News & Analysis

September 1, 2016
Briefings on HIPAA

There are no federally recognized HIPAA certification standards for covered entities (CE) and business associates (BA), and it's unlikely there will be. However, that doesn't stop larger CEs from requiring some form of certification as a demonstration of HIPAA compliance and as proof that BAs have implemented sound information security programs. The Health Information Trust Alliance (HITRUST) published its first common security framework (CSF) in March 2009 with the goal of focusing on information security as a core pillar of the broad adoption of health information systems and exchanges. Larger CEs, primarily large health plans, now require their BAs to become HITRUST certified.

September 1, 2016
Briefings on HIPAA

Cyber threats continue to grow and evolve, but most share a similar origin: phishing. Phishing emails, seemingly innocuous or legitimate emails used to infiltrate an organization, are a common source of malware and are used for scams in which a criminal impersonates another individual to obtain sensitive information. A study released in March by PhishMe estimated that up to 93% of phishing emails contain ransomware.

Although the damage phishing emails can do is tremendous, security officers can help their organizations turn the tide by using a combination of technical controls and targeted education.

The danger and the success of phishing emails lie in their ability to manipulate the individual on the receiving end. Phishing emails may be sent from domains that are a near-identical match for an organization's and come with what appear to be legitimate and urgent attachments or links. It's a simple scheme that criminals can use for a variety of purposes.

"They hope to get malware installed so they can control the computers they infect or even the entire network. They hope to get network or application login credentials. They hope to trick people into performing certain actions, i.e., a wire transfer of money," Kevin Beaver, CISSP, independent information security consultant at Principle Logic, LLC, in Atlanta, says. "The possibilities are endless."

September 1, 2016
Briefings on HIPAA

Q: We recently received a request for a patient's records. The patient transferred to another provider several years ago and we subsequently transferred all the patient's records to the new provider. Should I direct the request to the provider the patient transferred to? I'm unsure that we should be responsible for retrieving and releasing information for this patient since we transferred the patient's entire record to the new provider.

A: If you sent a copy of the patient's records to the new provider and still have the original records, it would be appropriate for you to respond to the request. If you transferred all records to the new provider and no longer have the patient's information, refer the request to the new provider.

 

Editor's note: Mary Brandt, MBA, RHIA, CHE, CHPS, is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS. Email your HIPAA questions to Associate Editor Nicole Votta at nvotta@hcpro.com.

September 1, 2016
Briefings on HIPAA

Threats to PHI are coming fast and furious. Although many organizations are ready to take HIPAA compliance seriously, it requires sustained attention and resources for organizations to protect PHI. That can't happen if privacy and security officers aren't being heard by the board and senior leaders.

In July, OCR announced it reached a HIPAA breach settlement with Oregon Health and Science University (OHSU), an academic health center. In its statement on the settlement, the agency drew attention to the vital role hospital executives and senior leaders play in HIPAA compliance. OHSU did complete risk analyses and identify vulnerabilities, including those that caused the two massive breaches named in the settlement, but no action was taken to mitigate these vulnerabilities. Without support from the top, OHSU's security risks remained unaddressed until it was too late. Failure to address these risks came with a $2.7 million price tag, a strict three-year corrective action plan, and the kind of bad press that's difficult to put a positive spin on.

Privacy and security officers need executive support, but obtaining it may be a challenge. Alliances with key staff and an understanding of the concerns senior leaders face can be a win for privacy and security in the boardroom.

Growing threats to PHI, particularly ransomware, have drawn attention to privacy and security this year. Senior leaders and members of the board may be feeling the pressure to change the way their organizations operate and step up security measures.

August 1, 2016
Briefings on HIPAA

Tips from this month's issue

August 1, 2016
Briefings on HIPAA

PHI is a bankable commodity. Hackers steal data and sell it to fraudsters. Individuals borrow or trade health information to fraudulently obtain coverage for services. Medical identity theft is a highly personal crime that can impact the victim's finances, personal and professional life, and health. Protecting this data is a tall order and involves staff in diverse departments, from front desk registration to information security.

"It doesn't take much to steal a credit card and use it for a hit-and-run buying spree, but healthcare data includes far more personal information," says Kate Borten, CISSP, CISM, HCISSP, founder of The Marblehead Group in Marblehead, Massachusetts. PHI often includes the individual's name, address, and Social Security number, along with medical record numbers and insurance identification numbers.

Understanding how to detect medical identity theft and how to mitigate its effects can help organizations reduce the prevalence of such crime.

Medical identity theft can be difficult to detect, says Chris Apgar, CISSP, founder of Apgar and Associates, LLC, in Portland, Oregon.

"There is no national tracking system in place like there is with, say, theft of credit card data. I could perpetrate Medicaid fraud using the same data in multiple states, and unlike with credit cards, there is no national system to detect and shut down medical identity theft," he says.
