $218K FOR USING A CLOUD-BASED FILE SHARING SERVICE AND VIOLATING HIPAA REQUIREMENTS. ALTHOUGH THERE WAS NO EVIDENCE A BREACH OCCURRED, THE OFFICE FOR CIVIL RIGHTS, OR OCR, DEEMED THE METHOD BEING USED WAS RISKY ENOUGH TO WARRANT THE FINE. ANOTHER EXAMPLE COST A HEALTHCARE FACILITY IN MINNESOTA $1.5 MILLION FOR NOT HAVING A BUSINESS ASSOCIATE AGREEMENT EXECUTED WITH A CONTRACTOR. AN ORTHOPEDIC OFFICE IN NORTH CAROLINA AGREED TO PAY $750,000 FOR THE SAME VIOLATION WHEN THEY PROVIDED X-RAY FILMS OF 17,000 PATIENTS TO A VENDOR WITHOUT OBTAINING A BUSINESS ASSOCIATE AGREEMENT.

TO BE CLEAR, THOSE LAST 2 EXAMPLES’ ENORMOUS FINES WERE DUE SIMPLY TO NOT HAVING A SIGNED PIECE OF PAPER.

YOU ARE RESPONSIBLE FOR EVERY FILE, PC, TABLET, SERVER, SMARTPHONE, EMAIL, AND TEXT THAT CONTAINS YOUR PRACTICE’S EPHI.

YOU ARE RESPONSIBLE FOR THE LEVEL OF ACCESS EVERY EMPLOYEE, VENDOR, AND ASSOCIATE HAS TO YOUR PATIENTS’ INFORMATION.

YOU ARE RESPONSIBLE FOR THE CONFIDENTIALITY, INTEGRITY, AND ACCESSIBILITY OF ALL OF YOUR PRACTICE’S PATIENT HEALTH INFORMATION.

AND YOU ARE RESPONSIBLE FOR SAFEGUARDING AND RECOVERING YOUR PATIENT HEALTH INFORMATION IN THE EVENT OF LOSS DUE TO HACKERS, HARDWARE ISSUES, OR ACTS OF GOD.

ENFORCEMENT EXAMPLES: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/

AWARENESS IS NOT THE FIRST STEP IN BEING HIPAA COMPLIANT.

A HIPAA CLIENT RISK ASSESSMENT IS THE FIRST STEP. (TAKE YOUR TEST)

A RISK ASSESSMENT ALLOWS US TO IDENTIFY YOUR PRACTICE’S VULNERABILITIES AND NON-COMPLIANT PROCEDURES.

WE WILL THEN PROVIDE YOU WITH A HIPAA RISK SCORE AND ASSEMBLE A COMPREHENSIVE PLAN TO PROTECT YOUR PATIENT HEALTH INFORMATION.

CLICK HERE TO SCHEDULE YOUR ASSESSMENT, AND PUT YOUR ORGANIZATION ON THE PATH TO HIPAA COMPLIANCE.

LET ACG247 BE YOUR TRUSTED HIPAA COMPLIANCE ADVISOR.


Sincerely,

Rehman Niazi – CTO, Director of Business Development, Senior Network Engineer