Inside A HIPAA Breach - InformationWeek

Comments
dandmi
User Rank: Apprentice
11/13/2014 | 12:59:15 PM
Getting the CE to Sign Off on Noncompliant Solutions
The hardest part of being a BAA (especially a provider of tech solutions) is that many doctors and dentists don't want to buy all of the services that will keep them compliant on their networks. When we are asked to install systems with configurations that don't comply with HIPAA (i.e., automatic logoffs, passwords on PCs, etc.), we need them to sign off stating that "best practices were proposed, but the CE elected not to go forward with fully compliant systems".

Unfortunately, this practice does not sit well with the covered entity; however, it's important to make sure that the CE acknowledges that best practices for network configuration have not been deployed.

BAAs can be the first group to be thrown under the bus when an audit takes place, so my advice to BAAs is to dot your i's and make sure there is written acknowledgement if fully compliant solutions are not deployed.

How do other BAAs approach this scenario?
Alison_Diana
User Rank: Author
10/23/2014 | 3:35:45 PM
Re: HIPAA Certified
Good ideas here, Gary. And that wisdom also extends to other devices, doesn't it, like printers? That, at least, is what I have learned from other experts in the past.
Alison_Diana
User Rank: Author
10/23/2014 | 3:34:37 PM
Re: Speaking Out
The case has not yet been resolved. The dental surgeon is waiting to hear what happens from the government but is trying to mitigate his damage by taking the steps I outlined in the article, both in hopes of reducing his risk and because he really doesn't want to run the risk of exposing patient data. He felt terrible, of course.
Alison_Diana
User Rank: Author
10/23/2014 | 3:32:55 PM
Re: Exceptional reporting!!!
Thank you so much, @JerryWebb. As you so accurately point out, each state may have its own variations above and beyond HIPAA. I know Florida, where I live, has its own rules, and you mention Texas. There is no such thing as a one-size-fits-all approach, and if I were a healthcare provider, especially a smaller one, I would take some outside expert counsel here.
Gary Scott
User Rank: Moderator
10/23/2014 | 3:13:43 PM
HIPAA Certified
HIPAA includes specific provisions on data protection. When outsourcing projects to a third party, the HIPAA Privacy Rule requires that a covered entity obtain satisfactory assurances from the business associate that the organization will safeguard EPHI it receives.

If you are a covered entity searching for an EPHI service provider, steer clear of any organization that tells you they are 'HIPAA Certified'. HIPAA Certification does not exist. Not only does HIPAA not certify providers for handling EPHI, HIPAA does not give steadfast rules on how services should be provided.

For example, when it comes to destroying EPHI from computer hard drives, HIPAA suggests 1) erasing, 2) degaussing or 3) physically shredding computer hard drives. HIPAA also says "Other methods of disposal also may be appropriate, depending on the circumstances." When dealing with EPHI and HIPAA regulations, do yourself a service and err on the safe side.

When it's time to dispose of your Windows XP computer (that time has already come and gone), have a third party vendor shred your hard drives. Opting for the most secure handling of EPHI will help your business in the long run.
jerrywebb
User Rank: Apprentice
10/9/2014 | 1:34:49 PM
Exceptional reporting!!!
I see situations "in the trenches" like this every week (up to and including the "finger pointing" and being caught up in litigation). The notion that BA agreements are being used like cookie cutter templates is spot on. Many in the IT industry (where I come from) arbitrarily sign these agreements without a clue what they mean or the consequences (especially in Texas, where there are more implications besides federal HIPAA law). The HIPAA compliance process is a journey, not a destination!! During a REAL RISK ANALYSIS, any security professional should discuss the pros and cons of SaaS / CLOUD (it's NOT new technology, and there are serious pros and cons), MSPs and all the other IT buzzwords that get offered to small businesses (who usually don't have a clue, nor can they afford someone who does). It's not all about "what is the cheapest" when it comes to anything IT, which is (sadly) where IT has gone over the last decade, having been in it for 40 years.
gcaus
User Rank: Apprentice
10/9/2014 | 9:52:32 AM
Re: Speaking Out
Clearly, with XP and other major issues regarding compliance, were there any fines from the OCR?! Please don't tell me that the only penalty was they had to pay for credit monitoring. If that is the case, I don't see how this scares physicians. Most aren't doing anything, or printing out some policies and getting an EHR.
marias117
User Rank: Apprentice
10/8/2014 | 4:25:52 PM
HIPAA Certified?
A quick quotation of the article:

"Even though the breach occurred at a technology service provider that signed a business associate contract and was HIPAA certified"

Last time I checked, no certification program is recognized by any federal governing office. Also, at the end of the article there is a mention of Windows XP still being used in the practice.

I think this is more related to the quality of service of the business associate that was providing HIPAA advice. 
Alison_Diana
User Rank: Author
10/7/2014 | 10:10:10 AM
Speaking Out
Although "Dr. Jones" didn't want to use his own name, he wanted to speak to me because he was concerned other small practices could easily find themselves in the same position: thinking they'd done everything they could to secure patient data and were safe, thanks to business associate contracts. As he discovered, this is not the case.