Altex Business Solutions Blog

Altex Business Solutions has been serving the Texas area since 1993, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses.

HIPAA Security Risk Analysis in order to maximize your MIPS score


As we move into the second half of the year, many practices and physicians are starting to consider the data they will need to submit under the MACRA/MIPS program. The MACRA/MIPS rules change slightly every year, and this year is no exception. Even though the rules have been adjusted, a basic requirement remains in place:


Article: Doctors are failing to protect your privacy as a patient


The title of the Business Insider article (Doctors are failing to protect your privacy as a patient) will open a lot of eyes. The article is written from a patient's perspective, describing how her own data was breached.

Somewhere on the Internet there is a photo of me topless. I’m not a celebrity, and this photo was not taken by paparazzi, an ex-boyfriend, or hackers—it was taken by a medical professional. In 2015, I was diagnosed with breast cancer, which was followed by a mastectomy, and then reconstructive surgery. An attendant in the doctor’s office took before and after photos of me for their records, naked from the waist up. I was told that the photos would not include my head, and would go directly to their database—though this was not comforting when the medical assistant whipped out her personal phone to snap the pictures.


OCR’s Guidance to HIPAA & Cloud Computing


We have previously posted about HHS/OCR's Guidance on HIPAA & Cloud Computing. The guidance is presented in question-and-answer form. To see the full guidance, you can go to the OCR page.

Below are the 11 questions, with partial answers to keep this brief while still giving a good overview:


HIPAA Gets a Little Cloudy


Pun intended. We all use cloud computing resources every day. All you have to do is go on the Internet, and chances are the website you are accessing uses cloud services. Our website, www.altexsolutions.com, uses the Amazon cloud. There are many definitions of cloud services, but at a high level it is the use of computing resources, generally compute services and storage, that belong to another organization. So how does this relate to HIPAA? And what's the big deal?

Many Covered Entities store healthcare data in the cloud. Common applications include a cloud-based EHR, backup of an onsite server, or sending email containing ePHI (encrypted email, of course). The organizations that provide the cloud services (Cloud Service Providers) are Business Associates to the Covered Entities because they create, receive, maintain or transmit the CE's ePHI, and that holds even when the CSP only stores encrypted ePHI and never holds the decryption key. Easy, right?


Hospital fined $400,000 for obsolete Business Associate Agreements


In a clear message to healthcare organizations, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) fined Women & Infants Hospital of Rhode Island (WIH) for not having updated its HIPAA Business Associate Agreements.

"WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until Aug. 28, 2015, as a result of OCR's investigation, and therefore, did not incorporate revisions required under the HIPAA Omnibus Final Rule," according to a Sept. 23 OCR news release announcing the settlements.

The fine was the result of an investigation into a HIPAA breach back in November of 2012.

WIH told federal authorities it had lost unencrypted backup tapes containing ultrasounds of 14,004 women, including patient names, dates of birth, dates of exams, physician names and, in some cases, Social Security numbers. Had the tapes been encrypted in line with HHS guidance, the lost data would have been "secured" PHI and the loss would not have been a reportable breach.


Athens Orthopedic won’t pay for credit monitoring in data breach


Data breaches happen constantly. You can't read the news or watch TV without hearing about another one. While a company may give out some details of a data breach, the financial details of what the breach will cost the company usually are not disclosed. This is especially true of non-public companies. Regardless of whether a company states how much a breach will cost it, one thing is true:

Breaches are expensive!

The data breach at Athens Orthopedic is a clear example of some of the costs that are associated with data breaches.  The details of the data breach, which affected nearly 200,000 patients, can be found here.

A company usually offers credit monitoring to the individuals affected by a data breach, to minimize the harm to those individuals. In a surprising announcement, Athens Orthopedic said that it would not offer credit monitoring because the cost was too high.


Updated HIPAA Training


If you go back to 2004 and look at Facebook, it looks a lot different than it does today. The same can be said for applications like Microsoft Word or Excel. As these services and products mature, they evolve, offering improved functionality, performance, stability and features.

New HSN HIPAA Training

New ransomware is bad news for healthcare organizations


Well, that didn't take long. In a recent article I made the case that newer variations of ransomware could result in a reportable HIPAA breach. I argued that if ransomware not only encrypted the victim's files but also copied the files off the computer or allowed access to them, then the result could be a reportable breach.

CryptXXX Ransomware

A relatively new variation of ransomware called CryptXXX has been identified. Like older variations, the malware encrypts a victim's files and demands a ransom to release them. The ransom averages about $500.


Holy MACRA! – Being HIPAA Compliant is Part of How Physicians get Paid


On April 27, CMS came out with a proposed rule on how physicians will get paid under MACRA (the Medicare Access and CHIP Reauthorization Act). If you want to read the whole 962-page snoozefest, you can find it here (PDF). But sleep or not, this regulation changes the fundamental Fee-For-Service (FFS) system that CMS has used since Medicare began in 1966. The new system is premised on tying physician payments to quality and value, and is directly related to the Triple Aim of providing better care, lower costs, and improved health.


Don’t Let HIPAA Audits, Ransomware Sink Your Practice


At the same time medical practices are faced with the increased likelihood of a HIPAA audit, hackers hover around waiting to steal patients’ personal data and/or hold it hostage through ransomware scams. These practices could easily sink in the perfect storm created by the confluence of these twin threats — especially if they are weighed down with tens of thousands of unsecured patients’ records.

Though they may have ignored earlier warning signs, medical practices should not be surprised by the escalating risk of being saddled with a HIPAA compliance audit. During the 2011 Phase 1 round of audits, the Office for Civil Rights (OCR) in the Department of Health and Human Services (HHS) found that a significant percentage of medical entities had not performed a comprehensive security risk assessment.

On top of that, the Office of the Inspector General criticized OCR for not investigating a sufficient number of small data breaches or tracking all healthcare organizations found to be violating federal privacy laws, criticisms that could prompt stricter enforcement and steeper fines.


OCR is in the process of sending tens of thousands of emails to collect contact information on data security officers in medical facilities. While not all small practices may be subject to a review, the price for failing a HIPAA audit is steep. Earlier in 2016, OCR received two multimillion-dollar settlements from providers whose unencrypted laptops had been stolen. More than that, those practices could lose patients who are fearful about the potential theft of their personal information.


Is Ransomware Considered A HIPAA Breach?


The topic of ransomware, especially ransomware hitting healthcare organizations, is making headlines daily. Dan Munro has a very good article over at Forbes that asks an important question:

Is Ransomware Considered A Health Data Breach Under HIPAA?

David Harlow, Principal – The Harlow Group, LLC, whose insight into HIPAA law I respect greatly, states:

Ransomware has just recently come to the fore as a threat to the healthcare industry and it challenges our collective instincts about what should be considered data breaches under HIPAA. We need to remember that HIPAA is narrowly drawn and that a breach is defined as the unauthorized "access, acquisition, use or disclosure" of PHI. In many cases, ransomware "wraps" PHI rather than breaches it. This may explain why there are so few public reports of ransomware in healthcare: there is no obligation to report these incidents to OCR.


Introducing: Altex HIPAA powered by OneSource


A security risk analysis is required in order to comply with the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)).

Altex Business Solutions
10223 Broadway P231
Pearland, Texas 77584