
Business Associate Tips

Complying with the Omnibus Rule


Healthcare Info Security recently featured Mac McMillan’s advice for Business Associates (BAs). McMillan first notes that the recent Omnibus Rule defines BAs as “anyone who receives, creates, maintains or transmits protected health information on behalf of a covered entity,” which means BAs are now responsible for complying with the HIPAA Security Rule and several provisions of the HIPAA Privacy Rule. McMillan reminds us that BAs only have until September 23 to be prepared for enforcement.

McMillan advises that BAs should conduct a risk analysis under the HIPAA Security Rule. BAs need the analysis to identify gaps in their policies and procedures, and addressing those gaps is a stride towards a successful and well-defined security program. He also suggests that educating and training staff on their responsibilities is key to assuring an effective security program. McMillan notes that BAs can find guidance on how to conduct a risk analysis on the Office for Civil Rights (OCR) website, as well as on the North Carolina Healthcare Information and Communications Alliance’s website.

Next, McMillan advises BAs to prepare to respond to breaches. Under the Omnibus Rule, BAs now have to notify their covered entity of any loss of protected health information (PHI). He points out that when a BA has an incident, it should assess the severity of the incident based upon what information was lost, who obtained or received the information, and any other factors that could reduce the risk of compromise. The BA will need to analyze this information and document its decision on whether or not to notify.

To read the entire article visit Healthcare Info Security’s site.

CynergisTek Sees Record Growth


Growth Due to Increased Regulatory and Enforcement Activity & Increasing Awareness of Strategic Value of Investing in Security

CynergisTek announced that the company achieved its highest annual revenue to date, with 24% growth in 2012. The company believes that increasing regulations and enforcement of penalties, combined with the company’s ongoing involvement in industry associations and publications, aided this growth. As a result, in 2012 CynergisTek expanded its partnerships, signed new clients and added new staff resources.

CynergisTek is projecting that growth will continue in 2013, with first quarter (Q1) new revenue already up 421% compared to Q1 2012. The company attributes the stellar growth to new regulatory demands, including Centers for Medicare & Medicaid Services (CMS) Meaningful Use audits and the Office for Civil Rights (OCR) HIPAA Audit Program, which create an increased need for comprehensive privacy and security solutions.


CynergisTek to Exhibit at HCCA

CynergisTek and Partners to Focus on New Regulatory and Security Requirements at HCCA Annual Compliance Institute

CynergisTek™ will be exhibiting in booth 320 at the Health Care Compliance Association (HCCA) Annual Compliance Institute on April 21-24, 2013 in National Harbor, MD. CynergisTek will focus on best practices and solutions for audit preparedness, privacy monitoring and business associate management. Several of CynergisTek’s partners, including Iatric Systems, Inc. (booth #509), Blass Compliance, LLC – ComplyAssistant (booth #708) and Zix Corporation (booth #901), will also be exhibiting at the conference.

HIPAA’s mounting regulations and enforcement actions, OCR’s audit program and the final Omnibus Rule are bringing a renewed focus to information security in healthcare, urging provider organizations to examine their security policies and practices from multiple standpoints. CynergisTek and its partners offer industry expertise and solutions for ensuring that healthcare organizations, business associates and other covered entities sharing protected health information (PHI) are taking the proper security measures to effectively manage their risk and meet compliance mandates.

“The healthcare industry is facing some of the greatest compliance and security expectations we have seen to date,” said Mac McMillan, CEO, CynergisTek. “Given the recent emphasis on regulation and enforcement, and the various compliance audits, providers are being forced to address the gaps in their security programs and bolster their infrastructure to ensure compliance.”

“With the Omnibus Rule now in effect, it is more important than ever for provider organizations to proactively manage their extended risk around their business associates,” said Gerry Blass, President and CEO, Blass Consulting & Compliance. “It is clear from the prevalence of data breaches and hacking incidents that organizations need guidance in assessing and addressing the IT security risks that exist beyond the four walls.”

“As regulatory demands around patient privacy become increasingly complex, providers are realizing the need for expert, outsourced support,” said Rob Rhodes, Senior Director of Patient Privacy Solutions, Iatric Systems. “Demonstrating compliance today is no easy task, and compliance staff are finding themselves overwhelmed with the level of risk analysis, audit maintenance and security monitoring that is required to ensure patient health information is adequately protected in today’s digital landscape.”

Representatives from CynergisTek, Iatric Systems, Blass and ZixCorp will be available at the conference to provide a more detailed overview of the regulatory and compliance challenges facing provider organizations today.

Upcoming Event - MT HIMSS Conference

CynergisTek’s CEO Mac McMillan Featured as Keynote Speaker

The Montana HIMSS chapter is hosting its Second Annual Spring Convention & Trade Show on May 2-3 in Billings, Montana. The event will include a trade show along with several educational sessions and networking opportunities. Mac McMillan will open the conference with his educational session, “Game Changers: Understanding the Impacts of the Final Omnibus Rule & OCR’s Random Audits.” During the presentation, McMillan will review the changes that the Omnibus Rule imposes on Covered Entities and, now, Business Associates. He will then present the analysis from OCR’s initial random audits and the lessons learned, and provide insight on the future of the audit program.

For more information on the event, or to register, click here to visit the Montana HIMSS chapter website.

“Breach Notification: Omnibus Style”


April 8, 2013 by Mac McMillan, posted on Healthcare Informatics.

