Healthcare and Technology news
48.6K views | +1 today
Follow
Healthcare and Technology news
Your new post is loading...
Your new post is loading...
Scoop.it!

New HIPAA Regulations in 2019

New HIPAA Regulations in 2019 | Healthcare and Technology news | Scoop.it

While there were expected to be some 2018 HIPAA updates, the wheels of change move slowly. OCR has been considering HIPAA updates in 2018 although it is likely to take until the middle of 2019 before any proposed HIPAA updates in 2018 are signed into law. Further, the Trump Administration’s policy of two regulations out for every new one introduced means any new HIPAA regulations in 2019 are likely to be limited. First, there will need to be some easing of existing HIPAA requirements.

 

HIPAA updates in 2018 that were under consideration were changes to how substance abuse and mental health information records are protected. As part of efforts to tackle the opioid crisis, the HHS was considering changes to both HIPAA and 42 CFR Part 2 regulations that serve to protect the privacy of  substance abuse disorder patients who seek treatment at federally assisted programs to improve the level of care that can be provided. Other potential changes to HIPAA regulations in 2018 included the removal of aspects of HIPAA that impede the ability of doctors and hospitals to coordinate to deliver better care at a lower cost.

 

These are the most likely areas for HIPAA 2019 changes: Aspects of HIPAA Rules that are proving unnecessarily burdensome for HIPAA covered entities and provide little benefit to patients and health plan members, and those that can help with the transition to value-based healthcare.

How are New HIPAA Regulations Introduced?

The process of making HIPAA updates is slow, as the lack of HIPAA changes in 2018. It has now been 5 years since there was a major update to HIPAA Rules and many believe changes are now long overdue. Before any regulations are changed, the Department of Health and Human Services will usually seek feedback on aspects of HIPAA regulations which are proving problematic or, due to changes in technologies or practices, are no longer as important as when they were signed into law.

 

After considering the comments and feedback, the HHS then submits a notice of proposed rulemaking followed by a comment period. Comments received from healthcare industry stakeholders are considered before a final rule change occurs. HIPAA-covered entities are then given a grace period to make the necessary changes before compliance with the new HIPAA regulations becomes mandatory and enforceable.

New HIPAA Regulations in 2019

OCR issued a request for information in December 2018 asking HIPAA covered entities for feedback on aspects of HIPAA Rules that were overly burdensome or obstruct the provision of healthcare, and areas where HIPAA updates could be made to improve care coordination and data sharing.

 

The period for comments closed on February 11, 2019 and OCR is now considering the responses received. A notice of proposed rulemaking will follow after careful consideration of all comments and feedback, although no timescale has been provided on when the NPRM will be issued. It is reasonable to assume however, that there will be some at least some new HIPAA regulations in 2019.

OCR was specifically looking at making changes to aspects of the HIPAA Privacy Rule that impede the transformation to value-based healthcare and areas where current Privacy Rule requirements limit or discourage coordinated care.

 

Under consideration are changes to HIPAA restrictions on disclosures of PHI that require authorizations from patients. Those requirements may be loosened as they are considered by many to hamper the transformation to value-based healthcare.

 

OCR is considering whether the Privacy Rule should be changed to make the sharing of patient data with other providers mandatory rather than simply allowing data sharing. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have voiced their concern about this aspect of the proposed new HIPAA regulations and are against the change. Both organizations are also against any shortening of the timescale for responding to patient requests for copies of their medical records.

 

OCR is also considering HIPAA changes in 2019 that will help with the fight against the current opioid crisis in the United States. HHS Deputy Secretary Eric Hargan has stated that there have been some complaints about aspects of the HIPAA Privacy Rule that are stopping patients and their families from getting the help they need. There is some debate about whether new HIPAA regulations or changes to the HIPAA Privacy Rule is the right way forward or whether further guidance from OCR would be a better solution.

 

One likely area where HIPAA will be updated is the requirement for healthcare providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices. That requirement is expected to be dropped in the next round of HIPAA changes.

 

What is certain is new HIPAA regulations are around the corner, but whether there will be any 2019 HIPAA changes remains to be seen. It may take until 2020 for any changes to HIPAA regulations to be rolled out.

Changes to HIPAA Enforcement in 2019

Halfway through 2018, OCR had only agreed three settlements with HIPAA covered entities to resolve HIPAA violations and its enforcement actions were at a fraction of the level in the previous two years. It was starting to look like OCR was easing up on its enforcement of HIPAA Rules. However, OCR picked up pace in the second half of the year and closed 2018 on 10 settlements and one civil monetary penalty – One more penalty than in 2018.

 

2018 ended up being a record year for HIPAA enforcement. The final total for fines and settlements was $28,683,400, which beat the previous record set in 2016 by 22%.

At HIMSS 2019, Roger Severino gave no indications that HIPAA enforcement in 2019 would be eased. Fines and settlements are likely to continue at the same level or even increase.

