Healthcare and Technology news
48.6K views | +1 today
Follow
Healthcare and Technology news
Your new post is loading...
Your new post is loading...
Scoop.it!

How do I report an unsecured Protected Health Information (PHI) Breach?

How do I report an unsecured Protected Health Information (PHI) Breach? | Healthcare and Technology news | Scoop.it

Have you had a HIPAA Breach?  Here's how you report it.

If you are a covered entity and have experienced the loss or theft or accidental disclosure of unsecured or unencrypted Protected Health Information (PHI), you have most likely had a HIPAA Breach. As a covered entity you must undergo specific breach notification procedures as per HIPAA law,  if you discover a breach of unsecured protected health information.  You may need to invoke your incident response plan and involve your attorney depending on the size and nature of the breach.

Step 1- Notify the Secretary of Health and Human Services (HHS)

Your obligations for breach notification to the secretary differ based on whether the breach affects 500 or more individuals or fewer than 500 individuals. If you are unsure how many individuals are affected at the time of submission, provide an estimate.  If the breach affects 500 or more individuals, you need to report the breach to the Secretary no later than 60 days of discovering the breach.

Once HHS receives your breach notification, your information along with some information of the breach will be published on the HHS Breach Portal, also known as the "Wall of Shame".  The Office of Civil Rights (OCR) will then open an investigation.

Step 2- Providing additional information after a breach has been reported

If you discover additional information, submit updates as necessary. If only one option is available in a submission category you should pick the best option, and may provide additional details in the free text portion of the submission.

If you discover additional information that supplements, modifies, or clarifies a previously submitted notice to the Secretary, you may submit an additional form by checking the appropriate box to indicate that it is an addendum to the initial report, using the transaction number provided after submitting the initial breach report.

Step 3- Notify the affected individuals

  1. It is your responsibility to notify each individual of the breach of their PHI, either by notifying them via first class mail, or if they have given permission, you may notify them via email. This notice must include a description of the breach, including the information involved in the breach, steps the individual can take to protect themselves and a summary of the steps you are taking to investigate the breach and what you are doing to prevent future breaches. 

 

What if I don’t have the contact information for Affected Individuals?

 

  1. If contact information for 10 or more individuals is incorrect, you must provide a public notice or media notification in the residential area of those affected individuals, providing them with an 800 number they can call to find out if their information was included in the breach. This number must remain active for a minimum of 90 days.  These individual notices may be substituted by providing notice on your website for a minimum of 90 days or by issuing a media statement notifying the public of the breach.

 

If the Breach Affects 500 or More Individuals:

 

3. If a breach of unsecured protected health information affects 500 or more individuals, you must notify the Secretary of HHS of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.  You must submit the notice electronically by clicking on the link below and completing all the required fields on the breach notification form.  

Step 4- Notify the media and update your website 

If the breach affects 500 or more individuals, you need to report the breach to prominent media outlets in the areas where affected or potentially affected individuals reside.  This helps inform all breach victims of the possibility of the exposure of their protected health information.  

If you do not have up-to-date contact information or addresses of 10 or more affected individuals, then you need to update your website with a notice of the breach.  A link to the breach notice must be prominently visible on your home page.

Step 5- Notify HHS annually of breaches affecting fewer than 500 individuals

If a breach of unsecured protected health information affects fewer than 500 individuals, you must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (You are not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; you may report such breaches at the time they are discovered.) You may report all your breaches affecting fewer than 500 individuals on one date, but you must complete a separate notice for each breach incident. The covered entity must submit the notice electronically by clicking on the link below and completing all of the fields of the breach notification form.

 

Other considerations

  • Be aware that your state may have more stringent breach notification procedures compared to the Federal Government. 
  • Be cognizant of the timeline of breach notification; delays in notification can cause fines and penalties to be levied.
  • Business Associates are also subject to the Breach Notification Rule. Business Associates must inform covered entities within 60 days of discovering the breach.  Business Associates must comply with requirements specified in their Business Associate Agreement with the covered entity.
  • Contact HHS OCR with questions toll-free at: 1-800-368-1019, TDD: 1-800-537-7697 or send an email to OCRPrivacy@hhs.gov
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Health IT Security: What Can the Association for Computing Machinery Contribute?

A dazed awareness of security risks in health IT has bubbled up from the shop floor administrators and conformance directors (who have always worried about them) to C-suite offices and the general public, thanks to a series of oversized data breaches that recentlh peaked in the Anthem Health Insurance break-in. Now the US Senate Health Committee is taking up security, explicitly referring to Anthem. The inquiry is extremely broad, though, promising to address “electronic health records, hospital networks, insurance records, and network-connected medical devices.”

The challenge of defining a strategy has now been picked up by the US branch of the Association for Computing Machinery, the world’s largest organization focused on computing. (Also probably it’s oldest, having been founded in 1947 when computers used vacuum tubes.) We’re an interesting bunch, having people who have helped health care sites secure data as well as researchers whose role is to consume data–often hard to get.

