Before the Ransomware Damage is Done

How a single ransomware attack destroyed a thriving medical business, and how to avoid it happening to you or your clients. I was sitting at a local breakfast spot near my home in Michigan one recent morning with a friend. I was discussing my work (online training for compliance and security in healthcare) when a neighbor leaned in to say she had overheard me and wanted to share a story she thought I might be interested in. Apparently, a medical practice that did quite well in the Battle Creek area experienced a data breach which locked down all of their patient records and accompanying files. Shortly thereafter they received a “ransom” message requiring them to pay $6500 for the key to unlock those files. Ransomware attacks are becoming more and more common in healthcare. The payload is a...


STOP SUPERBUGS AND HAIs WITH STRATEGIC INFECTION PREVENTION

Create a Culture of Healthcare Site Compliance in 5 Simple Steps

The recent Center for Disease Control (CDC) report on Antibiotic Resistance Threats in the United States (2019 AR Threats Report) includes the latest national death and infection estimates that underscore the growing risk of antibiotic resistance in the US. According to the report, more than 2.8 million antibiotic-resistant infections (superbugs) occur in the United States each year, and more than 35,000 people die as a result. In addition, more than 200,000 cases of Clostridioides difficile (C-diff) were tracked in 2017, with over 12,000 deaths. Director Tom Frieden, M.D., M.P.H. has stated that the CDC soon plans to support Antibiotic Resistance Prevention Programs in all 50 states. Clinical practitioners are tasked with...


The Many Forms of HIPAA Enforcement

How is HIPAA enforced? That may be a simple enough question, but it also contains more nuance than may initially be expected. Determining how HIPAA is enforced can depend upon how the term enforcement is viewed and interpreted. The first step is to define enforcement. The dictionary definition of enforcement includes the following statements: (i) to give force to, (ii) to urge with energy, (iii) constrain, compel, (iv) to effect or gain by force, or (v) to carry out effectively. Looking at the definition comprehensively, enforcement is a means of compelling compliance with a concept or requiring another to follow a particular thing (in this case law and regulations). Enforcement by its nature is arguably imposing a non-voluntary action or requirement onto a person through some outside...


Does Your Breach Response Plan Include Notification?

Remain Calm, Remain Honest – and Remain in Business

Avoiding the inevitable does not make it go away. Healthcare patients choose a provider based on the quality of care. In addition to that, the public will generally assume that their private information is safeguarded and not something that they need to verify or investigate before choosing that specific provider. When a provider alerts patients to a problem they assumed was a non-issue, it is understandable for the provider to be concerned about the loss of business. However, credit reporting agency Experian has recently found that this churn can be kept to a minimum with the proper response plan. In July 2019, Experian surveyed 1,000 adults in the United States and found that 90% of those surveyed would be somewhat forgiving if they were informed promptly as a...


A Phishing Epidemic: Constant Stream of Reports

Since at least the beginning of the summer, it seems as though no day can go by without another phishing incident being reported by a healthcare entity. The reports are almost always the same, too. After some period of time (usually not the same day), unauthorized activity will be found in the email account of one or more employees. A forensic analysis will be conducted that cannot conclusively determine what, if any, patient information or other data were accessed. Out of an abundance of caution though, a breach notification is provided to enable potentially impacted individuals to monitor accounts in the event of suspicious activity, with the entity sometimes covering the cost of such monitoring. Despite the somewhat tongue-in-cheek tone being given to the nature of the responses, being...


Unnecessary Stress: HIPAA and Litigation Requests

While many areas of HIPAA compliance result in confusion and misinterpretation, responding to document requests from parties in litigation is one that has been presenting itself frequently. The classic scenario is Party A and Party B are in a lawsuit with each other. Party A’s claim is based upon suffering some sort of injury that resulted in receiving medical treatment. During the course of the lawsuit, Party B sends a request for documents to Party A’s physicians. No surprises have arisen yet and the ability to obtain documents is a classic part of litigation. However, the “fun” will often start when the physician receives the request. Many physicians receiving a request will look at it and refuse to provide documents until Party B provides a clear authorization from Party A allowing...


CMS Releases 2020 Proposed Rule for the Quality Payment Program

CMS released its proposed policies for the 2020 performance year of the Quality Payment Program via the Medicare Physician Fee Schedule (PFS) Notice of Proposed Rulemaking (NPRM). Key proposals for the 2020 performance year of the Quality Payment Program include: increasing the performance threshold from 30 points to 45 points; revising category weights for Quality (decreases from 45% to 40%) and Cost (increases from 15% to 20%); increasing the data completeness threshold for the quality data that clinicians submit; increasing the threshold for clinicians who complete or participate in the Improvement Activity for group reporting; and updating requirements for Qualified Clinical Data Registry (QCDR) measures and the services that third-party intermediaries must provide (beginning with the...


Communication Tension or Breakdown

A scenario growing in frequency for physician practices and other healthcare organizations is the desire of patients to communicate with clinicians using the same tools they use in everyday life. That desire translates to a preference for text messaging, WhatsApp, Facebook Messenger, iMessage, or any number of other third-party applications that enable quick and efficient communication. The convenience and ease of communication are also factors that give rise to a number of privacy and security concerns. A first question can be whether such tools are permissible in healthcare. If permissible, how can they be controlled? Where should agreements be created? Who is responsible for managing accounts? A multitude of other questions will cascade from there. However, a frequent refrain challenging...


Health IT Proposals Must Do More for Patient Privacy

The American Medical Association (AMA) has submitted comprehensive comments to the Office of the National Coordinator for Health Information Technology (ONC) in response to the sweeping set of proposed changes to health information technology certification and implementation of the 21st Century Cures Act and to the Centers for Medicare and Medicaid Services (CMS) in response to its proposal on patient access and interoperability. The AMA supports several of the proposed changes, especially around health IT vendor practices, technology development, and Electronic Health Record (EHR) performance. The AMA also identified proposals that could prove problematic and run counter to the goals Congress set out to achieve in the Cures Act, particularly around privacy. “The AMA strongly supports...


Ignore HIPAA at Your Own Peril

After a lull in enforcement actions concerning HIPAA, the Office for Civil Rights re-entered the fray with a $3,000,000 bang. The settlement announced on May 6, 2019, imposes a significant fine after widespread non-compliance was found by OCR. As with many prior settlements, the factual scenario underpinning the latest settlement is fairly egregious. As one of many missteps, the party with HIPAA troubles, in this instance Touchstone Medical Imaging, LLC (TMI), had its troubles revealed to it by the FBI. Around May 9, 2014, the FBI told TMI about an insecure FTP server that left patient information searchable on the internet. Likely unknown to TMI, OCR received notification of that insecurity at the same time and OCR confirmed the report only a few days later. While that combination of...
