How to spot a cyber breach

The types of events that could lead to a privacy or data security incident in your practice can vary from seemingly harmless to catastrophic. If you’re not sure what to look for, see the list below. If you experience any of the following, immediately report the incident to your IT department or your organization’s privacy officer:

  • malicious code such as viruses, worms, Trojans, or bots;
  • unauthorized access to a computer or network;
  • network attacks such as denial of service;
  • probes, scans, or unauthorized electronic monitoring (e.g., sniffers);
  • theft of source or programming code;
  • a violation of privacy or data security policies or procedures;
  • abuse or misuse of information assets;
  • misuse or accidental disclosure of personal information, such as a post on a website or public forum, an email sent to the wrong person, or an email sent without encryption;
  • compromised system or user credentials;
  • phishing or other social engineering email;
  • establishment of an unauthorized account for a computer or application;
  • loss or theft of a PC, laptop, cell phone, or other electronic storage device;
  • lost, stolen, or missing hard-copy documents or media; or
  • other circumstances that your organization deems sufficiently suspicious, such as the malfunction of a server or employee workstation.

Source: eplace Solutions

What every physician needs to know about the Internet of things

Connected devices generate and store data for their various functions, posing serious security and privacy concerns. This presentation is intended to warn physicians of the risks of using internet-connected devices and includes best practices to keep their practice safe within the Internet of Things.

Charging for copies of medical records: new rules released

by Kassie Toerner

The amount you can charge for supplying copies of medical records has changed, as the Office for Civil Rights (OCR) has issued guidance that clarifies allowable fees. Under the new rules, allowable fees differ for the release of records directly to the patient versus release of records to a third party.

Fees to release directly to the patient/individual

Title 45 of the Code of Federal Regulations, Section 164.524, outlines individuals’ rights to access their protected health information (PHI). Below are highlights from the new rules.

Flat rate of $6.50 — The OCR has determined that a flat fee of $6.50 is a reasonable cost for the release of medical records directly to a patient/individual. If the provider does not calculate a reasonable fee as outlined below, then the provider should charge the flat rate of $6.50 to the individual for copies of their PHI.

Charging an individual more than $6.50

For any request from an individual, a provider (or business associate operating on its behalf) may calculate the allowable fees in one of three ways:

  1. by calculating the actual allowable costs to fulfill each request;
  2. by using a schedule of costs based on average allowable labor costs to fulfill standard requests; or
  3. in the case of requests for an electronic copy of PHI, by charging a flat fee not to exceed $6.50 (inclusive of all labor, supplies, and postage).

Charging a flat fee not to exceed $6.50 per request is an option for covered entities that do not want to go through the process of calculating actual or average allowable costs for requests for electronic copies of PHI.

Whether a covered entity chooses to use the average cost method or flat fee, the entity may receive an uncommon request that it had not considered when setting up its fee structure. In these cases, the entity may calculate actual costs as long as the costs are reasonable and only of the type permitted by the Privacy Rule.

A covered entity that chooses to calculate actual costs in these circumstances must — as in other cases — inform the individual in advance of the approximate fee that may be charged for providing the copy requested.

Health care providers are urged to err on the side of caution when determining fees for release of records directly to the patient. While the HHS has published the guidelines above, these rules are intended to increase patients’ access to their own records. This is demonstrated by language found in the HHS FAQs:

“. . . while the Privacy Rule permits the limited fee described above, covered entities should provide individuals who request access to their information with copies of their PHI free of charge. While covered entities should forgo fees for all individuals, not charging fees for access is particularly vital in cases where the financial situation of an individual requesting access would make it difficult or impossible for the individual to afford the fee. Providing individuals with access to their health information is a necessary component of delivering and paying for health care.”

For more information, please see these FAQs along with Title 45 of the Code of Federal Regulations, Section 164.524.

Fees to release records directly to a third party

The new OCR flat-rate fee guidance does not apply to the release of records to a third party unless that release is directed by the individual/patient to the third party (see FAQs).

For direct requests from a third party, the covered entity should follow the Texas Medical Board (TMB) rules for release of PHI. Below is an excerpt from the TMB rules.

