OCR Publishes New HIPAA Audit Protocol
The Department of Health and Human Services Office for Civil Rights (OCR) has published a new HIPAA audit protocol for the second round of compliance audits. The audit protocol has been updated to incorporate 2013 Omnibus Final Rule changes, and OCR is encouraging covered entities to read the new protocol and submit comments. The 2016 HIPAA audits have a much narrower focus than the first round and will be conducted in modules. The modules will assess separate elements of the Privacy Rule, Security Rule, and Breach Notification Rule. OCR may decide to audit a covered entity on one or more modules, depending on the type of organization. If selected for audit, covered entities will be required to submit a range of documents to OCR via a dedicated web portal. The most current versions of documents must be submitted in PDF, Word, or Excel formats. Documentation will need to include evidence of implementation of each aspect of HIPAA. If no documentation is held, the covered entity will be required to submit a statement to that effect. Auditors will then be provided with a selection of...
Breach Notification Laws in Tennessee Updated
Data breach notification laws in Tennessee have been updated to better protect state residents. The new law requires organizations to issue notifications to state residents more quickly, and the range of information covered has been broadened. When the new laws come into effect, organizations doing business in the state of Tennessee will be required to notify state residents of a breach of personal information within 45 days of the discovery of data exposure. Originally the bill required entities to issue notifications within 14 days of discovery, although this was later amended to 45 days. Previously, data breach notification laws in Tennessee required all businesses to issue breach notifications in a reasonable time frame after a breach was discovered. Tennessee is not the only state to introduce laws that reduce the timescale for notifying breach victims – it is the eighth state to add a time frame for sending breach notification letters – but in contrast to many states, information holders are...
One In Five Companies Has Suffered a Data Breach Involving Mobile Devices
One in five companies has suffered a data breach involving mobile devices, according to a study recently published by Crowd Research Partners. 39% of respondents said malware had been downloaded onto devices supplied to employees by their company or used under BYOD schemes, and almost a quarter of respondents said devices had connected to malicious Wi-Fi networks. The number of devices that had been compromised is a concern; however, what is more worrying is how little visibility organizations have into the devices that are allowed to connect to their networks. When asked whether devices had connected to malicious networks, 48% of respondents said they were not sure. When asked whether malware had been downloaded onto mobile devices, 35% said they were not sure, and 37% could not say whether mobile devices were involved in security breaches at their organizations. These results suggest that while mobile devices are allowed to connect to work networks, the controls put in place to keep those devices secure are insufficient in many organizations. When asked about the risk control...
Ransomware and HIPAA: Are Attacks Reportable?
Following a number of high-profile ransomware attacks on hospitals, the issue of whether ransomware attacks are reportable under HIPAA has been raised by a number of privacy experts. So far attacks on hospitals, including the Hollywood Presbyterian Medical Center attack in February, have not been added to the HHS breach portal and are unlikely to appear. The healthcare organizations that have announced they have been hit with ransomware infections claim that while files were encrypted, patient data were unaffected. But what about situations when malicious file-encrypting software does lock files containing the PHI of patients? Would those ransomware attacks be reportable under HIPAA? The Department of Health and Human Services’ Office for Civil Rights must be informed of malware attacks that result in hackers gaining access to PHI, but with ransomware the situation is less clear. If ransomware encrypts the Protected Health Information of patients, the attackers are the only individuals with a security key to unlock the data. That does not mean that PHI has been viewed or acquired...
Transition to HIPAA Electronic Administrative Transactions Could Save Industry $8 Billion, says CAQH
On Wednesday this week, the 2015 CAQH Index was released. The data show that many healthcare organizations are continuing to rely on manual administrative processes for basic transactions such as verifying patient coverage, submitting claims, prior authorization, and referral certification, even though these tasks can easily be performed electronically. The CAQH Index is released once a year and measures the adoption of electronic transactions for routine business processes in the healthcare industry. The aim of the report is to raise awareness of the potential cost savings that can be made by switching to electronic HIPAA transactions. The data used for the 2015 CAQH Index represent some 440 million transactions relating to 92 million patients. The reliance on manual processes rather than HIPAA electronic administrative transactions is costing the healthcare industry dearly: CAQH estimates that the continued reliance on resource-intensive manual processes costs the healthcare industry $8 billion each year. Each time health plans and healthcare providers perform a manual...