My New Year’s resolutions will likely be broken early and often in 2016. My consequences are mostly non-monetary: a few more pounds, a little less savings, and not winning the triathlon in my age group. Your consequences, as a HIPAA-covered entity or business associate, for not complying with the Privacy and Security Rules could be much greater, and could put you into serious debt to the HHS Office of Civil Rights (OCR). Therefore, we propose that you resolve now to become fully HIPAA compliant in 2016.

OCR delivered an early holiday gift, wrapped in the Director’s Sept. 23, 2015, report to the Office of Inspector General. In that report, she disclosed that OCR will launch Phase 2 of its HIPAA audit program in early 2016, focusing on noncompliance issues for both covered entities and business associates.

So, grab that cup of hot cocoa and peruse this review of 2014-2015 HIPAA enforcement actions, which should help identify noncompliance issues on which OCR will focus in 2016. 
Continue Reading HIPAA compliance: another year older, but hopefully not deeper in debt

HIPAA and the IRS. There isn’t a whole lot of guidance out there about what to do when the IRS knocks on your organization’s door and asks for protected health information. Should the agency be treated as a cop or robber?

The most risk-averse approach for a HIPAA-covered entity or business associate to take is to treat the IRS as a potential thief and draw the deadbolt when it comes to data requests involving PHI. Such a tack would, among other things, comply fully with HIPAA’s minimum necessary requirement and, frankly, reinforce the Everyman attitude toward the agency. Moreover, PHI produced in response to an information document request (IRD) is unlikely to be treated under 45 CFR 164.512 as a disclosure required by law, a disclosure for an administrative proceeding, or a disclosure for a law enforcement purpose, because the IRS appears to lack the authority to compel compliance with an IRD. However, we should be careful that we don’t always and automatically view the IRS with HIPAA suspicion –  in some circumstances the IRS does perform a legitimate healthcare oversight function for which it may receive PHI without individual authorization, consistent with HIPAA’s treatment/ payment/ operations exception.
Continue Reading Cops or Robbers: PHI, the IRS and IRDs

Wow, our group health plan premiums are crushing us. Wait a minute—what if we ramped up our company’s wellness program, using cool technology to help get our workforce in shape? Let’s get all our employees to use those wearable fitness tracker gizmos! We can fold those into our BYOD program, offer a device subsidy, and then have our employees report their stats and progress in some kind of fitness competition, with cool stuff as motivating rewards. Premium costs down, flab down, fitness up, profits up… what could possibly go wrong?

Plenty will go wrong, unless the company takes a breather and checks the pulse of information-related risks and compliance issues. So, let’s run a quick information governance circuit drill.
Continue Reading IG perspective: Are wearable fitness trackers fit for the workplace?

 will be missed, but his wisdom will endure. Who else could have observed “No one goes there nowadays. It’s too crowded”? The information governance equivalent is “No one has information anymore. There’s too much of it.” In the last decade we have witnessed the systemic utilitization of computing power. Data used to be housed predominantly within a company’s own systems, but now, through remote storage, SaaS, PaaS, and other cloud solutions, more and more information is hosted by third-party providers. Also, as marketplace forces compel organizations to leverage or outsource functions that used to reside internally, operational service providers increasingly create, receive, maintain, and process information on the organization’s behalf.

It follows that information governance (the organization’s approach to satisfying information compliance and controlling information risk while maximizing information value) can no longer simply be an internally-focused exercise. IG “has come to a fork in the road, and must take it.” Service provider selection, contracting, and oversight are now primary vehicles of information governance – because when it comes to governing your organization’s information, “the future ain’t what it used to be.”
Continue Reading 90% of information governance is half contracting

Cancer Care Group, P.C. settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules on September 2 with the U.S. Department of Health & Human Services Office for Civil Rights (OCR) for $750,000. Cancer Care, a radiation oncology private physician practice located in Indiana, also agreed to adopt a corrective action plan to remedy defects in its HIPAA compliance program.
Continue Reading $750K HIPAA settlement highlights importance of risk analysis, device control policy

Healthcare is trending toward value-based payments. Back in January, Sylvia Burwell of the of the U.S. Department of Health & Human Services announced Medicare’s move toward paying providers based on quality, rather than quantity, of care they give to patients. Secretary Burwell emphasized the importance of alternate payment models, including accountable care organizations (“ACOs”). Regardless of whether you are for or against value based payments, ACOs are will play a big role in the future of healthcare, and many providers will find themselves involved in an ACO. So, what are the privacy and security issues associated with being an ACO participant?
Continue Reading Privacy & security issues for ACO participants

Ineffective wireless encryption

Taped-over door lock on data room

Inadequate passwords

Computers without adequate log-off

Disabled audit logging

Unencrypted email and laptops

Former employees with inappropriate network access

These vulnerabilities and more (a total of 151) were found at seven large hospitals during a round of audits by the Department of Health & Human Services. Although these vivid examples point to hospital systems, HIPAA applies also to many other types of covered entities and business associates including, of course, physician practices. These non-hospital providers are most likely even more vulnerable to such lapses as they are less likely to have dedicated information technology staff, legal departments, and formalized record-keeping practices.
Continue Reading Seven steps to better information management for small health practices

Having no need to brandish bandanas to obscure identity or firearms to force entry, cyber bandits, in a sophisticated and well-orchestrated robbery, waltzed into the IT vaults of Anthem, the second-largest U.S. health insurer, and walked off with personally identifiable information on about 80 million current and former members, a population that comprises Anthem customers,