 

Severino did provide an update on the specific areas of HIPAA compliance that the OCR would be focused on in 2019. OCR is planning to ramp up enforcement of patient access rights. The details have yet to be ironed out, but denying patients access to their medical records, failures to provide copies of medical records in a reasonable time frame, and overcharging are all likely to be scrutinized and could result in financial penalties.

 

OCR will also be continuing to focus on particularly egregious cases of noncompliance – HIPAA-covered entities that have disregarded the duty of care to patients with respect to safeguarding their protected health information. OCR will come down heavy on entities that have a culture of noncompliance and when little to no effort has been put into complying with the HIPAA Rules.

 

The failure to conduct comprehensive risk analyses, poor risk management practices, lack of HIPAA policies and procedures, no business associate agreements, impermissible PHI disclosures, and a lack of safeguards typically attract financial penalties. OCR is also concerned about the volume of email data breaches. Phishing is a major problem area in healthcare and failures to address email security risks are likely to attract OCR’s attention in 2019.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Meet HIPAA Compliance Requirements

How to Meet HIPAA Compliance Requirements | Healthcare and Technology news | Scoop.it

A Revolutionary Approach to HIPAA Compliance

We all know that meeting the requirements set forth in the HIPAA compliance policy is mandatory for any healthcare, medical records, insurance, or other healthcare-related business. Securing individuals’ electronic protected health information (ePHI) is the most critical step to complying with HIPAA.

 

Yet this is often easier said than done, especially when you consider the high number of complex requirements that must be met in order to prove compliance.

The challenges of abiding by the “Security Rule”

For example, one of the most critical items on any HIPAA compliance checklist is meeting the Security Standards for the Protection of Electronic Health Information. Commonly referred to as the “Security Rule,” this requirement establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule addresses the technical and non-technical safeguards that organizations referred to “covered entities” must put in place to secure individuals’ ePHI. All covered entities must assess their security risks, even those entities who utilize certified electronic health record (EHR) technology. Those entities must put in place administrative, physical and technical safeguards to maintain compliance with the Security Rule, and document every security compliance measure.

Related: Sorry for the Inconvenience – The Breaches Just Keep Coming (and so do the Ramifications)

CSPi’s HIPAA compliance solutions

If all of this sounds intimidating, we have some good news: CSPi’s security solutions are uniquely suited to address the requirements specified in the Security Rule (and in turn, to help you stay HIPAA compliant).

Our ARIA Software-Defined Security (SDS) solution and applications help healthcare organizations protect the security of individuals’ ePHI information with powerful tools and capabilities required to:

  • Know and prove what ePHI records were accessed (if any) through:

    • The automatic detection of intrusion or unauthorized access.
    • Continual and complete monitoring of ePHI data as it moves through the network (including east-west traffic), and is accessed throughout the environment.
    • The ability to stop or disrupt incidents that could lead to potential disclosure.
    • Block or redirect identified data conversations with ePHI repositories and provide the auditable documented detail of measures take to maintain HIPAA compliance.
    • Prevent unauthorized access of customer data through the use of encryption that can be applied on a per-customer basis.

Working in conjunction with ARIA, our nVoy Series provides additional proof of HIPAA compliance with:

  • Automated breach verification and notification, critical to giving healthcare organizations a better way to comply.
  • Detailed and complete HIPAA compliance reports, including recordings of all conversations involving ePHI.
  • Auditable proof of the exact impact of data breach, including:
    • What devices are involved and to what degree?
    • When did the breach start and when did it end?
    • What critical databases or files were accessed?
    • Who did the intruder talk to?

Visit CSPi at HIMSS19 in the Cybersecurity Command Center Booth 400, Kiosk 91.

Interested in learning more about CSPi, including how our innovative security tools are helping today’s healthcare leaders achieve compliance with HIPAA? Make your plans to visit with us at the upcoming HIMSS conference, or visit www.cspi.com, to learn more about our HIPAA compliance programs.

About CSPi

CSPi is a leading cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a radically different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPI’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, no matter if is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters. To learn more about how our cybersecurity products can help you with data privacy regulation compliance, check out our how-to guide, “Successfully Complying with Data Privacy Regulations.”

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Cryptomining Malware Can Affect HIPAA Obligations

Cryptomining Malware Can Affect HIPAA Obligations | Healthcare and Technology news | Scoop.it

The well-established security firm Check Point recently ranked cryptomining as the leading cyber-threat in healthcare – ahead of ransomware. Cryptomining malware, also known as cryptocurrency mining malware, refers to software programs and malware components developed to take over a computer’s resources and use them for cryptocurrency mining, without a user’s authorization. This hijacking of computer resources can result in a shutdown and even total systems failure.  Cryptomining is not specifically addressed by the HIPAA security rule. However, the threat of cryptomining malware should make covered entities and business associates evaluate their Security Rule compliance efforts, and, if necessary, implementing additional cybersecurity measures as needed to protect against this unique and powerful threat.

 

Under the HIPAA Security Rule, covered entities and business associates must implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronically protected health information (ePHI). Cryptomining malware can compromise this confidentiality, availability, and integrity. To understand the nature of the threat posed by cryptomining malware, it is useful to first understand some basic concepts.


