Monthly Archives: March 2011

Over $5.3 Million Fines Imposed for HIPAA Violations

Full article: Massachusetts General Hospital was fined $1 million for violating the Health Insurance Portability and Accountability Act (HIPAA). It is only the second fine imposed on a health care organization by the US Department of Health and Human Services (HHS) since HIPAA went into effect in 2003. “We hope the health care industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement,” Georgina Verdugo, the director of the agency’s Office for Civil Rights (OCR), said on Feb. 24.

The steep fines should make organizations think twice about skimping on HIPAA compliance, wrote Chester Wisniewski, a Sophos senior security advisor, on the NakedSecurity blog. A doctor once told Wisniewski, “When they start putting doctors in jail, I’ll worry about encrypting my records.”

Mass General lost the medical records of 192 patients when a hospital employee accidentally left the documents on the subway in March 2009. The patients were part of the hospital’s Infectious Disease Associates outpatient practice and may have included patients with HIV/AIDS. The misplaced documents included a patient schedule containing names and medical record numbers, as well as billing forms containing names, dates of birth, diagnoses, and insurance policy information. The subsequent investigation into the breach found that the hospital had failed to implement “reasonable, appropriate safeguards” to protect patient privacy when records are removed from the premises. As part of its settlement with HHS, the hospital has to designate a director of internal audit to assess compliance and report the results to HHS for the next three years.

The first fine was imposed on Cignet Health, for not providing records in a timely manner. The $4.3 million penalty was not for a data breach but for failing to cooperate with an investigation. Cignet, which operates two clinics in Maryland, refused to provide records to 41 patients who asked for them, and also did not comply with OCR’s request for those records.
OCR imposed the fine for the company’s “willful neglect” in cooperating with OCR for nearly 13 months. Cignet did not help matters when it finally complied with a subpoena: the health center provided 59 boxes of medical records belonging to over 4,500 patients, not just the records of the 41 patients that had been requested. “Covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements,” Verdugo said. While the compromised records in both cases were physical rather than electronic, the law does not differentiate between the two, said Wisniewski.

Continuously evaluating your security with the ever changing technology landscape

Full article: We have seen a surge in the implementation of electronic health records (EHR). This has of course improved access to patient medical data and made it accessible from literally anywhere in the world. But with the incredible growth of smartphones among consumers and clinicians comes the challenge of ensuring the protection and safety of those medical records.

When an organization chooses to implement a complete EHR in its environment, the software vendor will assist in implementing, configuring, installing, and maintaining the system. The vendor will also stage the system for access from a patient portal, smartphones, tablets, and other channels. But as health information becomes accessible from more devices and at more points, ensuring the security of the entire infrastructure becomes a daunting task for many IT departments. The real security difficulty in today’s complex environment is the unknowns introduced by newly adopted mobile devices. Mobile devices are not the only source of potential data exposure, however. Most EHR vendors advertise that patient data is secured and can only be accessed by users who are allowed to see it; in practice that claim often does not hold. The following situations can jeopardize patient information:

- Some EHR products, once installed on an end user’s PC, download data to the workstation’s temp folders and retain protected health information (PHI) on the local machine, where it is accessible by ANYONE with local access.
- The Windows Phone 7 SD card file system is not encrypted, which means that installed apps and their data can be read if the device is compromised.
- Several EHR products use database engines (for example Advantage, Ctree, SQL, MySQL) that can easily be opened and their data extracted by technical staff who may not, and should not, have access to clinical data. Several tools available online make it easy to reach health data that should only be accessible to the end user through the application.
- A few products on the market also allow unsecured e-mail, which may contain sensitive medical information about the patient, to be sent from the application.
- Web servers inside the organization may be exposed to the internet to provide data access for smartphones and tablets through web services. Because they are directly exposed to anyone who may target the organization, they require far more careful security planning.
- Some EHR products store images or documents such as scanned charts in wide-open shares that anyone in the organization can access.

While there are several other areas that can pose a risk to health organizations and allow data to leak, many CIOs and health administrators have followed a methodology to ensure that their data is protected and secured regardless of the new products and technologies implemented.
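Two of the exposures listed above, PHI left in a workstation temp folder with permissive ACLs and scanned charts sitting on wide-open shares, can be checked for directly on a Windows host. The script below is an added example written for this page, not code from the original article or from any EHR vendor. It assumes Windows 8 / Server 2012 or later (for the SmbShare module), a host where the EHR client is installed, and a hypothetical cache folder name ($EhrTempPath) that you would replace with the product’s real one.

```powershell
# Added audit example (not from the original post). Assumes the SmbShare module
# (Windows 8 / Server 2012+) and local administrator rights to read all ACLs.
# $EhrTempPath is a hypothetical cache location; set it to the EHR client's real folder.

$EhrTempPath = Join-Path $env:TEMP 'EhrClient'

# Principals that effectively mean "anyone on the machine / network".
$broadPrincipals = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')

# 1. Non-administrative shares whose share-level permissions allow a broad principal.
function Get-OpenShares {
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $broadPrincipals -contains $_.AccountName } |
            ForEach-Object {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $_.AccountName
                    Right     = $_.AccessRight
                }
            }
    }
}

# 2. Files in the client's cache folder whose NTFS ACL lets a broad principal read data.
function Get-OpenCacheFiles {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return }
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -Path $file.FullName
        $open = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $readData) -ne 0)
        }
        if ($open) {
            [pscustomobject]@{
                File       = $file.FullName
                Principals = ($open.IdentityReference.Value -join ', ')
                SizeBytes  = $file.Length
                LastWrite  = $file.LastWriteTime
            }
        }
    }
}

Write-Host '== Shares readable by broad principals =='
Get-OpenShares | Format-Table -AutoSize

Write-Host "== Cache files under $EhrTempPath readable by broad principals =="
Get-OpenCacheFiles -Path $EhrTempPath | Format-Table -AutoSize
```

Share-level permissions and NTFS permissions are evaluated together (the more restrictive wins), so a share flagged by the first function is only truly open if the underlying folder ACL is also permissive; run the second function against the share’s Path to confirm. The ReadData bit check deliberately catches generic "Read" and "FullControl" grants as well, since both include it.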