Implementing a strong HIPAA Compliance framework is a requirement for all Covered Entities and Business Associates, but many practices don't realize this is also their best strategy to prevent a breach from happening!   My hope is that understanding what the OCR will ask you for after a Data Breach will help you implement an IT security framework that will reduce your chances of ever experiencing a data breach.  

New ransomware is bad news for healthcare organizations

CryptXXX Ransomware provides the scenario we feared most.  Not only does CryptXXX encrypt a victims files, but it also copies data off of the victim's computer.  This can be consideered unauthorized access, and needs to be reported as a Data Breach.  The following article is written by Art Gross, our partner at HIPAA Secure Now. Read his article to learn more about this very dangerous new ransomware, and what you can do to prevent it.

Encryption Could Have Prevented Centene's Data Breach of 950,000 Patient Records

Encrypted Devices with PHI can be lost or stolen and it is not considered a Data Breach.  Encryption is like a Get Out of Jail Free Card!  Health Insurance credentials sell for $20 each on the black market, but when supplemented with personally identifiable information (PII) such as birth date, place of birth, social security number, it can yield over $1000 per record.  These are scary times, and Centene, a St. louis based health insurer is the latest victim of a data breach that will make your head spin.  The worst part is that it could have been easily prevented with one simple and inexpensive security measure.

Implementing a strong HIPAA Compliance framework is your best plan to prevent a breach. Understanding what the OCR will ask you for in the event of a Data Breach, and preparing all of this documentation ahead of time will give you a very good head start on HIPAA Compliance and may just prevent you from experiencing a breach.

The HIPAA Privacy Rule allows covered entities and health plans to disclose protected health information (PHI) to business associates, but only if the business associate signs a Business Associate Agreement in which it assures that it will appropriately safeguard the PHI it receives or creates on behalf of the covered entity.  So, which of your vendors need to sign a B.A. Agreement?  Here is a helpful list of vendors that need to sign your Business Associates Agreement.  You may be surprised!

Hackers are getting more sophisticated every day, and the ways they lure you to give them access to your computer are downright devious.  It is important that all employees are aware of these simple rules that will help prevent intruders from accessing your computer network.  

Protected Health Information (PHI) is defined as information in any format that identifies the individual, including demographic information collected from an individual that can reasonably be used to identify the individual.  PHI is information created or received by a healthcare provider, insurance company, employer, or health care clearinghouse, and relates to the past, present, or future physical or mental health or condition of an individual.  

In order for Covered Entities and Business Associates to protect PHI, it is critical that you are aware of these 18 identifiers that constitute that the information qualifies as PHI. 

The experts predict that it is not "if" businesses will be the victim of a data breach, it's is "when".  In fact, they believe that most businesses already have been victimized.  If the chances are that high, it would be a great idea to start thinking about what you will want to tell your customers when you notify them. Seriously, what will you want to be able to tell them about how you protected their personal information.

As hackers continue to target healthcare data, security needs to be top priority.

Most healthcare service providers don’t realize how vulnerable their IT systems are to cyber attacks. One of the contributing factors to data breach is the conversion from paper records to electronic files. Despite many benefits, there is no denying that it increases the risk of data theft. And since stolen healthcare information can be used to commit identity theft and financial crimes, securing healthcare data has become more important than ever.

While working with busy medical practices to conduct an independant HIPAA Risk Analysis, I am always amazed to find the same compliance issues.  If you are the Security Officer for your company, correcting the following violations is a great step toward HIPAA Compliance.