These include cryptocurrencycryptography, and cryptomining.

What is Cryptocurrency?

Cryptocurrency is digital money that can be purchased, transferred, and/or sold. Cryptocurrency exists solely on the Internet. This form of currency is not backed by anything tangible (such as gold), nor is it backed or managed by any bank or government. Cryptocurrency transactions, or trades, are changed and verified by a decentralized (not affiliated with anyone single entity) network of computers.

What is Cryptography?

Cryptography is a method of protecting information by encrypting it into an unreadable format known as ciphertext. Ciphertext can be converted to regular text through the process of decryption. Cryptography encrypts and protects the data used to help identify and track cryptocurrency transactions.

What is Cryptomining? 

Cryptocurrency miners engage in cryptomining to earn more cryptocurrency (often referred to as “coins” or “Bitcoins”). 

Here is how the mining process works:

Miners compete with other cryptominers to solve complicated mathematical problems. Solving the problems enables the miner to authorize a transaction and to chain together (blockchain) blocks of transactions. Once a transaction is included in a block, it is secure and complete.

For his or her mining activities, the miner receives a small amount of cryptocurrency of his or her own, The more currency a miner “mines,” the more currency a miner ends up owning. Cryptocurrency can then be sold for actual cash. 

So, you may now be thinking, …..

“What Does Any of This Have to do with HIPAA Health Care?”

Crpyotmining malware is surreptitiously installed on a user’s computer. Once it is installed, the  cryptomining malware turns the affected computer, in effect, into a mining operation – one through which the miners solve their math problems and “earn” their coins and cash.

Here’s the problem: Cryptomining has an enormous appetite for computer power.  As the malware is enabling the mining, the mining process consumes significant computing power, bandwidth, and even electricity.  Particularly persistent forms of malware consume resources even after a user has logged off.   

Eventually, a device or a network may simply become unable to mining malware’s energy requirements, causing the device or network to crash.

Since any Internet-connected device can be infected with cryptomining malware, those devices used by covered entities or business associates that are missing essential security features – which features include, but are not limited to, antivirus software, firewalls, updates and patches for operating systems – can, upon a malware attack, shut down or experience total system failure.  ePHI data thus becomes compromised. As in, lost, rendered inaccessible, or damaged beyond repair. The HIPAA Security rule thus becomes implicated, and, if an organization is found to have implemented ineffective security safeguards, the Department of Health and Human Services’ Office of Civil Rights (OCR) can audit and fine that organization.

Compliancy Group Simplifies HIPAA Compliance

Covered entities and business associates can address their HIPAA cybersecurity compliance obligations under the Security Rule by working with Compliancy Group.

Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA cybersecurity issues so they can get back to confidently running their business. 

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and MaintainTM  their HIPAA compliance!

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Big Data in Healthcare: A Cause for Concern?

Big Data in Healthcare: A Cause for Concern? | Healthcare and Technology news | Scoop.it

A federal advisory panel has kicked off discussions about the privacy and security challenges related to the use of big data in healthcare, with a goal of making policy recommendations in the coming weeks.


During the Jan. 12 meeting of the Health IT Policy Committee's Privacy and Security Workgroup - formerly called the Tiger Team - members began sorting through a number of key big data themes that emerged from two public hearings the group hosted in December. The workgroup and the committee will make recommendations to the Office of the National Coordinator for Health IT, which could ultimately lead to new policies from the Department of Health and Human Services.


Last month's hearings included testimony from a number of stakeholders from various segments of the healthcare sector. For instance, testimony highlighted that while analyzing big data can bring big potential benefits, including better treatment outcomes and lower costs, it also can bring privacy risks to individuals, says workgroup Chair Deven McGraw, an attorney at the law firm Manatt, Phelps & Phillips, LLP.

The workgroup will now help to assess whether the nation has the right policy framework in place "in order to maximize what is good about what health data presents for us, while addressing the concerns that are raised," McGraw says.

Big Data Challenges

Big data concerns that emerged from the hearings in December included whether various "tools" that are commonly used to help protect an individual's health data privacy are sufficient, given the complexities of various big data use cases, McGraw says.

Those "tools" include data de-identification methods; patient consent; transparency to patients and consumers about how their data might be used; various practices related to data collection, use and purpose; and security measures to protect data.

Other concerns arising from the testimony that the workgroup plans to dig into relate to the legal landscape, such as whether there are regulatory gaps in HIPAA and other laws regarding keeping health data used for big data analytics private.

The workgroup, which will continue its discussion on Jan. 26, will also consider the harm that could be caused if big data is not kept private, including discrimination, medical identity theft, and mistrust of the healthcare system.

In early February, however, the workgroup will temporarily shift gears to discuss ONC's 10-year interoperability roadmap, which is expected to be released in late January. The roadmap will focus on secure health data exchange.

Nevertheless, the workgroup hopes to hammer out some preliminary findings or early recommendations about protecting big data so that it can make a presentation at the March 10 meeting of the HIT Policy Committee, McGraw says.


more...
No comment yet.