“(e) Allowable Charges
(1) Paper Format
(A) The physician responding to a request for such information in paper format shall be entitled to receive a reasonable, cost-based fee for providing the requested information.
(B) A reasonable fee for providing the requested records in paper format shall be a charge of no more than $25 for the first twenty pages and $.50 per page for every copy thereafter.
(2) Electronic Format
(A) The physician responding to a request for such information to be provided in electronic format shall be entitled to receive a reasonable, cost-based fee for providing the requested information in electronic format.
(B) A reasonable fee for providing the requested records in electronic format shall be a charge of no more than: $25 for 500 pages or less; $50 for more than 500 pages.
(3) Hybrid Records Format.
(A) The physician responding to a request for such information that is contained partially in electronic format and partially in paper format (“hybrid”), may provide the requested information in a hybrid format and shall be entitled to receive a reasonable, cost-based fee for providing the requested information.
(B) A reasonable fee for providing the requested records in a hybrid format may be a combination of the fees as set forth in paragraphs (1) and (2) of this subsection.
(4) Other Charges.
(A) If an affidavit is requested, certifying that the information is a true and correct copy of the records, whether in paper, electronic or hybrid format, a reasonable fee of up to $15 may be charged for executing the affidavit.
(B) A physician may charge separate fees for medical and billing records requested.
(C) Allowable charges for copies of diagnostic imaging studies are set forth in §165.3 of this title (relating to Patient Access to Diagnostic Imaging Studies in Physician’s Office) and are separate from the charges set forth in this section.
(5) A reasonable fee for records provided in a paper, electronic or hybrid format may not include costs associated with searching for and retrieving the requested information, and shall include only the cost of:
(A) copying and labor, including compiling, extracting, scanning, burning onto media, and distributing media;
(B) cost of supplies for creating the paper copy or electronic media (if the individual requests portable media) that are not prohibited by federal law;
(C) postage, when the individual has requested the copy or summary be mailed; and
(D) preparing a summary of the records when appropriate.”

For more information, please review the most recent version of the TMB rules, Chapter 165.2, Medical Records Release and Charges, and the TMB FAQs for Consumers.

Release to patient with an outstanding bill

An entity may not withhold or deny an individual access to his or her PHI because the individual has not paid the bill for health care services provided.

While the Privacy Rule permits the fees as described, there are other limited circumstances under which a covered entity should not charge copying fees. For example,

  • when records are requested by a health care provider for acute or emergency medical care; and
  • when patients request records to support a disability or benefits application under: Aid to Families with Dependent Children, Medicaid, Medicare, Supplemental Social Security Income, and Federal Old-Age and Survivors Insurance, and Veteran’s Benefits.

For more on medical record release, please visit the TMLT website or contact the Risk Management Department. You can also visit the Cornell Legal Information Institute.

Is Your Cyber Security Really Covered?

By John Southrey, CIC, CRM

Health care organizations are increasingly the target of cyber attacks, and cyber criminals are using a spectrum of techniques* — ransomware, phishing attacks, and other malware infections — to gain access to electronic protected health information (ePHI).

TMLT policyholders reported 112 cyber-related incidents in 2016. One-third of these incidents involved ransomware attacks. To combat these cyber threats and data breaches, TMLT developed fee-based risk management resources to help medical practices assess and mitigate their cyber risks.

TMLT’s cyber risk management services are focused on protecting medical privacy and security and include:

  • HIPAA risk assessments (done on-site or remotely) to evaluate a practice’s physical, administrative, and technical safeguards;
  • customized workforce training (on-site or online) to maintain compliance with privacy laws;
  • IT support such as system penetration and phishing vulnerability testing, hosting, backup management, and disaster recovery;
  • managed detection and response from eSentire; and
  • policy and procedures review.

Though data breaches are a systemic business risk that can be devastating to a medical practice and its patients, many health care organizations continue to take a “wait and see” approach to improving their data security. They may not even recognize when they have been breached because it can take up to several weeks to detect and respond to incidents. (1)

Indeed, TMLT regularly encounters the following objections when addressing this issue with practice administrators and physicians.

“Our cyber security is covered.”

  • But are you monitoring your system log files and network traffic 24 hours a day?
  • How often are you updating your computer system and software?
  • How would you know if malware bypassed your security, for example by exploiting “zero-day” flaws that have not yet been patched by the software vendor?