So over the next few weeks, half a dozen volunteers on the ACM US Public Policy Council will discuss what to suggest to the Senate. Some of us hope the task of producing a position statement will lead the ACM to form a more long-range commmittee to apply the considerable expertise of the ACM to health IT.

Some of the areas I have asked the USACM to look at include:

Cyber-espionage and identity theft
This issue has all the publicity at the moment–and that’s appropriate given how many people get hurt by all the data breaches, which are going way up. We haven’t even seen instances yet of malicious alteration or destruction of data, but we probably will.

Members of our committee believe there is nothing special about the security needs of the health care field or the technologies available to secure it. Like all fields, it needs fine-grained access controls, logs and audit trails, encryption, multi-factor authentication, and so forth. The field has also got to stop doing stupid stuff like using Social Security numbers as identifiers. But certain aspects of health care make it particularly hard to secure:

  • The data is a platinum mine (far more valuable than your credit card information) for data thieves.
  • The data is also intensely sensitive. You can get a new credit card but you can’t change your MS diagnosis. The data can easily feed into discrimination by employees and ensurers, or other attacks on the individual victims.
  • Too many people need the data, from clinicians and patients all the way through to public health and medical researchers. The variety of people who get access to the data also makes security more difficult. (See also anonymization below.)
  • Ease of use and timely access are urgent. When your vital signs drop and your life is at stake, you don’t want the nurse on duty to have to page somebody for access.
  • Institutions are still stuck on outmoded security systems. Internally, passwords are important, as are firewalls externally, but many breaches can bypass both.
  • The stewards/owners of health care data keep it forever, because the data is always relevant to treatment. Unlike other industries, clinicians don’t eventually aggregate and discard facts on individuals.
Anonymization
Numerous breaches of public data, such as in Washington State, raise questions about the security of data that is supposedly anonymized. The HIPAA Safe Harbor, which health care providers and their business associates can use to avoid legal liability, is far too simplistic, being too strict for some situations and too lax for others.

Clearly, many institutions sharing data don’t understand the risks and how to mitigate against them. An enduring split has emerged between the experts, each bringing considerable authority to the debate. Researchers in health care point to well-researched techniques for deidentifying data (see Anonymizing Health Data, a book I edited).

In the other corner stand many computer security experts–some of them within the ACM–who doubt that any kind of useful anonymization will stand up over the years against the increase in computer speeds and in the sophistication of data mining algorithms. That side of the debate leads nowhere, however. If the cynics were correct, even the US Census could not ethically release data.

Patient consent
Strong rules to protect patients were put in place decades ago after shocking abuses (see The Immortal Life of Henrietta Lacks). Now researchers are complaining that data on patients is too hard to get. In particular, combining data from different sites to get a decent-sized patient population is a nightmare both legally and technically.
Device security
No surprise–like every shiny new fad, the Internet of Things is highly insecure. And this extends to implanted devices, at least in theory. We need to evaluate the risks of medical devices, in the hospital or in the body, and decide what steps are reasonable to secure them.
Trusted identities in cyberspace
This federal initiative would create a system of certificates and verification so that individuals could verify who they are while participating in online activities. Health care is a key sector that could benefit from this.

Expertise exists in all these areas, and it’s time for the health care industry to take better advantage of it. I’ll be reporting progress as we go along. The Patient Privacy Rights summit next June will also cover these issues.


more...
No comment yet.
Scoop.it!

Digital transformation and the law of small numbers

Digital transformation and the law of small numbers | Healthcare and Technology news | Scoop.it

A recent survey indicates that health care has made little progress toward value-based care (VBC) since last year, with more than two-thirds (67 percent) of physicians and health plan executives indicating that U.S. health care is still predominantly a fee-for-service system.

 

The findings come at the same time that the Center for Medicare and Medicaid Services (CMS) has announced a slew of proposals that have, among other things, reduced the amount of total incentives available for redistribution to eligible physicians who meet quality thresholds under the Merit-Based Incentive Systems Program (MIPS) for Medicare beneficiaries.

 

According to Dr. L Patrick James, Chief Clinical Officer of Quest Diagnostics, who conducted the survey, a majority of physicians believe they do not have the tools or the data to succeed in a value-based contracting environment. 

 

 

The slowdown in the shift towards value-based care has several ramifications.

A dampening effect on the pace of digital transformation in health care

Many of the components of value-based care, namely data and analytics, remote monitoring, enhanced patient engagement and improved caregiver communications are all part of the ongoing digital transformation of health care. Investing in these programs continues to make economic sense only when there is money to be made doing so, and cease to have any meaning when the system of incentives diminishes the monetary benefits of these programs.

A slowdown in technology investments

With the stalling of the shift to value-based care, health systems are likely feeling the impact of margin compression as reimbursements under the traditional fee-for-service model continue to fall. Discretionary dollars are more likely to go towards maintaining and upgrading essential infrastructure, and in optimizing existing IT investments. The appetite for big-ticket technology investments, especially for digital initiatives, is likely to be low, except for targeted investments with clearly identifiable returns on investment.

