
HIPAA Security Risk Analysis – Are You One Of The 3,300?

Posted by Dan Berger in Main

Get ‘er Done! I’m referring of course to the HIPAA Security Risk Analysis requirement of the Stage 1 EHR Meaningful Use Incentive Plan. Between 85% and 90% of the 5,000+ eligible hospitals say they plan to qualify for Stage 1, yet data from the Centers for Medicare & Medicaid Services shows that less than 25% had attested and received payment as of November 30, 2011. So for the 3,300 or so other hospitals, this is no time to procrastinate. Time flies, whether you’re having fun or …

“Enforcement Promotes Compliance” – HIPAA Audits Just Around the Corner

Posted by Dan Berger in Main

Earlier this month, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released further details on its plan to audit 150 covered entities under its pilot HIPAA audit program. Periodic audits of compliance with the HIPAA privacy, security and breach notification standards are required of the HHS Secretary under Section 13411 of the HITECH Act (2009). In June of 2011, OCR awarded a $9.2 million contract to the consulting firm KPMG to develop an audit methodology …

Healthcare Data Breaches-Insider Job, Cybercrime, or Both?

Posted by Dan Berger in Main

As required by section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of protected health information (PHI) impacting 500 or more individuals. In the past two years, over 11.8 million Americans have been affected in nearly 330 separate incidents. This information is contained in a publicly searchable and downloadable database, so many organizations (including Redspin) have published “PHI breach reports” which summarize the data and offer conclusions based on the results of the past …

Happy Birthday Healthcare Breach Notification Rule

Posted by Dan Berger in Main

I wasn’t the only one celebrating a birthday last week. It’s been exactly two years since the breach notification rule, mandated by the HITECH Act, took effect. Since then, 330 major health information breaches affecting 11.8 million individuals have been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). And while major breaches are those that impact the largest number of Americans (500 or more individuals per incident), it is worth noting that another 30,500 smaller …

HIPAA Audits – Paying a Little Attention Now Will Pay Big Benefits Later

Posted by Dan Berger in Main

In July, the HHS Office for Civil Rights (OCR) announced that it had appointed the consulting firm KPMG to conduct up to 150 HIPAA audits of covered entities and business associates by the end of 2012. The implementation of the audit program fulfills a compliance enforcement mandate of the 2009 HITECH Act. The KPMG contract enables OCR to put “feet on the street” while retaining an oversight role in the process. Sue McAndrew, OCR’s deputy director for health information privacy, confirms …

Redspin’s Declaration of Network Security Independence

Posted by Dan Berger in Main

We hold these truths to be self-evident, that all networks are created for a higher purpose, that they are intended to support communication, productivity, and prosperity, and are endowed by their architects and administrators with certain unalienable Rights, that among these are Security, Confidentiality, and Integrity. That to secure these systems, expertise arises among certain noble men, deriving their just powers from the deep understanding of inherent vulnerabilities — That whenever any Form of Hacker becomes destructive of these ends, …

Preventing a Healthcare Data Breach Epidemic

Posted by Dan Berger in Main

Certain types of computer dysfunction are analogous to disease, at least in a descriptive sense. For example, we say that a PC can get “infected” by a computer “virus.” The recent rash of hacker attacks makes me wonder if we’re on the verge of a data breach “epidemic.” True epidemics occur when new human cases of a certain disease substantially exceed what is expected over a period of time. Epidemic diseases need not be communicable; they occur when there are …

A “Sea Change” in HIPAA Security – Why Business Associates Should Be Proactive About Security Risk Now

Posted by Dan Berger in Main

A recent report suggests that nearly 40% of data breaches of protected health information occur at third-party companies entrusted by health care providers with sensitive data. That is a striking statistic, particularly since HIPAA and HITECH mandate that healthcare providers ensure privacy and security among such “business associates.” While providers generally insist that these obligations be included in their contracts with outside vendors, the 40% breach statistic shows just how ineffective such agreements have been without the benefit of additional enforcement or …

Inspector General Takes ONC to Task Over Lack of General Security Controls

Posted by Dan Berger in Main

We wouldn’t be so bold as to say “I told you so,” but for months Redspin has been publicly calling on the ONC to beef up the security controls and measures in the “meaningful use” EHR incentive plan, the Federal Strategic Health IT Plan, and the HIPAA Security Rule itself. In fact, just two weeks ago we offered the following public comments on the Strategic Plan: “Next, the ‘security risk analysis’ identified as Core Measure 15 should be defined as …

Building Assurance through HIPAA Security, Washington D.C., May 10th-11th

Posted by Dan Berger in Main

Last Monday night, I boarded a “red-eye” flight from LAX to Dulles to attend the OCR/NIST HIPAA Security Conference. I landed at 6:15AM, did a quick change into my business attire, grabbed some coffee, rented a car, and found my way to the Ronald Reagan Building at 1600 Pennsylvania Avenue, 3 blocks from The White House. I thankfully arrived just before the breakfast buffet ended and took a seat at the back of the conference ballroom. The room was packed …