Mac McMillan recently published a blog post for Healthcare Informatics that reviews the Breach Notification Rule as amended by the new Omnibus Rule, and reminds readers that the rule went into effect last month. He analyzes the controversies around the previous “harm provision” and how the Omnibus Rule addresses its shortfalls.

McMillan reports on the four considerations of risk to account for when assessing whether a compromise happened. First, not all breaches are equal: the risk depends on how much PHI is involved and how sensitive it is. Next, look at who used or received the information, and then at what they did with it. He points out there is a big difference between someone who receives PHI and destroys it, versus PHI falling into the hands of someone who will commit identity theft with it. Last, it is important to consider whether and how the compromised information will be exploited.

McMillan then points out that notification requirements have not changed much. An incident compromising 500 or more individual records must still be reported within 60 days of discovering the incident, and incidents with fewer than 500 records still have until 60 days after the end of the calendar year. There is, however, a minor change: smaller breaches are now reported for the year in which the incident was discovered rather than the year in which it occurred. McMillan also points out that, under the new Omnibus Rule, a risk analysis is only required if the organization is uncertain whether a compromise occurred.

Last, McMillan provides four simple tips to act on before enforcement takes effect on September 24th. First, now is the time to revise internal breach notification programs and policies, and then educate the workforce on the new procedures. He also suggests performing a fresh risk analysis and ensuring that the analysis is documented.

For the full article, click here to visit Healthcare Informatics site.

Attestation To Audit: A Serious Responsibility

Written by Mac McMillan, FHIMSS, CISM | February 15, 2013

The final statement in the Attestation that healthcare providers have to sign says it all: “I certify that the foregoing information is true, accurate and complete. I understand the Medicare/Medicaid EHR incentive program payment I requested will be paid from Federal Funds, that by filing this attestation I am a claim for Federal Funds, and the use of any false claims, statements, or documents, or the concealment of a material fact used to obtain Medicare/Medicaid EHR incentive program payment, may be prosecuted under Federal or State criminal laws and may also be subject to civil penalties.” And the Federal government is beginning to get serious about making sure those statements are indeed accurate. If they are not, it puts the organization at risk of having to return incentive payments received, as some have had to do already, or worse, of facing additional fines or criminal penalties. At a time when the industry is struggling with small operating margins, the cost of implementing CEHRT and other technologies, and additional compliance-related costs, we can ill afford to have this happen.

So what is required to meet the privacy and security requirements of Meaningful Use for Stage 1? Essentially, organizations must meet Core Measures 12 and 15 and be able to demonstrate three things. The first is that they have acquired and implemented Certified Electronic Health Record Technology (CEHRT) in a meaningful way. A meaningful way, as it relates to security, is defined as fully implementing and using all of the security functionality (technical controls) that the system offers. Second, they must demonstrate the ability to provide access to the patient’s medical record and information upon request, in accordance with Core Measure 12 and the Privacy Rule requirements around proper uses and disclosures. Third, they must conduct or review a risk analysis in accordance with the original HIPAA Security Rule requirement prior to attesting, and address remediation of gaps identified during the attestation period. The reason the requirement specifically says “conduct or review” is that if the organization has already completed a risk analysis, which it should have done to meet HIPAA compliance, then it is not required to conduct a full-blown risk analysis, but simply to review the one it has already completed, taking its CEHRT system into consideration. Essentially, there is nothing in Meaningful Use Stage 1 that is not already required by HIPAA.

Meaningful Use Stage 2 builds on Stage 1 and makes minor changes and additions to the security requirements, but again it does not change the basic requirements specified in HIPAA. For Stage 2 the Risk Analysis requirement is broadened to include documentation of encryption use, and it becomes an annual requirement tied to the attestation year. The basic requirement, however, remains the same: conduct or review a risk analysis in accordance with the HIPAA Security Rule standard. Stage 2 adds the requirement for both Eligible Providers (EP) and Hospitals (EH) to demonstrate the ability to communicate securely with patients and provide secure access to their medical information. For EPs there is a measurable component to this requirement: a small percentage of patients must use secure communications with them. Stage 2 also rearranges some of the functionality requirements of the CEHRT, but it does not change them. The basic technical controls called for in the HIPAA Security Rule are still required. Procedurally there are a couple of changes, such as identifying specifically who can activate the Emergency Access Procedure, as opposed to simply having an emergency access procedure. Again, there is nothing required here that is not already present in HIPAA.

In the early part of 2012 the General Accounting Office conducted a review and called for better oversight of incentive payments under Meaningful Use, citing that CMS was not actively verifying that healthcare organizations applying for such funds were providing accurate information during the attestation process. In response, CMS launched an audit program with an outside audit firm to collect information concerning attestations. Coincidentally, the HHS OIG also launched a survey which, by the nature of its questions regarding CEHRT implementation and barriers to it, also provides insight into the accuracy of those attestations. Many are already saying that the audits do not go far enough to verify these attestations. Audits in the future may take on more of an OCR HIPAA audit-like approach, involving on-site review and interviews as well as documentation review. The point is that this is a serious responsibility with potentially serious consequences. Organizations need to ensure that security readiness is an integral component of their Meaningful Use compliance projects. The good news is that this should not be a major challenge if an organization is already meeting its HIPAA Security Rule requirements. The Office of the National Coordinator for Health IT has produced an excellent guide to help organizations understand and meet these requirements.

Guide to Privacy and Security of Health Information: http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