Renewed debates on the state of data and analytics

It’s safe to say that the debate on health care’s future in data has been put to rest. However, as indicated by the Quest survey, it appears that physicians are overwhelmed by the flood of data, and making the data actionable is a crucial challenge today. Poor data, along with a lack of adequate tools, impact the ability of physicians to qualify for incentives under the MIPS scheme, forcing them to stay with fee-for-service payment models even in an era of declining reimbursements.

 

Across industries, there is more downbeat news on digital transformation. A recent study by consulting firm Capgemini and the MIT Center for Digital Business concludes that organizations are struggling to convert their digital investments into business successes. The reasons are illuminating and many: lack of digital leadership skills, and a lack of alignment between IT and business, to name a couple. The study goes on to suggest that companies have underestimated the challenge of digital transformation and that organizations have done a poor job of engaging employees across the enterprise in the digital transformation journey.

 

These findings may sound surprising to technology vendors, all of whom have gone “digital” in anticipation of big rewards from the digital bonanza (at least one global consulting firm has gone so far as to tie senior executive compensation to “digital” revenues). Anecdotally, “digital” revenues are still under 30 percent of total revenues for most technology firms, which further corroborates the findings of market studies on the state of digital transformation.

Relax, digital is alive and well

Despite the somber survey findings, health systems continue to invest in initiatives that deliver tangible, near-term benefits. An example of a high priority investment area is patient access. At Providence St Joseph Medical system, a focus on online scheduling has delivered savings of $3 to 4 per appointment booked, producing over $300,000 in total savings to the health system. As a bonus, there are fewer no-shows when patients book online, which results in additional bottom-line benefits to the hospital. Since labor is around 60 percent of a hospital’s costs, any digital solution that has a labor substitution component and increases productivity is a target for health system executives. The rising popularity of voice-enablement in caregiver communications is a case in point. 

 

Which leads me to the title of this blog: is digital a game of small numbers?  The point solutions referred to above seem to suggest that to be the case, at least as it relates to digital. Health care is no stranger to big numbers, considering the many millions each hospital has invested in implementing electronic health record (EHR) systems over the last decade. However, it seems unlikely that we will see such investment levels in digital, at least in the short term. Part of the reason is that there no single, monolithic digital platform that can perform the tasks at the scale and scope of a foundational transaction system like EHR. The digital health solution provider market is highly fragmented, and there is a shortage of ready-to-deploy “last mile solutions” which I have discussed in an earlier column.

 

The momentum for digital transformation, while it has slowed down, is still positive. In the short term, there is ample opportunity to leverage existing investments to stay on the path of digital transformation and transition to value-based care. As Dr. James of Quest Diagnostics says, “Measures that optimize EHRs, make data more accessible and insightful and reduce the complexity of quality measurement are much-needed steps to accelerate this transition.”

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Anthem says at least 8.8 million non-customers could be victims in data hack

Anthem says at least 8.8 million non-customers could be victims in data hack | Healthcare and Technology news | Scoop.it

Health insurer Anthem Inc, which earlier this month reported that it was hit by a massive cyberbreach, said on Tuesday that 8.8 million to 18.8 million people who were not its customers could be victims in the attack.

Anthem, the country's second-largest health insurer, is part of a national network of independently run Blue Cross Blue Shield plans through which BCBS customers can receive medical services when they are in an area where BCBS is operated by a different company.

It is those Blue Cross Blue Shield customers who were potentially affected because their records may be included in the database that was hacked, the company said.

It is the first time that Anthem has quantified the impact of the breach on members of health insurance plans that it does not operate.

Anthem updated the total number of records accessed in the database to 78.8 million customers from its initial estimate of 80 million, which includes 14 million incomplete records that it found.

Anthem does not know the exact number of Anthem versus non-Anthem customers affected by the breach because of those incomplete records, which prevent it from linking all members with their plan, Anthem spokeswoman Kristin Binns said.

Security experts are warning that healthcare and insurance companies are especially vulnerable to cybercriminals who want to steal personal information to sell on the underground market.

Anthem continued to estimate that tens of millions of customer records were stolen, rather than simply accessed. The spokeswoman added that the company's investigation was ongoing. Federal and state authorities are also investigating.

Anthem runs Blue Cross Blue Shield healthcare plans in 14 states, while plans in states such as Texas and Florida are run independently. In all, 37 companies cover about 105 million people under the Blue Cross Blue Shield license.

Binns said the company still believes the hacked data were restricted to names, dates of birth, member ID/Social Security numbers, addresses, phone numbers, email addresses and employment information such as income data.

Anthem will start mailing letters next week to Anthem customers and other Blue Cross Blue Shield members affected by the hacking. It will offer two years of identity theft repair assistance, credit monitoring, identity theft insurance and fraud detection.


more...
No comment yet.