HIPAA + Meaningful Use – Aegify (https://www.aegify.com), Comprehensive Security, Risk and Compliance Assurance Solution

A Small Breach, But a Big Fine Once Again
https://www.aegify.com/a-small-breach-but-a-big-fine-once-again/
Thu, 20 Sep 2012 14:02:04 +0000
It was Alaska DHSS first, and now it is the Massachusetts Eye and Ear Infirmary suffering a big consequence for a relatively small breach. The organization has agreed to pay a hefty penalty of $1.5 million for HIPAA violations identified during OCR’s investigation of the theft of an unencrypted laptop that occurred in 2010.

This Boston-based teaching hospital of Harvard Medical School has also agreed to a corrective action plan similar to the one in the case of Alaska DHSS, including reviewing, revising, and maintaining policies and procedures for HIPAA security compliance. In addition, the agreement requires the organization to engage an independent monitor to conduct assessments of compliance with the corrective action plan and to submit semi-annual reports to the Department of Health and Human Services for a period of three years.

Industry experts are of the opinion that this incident yet again reinforces the need for organizations to improve their HIPAA compliance efforts. Rebecca Herold, an independent security consultant who heads the firm Rebecca Herold & Associates, stated that organizations of all sizes that possess protected health information should implement long-held, proven, and widely accepted security measures for all types of personal data. She further said that many organizations take a wait-and-see approach to implementing security controls: they want to be told to implement encryption, employee training, and so on before making any such investment, and they do not want to take action unless it is proven that these security measures are absolutely necessary.

Entities should understand that preventing a breach costs significantly less than paying a penalty and taking corrective action after a breach has occurred and the organization’s reputation has been lost. In the case of the Massachusetts hospital, OCR launched an investigation after the theft of a laptop was reported in February 2010. This unencrypted laptop contained information on more than 3500 patients as well as 68 participants in a research project.

The investigation revealed that the hospital had failed to take the necessary steps to comply with several requirements of the HIPAA Security Rule, including conducting a risk analysis, implementing adequate security measures, and adopting policies restricting access to protected health information. It was also found that these failures had continued over an extended period of time, demonstrating long-term disregard for HIPAA norms.

This is the second time in three months that a huge penalty has stemmed from a small breach. The incident further highlights the need to be fully compliant with HIPAA rules at any given point in time. This is possible only with a solution like SecureGRC, which takes care of all the security requirements with its built-in HIPAA compliance framework and allows organizations to steer clear of security challenges.

The post A Small Breach, But a Big Fine Once Again appeared first on Aegify.

HIPAA and Meaningful Use Now Tightly Intertwined
https://www.aegify.com/hipaa-and-meaningful-use-now-tightly-intertwined/
Mon, 03 Sep 2012 06:13:52 +0000
The provisions of the two final rules of Stage 2 of Meaningful Use released last week have attracted significant attention, especially the rule demanding retention of patient engagement obligations. However, what is more striking is how these two final rules are intertwined with the privacy and security requirements of HIPAA, even though many commenters on the proposed rules had asked the Centers for Medicare & Medicaid Services to remove redundancies. This clearly shows that the government’s top priorities lie in keeping electronic records secure and in allaying patients’ fears about the security of their medical records.

Elizabeth Holland, Director of the HIT Initiative Group of CMS’ Office of e-Health Standards and Services, said that HIPAA is now being reinforced, and that there will be added emphasis on the privacy and security of patient information, as people are wary about the confidentiality of their health records when those records go electronic.

So, conducting an effective risk assessment of EHR and safeguarding EHR from vulnerabilities are now not only part of HIPAA’s security rules but also an explicit requirement under the Stage 2 rule of Meaningful Use. However, the requirements of the two rules are not identical. According to Elizabeth Holland, while HIPAA does not require an annual risk assessment, the Meaningful Use program requires risk assessments to be conducted every year, and these assessments must more specifically address data encryption for EHR.

While the final Stage 2 rule has adopted most of the provisions of HIPAA, there are some noteworthy differences too:

  • Firstly, the proposed rule requires encryption to be enabled as a default setting on EHRs, and the ability to disable this setting should be limited.
  • Secondly, the rule that expands the accounting-for-disclosure obligations for patient data in electronic form is not yet final, but the proposed Stage 2 rule recommends it as an “optional” criterion for meeting the certification obligations of Stage 2.

While the proposed certification rule included certain technical requirements in dealing with patient requests for amending electronic data, the final rule allows some flexibility in this capability.

So it is quite evident that if you are complying with HIPAA, you should be able to meet the Stage 2 requirements of Meaningful Use with little difficulty. But it is important to remember that this intertwining of HIPAA and Meaningful Use rules also means that if you are not complying with one of them, you may be violating both. This reinforces the need for a solution like SecureGRC, which can help you meet the requirements of HIPAA effectively by safeguarding health records in a comprehensive manner, while also ensuring that you significantly benefit from ‘Meaningful Use’ of EHR.

The post HIPAA and Meaningful Use Now Tightly Intertwined appeared first on Aegify.