“We’re too small to be a target.”

  • How many medical records do you have in your EHR and/or PM systems?
  • Do you give your Business Associates and their subcontractors access to your EHR?
  • Are you aware that small-to-medium practices are targeted by cyber criminals because they’re considered “low-hanging fruit” due to inadequate data security?

“We outsource our IT.”

  • How much does your IT vendor know about the HIPAA Security Rule? (Breaches can originate within Business Associates or their subcontractors.)
  • Do you have an Incident Response Plan and have you educated your workforce on the HIPAA Breach Notification Rule?

“We’ve moved our data to the cloud.”

  • Will your cloud provider sign a Business Associate Agreement?
  • Does your cloud provider’s data security strategy include end-users on the network?
  • Are you and your employees aware of phishing, social engineering, and targeted attacks and how to appropriately handle them?

There are inherent risks with using technology in health care; moving to the cloud doesn’t eliminate data security risks. Sophisticated malicious software, such as some ransomware variants, has the capability to lock cloud-based backups when systems are continually backed up in real time, and can even encrypt cloud storage devices that are mapped to infected computers. (2)

It is widely reported that the health care industry is failing to keep pace with evolving cyber threats and has under-invested in protecting its data. (3) The Office for Civil Rights (OCR), the HIPAA enforcement arm of the U.S. Department of Health and Human Services, has advised health care organizations that: “Healthcare organizations and contractors and vendors that handle protected health information must step up their game.”

The OCR has also warned that “Cybersecurity-related attacks have continued to rise and become more destructive and disruptive. Although effective incident response planning can be a complex task, it should be one of the covered entities and business associates’ priorities.” (4)

Effective cyber security requires a multi-layered approach using threat detection, prevention, and incident response planning. The legal ramifications and reputational harm can be significant to a medical practice suffering a data breach. And as practices pursue the “triple aim” of value-based health care, data breaches will not improve the patient experience.

1. In a survey of 223 US-based healthcare executives conducted by KPMG, only 13 percent reported tracking known cyber security attacks daily. Additionally, 25 percent stated they do not have or do not know their capabilities, in real-time, if their organization’s systems are being compromised. KPMG. Health Care and Cyber Security — Increasing Threats Require Increased Capabilities. 2015.

2. How to Protect Your Network From Ransomware. U.S. Department of Justice.

3. Playing catch-up. Health Care Risk Management Review. January 14, 2016.

4. HIPAA enforcer’s latest actions: an analysis. Health Care Info Security. July 18, 2016.

* These techniques are also known as “attack vectors,” a path or means by which a hacker can gain access to a computer or network server to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element. More information is available at

Social media and cyber risk management

Using social media can lead to risk and liability for an organization. Privacy and data security issues can arise from employees using social media in a way that discloses confidential or sensitive information — such as personal information of customers, patients, or employees, and confidential information about the organization.

These disclosures are usually innocent, but can harm an organization.

In addition, social media can provide an avenue for hackers or thieves to attack an organization. Information found through social media is often used in spear-phishing attacks and makes them effective because it increases the legitimacy of the request. Hackers can also use social media to exploit vulnerable networks, steal intellectual property, or harm an organization’s reputation.

You can help protect the organization from these risks by following these best practices.

1. Develop a social media policy and educate your workforce on it. Every organization, regardless of size, should have a policy on the use of social media. Staff should know their responsibilities when referring to the organization on social media and the consequences of misuse or abuse of it.

2. Never disclose your organization’s trade secrets, intellectual property, or other confidential information through social media platforms.

3. Never disclose private or personal information related to (a) clients, customers, vendors, or patients, or (b) employees, managers, supervisors, senior management, officers, board members, or owners. This includes financial information, social security numbers, etc.

4. Do not disclose client, customer, or patient names or the work the organization performs for them unless the information is already available in the public domain.

5. If you say something online in support of your organization, including its products or services — even with a personal account — be sure to clearly disclose your relationship with the organization.

6. Do not accept “friend requests” from anyone you do not know personally, including friends of friends. When a social media friend request is accepted — unless privacy settings are specifically adjusted to restrict access — that person can view all of your personal information and familiarize themselves with your nearest friends and associates.

Source: eplace Solutions