Tips for ensuring HIPAA compliance


The Department of Health and Human Services (HHS) issued modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules on Jan. 18. According to Leon Rodriguez, director of the HHS Office for Civil Rights (OCR), “This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented.”

The final rules had been anticipated by the industry for some time. Because few sanctions were imposed historically, and the monetary fines that were levied were low, HIPAA regulations have not traditionally been viewed by the industry as a high-risk area. These updates, combined with the proactive HIPAA audits that OCR initiated last year and is expanding this year, create significant additional risk for healthcare organizations, both providers and payers. That risk now extends to the Business Associates (BAs) that serve providers and payers, which are directly liable for compliance with the applicable provisions under the final rule. The exposure is significantly higher for every organization that has access to protected health information (PHI), with civil penalties now reaching as high as $1.5 million per calendar year for all violations of an identical provision, depending on the level of culpability. For the roughly one million covered entities and the millions of BAs that touch PHI, it is time to act on these final rules and bring compliance processes up to date as soon as possible.

Given the potential impact, all covered entities must prepare to demonstrate evidence of compliance and maintain an “audit-ready” state. Some suggested actions for healthcare organizations include:

– Review all privacy and security policies and procedures to ensure they are up-to-date and reflect actual practice;

– Perform self-assessments to detect issues of non-compliance with the requirements and initiate corrective actions where necessary;

– Implement a training and awareness program for employees and BAs. The program should include verification of its effectiveness, both to reduce the risk of privacy breaches and to meet the expectations of auditors;

– Conduct knowledge assessments to demonstrate that employees have received appropriate HIPAA training;

– Review the current methods used for investigating reported HIPAA violations;

– Review business partner relationships to understand where PHI is used outside of the organization and ensure that appropriate Business Associate Agreements (BAAs) are in place;

– Conduct assessments of BAs to proactively identify risks and prevent privacy breaches that may occur outside the organization. It is important to note that industry breach studies have found that most breaches result from deficiencies at third-party business partners;

– Review auditing and monitoring practices to ensure that the organization is proactively looking for areas of non-compliance.

Management of privacy breaches and streamlined reporting are also critical to maintaining compliance and ensuring that each incident is handled properly. The steps needed to get this process right include logging and tracking unauthorized disclosures, managing investigations of suspected breaches, tracking and logging the status of notifications to affected parties, and producing the information required for HHS reporting. It is also important to remember that even when a breach is caused by a BA, the covered entity remains responsible for notification and bears the associated liability, so proper management of third parties is critical.

Today, many healthcare providers, health plans and their BAs continue to manually manage multiple, independent processes including the revision, distribution and acknowledgement of policies and procedures. They are also attempting to manually manage the risks of third parties, remediate gaps in compliance, assess and test overall risks related to breaches and required notifications, as well as preparing for proactive audits. Without the automation of these tasks on a common platform, staff members must expend enormous effort to address all the requirements, remediate compliance gaps and document evidence of compliance status and breach management readiness. Lack of automation can also result in an increased risk of privacy breaches, sanctions and fines.

In order to eliminate these manual, time-consuming tasks, healthcare organizations should seek to streamline compliance efforts, reduce overhead costs and ensure desired outcomes by adopting integrated solutions that specifically support audit preparation. By having access to up-to-date HIPAA privacy and security rules with background analysis and best practice recommendations, along with risk assessment questionnaires and facilitation of corrective actions, an organization can ensure that it is always audit-ready.

The new HIPAA updates, combined with the proactive OCR audits, create significant additional risk for all healthcare organizations and many of their BAs. By embracing automation and integrated solutions and processes, these organizations can make sure they are on top of their compliance processes and when an OCR audit comes their way, they will be fully prepared and increase the likelihood that the audit will result in their favor.

John Brooke, general manager of healthcare, SAI Global Compliance, works with healthcare provider customers and prospects throughout the United States. Brooke is directly responsible for healthcare sales operations and interacts daily with Compliance 360 executives, marketing, business development, professional services and product management to ensure a constant focus on the success of the company’s healthcare provider customers. He has also spent more than 25 years in healthcare including responsibilities in finance at for-profit healthcare leader American Medical International, Inc.


