HIPAA Breach Settlements and Ransomware Attacks - Is Your Practice Secure?

February 5th, 2018 - Wyn Staheli, Director of Research
Categories:   HIPAA|PHI  

Two recent reports should make providers stop, take notice and make sure their practice's policies and procedures are up-to-date.

The first one involves a HIPAA Breach settlement of a company with facilities in several states. The OCR memo stated "In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures." The following failures were outlined in the report:

  1. Failure "to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI."
  2. They "impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule."
  3. Failure "to implement policies and procedures to address security incidents."
  4. Failure "to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility; and the movement of these items within the facility."
  5. Failure "to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances."
  6. Failure "to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances."

Every healthcare practice needs to review these six items and confirm that it has taken the appropriate steps to ensure compliance. A Risk Analysis must be conducted annually. It is essential that the previous items are addressed and that you have appropriate policies and procedures in place - which brings us to the next issue.

The second incident involved a ransomware attack on a large EHR company. Approximately 1,500 practices were essentially shut down and in some cases unable to even schedule appointments. While this attack could not have been prevented by those healthcare practices, it shines a light on one important HIPAA provision - a disaster plan. The HIPAA Security Officer is responsible for testing and implementing a contingency and disaster recovery plan. Those practices that have complied with HIPAA by having a viable contingency plan are more effectively able to face situations like this.

To help providers maintain compliance, Find-A-Code's Complete and Easy HIPAA Compliance publication includes, as part of its downloadable, editable templates, a Contingency Plan Procedure (includes a disaster recovery plan) and a Policies and Procedures document.


