HIPAA trends that could affect your business
May 9th, 2016 by aperio

The HIPAA Audit Program

On March 21, 2016, the Department of Health and Human Services, Office for Civil Rights (OCR) launched Phase 2 of its HIPAA Audit Program. This phase of the audit program, “…will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”

According to the OCR, the number of audits done in this phase will be relatively small. This smaller number of audits reflects the OCR’s primary goal of better understanding the compliance efforts of covered entities and their business associates. The audit results will hopefully provide information to help the OCR determine what support is necessary for successful compliance.

This could be good news for companies that experience an audit; while the OCR maintains the option to initiate a compliance review in the case of egregious compliance issues, it will probably not be focusing primarily on enforcement actions.

HIPAA’s Privacy Requirements vs. the Spread of Social Media

How to maintain patients’ privacy in the face of widespread social media use is an ongoing challenge. With privacy rules that were originally written in 2000, then updated only once in 2009, it’s no wonder that HIPAA is lagging behind the rapid pace of technological change.

Although current regulations don’t completely cover the changing technological landscape, there are some common sense steps businesses can take to protect themselves. A good practice is to carefully remove all identifiers from PHI if it must be shared without the patient’s prior consent.

But be warned: modern search engines mean that surprisingly small amounts of information can unexpectedly be enough to identify patients. This means even a seemingly vague post on a site like Facebook could contain enough information to identify a patient, leading to liability concerns for the poster and their employer. Examples in the past few years include a Rhode Island physician who lost her privileges to work in the Emergency Room and faced a monetary fine for posting information online about a trauma patient. According to a Boston Globe article, “… [the] posting did not include the patient’s name, but… enough that others in the community could identify the patient.”

Your company will need to have clear, well-planned policies regarding social media use and will need to be certain that all employees have been made aware of these policies.

If you’d like to learn more about how HIPAA compliance affects your business, Aperio will be holding a Lunch & Learn Event on Wednesday, June 8. Brian Olsen, HIPAA Security Advisor, will be joining us to help answer your concerns about HIPAA regulations.


Additional information on HIPAA:

  • For a detailed look at dealing with Protected Health Information online, read The Hospitalist’s article on avoiding data breaches and HIPAA violations when posting online.
  • For a basic introduction to what the Health Insurance Portability and Accountability Act is, you can check out our previous blog post “What Does HIPAA Mean?”
  • To learn more about what your IT team will face when dealing with HIPAA compliance, take a look at our blog post “What Does Your IT Team Need to Know about HIPAA Compliance?”
Business Lessons Learned From The Sony Hack Attack
Jan 5th, 2015 by aperio

The hack attack on Sony has been a business disaster for the movie company.

In addition to leaked emails, revelation of salary data, and unfortunate disclosure of various private opinions regarding movie stars and upcoming films, the company’s stock price fell by double digits.

Sony’s business is of course entertainment and the media has had a field day with all the secret details regarding Hollywood celebrities. The nightly newscasts have played out like a soap opera and the company’s attempts to plug the gaps have been futile at best.

It remains to be seen how all this will play out long-term both internally and externally. Certainly relationships have been stressed to the maximum with corporate executives. Movie makers and “A” list actors may be hesitant to do business with the company.

While many cyber experts, including the FBI, have been quoted as saying this attack was planned and executed at a very high level of sophistication, reports indicate the company was not in full lock-down from a potential breach.

In fact, its PlayStation network suffered an attack in 2011. Personal information on millions of PlayStation gamers was stolen. The network was down for weeks. Many question whether these issues were ever fully addressed.

Admittedly Sony is a worldwide organization and high-level cyber attacks are more likely targeted against larger well-known companies. JP Morgan Chase and eBay were both recent targets.

Still most companies of all sizes can take appropriate steps to ensure the highest levels of security protection are in place.

These include…

1. Investing appropriately in cyber security. Many large corporations don’t allocate the resources for high levels of security. They wait until disaster strikes and then make the appropriate investment in firewalls, antivirus programs, etc. The same holds true for smaller organizations. Unfortunately, smaller companies may not have the luxury of as easy a bounce-back as a multi-national giant. Small firms could lose sales, contacts and key data. A small business could be down for days or even weeks. Such a breach for a smaller organization could make the difference between ensuring a year of profitability or falling into the “red”.

2. Preparing for a well-planned response. All businesses should have a back-up system in place. Electronic off-site back-up utilizing the cloud, for example, is a solid way to retain all records and data should records be breached, stolen and/or lost. Proper back-up enables a company to maintain business operations with as little downtime as possible.

3. Creating a crisis communications plan. Chances are your firm will not be the subject of intense media scrutiny should a breach occur and important, private data be made public. Still, in this litigious environment it makes sense to have a plan in place should a crisis occur. This should involve a technology component to discover how the breach occurred and to take the proper IT-related steps to prevent it from happening in the future. It should also involve a media component to properly address inquiries from print and television reporters. The document should be reviewed and updated periodically. Hopefully this plan will not need to be enacted, but it is money well spent should disaster occur.

The hack attack on Sony is a good reminder that an attempted breach can occur to almost any company at any time. Executives should not be hesitant to invest in the highest levels of Internet security no matter the size of the business.

 

Article Source: George Rosenthal
Photo Source: Christopher Skorr