All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved

Data Fast News



Healthcare Data Breach Analysis

Healthcare industry data breaches have, unfortunately, become a more frequent occurrence in recent years. This information is tracked through the Health and Human Services (HHS) online breach portal. The portal has been dubbed the “Wall of Shame” and shows a higher rate of breaches over the past three years. It was put in place in 2009 to provide data, as required by section 13402(e)(4) of the HITECH Act, to “post a list of breaches of unsecured protected health information affecting 500 or more individuals.” Although the information provided contains the type and location of the breach, the portal does not provide more specifics that could help healthcare officials and I.T. professionals learn more about why the breaches are occurring.

Tracking trends in healthcare breaches is the key, and the Protenus Breach Barometer is one of the best ways to reveal those trends. It uses compiled breach data to provide a monthly snapshot that can be used to better combat specific issues. Prior year data, month over month, reveals that hacking and issues originating from within healthcare organizations are the two main culprits of the data breaches. Those insider issues include mistakes made by staff as well as malicious attempts by employees to obtain secure data.

As we have mentioned in previous blog posts, technology is not always fail-proof when it comes to human error, but consistent employee training and everyday awareness can reduce the rate at which errors occur. Training all staff to constantly be aware of malicious attempts by insiders to steal electronic personal health information (ePHI) can help thwart an attack before it occurs. Simple daily communication can help raise awareness and keep all employees on alert. In addition, with the increasing rate of breaches, increasing the rate at which healthcare data audits are performed can help limit damage should employee errors occur.

Addressing issues outside of an organization that involve hacking can be much more difficult. Hackers are increasingly sophisticated in their attempts at obtaining highly valuable healthcare data. However, just as hackers are persistent, highly reputable I.T. companies, such as Data-Fast Solutions, are just as persistent at stopping them. Through on-going education, training, and analyzing data breach trends, the healthcare I.T. industry is constantly learning new ways to progress.

With healthcare information technology, knowledge of issues after they occur is not enough. In addition to current technology, and ethical employees who understand the importance of protecting ePHI, getting to the root of data breach problems will help organizations become more proactive in their on-going approach. For assistance with your healthcare I.T. audit or to implement a more secure healthcare system for your organization, contact Data-Fast Solutions today.

This article is ©2018 Data Fast Solutions • All Rights Reserved

Auditing Business Associates for HIPAA Compliance

In a previous blog, we discussed appointing a HIPAA Privacy and Security Officer and all of the duties that the officer may perform as set forth by the American Health Information Management Association (AHIMA).

In addition to those duties, an important task is to regularly audit your healthcare company to ensure overall HIPAA compliance. Part of your company’s audit should be to make sure Business Associate Agreements are up-to-date and include revisions, required under the Omnibus Final Rule, that the business associate will stay HIPAA compliant.

The HIPAA Omnibus rule (section 164.103) states that a covered entity may be a business associate of another covered entity and a business associate includes:

(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.

(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.

(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.

(4) Business associate does not include:

(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.

(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance Issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.

(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.

(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.

To ensure your business associates remain HIPAA compliant, Data-Fast Solutions recommends that your HIPAA Privacy and Security Officer audit your business associates on a regular basis. This is extremely important because you, as the covered entity, are liable for any penalties incurred for violations committed by them while carrying out their duties.

Some ways to audit a business associate include asking about their security systems in place and:

  • How and when they are educating their workforce
  • Specifically, how they handle sensitive data
  • Whether they have HIPAA policies and procedures in place
  • Whether or not they are auditing their own business associates who may interact with HIPAA related data

As HIPAA Certified I.T. professionals, Data-Fast Solutions can assist you with an I.T. audit to ensure your company, and your business associates, are HIPAA I.T. compliant. Contact us at (817)380-3188 for more information.

This article is ©2018 Data Fast Solutions • All Rights Reserved

Appointing a HIPAA Privacy and Security Officer

In a previous article, Small Healthcare Providers and HIPAA Compliance, it was noted that many small to mid-sized healthcare offices are less likely to appoint a HIPAA Privacy Officer and a HIPAA Security Officer. Part of the challenge is that privacy and security officers are hard to find across many sectors. The healthcare industry, requiring candidates with in-depth knowledge of HIPAA and HITECH, can make filling the position even more difficult. However, as HIPAA rules and technology continue to evolve, this is one area where adhering to the HIPAA mandate can keep smaller offices from experiencing a privacy breach.

Understanding the responsibilities of each officer can help smaller organizations find existing or new employees who may fit the requirements with little or no additional training.

Responsibilities of a HIPAA Privacy Officer

According to the American Health Information Management Association (AHIMA), a privacy officer’s responsibilities include:

  • Builds a strategic and comprehensive privacy program that defines, develops, maintains and implements policies and processes that enable consistent, effective privacy practices which minimize risk and ensure the confidentiality of protected health information (PHI), paper and/or electronic, across all media types. Ensures privacy forms, policies, standards, and procedures are up-to-date.
  • Works with organization senior management, security, and corporate compliance officer to establish governance for the privacy program.
  • Serves in a leadership role for privacy compliance.
  • Collaborates with the information security officer to ensure alignment between security and privacy compliance programs including policies, practices, investigations, and acts as a liaison to the information systems department.
  • Establishes, with the information security officer, an ongoing process to track, investigate and report inappropriate access and disclosure of protected health information. Monitors patterns of inappropriate access and/or disclosure of protected health information.
  • Performs or oversees initial and periodic information privacy risk assessment/analysis, mitigation and remediation.
  • Conducts related ongoing compliance monitoring activities in coordination with the organization's other compliance and operational assessment functions.
  • Takes a lead role, to ensure the organization has and maintains appropriate privacy and confidentiality consents, authorization forms and information notices and materials reflecting current organization and legal practices and requirements.
  • Oversees, develops and delivers initial and ongoing privacy training to the workforce.
  • Participates in the development, implementation, and ongoing compliance monitoring of all business associates and business associate agreements, to ensure all privacy concerns, requirements, and responsibilities are addressed.
  • Works cooperatively with the Health Information Management (HIM) Director and other applicable organization units in overseeing patient rights to inspect, amend, and restrict access to protected health information when appropriate.
  • Manages all required breach determination and notification processes under HIPAA and applicable State breach rules and requirements.
  • Establishes and administers a process for investigating and acting on privacy and security complaints
  • Performs required breach risk assessment, documentation, and mitigation. Works with Human Resources to ensure consistent application of sanctions for privacy violations
  • Initiates, facilitates and promotes activities to foster information privacy awareness within the organization and related entities.
  • Maintains current knowledge of applicable federal and state privacy laws and accreditation standards.
  • Works with organization administration, legal counsel, and other related parties to represent the organization's information privacy interests with external parties (state or local government bodies) who undertake to adopt or amend privacy legislation, regulation, or standard.
  • Cooperates with the U.S. Department of Health and Human Service's Office for Civil Rights, State regulators and/or other legal entities in any compliance reviews or investigations.
  • Serves as information privacy resource to the organization regarding release of information and to all departments for all privacy related issues.

Responsibilities of a HIPAA Security Officer

AHIMA describes the responsibility of a HIPAA Security Officer as one who:

  • Builds a strategic and comprehensive information security program that defines, develops, maintains and implements policies and processes that enable consistent, effective information security practices which minimize risk and ensure the integrity, confidentiality and availability of information that is owned, controlled and processed within the organization. Ensures information security policies, standards, and procedures are up-to-date.
  • Initiates, facilitates, and promotes activities to foster information security awareness within the organization.
  • Creates a culture of cyber security both with the IT organization and driving behavioral changes for the business.
  • Evaluates security trends, evolving threats, risks and vulnerabilities and applies tools to mitigate risk as necessary.
  • Manages security incidents and events involving electronic protected health information (ePHI)
  • Ensure that the disaster recovery, business continuity, risk management and access controls needs of the facility are addressed.
  • Ensures the institution/organization complies with the administrative, technical and physical safeguards.
  • Collaborates with organization senior management, Privacy Officer, and Corporate Compliance officer to establish governance for the security program.
  • Serves in a leadership role for security compliance.
  • Works closely with the Privacy Officer to ensure alignment between security and privacy compliance programs including policies, practices and investigations, and acts as a liaison to the information systems and compliance departments.
  • Is responsible for initial and periodic information security risk assessment/analysis, mitigation and remediation. Responsible for development and implementation of security risk management plan.
  • Ensure organization has audit controls to monitor activity on electronic systems that contain or use electronic protected health information.
  • Oversee periodic monitoring and reviewing of audit records to ensure that activity is appropriate. Such activity would include, but is not limited to, logons and logoffs, file accesses, updates, edits and printing.
  • Ensure the organization has and maintains appropriate system use and disclosure / confidentiality statement.
  • Oversees, develops and/or delivers initial and ongoing security training to the workforce. Initiates, facilitates and promotes activities to foster information security awareness within the organization and related entities
  • Participates in the development, implementation, and ongoing compliance monitoring of all BAs and business associate agreements, to ensure security concerns, requirements, and responsibilities are addressed.
  • Assists Privacy Officer as needed with breach determination and notification processes under HIPAA and applicable State breach rules and requirements.
  • Establishes and administers a process for investigating and acting on security incidents which may result in a privacy breach.
  • Partners with Human Resources and Privacy Officer to ensure consistent sanctions for security violations
  • Maintains current knowledge of applicable federal and state security laws, licensing and certification requirements and accreditation standards.
  • Cooperates with the U.S. Department of Health and Human Service's Office for Civil Rights, State regulators and/or other legal entities, and organization on officers in any compliance reviews or investigations.
  • Serves as information security consultant to all departments for all data security related issues.

It’s important to note that if one individual meets the requirements of both officers, it is acceptable for that person to perform both roles. However, many smaller offices tend to appoint an existing office or billing manager to the privacy and security position, and when that happens one or more privacy and security duties may not be performed adequately. Some of the work can be delegated to others, provided the privacy and security officer makes sure that the work is carried out properly.

For assistance from an I.T. security standpoint, a HIPAA-knowledgeable I.T. professional can help. Data Fast Solutions has been providing HIPAA I.T. services in the Dallas Fort Worth area for many years. If you have any questions about your information technology and HIPAA compliance, contact Data Fast Solutions today!

This article is ©2017 Data Fast Solutions • All Rights Reserved

HIPAA Password Security and Management

The HIPAA Security Rule was established to provide national standards regarding electronic personal health information (ePHI). Under the Security Rule, administrative security standards were created to address different areas of concern relating to ePHI. One important piece is password management, which states “the covered entity must implement procedures for creating, changing, and safeguarding passwords.” The following information provides some guidelines in relation to the security standards for passwords.


Creating Complex Passwords

To create a strong password, use the criteria below.

  1. Passwords should not contain the user’s I.D. or account name.
  2. Sequential numbers, such as 1, 2, 3, 4, or sequential letters such as a, b, c, d, should not be used.
  3. Passwords should not contain common words or phrases.
  4. Passwords should not be your birthdate, nor your license number or social security number.
  5. A lowercase letter, an uppercase letter, and a number between 0 and 9 should be used in addition to a special character such as !, @, $, %, ^, &, *, ( or ).
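As an added example (not code from the original article or from Data Fast Solutions), the following Python function checks a candidate password against the five criteria above, so the policy can be enforced when an account is created or a password is changed rather than left to each user's memory. The `COMMON_WORDS` deny-list, the `user_id`, `birthdate` and `id_numbers` parameter names and the sample passwords are constructed for illustration; the sequence check also rejects descending runs such as `9876`, a slight generalisation of criterion 2.

```python
import re

# Constructed, illustrative deny-list of common words; a real deployment would
# load a far larger dictionary/breached-password list (assumption, not from the article).
COMMON_WORDS = {"password", "welcome", "hospital", "clinic", "letmein", "qwerty", "admin"}

# Special characters named in the article's criterion 5.
SPECIALS = set("!@$%^&*()")


def has_sequential_run(pw, length=4):
    """True if pw contains `length` consecutive ascending or descending
    characters of one class, e.g. '1234', 'abcd' or '9876' (descending runs
    are a small generalisation of the article's rule)."""
    s = pw.lower()
    for i in range(len(s) - length + 1):
        chunk = s[i:i + length]
        if not (chunk.isdigit() or chunk.isalpha()):
            continue  # mixed classes such as '9:;<' are not a sequence
        diffs = [ord(chunk[j + 1]) - ord(chunk[j]) for j in range(length - 1)]
        if all(d == 1 for d in diffs) or all(d == -1 for d in diffs):
            return True
    return False


def check_password(pw, user_id, birthdate=None, id_numbers=()):
    """Return the list of violated criteria; an empty list means the password
    passes all five rules. `id_numbers` holds licence/SSN-style values that
    must not appear in the password (hypothetical parameter names)."""
    problems = []
    low = pw.lower()

    # 1. must not contain the user ID or account name
    if user_id and user_id.lower() in low:
        problems.append("contains user ID")

    # 2. no sequential numbers or letters
    if has_sequential_run(pw):
        problems.append("contains sequential characters")

    # 3. no common words or phrases
    if any(word in low for word in COMMON_WORDS):
        problems.append("contains a common word")

    # 4. not the birthdate, licence number or SSN: compare digit-only forms so
    #    that '1985-03-14' and '19850314' are both caught
    pw_digits = re.sub(r"\D", "", pw)
    for ident in (birthdate, *id_numbers):
        ident_digits = re.sub(r"\D", "", ident or "")
        if ident_digits and ident_digits in pw_digits:
            problems.append("contains a personal identifier")
            break

    # 5. lowercase, uppercase, digit and special character are all required
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs: one weak password, one that meets every rule
    for pw, uid in [("jdoe1234", "jdoe"), ("Tr0ub4dor!xyz", "jdoe")]:
        print(pw, "->", check_password(pw, uid) or "OK")
```

Returning the full list of violations, rather than stopping at the first, lets the application tell the user everything that must change in one round, which in practice is what keeps staff from working around the policy with minimal tweaks.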

A password is only strong if:

  • The password is not shared
  • No one sees you typing the password
  • You log-out
  • You use a different password for every site and application you enter
  • You change the password on a regular basis

Changing Passwords

Having a system that prompts users to update their passwords every three months or so seemed like a good idea in the past. However, current data suggests that changing passwords too frequently can make them less secure. A blog written for the Federal Trade Commission, by Chief Technologist, Lorrie Cranor, “Time to rethink mandatory password changes” states that when users are required to change their passwords frequently, they often select weaker passwords leaving them more open to attackers. A good rule of thumb is to review passwords and storage of passwords on a yearly basis and create new ones based on complex password creation criteria at that time.

Password Storage

With increasingly complicated passwords and different passwords for every site, storing passwords is almost always necessary to be able to remember them. However, the storage must be secure. Writing passwords on a piece of paper when it’s accessible to others is like storing passwords in your computer, or smartphone, without using encryption and both leave your passwords vulnerable to misuse.

Cloud-based secure and encrypted password storage methods allow you to access passwords from multiple devices. However, the information is stored online and can be less secure. More secure methods are:
  • Using password management software stored on your own computer
  • Using encryption software to create an encrypted folder on your computer to store passwords

After reviewing and updating less secure storage methods, it’s important to securely delete any current passwords stored elsewhere. This can be done using file-shredding software to safely erase the existing files.

Passwords are meant to safeguard data and the user from unscrupulous attacks. Following the guidelines above can help your healthcare organization implement, or update, password procedures to ensure your ePHI is secure. Data Fast Solutions is always available to help your company with any of your HIPAA compliant technology needs. As certified HIPAA technology experts, we specialize in all aspects of keeping your ePHI safe.

This article is ©2017 Data Fast Solutions • All Rights Reserved

Disaster Recovery Planning and HIPAA

Recent natural disasters, such as Hurricane Harvey in Texas and Hurricane Irma in Florida, have once again put the spotlight on the importance of healthcare contingency planning. When a catastrophic event takes place, it's imperative for any business to have a back-up plan and be up and working again as soon as possible. This is especially true in healthcare. Many in the healthcare industry have contingency plans in place as required. However, testing and updating the plan as the needs of the business, and of those employed by the business, change is imperative to the plan working properly should the need arise to use it.


Electronic Personal Health Information (ePHI) is an integral part of any healthcare contingency plan, and the HIPAA Final Security Rule, §164.308(a)(7), “requires the establishment and implementation of procedures for responding to events that damage systems containing electronic protected health information”. This requirement is outlined in the Health and Human Services’ Information Technology Contingency Plan template. The template, designed for HHS, can be a useful tool for any company. It’s a comprehensive plan for all the I.T. systems in an organization should a natural disaster or other catastrophic event take place.

Keys to HIPAA Contingency Planning

As with any good contingency plan, the HHS plan establishes procedures to restore ePHI through notification, recovery, and reconstitution. The template also provides a sample contact list formulated to provide a line of succession for individuals with decision-making authority. It also identifies the team responsible for enacting the contingency plan and the team’s responsibilities. An integral part of the plan is establishing criteria for validation and testing of the plan between the business owner and the system developer at least once a year.

Your Partners in HIPAA Disaster Recovery

The HHS I.T. contingency plan can be found with a simple Google search, as can other, similar, back-up plans for HIPAA related data. However, some smaller health care organizations may not have an in-house system developer on staff. When it comes to HIPAA related data and keeping electronic protected health information (ePHI) safe, it’s important to have a knowledgeable and experienced I.T. company. An I.T. professional who can help with constructing a workable plan custom designed for the specific needs of the business will help save time and money.

Data Fast Solutions can assist with testing and continued maintenance of a contingency plan through modification, or the creation of a new plan, to make sure it coincides with any new systems put in place. As HIPAA Certified I.T. Professionals, Data Fast specializes in ePHI and restoring it quickly, so lifesaving data is readily available should a catastrophic event take place.

This article is ©2017 Data Fast Solutions • All Rights Reserved

Retention of Medical Records

While medical record retention requirements are not governed by the HIPAA Privacy Rule, state laws generally do provide direction on how long medical records should be kept. However, per Health and Human Services, the HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. (See 45 CFR).

Many healthcare providers today are utilizing electronic medical records in their day-to-day practice even if older charts have not yet been migrated completely. With technology rapidly advancing, it can be a challenge for medium and small healthcare facilities to navigate the rules and regulations of HIPAA and state laws as well as the technology needed to retain electronic protected health information (ePHI) safely.

However, there are some helpful guidelines by Health and Human Services to help ensure ePHI is being managed and retained securely.

The Privacy and Security Guide provides a specific section on working with electronic health records (EHR) and health I.T. developers to help understand the privacy and security practices put in place. It reads as follows:

  • “When my health IT developer installs its software for my practice, does its implementation process address the security features listed below for my practice environment?
      ◦ ePHI encryption
      ◦ Auditing functions
      ◦ Backup and recovery routines
      ◦ Unique user IDs and strong passwords
      ◦ Role- or user-based access controls
      ◦ Auto time-out
      ◦ Emergency access
      ◦ Amendments and accounting of disclosures
  • Will the health IT developer train my staff on the above features so my team can update and configure these features as needed?
  • How much of my health IT developer’s training covers privacy and security awareness, requirements, and functions?
  • How does my backup and recovery system work?
      ◦ Where is the documentation?
      ◦ Where are the backups stored?
      ◦ How often do I test this recovery system?
  • When my staff is trying to communicate with the health IT developer’s staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is the health IT developer representative and not a hacker trying to pose as such?
  • How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?
  • If I want to securely email with my patients, will this system enable me to do that as required by the Security Rule?”

The additional section on cybersecurity is especially helpful as cloud-based storage of ePHI becomes more prevalent. This section links to the HHS Security Risk Assessment Tool.

This can be useful for small to medium-sized health care practices and their I.T. professionals.

As technology changes and improves quickly, it may be helpful for healthcare professionals to know that there are HIPAA trained I.T. professionals such as Data Fast Solutions who can assist them effectively.

This article is ©2017 Data Fast Solutions • All Rights Reserved

Meaningful Consent

When it comes to electronic personal health information (ePHI), there is no lack of guidance for healthcare professionals on how it should be handled to remain HIPAA compliant. However, the way in which ePHI is exchanged is rapidly changing, and a patient must consent to an electronic health information exchange (eHIE). Some providers have a simple “opt in” or “opt out” option, but this should not be a simple “yes” or “no”. Meaningful consent is required, described as “when the patient makes an informed decision and the choice is properly recorded and maintained”. In addition, according to HHS, meaningful consent should have the following six aspects in regard to a patient’s decision:

  • It must be made with full transparency and education
  • It must be made only after the patient has had sufficient time to review educational material
  • It must be commensurate with the circumstances for why health information is exchanged (i.e., the further the information-sharing strays from a reasonable patient expectation, the more time and education is required for the patient before he or she makes a decision)
  • It must not be used for discriminatory purposes or as a condition for receiving medical treatment
  • It must be consistent with patient expectations
  • It should be revocable at any time

Ironically, with many healthcare providers, patient consent is not obtained electronically, but through paper form. The Office of the National Coordinator for Health Information Technology (ONC) has put together a toolkit to encourage healthcare organizations and providers to offer patients the ability to provide meaningful consent, or non-consent, through technology.

There is a trial project for e-consent underway and it’s easily obtainable through the ONC’s e-consent toolkit. The toolkit is not an all-encompassing, straight out of the box, way for an organization to immediately implement e-consent. However, it does offer well-researched examples of how to implement a technological approach to meaningful consent. The ONC e-Consent Trial Project put together a way to gather a patient’s input on consent, educate them about eHIE, and capture and store this information electronically.

The toolkit includes planning resources, among them an example survey for learning what patients need to know before making a meaningful consent decision. The toolkit also contains educational materials, texts, and stories, and, of course, technical resources. The technical resources for providers include a helpful eConsent Story Engine Tool which can display educational material to patients and allows for electronically capturing patients’ signatures. Also, for implementers of the tool, there are video tutorials on the e-Consent Story Engine Tool, an architectural analysis and technical standards for the computer software and hardware needed for the Story Engine installation on a web server, an installation guide, and a user guide.

As technology continues to evolve in the healthcare industry, just as meaningful consent is required from patients, it makes sense to utilize technology in a meaningful way. Utilizing helpful resources such as the ONC’s e-Consent Toolkit can help your organization lessen paperwork and redundancy. Data-Fast Solutions can help your organization utilize the e-Consent Toolkit and other technical resources to ensure your company is functioning more efficiently.

This article is ©2017 Data Fast Solutions • All Rights Reserved

Top Reasons for HIPAA Breaches and How to Avoid Them

Since HIPAA was enacted over two decades ago, the top reasons for HIPAA breaches have remained constant. Even with the possibility of incurring hefty fines, which have exceeded billions, healthcare organizations continue to be vulnerable to HIPAA related threats.

The top reasons for HIPAA breaches continue to include:

 - Hacking
 - Lost or stolen devices
 - Improper disposal of devices
 - Employee dishonesty
 - Third-party (or business associate) disclosure

To be proactive and avoid possible HIPAA violations, it’s important to be aware of these issues and communicate them as effectively as possible. Educating others about common HIPAA violations can help diminish occurrences, but training for HIPAA must be done efficiently and, most importantly, consistently to be effective.

Training which includes employee and business associate involvement can increase retention of the information being presented. One of the most effective training techniques is done through role playing by assigning employees specific tasks to carry out in a team environment. The team works together to accomplish a common goal which can encourage communication about the importance of possible HIPAA violations. This type of training also encourages awareness about possible dishonest employees or business associates. Other, more traditional, training can be done in a classroom setting, once a quarter, or, preferably, more frequently if time allows.

Another way to ensure the people in your healthcare organization are HIPAA-aware is through on-going, weekly email communication. This can include notices about well-known breaches in the news such as the recent “WannaCry” ransomware attacks. These notices can be a reminder to employees to follow important HIPAA guidelines on a regular basis. Technology alerts within commonly used software have also been shown to be highly effective. For example, setting pop-up reminders to back up important data on a consistent basis can blunt the impact of ransomware attacks.

Hardware used by employees outside of the office or hospital can be equipped with software to disable it should the device be lost or stolen; however, timing is key, so this is not always as effective as an aware employee who knows the importance of keeping devices secure inside, and outside, a work setting. Providing clear instructions on how to dispose of hardware containing sensitive, HIPAA-related data is imperative as well, yet not having a specific process and procedure in place for hardware disposal can make it confusing for some employees.

The top causes of HIPAA breaches are avoidable if employees are kept alert and involved. Most people targeted in these breaches do not work in cyber security, which is why attackers find it so easy to prey on a healthcare organization’s weaknesses. As healthcare organizations adopt more technology, the opportunities for a breach grow with it. This is why it can be far more cost effective to hire a company such as Data Fast Solutions, which specializes in HIPAA security, than to face the fines and remediation costs of a breach that could have been avoided.

This article is ©2017 Data Fast Solutions • All Rights Reserved

HHS Guidance on Ransomware and HIPAA

HIPAA breaches are not something a healthcare organization wants, or expects, to occur, and one of the top culprits, showing no signs of diminishing, is ransomware. According to the Ransomware and HIPAA Fact Sheet published by Health and Human Services (HHS), there have been an average of 4,000 ransomware attacks per day since early 2016, across all industries and against individuals as well as organizations. Estimates put the cost of ransomware in 2016 at over a billion dollars, making it one of the most lucrative crimes carried out online. Well into 2017, ransomware attacks remain a serious problem.

As many in healthcare now know, ransomware is malware (malicious software) that encrypts or otherwise locks a computer system’s data and demands payment to restore access. As these attacks have risen, many healthcare organizations are unsure whether they are liable under HIPAA when hackers gain access to protected data. To answer this and other questions, HHS put together the Ransomware and HIPAA Fact Sheet, which helps healthcare professionals take proactive steps so their systems are not easily attacked and explains what to do if an attack occurs. Becoming familiar with the fact sheet is imperative both for prevention and for recognizing when a ransomware incident is a HIPAA breach.

The fact sheet states:

“Whether or not the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination. A breach under the HIPAA Rules is defined as, ‘…the acquisition, access, use, or disclosure of PHI in a manner not permitted under the [HIPAA Privacy Rule] which compromises the security or privacy of the PHI.’ See 45 C.F.R. 164.402.

When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a ‘disclosure’ not permitted under the HIPAA Privacy Rule.

Unless the covered entity or business associate can demonstrate that there is a ‘…low probability that the PHI has been compromised,’ based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, including notification to affected individuals without unreasonable delay, to the Secretary of HHS, and to the media (for breaches affecting over 500 individuals) in accordance with HIPAA breach notification requirements. See 45 C.F.R. 164.400-414.”

The Ransomware and HIPAA Fact Sheet also recommends preventative security measures based on the HIPAA Security Rule: a security management process, procedures to guard against and detect malicious software, user training so that staff can recognize and report suspicious activity, and access controls limiting who can reach ePHI. It also stresses the importance of a thorough risk analysis.

As with most malicious software, and ransomware in particular, one of the best defenses is understanding the risks. The Ransomware and HIPAA Fact Sheet is a good starting point for becoming familiar with ransomware and its implications. Using a HIPAA-certified I.T. company alongside the HHS guidance can lower a healthcare organization’s ransomware risk significantly. Data Fast Solutions is HIPAA I.T. certified and can help protect your ePHI from ransomware and other malicious software.


Small Healthcare Providers and HIPAA Compliance

As busy healthcare professionals focus on their core business of patient care, smaller offices tend to be more vulnerable to HIPAA violations. A recent NUEMD survey found that only 40% of 927 respondents were aware that OCR HIPAA audits were even planned; most respondents came from practices with 1 to 10 providers.

Although HIPAA requires that a Security Officer and a Privacy Officer be appointed, smaller offices are less likely to do so: the NUEMD survey found that only 53% of offices had a security officer and only 54% had a privacy officer. As the survey points out, a compliance plan is the first step toward following HIPAA guidelines, and 70% of respondents claimed to have one. However, a plan on paper is of little benefit unless staff are thoroughly trained on it.

The NUEMD survey also found that although HIPAA requires electronic devices containing protected health information (PHI) to be inventoried, a majority of small healthcare offices were not doing so, even though patient and staff communication via mobile devices, email, texting and social media is taking place. Training for new and existing employees on overall compliance, and on-going training on using all of this technology in a HIPAA-compliant manner, is important.

Larger healthcare offices are not immune. Although larger providers usually have robust I.T. departments, this does not always prevent the same issues found in smaller offices. Smaller practices, for their part, may not realize that HIPAA-compliant I.T. does not have to consume a great deal of time and money; a small I.T. company may be their best option for help with compliance. Companies like Data Fast Solutions have the same technology as large I.T. firms but are more agile in their responsiveness and can monitor HIPAA-related I.T. issues more cost effectively.

In summary, for small healthcare practices, having a HIPAA compliance plan in place and working the plan through training and follow-up communication can help avoid time-consuming and costly HIPAA issues later. Having a HIPAA-certified I.T. company like Data Fast Solutions assist with I.T. compliance and provide on-going support is key, leaving the practice free to focus on patient care.