Alabama man finds breached PHI in dumpster

A Florence, Ala. man found thousands of medical files from an unnamed Virginia doctor’s office while collecting wooden pallets last week. How exactly the files ended up in Alabama is unclear, but WHNT News 19 reports that the files contained sensitive data.

Exactly which patient data has been compromised is still unclear, but the breach remains a risk for patients because Social Security numbers were involved.

“It’s concerning because there are phone numbers, birth dates, addresses, Social Security numbers in these files,” Florence Police Department Detective Jerry Pearson told WHNT News 19. The station tried to contact the doctor listed on the records but has not yet reached him. Though this is not the first case of medical files found in a dumpster, the distance between where the files originated and where they were found makes this case unusual.

Two questions remain unanswered: why is there no information about patient notification, and has the Department of Health and Human Services gotten involved yet?


The AV-TEST AWARD 2012: Awards Presented To The Best IT Security Solutions

Magdeburg, Germany, 28th January 2013 – AV-TEST GmbH is presenting its awards to the best home-user and corporate anti-virus products of the year for the second time. The awards, presented by Europe’s largest specialist test laboratory, honor the best security solutions available in the categories of PROTECTION, REPAIR and USABILITY.

Throughout 2012, a large number of well-known security products for Windows underwent complex certification tests in the AV-TEST GmbH laboratory every two months. The AV-TEST AWARD is presented only to products that have earned this distinction through consistently high performance across those tests. The awards for the best anti-virus solutions are presented in the test categories of PROTECTION, REPAIR and USABILITY.

This year’s AV-TEST AWARDS for home-user anti-virus products go to:
– BEST PROTECTION 2012 – F-Secure Internet Security
– BEST REPAIR 2012 – Bitdefender Internet Security
– BEST USABILITY 2012 – Symantec Norton Internet Security

This year’s AV-TEST AWARDS for corporate protection solutions go to:
– AWARD BEST PROTECTION 2012 – Kaspersky Endpoint Security
– AWARD BEST REPAIR 2012 – Kaspersky Endpoint Security
– AWARD BEST USABILITY 2012 – Symantec Endpoint Protection

The Categories Assessed

In the test category of PROTECTION, the candidates are examined using a variety of different types of current malware in order to test how they respond to threats. These examinations take the entire functionality of the protection programs into account.

In the category of REPAIR, we test the repair performance of a security solution. We evaluate the solution’s ability to remove active malware and to restore other system changes, as well as its performance when detecting and removing specially hidden malware (rootkits).

In the test category of USABILITY, security software is assessed with regard to its influence on the system on which it is installed. The candidates are examined for system interference such as warning messages and blocked actions, false positives during system scans, and whether the computer slows down while the software is in use.

AV-TEST – Our Name Says It All

The AV-TEST AWARD confirms high-quality and consistent development work by manufacturers of IT security software. The independent experts at the AV-TEST GmbH laboratory use the award to honor companies whose high-quality security solutions make a valuable contribution to protection against Internet and cyber crime.

According to Andreas Marx, the CEO of AV-TEST GmbH: “By presenting the AV-TEST AWARDS, we want to raise awareness of the significance of high-quality PC security solutions among end users and companies and underline the importance of continuous development work.”

More Background Information

AV-TEST GmbH places high value on transparency in all of its tests, which is why the reports from the tests carried out in 2012 can all be accessed free of charge on the company’s website.

The website also contains all of the white papers that document the company’s standardised test procedures.


Press contact:
Mr Andreas Marx
Telephone: +49 (0)391 6075460
Fax: +49 (0)391 6075469

About the AV-TEST Institute

AV-TEST GmbH is an independent service provider in the fields of IT security and anti-virus research, specializing in the detection and analysis of the latest malware and using it to perform comprehensive comparative tests on security products.

Because we use extremely up-to-date test data, we can quickly analyze new malware, detect malware trends at an early stage, and examine and certify IT security solutions. The results produced by the AV-TEST Institute form an exclusive basis of information that helps manufacturers optimize their products, enables specialist magazines to publish findings, and provides end customers with support and orientation when choosing products.
The company AV-TEST has been operating in the German cities of Magdeburg and Leipzig since 2004 and employs 28 members of staff boasting extensive professional and practical experience. The AV-TEST laboratories are equipped with 300 client and server systems in which over 500 terabytes of malicious and harmless data collected by the company are stored and processed.
