Kusserow on Compliance: Compliance officers cite HIPAA as their highest priority

The 2019 Compliance Benchmark Survey respondents reported that compliance officers are finding dealing with data breaches as their highest-ranked priority, with two-thirds of respondents citing HIPAA Security/Cyber-security and over half for HIPAA Privacy as their number one concern. This represented the biggest change since last year’s survey. Coupled with this finding was that nearly 75 percent of respondents reported the compliance office has assumed responsibility for HIPAA Privacy and nearly one-third assumed responsibility for HIPAA Security. So far this year, OCR has reportedly received upwards of a quarter million HIPAA privacy complaints.

The Survey did not focus on privacy laws and regulations emerging on the state level, nor did it provide much understanding on how organizations and compliance offices were responding to the challenges. As such, a separate 2019 survey has been designed to gather that information along with a variety of other issues.  It is designed to provide a general understanding of levels and nature of current commitment to this area.  Those who wish to participate in the 2019 HIPAA Compliance Survey can do so by clicking on the following hyperlink.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Most organizations reported encounters with government authorities

• Most organizations have made disclosures for HIPAA breaches and overpayments
• One third received demand letters
• Other encounters report were with OIG and DOJ

It is widely recognized that regulatory and legal enforcement activities have been increasing over the last few years. The results should be a warning bell to all compliance officers that regulators and enforcement officials are right around the corner, necessitating increased efforts on ongoing monitoring and auditing to mitigate exposure of compliance-related risk areas. In the soon to be released national healthcare “2019 Compliance Benchmark Survey” most respondents reported having encountered issues with government agencies in last five years. Ranking at the top, with nearly two-thirds of the respondents, was disclosure to the HHS Office for Civil Rights (OCR) for breaches of privacy under the Health Insurance Portability and Accountability Act (HIPAA). Over half reported making self-disclosures of overpayments received and addressing audits or investigations by government agencies. One-third reported responding to a demand letter from a government agency or contractor. Serious legal encounters with the government was reported at a much lower level.  One out of five respondents reported self-disclosure to the DOJ, OIG and CMS.  About one out of eight respondents reported their organization being involved in the settlement process with DOJ, self-disclosing to the OIG engagement of sanctioned individuals/entities, and being involved in a settlement process for a corporate integrity agreement (CIA).

The “2019 Compliance Benchmark Survey” report will be available without charge at the upcoming HCCA conference in Boston at Strategic Management Services, Booth 420. 

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OCR releases new guidelines on software vulnerabilities and patching

The HHS Office for Civil Rights (OCR) recently released a report focuses on software bugs and patches designed to reduce the vulnerability of computer systems that put electronic personal health information (ePHI) at risk. The OCR noted that last year researchers discovered a widespread vulnerability in computer processors that were sold over the previous decade. These vulnerabilities, known as Spectre and Meltdown, allow “malware” to bypass data access controls and potentially access sensitive data. This security flaw has been present in nearly all processors produced in the last 10 years and affects millions of devices. Upon discovery of these defects, vendors scrambled to release patches that addressed this problem. Managing patches plays an important role in maintaining HIPAA Security Rule compliance and without them vulnerabilities will not be fixed. The health care sector relies on software to manage ePHI and organizations are required under the HIPAA Security Rule to use appropriate technical safeguards to ensure the security of ePHI, including the evaluation of software vulnerabilities, the assessment of potential risks, and the implementation of solutions to keep risk at a reasonable minimum. The OCR suggested the following for effective patch management:

  • Evaluate patches to determine if they apply to your software/systems.
  • Test patches on an isolated system for any unwanted side effects.
  • Once patches have been evaluated and tested, approve them for
  • Deploy patch installation on live systems.
  • Test and verify to ensure correct patch installation and no unforeseen side effects

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: The challenge of protecting PHI

The challenges of securing sensitive information which is stored electronically, has become extremely difficult in the face of legal requirements to do so, and every day there are new reports of data breaches in the health care sector. Few would argue that it is likely that this kind of threat will continue to grow. There are some positive news on this front. According to Risk Based Security’s recent first quarter 2018 data breach report, the number of data breaches in the first quarter of 2018 marked a four-year low with a total of 685 breaches. This number is down from 1,444 breaches in the first quarter of 2017 and 1,153 in the first quarter of 2016. Overall, businesses saw the most reported breaches at 50.4 percent during the first quarter while medical breaches came in at 10.2 percent, according to the report. Within the health care sector, practitioners’ offices saw 43.4 percent of the data breaches while hospitals saw 30.2 percent and medical facilities were at 17.1 percent.  However, health care providers, managed care organizations, and others having access to patient data remain extremely vulnerable to cyber and ransom attacks because information is critical to operations and the need to share data among multiple parties creates opportunities for attack. Many organizations rely upon outdated software and lack controls over those with access to the systems. Not being able to access patient data can shut an organization down. Those desiring data for criminal use can find the needed identifiable data in patient records that include name, date of birth, Social Security Number, family information, and often credit information.

Dr. Cornelia Dorfschmid, PhD is an expert in this area and noted that there are many different measures available to take preventative measures to protect PHI, beginning with encryption that is the most basic method used. She offered a number of steps and tips that health care organizations can take to mitigate their exposure and risks to hacking:

  1. Ensure patient data is stored in an encrypted database
  2. Maintain close control and encryption over any removable media
  3. Have multi-levels of passwords to access any database storing PHI and change passwords frequently
  4. Periodically run background checks and sanction-screening on those handling PHI
  5. Make sure malware detection software is running on servers and workstations
  6. Ensure that your firewalls are up and secure
  7. Review and implement standard network security controls
  8. Protect PHI and other sensitive information wherever it is stored sent or used
  9. Control against shifting data from one device to another external device
  10. Restrict the downloading of data
  11. Shred all the files and folders before disposing of any storage equipment
  12. Ban unencrypted devices, including laptops and other portable devices
  13. Use solid passwords for any access and change them from time to time
  14. Limit accessibility to those who are working on company’s sensitive data
  15. Provide privacy and security training to all employees and others with access to data
  16. Establish a breach response plan to trigger a quick response to data breaches to limit harm
  17. Develop and maintain a disaster recovery plan should a breach occur
  18. Be on the lookout for any suspicious network activity
  19. Track movement of data within the network
  20. Use automated systems to regularly check password settings, server and firewall controls
  21. As part of ongoing monitoring, periodically check security controls

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on Google+ or LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2018 Strategic Management Services, LLC. Published with permission.