Friday, September 29, 2017

10 Common HIPAA Myths and Misconceptions

Health Insurance Portability and Accountability Act (HIPAA) compliance has become a top concern among doctors practicing in the United States. According to the Department of Health and Human Services (HHS), more than 36,000 HIPAA complaints have been investigated from April 2003 to June 2017.

But not everything you hear about HIPAA is true. Today, we're going to explore some of the most common HIPAA myths and misconceptions.

#1) Written Authorization is Always Required When Disclosing PHI

Normally, doctors must obtain the patient's consent via a written authorization form when disclosing his or her Protected Health Information (PHI) to third-party entities, as per the HIPAA Privacy Rule. However, there are certain exceptions to this requirement.

Doctors, for instance, can disclose PHI without the patient's written authorization if the disclosure is used to facilitate healthcare services, treatment or payment. Additionally, doctors are allowed to disclose a patient's PHI to law enforcement without written authorization if they believe the patient may cause harm to themselves or others. For all other situations, however, written authorization is typically required when disclosing PHI to third-party entities.

#2) You Don't Have to Report Small Breaches

Just because a PHI breach is small doesn't mean you can ignore it. The HHS requires doctors and covered entities to report all PHI breaches affecting fewer than 500 individuals to the HHS Secretary within 60 days of the end of the year in which the breach was initially discovered.

For larger breaches affecting 500 or more individuals, covered entities must notify the HHS Secretary without unreasonable delay and no later than 60 days from when the breach was initially discovered. All breach notifications -- those affecting fewer than 500 individuals and those affecting 500 or more -- must be submitted through the online portal on the official HHS website.

#3) Patient Sign-In Sheets Violate the Privacy Rule

If patient sign-in sheets were a violation of the Privacy Rule, we would see significantly more fines levied against doctors. From family-owned healthcare practices to large hospitals, countless healthcare providers use sign-in sheets. They are typically located at the front desk in the lobby, where patients sign their name to check in.

Keep in mind, however, that sign-in forms are only acceptable when they contain a limited amount of information about the patient. Requesting the patient's name, date and appointment time is perfectly fine. But if the sign-in sheet requires the patient's reason for visiting, it could be considered a violation of the Privacy Rule. Stick with basic information on your practice's sign-in sheets to avoid a HIPAA violation.

#4) Doctors Must Provide All Patients With a Copy of Their Medical Records

The Privacy Rule does not require doctors to provide all patients with a copy of their medical records. It does, however, give the patients the right to request a copy of their medical records. Assuming the patient follows the required steps -- and the doctor does not believe the medical records will harm the patient's health -- the doctor must comply with the request.

If the doctor denies the patient's request for medical records, the doctor must notify the patient in writing. If the doctor does not comply, the patient may file a complaint with the Office for Civil Rights (OCR).

#5) Patients Can Sue Doctors for HIPAA Violations

Some doctors and covered entities wrongly assume that patients can sue them for violating HIPAA. While patients can file a complaint with the OCR -- and the OCR may follow up by investigating the incident to determine whether fines or corrective action are required -- patients cannot sue for HIPAA noncompliance.

With that said, some state laws allow patients to sue doctors for other reasons, such as breach of doctor-patient confidentiality or invasion of privacy.

#6) Doctors Cannot Disclose PHI to Friends

Family members aren't the only ones who can receive updates on the status of a patient's healthcare; friends can receive updates as well. This goes back to the Privacy Rule, which allows doctors and covered entities to disclose a patient's PHI without written authorization if the disclosure is used to facilitate healthcare treatment, services or payment.

A doctor, for instance, may inform a patient's roommate about the patient's medicine dosage. However, a doctor may decline to disclose PHI to a patient's friend if the doctor believes the patient objects to this disclosure.

#7) Password Protection is Sufficient for Electronic Devices Containing ePHI

Conventional passwords are becoming less and less effective at securing electronic devices. According to the 2016 Verizon Data Breach Investigations Report, an overwhelming majority (63%) of data breaches are caused by weak or stolen passwords. Therefore, password protection alone isn't sufficient for protecting electronic devices on which Electronic Protected Health Information (ePHI) is stored.

The HIPAA Security Rule requires covered entities to protect ePHI using "reasonable and appropriate" administrative, physical and technical safeguards.

Technical safeguards are technologies like unique user identification, emergency access, automatic logoff, encryption, authentication and password protection. Physical safeguards, on the other hand, are physical measures like maintenance records, locked doors, video surveillance, facility security plans, and media disposal. Administrative safeguards are policies and procedures designed to protect ePHI from disclosure.

#8) Encryption is a Required Specification of the Security Rule

Encryption is one of the most effective ways to secure data, leading many doctors to believe it's a required specification of the Security Rule. The HHS debunks this myth on the frequently asked questions section of its HIPAA website, stating that encryption is actually an addressable specification.

So, what does this mean exactly? Addressable specifications, including encryption, are only required under the Security Rule when the specification is deemed reasonable and appropriate in securing ePHI following a risk assessment. If a doctor conducts a risk assessment and determines that encryption is beneficial, he or she must then implement encryption as a safeguard.

#9) Covered Entities are Liable for Business Associates

Another HIPAA myth believed by doctors is that covered entities can be held liable for the actions of a business associate. If a business associate fails to implement the necessary safeguards to protect ePHI from disclosure, for instance, the doctor may assume that he or she is at fault. As a result, some doctors invest considerable time and resources in monitoring their business associates, checking to ensure they comply with HIPAA.

But HIPAA does not require covered entities to monitor the compliance or noncompliance of their business associates, nor can covered entities be held liable for such violations. The only requirement is for doctors to create a business associate agreement (BAA) when giving third-party entities access to PHI.

#10) Hackers Only Target Financial Data

Finally, some doctors believe hackers won't target their medical practice simply because they don't have valuable data, so they place HIPAA compliance on the back burner.

According to Forbes contributor Mariya Yao, the average cost of stolen credit card numbers on the black market is just $0.25, while social security numbers are even cheaper at $0.10. Electronic health records (EHR), however, can fetch hundreds or thousands of dollars. Besides, HIPAA violations can occur regardless of whether data was stolen.

As you can see, there are plenty of myths and misconceptions surrounding HIPAA. By understanding the nuances of HIPAA, doctors can improve the privacy for their patients while also minimizing the risk of fines and corrective action plans stemming from violations.

For help with implementing security or other technology solutions contact:

Robert Blake
Bit by Bit Computer Consultants
721 N Fielder Rd. #B
Arlington, Texas 76012 
Direct 817.505.1257
Mobile 972.365.7010

Friday, September 22, 2017

[Security Advisory] Synology-SA-17:55 Moderate: Joomla security update

CVE-2017-14596 allows remote attackers to retrieve sensitive information via a vulnerable version of Joomla.

  • Products
    • Joomla 3.7.1-0157 and earlier
  • Models
    • All Synology models

In Joomla! before 3.8.0, inadequate escaping in the LDAP authentication plugin can result in a disclosure of a username and password.

Update Availability

Synology will soon release updates for the affected products.
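As an added illustration of the bug class the advisory names (untrusted input placed into an LDAP search filter without escaping), the following Python is not Joomla's plugin code or Synology's; the filter shape `(&(uid=...)(objectClass=person))` and the sample input are constructed for the example, and the escaping follows RFC 4515.

```python
import re

# Added illustration of the bug class named in the advisory (user input placed into
# an LDAP search filter without escaping). This is NOT Joomla's plugin code; the
# filter shape below is constructed for the example.

# RFC 4515 section 3: these characters must be encoded as '\' plus two hex digits
# when they appear in an assertion value, so the directory treats them as literal
# text rather than filter syntax.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# One leaf assertion of the form (attribute=value); used only to count how many
# assertions a built filter contains.
_LEAF = re.compile(r"\([^()=]+=[^()]*\)")


def escape_filter_value(value: str) -> str:
    """Escape a value so it is treated as literal text inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: untrusted input concatenated straight into the filter."""
    return f"(&(uid={username})(objectClass=person))"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: the same filter with the input escaped first."""
    return f"(&(uid={escape_filter_value(username)})(objectClass=person))"


def count_assertions(expr: str) -> int:
    """Number of (attribute=value) leaves in a filter. An extra leaf means the
    input has changed the structure of the query, not just its value."""
    return len(_LEAF.findall(expr))


if __name__ == "__main__":
    # Constructed input containing filter metacharacters.
    tainted = "a)(cn=*"
    print(build_filter_unsafe(tainted), count_assertions(build_filter_unsafe(tainted)))
    print(build_filter_safe(tainted), count_assertions(build_filter_safe(tainted)))
```

The unsafe builder yields three assertions for the tainted input, the escaped builder still yields the intended two.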

Wednesday, September 6, 2017

Why Managed IT With a Good MSP is Superior to Break-Fix

Most small and medium-sized businesses (SMBs) have some relationship with an outside IT services provider that they call on to help keep their internal IT operations running smoothly. In fact, according to a survey conducted by CompTIA, more than two-thirds of companies have such a partner. In many cases, the way businesses make use of their IT services vendor is counterproductive.

That's because many SMBs operate in break-fix mode; the only time they call in their IT services partner is when their network, a server or a storage array breaks down. It may seem like the most cost-effective way of doing things. After all, you only pay for the service calls you make. The opposite is true, however. Waiting until something breaks to call in your IT services vendor to fix it likely costs you far more than you realize.

Problems with the Break-Fix Approach

The primary issue with break-fix is that it is reactive rather than proactive. By definition, nothing happens until something breaks, and you have to make a call for help: "Our network has been down for two hours, and we haven't been able to get it running again. Please send someone over to get it back up."

What SMBs often fail to take into account is that even before they make that call for help, they have already lost a substantial amount of money. According to IDC, the cost of IT downtime for small businesses is between $137 and $427 per minute. So, when something breaks in a company's IT operations, the cost to get it fixed is far more than just the fee the IT services provider will charge.

Think about that fee and what it means to your IT service partner. They only get paid when you have problems, so they have little incentive to suggest proactive ways you can avoid problems in the future. Plus, once they are called in, the more time and resources (in parts and labor) they expend in getting you back online, the greater their fee is likely to be.

In other words, with the break-fix approach, the incentives you set up for your IT services provider run directly counter to the interests of your business.

The Alternative to Break-Fix: Managed IT Services

A much better option than the break-fix approach is to partner with a managed IT services provider or MSP. By doing so, you'll move from a reactive to a proactive stance that will result in fewer problems, less downtime, and an overall reduction in costs.

Employing a top-flight MSP realigns the incentives in the relationship in your favor. Rather than being paid for problem resolution on a per-issue basis, the MSP contracts with you to provide 24/7/365 support for your IT operations. Because they are continuously monitoring your network, servers, and storage, a good MSP will often detect potential problems long before they result in a complete breakdown. In fact, in many cases MSPs can identify and correct issues before the client is even aware of them.

The MSP takes on the responsibility for keeping your IT shop running smoothly. Since you are paying a set monthly amount rather than a per-incident fee, it's in the MSP's interest to ensure that as few incidents as possible occur. Therefore, they are likely to be very diligent about suggesting operational improvements and best practices, as well as technology upgrades, that will minimize the amount of downtime you experience.

If your company has been operating in break-fix mode, now would be an excellent time to consider how a top-notch MSP can reduce both your downtime and your maintenance costs.



Robert Blake
Bit by Bit Computer Consultants
721 N Fielder Rd. #B
Arlington, Texas 76012 
Direct 817.505.1257
Mobile 972.365.7010