HIPAA Breach Settlements and Ransomware Attacks - Is Your Practice Secure?

February 5th, 2018 - Wyn Staheli, Director of Research
Categories:   HIPAA|PHI  

Two recent reports should make providers stop, take notice and make sure their practice's policies and procedures are up-to-date.

The first one involves a HIPAA breach settlement with a company operating facilities in several states. The memo from the HHS Office for Civil Rights (OCR) stated: "In addition to a $3.5 million monetary settlement, a corrective action plan requires the FMCNA covered entities to complete a risk analysis and risk management plan, revise policies and procedures on device and media controls as well as facility access controls, develop an encryption report, and educate its workforce on policies and procedures." The following failures were outlined in the report:

  1. Failure "to conduct an accurate and thorough risk analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI."
  2. They "impermissibly disclosed the ePHI of patients by providing unauthorized access for a purpose not permitted by the Privacy Rule."
  3. Failure "to implement policies and procedures to address security incidents."
  4. Failure "to implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI into and out of a facility; and the movement of these items within the facility."
  5. Failure "to implement policies and procedures to safeguard their facilities and equipment therein from unauthorized access, tampering, and theft, when it was reasonable and appropriate to do so under the circumstances."
  6. Failure "to implement a mechanism to encrypt and decrypt ePHI, when it was reasonable and appropriate to do so under the circumstances."

Every healthcare practice needs to review these six items and confirm that it has taken the appropriate steps to comply. A Risk Analysis must be conducted and kept current; the Security Rule does not fix a schedule, but most guidance recommends repeating it at least annually and after any significant change to systems, vendors, or workflows. It is essential that the items above are addressed and that you have appropriate policies and procedures in place, which brings us to the next issue.

The second incident involved a ransomware attack on a large EHR company. Approximately 1,500 practices were essentially shut down and in some cases unable even to schedule appointments. While this attack could not have been prevented by those healthcare practices, it shines a light on one important HIPAA provision: a disaster plan. The HIPAA Security Officer is responsible for implementing and testing a contingency and disaster recovery plan, including how the practice continues to operate when a vendor-hosted system is unavailable. Practices that have complied with HIPAA by having a viable, tested contingency plan are better able to face situations like this.

To help providers maintain compliance, Find-A-Code's Complete and Easy HIPAA Compliance publication includes, as part of its downloadable, editable templates, a Contingency Plan Procedure (includes a disaster recovery plan) and a Policies and Procedures document.







Codapedia™ by InnoviHealth Systems™ - 62 E 300 North, Spanish Fork, UT 84660 - Phone 801-770-4203 (9-5 Mountain) - Fax (801) 770-4428

Copyright © 2009-2019 Find A Code, LLC - CPT® copyright American Medical Association