Kimberly Shutters

The Consequences of Medical Record Snooping

Today, I am discussing the consequences of unauthorized access to or disclosure of protected health information, also known as medical record snooping. Snooping applies to either paper or electronic records. These days most medical record snooping is carried out using the organization’s electronic health record (EHR) system. In March 2022, Fierce Healthcare analyzed data from healthcare breaches reported on the Department of Health and Human Services’ Office for Civil Rights (HHS-OCR) portal* and reported a 267% increase, accounting for more than 20% of all breaches reported in 2021.

*Note: As required by section 13402(e)(4) of the HITECH Act, the Secretary must post a list of breaches of unsecured protected health information affecting 500 or more individuals.

What is an Insider Threat?

It is when a workforce member, including doctors, inappropriately accesses patient records, regardless of whether the information acquired was used or disclosed for any reason. For example, if a workforce member sees their neighbor has come to the clinic and accesses the neighbor’s medical record to see why they are visiting the clinic, this is considered snooping!

US-CERT defines a malicious insider threat as a current or former employee, contractor, or business partner who meets the following criteria:

• Has or had authorized access to an organization’s network, system, or data
• Has intentionally exceeded or intentionally used that access in a manner that negatively affected the confidentiality, integrity, or availability of the organization’s information or information systems

Types of Insider Threats

There are several types of insider threats within an organization, all with different goals.
Some insider threats are as follows:

• Careless or negligent workers
• Malicious insiders
• Inside agents
• Disgruntled employees
• Third parties

Source: Insider Threats in Healthcare – HHS Cybersecurity Program

Careless and/or Negligent Workers

While most companies invest more money on insider threats with malicious intent, negligent insider threats are more common. According to Ponemon’s 2020 Insider Threats Report, 61% of data breaches involving an insider are primarily unintentional, caused by negligent insiders. Insider threats have become one of the largest threats to organizations, and some cyberattacks may be insider-driven. Although not all insider threats are malicious or intentional, the effect of these threats can be damaging to regulated entities and have a negative impact on the confidentiality, integrity, and availability of their electronic PHI.

What are the Consequences of Medical Record Snooping?

Absent very unusual circumstances, the penalty for snooping is termination. This zero-tolerance policy applies to:

• Records of your spouse or domestic partner
• Records of your siblings
• Records of your children or grandchildren
• Records of co-workers
• Records of friends and neighbors
• Records of persons of media interest

Over the years several healthcare organizations have been cited for HIPAA violations because of inappropriate actions by their workforce. More on this below, but before I go into what can happen when your workforce snoops, it is important for you to know what the HIPAA Security Rule says.

What does the HIPAA Security Rule Say?

The HIPAA Security Rule, 45 CFR §164.312(b), requires Covered Entities (CEs) and Business Associates (BAs), collectively referred to by HHS as regulated entities, to: “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI” (see 45 CFR §164.312(b)).
And don’t forget regulated entities are also required to: “Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports” (see 45 CFR §164.308(a)(1)(ii)(D)).

What Can Happen After You’re Caught Snooping?

In 2021, hospitals and health systems reported patient record breaches caused by employees inappropriately accessing patients’ protected health information (PHI). Below are two of those cases:

Our first case involves a former surgery resident at Rochester, Minn.-based Mayo Clinic, who was charged in Olmsted County (Minn.) District Court with one gross misdemeanor count of unauthorized computer access after one of the 1,614 patients.

Our second case involves an emergency technician at Huntington (N.Y.) Hospital, part of Northwell Health, who pleaded guilty to one count of criminal HIPAA violations in connection with his work at three New York-area hospitals between approximately June 2012 and August 2019.

Some legal experts say these cases are a reminder of the various insider threats facing healthcare entities. But these two cases involving the intentional unauthorized access, disclosure, and use of PHI by insiders are only the tip of the iceberg.

Something to Ponder …

As a healthcare regulated entity you are required to: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.

And don’t forget regulated entities are also required to: Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
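The two requirements just quoted, record the activity and then regularly review it, are where snooping is actually caught. Here is an added example, not code from the original post, of a review script that runs over a few constructed EHR access-log lines and flags the indicators the zero-tolerance list above describes: no treatment relationship with the patient, a patient who shares the user's last name, a co-worker's record, and a person of media interest. The log format, the workforce roster and the patient index are assumptions made for the example.

```python
"""Review EHR access-log entries for medical record snooping indicators.

Added example, not the original post's code. It assumes a simplified
"timestamp|user_id|patient_id|action" log line, a workforce roster, and a
patient index that records who is on each patient's care team.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user_id: str
    patient_id: str
    action: str  # "view", "print" or "export"


# Constructed workforce roster. "mrn" is the member's own patient record,
# which lets the review recognise accesses to a co-worker's chart.
WORKFORCE = {
    "u100": {"last_name": "Reyes", "dept": "Surgery", "mrn": "P004"},
    "u101": {"last_name": "Okafor", "dept": "Emergency", "mrn": None},
    "u102": {"last_name": "Chen", "dept": "Billing", "mrn": "P005"},
}

# Constructed patient index. "care_team" holds the user ids with a
# treatment or billing relationship for the patient's current encounter.
PATIENTS = {
    "P001": {"last_name": "Okafor", "media_interest": False, "care_team": {"u100"}},
    "P002": {"last_name": "Smith", "media_interest": True, "care_team": {"u101"}},
    "P003": {"last_name": "Patel", "media_interest": False, "care_team": {"u100", "u102"}},
    "P004": {"last_name": "Reyes", "media_interest": False, "care_team": {"u101"}},
    "P005": {"last_name": "Chen", "media_interest": False, "care_team": {"u101"}},
}


def snooping_indicators(event, workforce, patients):
    """Return the snooping indicators for one access event.

    An empty list means the user is on the patient's care team, so the
    access looks like routine care. Anything returned is a lead for a human
    reviewer (privacy or security officer), not proof of misuse.
    """
    user = workforce[event.user_id]
    patient = patients[event.patient_id]
    if event.user_id in patient["care_team"]:
        return []
    reasons = ["no treatment relationship with the patient"]
    if patient["last_name"] == user["last_name"]:
        reasons.append("patient shares the user's last name (possible family member)")
    workforce_mrns = {w["mrn"] for w in workforce.values() if w["mrn"]}
    if event.patient_id in workforce_mrns:
        reasons.append("patient is a workforce member (co-worker record)")
    if patient["media_interest"]:
        reasons.append("patient is flagged as a person of media interest")
    if event.action in ("print", "export"):
        reasons.append(f"record was {event.action}ed, not only viewed")
    return reasons


def review_log(events, workforce, patients):
    """Run every event through the checks; return findings in time order."""
    findings = []
    for event in sorted(events, key=lambda e: e.ts):
        reasons = snooping_indicators(event, workforce, patients)
        if reasons:
            findings.append({
                "ts": event.ts.isoformat(),
                "user": event.user_id,
                "patient": event.patient_id,
                "reasons": reasons,
            })
    return findings


def parse_log(text):
    """Parse the constructed pipe-delimited log format into AccessEvents."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user_id, patient_id, action = line.split("|")
        events.append(AccessEvent(datetime.fromisoformat(ts), user_id, patient_id, action))
    return events


# Constructed sample log: one day of activity for three users.
SAMPLE_LOG = """\
2024-03-04T09:12:00|u100|P003|view
2024-03-04T09:15:30|u101|P001|view
2024-03-04T11:40:00|u102|P002|view
2024-03-04T12:05:00|u100|P005|view
2024-03-04T13:20:00|u102|P003|view
2024-03-04T14:00:00|u100|P002|export
"""

if __name__ == "__main__":
    for finding in review_log(parse_log(SAMPLE_LOG), WORKFORCE, PATIENTS):
        print(finding["ts"], finding["user"], "->", finding["patient"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

On the sample log, the two care-team accesses produce nothing and the other four are each returned with the reasons a reviewer would need to follow up.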

Breach Notification Times

HIPAA Breach Notification Reporting Times

In a recent article I broke down the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, into what the Department of Health and Human Services (HHS) requires Covered Entities (CEs) AND their third-party vendors to do in the event of a breach of unsecured protected health information (PHI). Today I am going a step deeper into the rule in order to help you understand the requirements for HIPAA breach notification reporting time.

Time is on My Side

Today, it is all about HIPAA Breach Notification requirements when it comes to time. Although The Rolling Stones said “Time Is on My Side,” the truth is when an organization experiences a healthcare data breach, time is NOT on their side!! That’s because the clock starts ticking the moment an incident is detected. It doesn’t matter who finds it, the time is still the same.

How Much Time Do You Have?

The HIPAA Breach Notification Rule states an organization must provide notification without unreasonable delay and in no case later than 60 days following a breach. HHS is NOT the only game in town when it comes to reporting breaches; there are also state rules that need to be followed. To make matters more confusing, each state has its own. That’s right, there are 50 different state Breach Notification Rules. I found this handy link provided by Davis Wright Tremaine LLP; it allows you to select your state of choice for a summary of data breach notification statutes for that state: https://www.dwt.com/gcp/state-data-breach-statutes

This Includes Third-Party Vendors Too

It is all about HIPAA Breach Notification Time, yours and your third-party vendors’. CEs use Business Associate Agreements (BAAs) to identify notification timeframes for acting once a breach is discovered. If a breach is discovered at your organization, or if you are notified of a breach by one of your vendors or partners, do you know your breach notification times? Things to consider when evaluating your BAAs:

• If you are a CE, does your patient population encompass multiple states? Do you know what the breach notification times are for each state?
• If you are a third-party vendor, is the breach notification time the same for all your clients and subcontractors?

Almost every week there is a new story that involves a third-party healthcare data breach. Some of the biggest ones were making the news as I wrote this article. Remember, the breach notification time clock starts ticking the moment a breach is detected, and it doesn’t matter who finds it, the time is still the same. That means you’ll want to evaluate your BAAs to verify they are in compliance with both state and federal regulations.

HIPAA Breach Notification Rule Enforcement

HHS is Not the Only Federal Agency Enforcing the HIPAA Breach Notification Rule

This week I am breaking down the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, directly from Health and Human Services (HHS). The HIPAA Breach Notification Rule requires hospitals, insurance companies, healthcare providers and their third-party vendors to provide notification following a breach of unsecured protected health information (PHI). But…

Who Else is Watching Where Patients’ Information Goes?

The Federal Trade Commission (FTC) also enforces the Health Breach Notification Rule, which requires certain organizations (both businesses and nonprofits) not covered by HIPAA to notify their customers, the FTC, and, in some cases, the media, if there’s a breach of unsecured, individually identifiable health information. The FTC has not forgotten about makers of health apps, connected devices, and similar products. In a statement released on September 15, 2021, the FTC made it clear that developers and/or manufacturers of health apps, connected devices, and similar products must comply with the Rule. To help, they have provided developers with the following guidance: Mobile Health App Developers: FTC Best Practices.

And let’s not overlook that State Attorneys General have also implemented and enforced similar breach notification provisions for vendors (i.e., BAs) of personal health records and their third-party service providers.

CEs and BAs that fail to comply with HIPAA Rules can and have received civil and criminal penalties. You should know the Office for Civil Rights opens a compliance review of all reported breaches that affect 500 or more individuals and of many breaches affecting fewer than 500.

HIPAA Breach Notification Rule Enforcement

Significant breaches ARE investigated by OCR, and penalties may be imposed for failure to comply with the HIPAA Rules. Breaches that affect 500 or more patients are publicly reported on the OCR website, affectionately referred to as the “Wall of Shame.” Once your name has been written on the wall, there it shall remain. Trust me when I tell you, this is not a list you want to see your organization’s name on.

Compliance Officer Job Description

HIPAA Compliance Officer Job Description

3 Things to Include in Your HIPAA Compliance Officer Job Description

Today, I am discussing what 3 things your HIPAA Compliance Officer job description should include. First, I need to share some background with you: the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires Covered Entities and their third-party vendors to formally designate a Compliance Officer. Your Compliance Officer will be responsible for managing the security of protected health information (PHI). That means their job description needs to outline responsibilities for establishing and maintaining HIPAA-compliant mechanisms. This is necessary to ensure the confidentiality, integrity, and accessibility of the healthcare information systems and any electronic PHI they are entrusted with. These responsibilities will vary according to the nature and size of your organization. With that said, let me take this opportunity to tell you it does not matter what size you are or what you do. Even if YOU are the only one who does everything, you are still required to implement each of the HIPAA requirements.

Who Can It Be Now?

Identify who in your organization has a passion for technology and a desire to Keep PHI Secure – this individual makes the best data security champion!! Remember: this does NOT have to be someone with an Information Technology degree!! OR you could outsource your HIPAA Compliance activities and designate a consultant as your HIPAA Security Officer. And as always … Remember to document your choice, an auditor may ask for it!!

Did you know? Your HIPAA Compliance Officer is responsible for implementing the following activities:

• Analyzing risks, threats, and vulnerabilities to PHI from internal and external factors;
• Developing and implementing policies and procedures to ensure the confidentiality, integrity, and availability of the electronic PHI in your organization;
• Adopting security policies and procedures and training the workforce on how to keep PHI secure.

Third-party vendor due diligence is another element your HIPAA Compliance Officer should address for any organization that creates, receives, maintains, or transmits PHI. Every third-party vendor is required to have a current and signed Business Associate Agreement (BAA) or subcontractor agreement on file before exchanging ANY PHI. Remember, ANYONE who has access to PHI and whom you pay via 1099 is a third-party vendor!! Covered Entities and third-party vendors should understand that patients are entrusting them with their private and intimate details, and they expect them to remain secure.

Social Media Policy

Social Media Policy – Do You Have One?

Your social media policy should define and control your organization’s use of social media. Remember: there is no one-size-fits-all solution, so what we recommend is to review a variety of approaches in order to determine what may work well for you. Here are some things you should consider to get you started:

• Who gets to speak on behalf of your organization and under what guidelines? For example, many organizations have selected an individual (or an organization) to serve as the “voice of the company.” By taking this approach an organization can easily implement “message control” (and damage control when necessary).
• Be sure to state with specific clarity that protected health information (PHI) is NOT to be shared online in any way, shape, or form without the express authorization of the governance committee and the patient.
• All workforce members, including doctors and volunteer workforce, need to be trained on the organization’s social media policy (including personal use at work) as part of HIPAA training and/or employee orientation training.

The list is not exhaustive. It is intended to get you thinking about the implications of social media and the intersection with HIPAA compliance.

Social Media Policy Concepts

Start by implementing a social media policy in your practice. First create a policy that fits YOUR culture and how you practice, and most importantly be sure patient privacy is at the forefront.

• Make it easy to understand. If you use buzzwords, tech jargon and legalese you will confuse your workforce.
• Create a rollout plan for your new policy.
• Educate your workforce on your new policy.
• Don’t forget to include all relevant parties and departments when creating and reviewing your policy.

Social Media Healthful Tips

• Keep personal social media accounts separate from organization accounts
• Avoid “friending” patients, subscribers, and clients
• Remember things are never fully deleted on the Internet
• Private personal page posts can still be accessed and distributed
• Never repost, retweet or “regram” patient information on personal pages
• Understand the list of 18 personal identifiers – very little information can lead to a breach
• Post signs in facilities stating that photos and videos may not be taken
• Post a commenting policy on your social media sites
• Collaborate with human resources, legal counsel, risk management, privacy officer, security officer, compliance officer, marketing, and sales

During their 2018 Fall Conference OCR shared that they will be paying more attention to social media!! Remember – they are always watching. Need help developing your social media policy? Let HIPAA alli help develop your healthcare social media strategy before you start connecting.

Social Media – The Good, The Bad, and The Ugly

Social Media – The Good, The Bad, and The Ugly …

Without guidance from Health and Human Services, it can be difficult to know how to navigate the healthcare social media rules. Providers, agencies, and brands need to create informative, engaging social content. At the same time, you need to follow industry rules and regulations. For all the potential good, there are many risks associated with the use of social media. These are well documented, and in the case of the newer devices and technologies are only just evolving. Remembering back only a few years, computing was done on a larger and less portable device. The risks of today and tomorrow will not only be based on the applications themselves but on the smaller and more portable devices we find them running on.

Social Media – The Good

One way healthcare organizations can use social media for “The Good” is to develop social media campaigns to drive awareness on a specific topic. Examples include:

• Breast Cancer Awareness – for patients and families
• Babies – targeting new moms
• Pediatric – focusing on children’s health

Social Media – The Bad

Patients have been discussed by their caregivers. Names may not have been used, but still, references to a patient in a certain room or a description of the patient or why they are being treated may provide enough information to identify individuals. Negative comments can get posted about patients, co-workers, providers, working conditions, salary and benefits, or administration. A potential risk that should not be overlooked is that on many sites anything can be posted regardless of the truth. These postings may include information that may be protected under HIPAA or can affect your brand, reputation or good name. While you may be able to block or remove posted content, you will have no control over where it may have been copied to or whom it was seen by. A disclosure or incident may have occurred which will require time and resources to address, even though your organization may have had nothing to do with posting it in the first place.

Social Media – The Ugly

When I say ugly, I MEAN UGLY!! This was reported in June 2018, after an EMS worker from Tennessee responded to a call where a patient had suffered a heart attack in his chicken coop. But … she then posted the following on her Facebook account: “Well, we had a first… We worked a code in a chicken coop! Knee deep in chicken droppings.” In the comment section to her post, the worker also wrote, “It was awful,” and “I’m pretty sure y’all could smell us in dispatch.” The patient’s wife called the County EMS to complain about the post, but they didn’t return her call. DO NOT IGNORE PATIENT PRIVACY COMPLAINTS – even if it IS social media!! Healthcare social media is NOT something anyone should do without understanding the implications of their actions. Do you think this Facebook post is a HIPAA violation?

Let HIPAA alli help develop your healthcare social media strategy before you start connecting.

Social Media – When Things Get Really Ugly

When Things Get Really Ugly …

Here is an example of what NOT to do on social media!! This post was made in a PUBLIC Facebook group for medical billers. When I saw it … that’s right, it did make my blood boil. I immediately sent a private message to the originator of the post to let them know they had shared protected health information (PHI). I waited over 24 hours, and if you know me and HIPAA that was a REALLY LONG, LONG, LONG TIME!! When that didn’t work I added a public comment that the post violated HIPAA. Then I added an image to help clarify my point. The post was eventually taken down, but not before I was able to capture it. Who knows who else also has a copy of it, since it was in a PUBLIC Facebook group!!

Here is exactly what they wrote, including spelling errors (PHI redacted for this article):

Good Afternoon. I am in need of some advice regarding a BBB complaint filed by a patient and how to respond to the complaint without violating HIPAA. We treated an entire family (xxxxxxxxxxxxxxxxx [patient genders identified] that ranged in age from xxxxxxxxx [ages identified]) for physicaltherapy (PT) following an xxxxxxxxxxx, from the onset the Mom lied to us and told us that she did not have an attorney then she refused to give us the xxxxxxxxxxx information to file claims to and the list goes on and on. One of the last visits that we saw the Mother she was sitting in a chair in one of our PT roooms when one of our PT aides dropped a small padded board (weights less than half an ounce) that we use for physical therapy treatment and it hit the Mom on the forehead, we called the physical therapist in, he looked at it, there was no bruising or any mark whatsoever. Patient stated she was fine. The physical therapist even asked the patient if she needed to go to the ER. The patient replied, NO, that she was fine. The patient continued her treatment that day and returned for 4 more additional visits which completed her PT treatment plan. One month later we receive notice that we are being sued by this patient because of her ongoing injury caused by being hit in the head. She states she has severe whiplash and has been having heaaches sincee the incident. We had filed all the claims for the husband and the kids to Tricare, they paid all of the claims but the patient had a copay on each visit (Current Balance approximately $2000.00) The Mom’s claims were sent to Medicare, all of the claims were denied beacuse of the “auto accident” therefore the Mom currently has a balance of over $6000.00! In August, a representative from her auto insurance called and requested a copy of itemized billing records on the husband and the four daughters so that they could write us a check for the outstanding baalnce. This information was sent to them. A few weeks later the Mom started calling requesting itemized statements as well stating that she wanted to get reimbursed from her auto insurance for the copays. I was told by the owner that we were not to speak her, that since she had a pending lawsuit that she needed to direct all of her questions through her attorney. She refuses to do so and continues to call and leave very vulgar messages on our voice mail. First of all, the patient is receiving statements each and every month so she knows exactly what her balance is! I think she found out that the insurance company would reimburse her for the copays so she thought she would try to get the check written directly to her instead and then never pay us. Now she has filed a BBB complaint against us stating that she has been requesting a statement from us for over 6 months so that she can pay us and that we refuse to take her calls and we will not send her a statment. I am so fed up with this account!

I share this post with you to make a point of how easy it is to violate patients’ privacy on social media. As you can see, the post contains enough information to identify who the patients are by linking it to where the person works. Healthcare social media is not something anyone should do without understanding the implications of their actions.

Let HIPAA alli help develop your healthcare social media strategy before you start connecting.

Passwords and Passphrases

Why Does It Matter?

The Administrative Safeguards of the HIPAA Security Rule require Covered Entities (CEs) and Business Associates (BAs) to: Implement procedures for creating, changing and safeguarding passwords [for details see: Security Awareness and Training, §164.308(a)(5)]. Make sure you create and regularly use strong passwords (i.e. usually 10 characters or more, including uppercase and lowercase letters, numbers, and special characters like #$&*). When creating your passwords, consider using unique “passphrases,” which are sentences that may be easier to remember than a very complex password (e.g. “I got A new bike for my 8th birthday!” would be ItAwkry8b!). Do NOT use passwords or phrases that would be easy to guess, such as a pet’s name or your birth date. This might surprise you, but some actually fell for it.

Maintaining strong and unique passwords will decrease the risk of password guessing based on commonly used passwords, information about you that might be publicly available, or password cracking tools that hackers use.

Are You Using the Same Password for All Users?

Does the HIPAA Security Rule permit a CE or BA to assign the same log-on ID or user ID to multiple employees? Answer: No!! Under the HIPAA Security Rule, CEs and BAs, regardless of their size, are required under § 164.312(a)(2)(i) to “assign a unique name and/or number for identifying and tracking user identity.” A “user” is defined in § 164.304 as a “person or entity with authorized access.” Accordingly, the HIPAA Security Rule requires CEs and BAs to assign a unique name and/or number to each employee or workforce member who uses a system that maintains electronic protected health information (ePHI), so that system access and activity can be identified and tracked by user. This pertains to workforce members within small or large healthcare provider offices, health plans, group health plans, and healthcare clearinghouses.

In recent years, the healthcare sector has been one of the biggest targets of cyber crime, resulting in breaches due to weak authentication. Remember: keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility. Covered Entities and Business Associates need to understand patients are entrusting them with their most private and intimate details, and they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” Newsletter today.

HIPAA Security Incident vs Breach

HIPAA Security Incident vs Breach What’s the Difference?

Today I am breaking down the difference between a HIPAA security incident and a breach. First, allow me to set the stage with definitions to provide some clarification.

What are HIPAA Security Incidents?

The HIPAA Security Rule defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system (see the definition of a security incident at 45 CFR 164.304). When a security incident happens, and they do happen, effective response planning can be a major factor in how significantly an organization suffers operational or reputational harm and/or legal liability. Being able to respond to incidents in a systematic way ensures appropriate response steps are taken each time, helping to minimize the impact of breaches.

What would you do? What if this scenario happened in your organization, would your workforce know what to do? ⇒ My office just experienced a cyber-attack! The previous example emphasizes the importance of creating a security incident response plan for your organization.

Incident Response Plan

Your Incident Response Plan is intended to assist Covered Entities (CEs) and their third-party vendors, referred to by the Department of Health and Human Services (HHS) as Business Associates (BAs), in detecting breaches, decreasing loss and damage, mitigating the weaknesses that were exploited, protecting the confidentiality, integrity, and availability of data, and restoring IT services back to normal. When establishing your incident response capabilities, CEs and BAs should consider:

• Developing written incident response policies, plans and procedures
• Building relationships and setting up plans for communicating with internal and external parties regarding incidents
• Staffing and training

What is a HIPAA Security Breach?

The HIPAA Security Rule identifies breaches as an impermissible acquisition, access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information (PHI) (see the definition of a breach at 45 CFR 164.402). An impermissible use and/or disclosure of PHI is presumed to be a breach unless the CE or BA, as applicable, demonstrates there is a low probability the PHI has been compromised based on a risk assessment. OCR provides an All Case Examples list of HIPAA compliance enforcements organized by CE type or issue. The list contains several case studies of impermissible uses and/or disclosures. I recommend reviewing the list to see how OCR addresses each one.

It is a HIPAA Breach, Now What …

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires that after experiencing a breach of unsecured protected health information (PHI), CEs and their BAs notify affected individuals, the Secretary, and, when required, the media.

Notification By a Third-Party Vendor

BAs must notify CEs if a breach occurs at or by the BA. The BA must provide notice to the CE without unreasonable delay, and no later than 60 days from the discovery of the breach. Where possible, the BA should provide the CE with the identification of each individual affected as well as any other available information.

The Office for Civil Rights “Wall of Shame”

More and more people are hearing of OCR’s “Wall of Shame.” All it takes to join this infamous list is a breach of unsecured PHI that affects 500 or more individuals. After you’ve reached that magic number (500 or more patient records breached), you must notify the media. If a breach affects fewer than 500 individuals, the CE must notify the Secretary and affected individuals. Reports of breaches affecting fewer than 500 individuals are due to the Secretary no later than 60 days after the end of the calendar year in which the breaches occurred.

Did You Know?

Breaches are not the ONLY way to make it on the wall. Oh no, all it takes is for someone to file a complaint about your organization involving any of these areas:

• Civil Rights
• Conscience and Religious Freedom
• Health Information Privacy

Once OCR receives a complaint they begin their investigation. When they come calling, they don’t ONLY look at areas related to the complaint. Instead they look at your ENTIRE compliance program. Now I ask you, if this happened, would YOU be ready for OCR?

See Why It Matters

In 2018, there were 76 healthcare data breaches involving Business Associates added to the “Wall of Shame,” and 5,730,242 patients’ medical records were breached:

• Hacking/IT Incidents = 35
• Unauthorized Access/Disclosure = 34
• Loss = 5
• Theft = 2

For more details about the HIPAA Breach Notification Rule, visit the HHS website. It doesn’t matter what size you are; hackers know healthcare is rich with unsecured data worth approximately $408.00 per record on the Dark Web. Remember: keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility. Providers and third-party vendors need to understand patients are entrusting them with their most private and intimate details, and they expect it to remain secure.
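The timing rules stated in this post and in the breach notification reporting times post above (60 days from discovery for BA-to-CE notice and for notice to individuals, media and HHS at 500 or more affected, and 60 days after the end of the calendar year for HHS reports of smaller breaches) are easy to get wrong under pressure. Here is an added example, not code from the original posts, that turns those rules into a deadline calculator; the optional shorter BAA and state-law windows are assumed inputs, since the posts say these exist but do not give their values.

```python
"""Outer-limit HIPAA breach notification deadlines as the posts describe them.

Added example, not the original posts' code. It models only the timing
rules stated in the text: 60 days from discovery for BA-to-CE notice and
for notice to individuals (and to HHS and the media at 500 or more
affected), and 60 days after the end of the calendar year for HHS reports
of smaller breaches. State deadlines and any shorter BAA window are
inputs you supply (assumed); they are not looked up here.
"""
from datetime import date, timedelta

OUTER_LIMIT = timedelta(days=60)   # "in no case later than 60 days"
MEDIA_THRESHOLD = 500              # the post's "magic number"


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def notification_deadlines(discovered, affected, role, baa_days=None, state_days=None):
    """Return the latest permitted notification date for each recipient.

    discovered: date the breach was discovered (the clock starts here,
                whoever found it).
    affected:   number of individuals whose unsecured PHI was involved.
    role:       "CE" (covered entity) or "BA" (business associate).
    baa_days:   shorter BA-to-CE window agreed in the BAA, if any (assumed).
    state_days: shorter state-law window for individual notice, if any (assumed).
    The rule says "without unreasonable delay"; these dates are ceilings,
    not targets.
    """
    discovered = _as_date(discovered)
    if role == "BA":
        window = OUTER_LIMIT
        if baa_days is not None:
            window = min(window, timedelta(days=baa_days))
        return {"covered_entity": discovered + window}
    if role != "CE":
        raise ValueError("role must be 'CE' or 'BA'")

    individual_window = OUTER_LIMIT
    if state_days is not None:
        individual_window = min(individual_window, timedelta(days=state_days))
    deadlines = {"individuals": discovered + individual_window}

    if affected >= MEDIA_THRESHOLD:
        deadlines["media"] = discovered + OUTER_LIMIT
        deadlines["hhs_secretary"] = discovered + OUTER_LIMIT
    else:
        # Smaller breaches go on the annual log: due 60 days after the
        # calendar year ends, so the date shifts by a day in a leap year.
        year_end = date(discovered.year, 12, 31)
        deadlines["hhs_secretary"] = year_end + OUTER_LIMIT
    return deadlines


def days_left(deadlines, today):
    """Days remaining per recipient; a negative number means the ceiling passed."""
    today = _as_date(today)
    return {who: (when - today).days for who, when in deadlines.items()}


if __name__ == "__main__":
    found = "2024-02-15"   # constructed discovery date
    print("CE, 1,200 affected:", notification_deadlines(found, 1200, "CE"))
    print("CE, 120 affected:  ", notification_deadlines(found, 120, "CE"))
    print("BA, 10-day BAA:    ", notification_deadlines(found, 120, "BA", baa_days=10))
    print("days left on 2024-04-01:",
          days_left(notification_deadlines(found, 1200, "CE"), "2024-04-01"))
```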

Why You Need A Current HIPAA Risk Analysis

Conducting a HIPAA risk analysis is the first step in identifying the risks in your organization. The Department of Health and Human Services (HHS) requires healthcare organizations and their third-party vendors that create, receive, maintain or transmit electronic protected health information (e-PHI) to identify the risks and vulnerabilities that affect e-PHI. Once the risks have been identified it is imperative to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Failure to implement the appropriate security measures leaves your organization vulnerable, and that’s not a good place to be.

https://youtu.be/QWRn2r5R7ts

HIPAA Risk Analysis Audit Results

In December 2020, the HHS Office for Civil Rights released its 2016 – 2017 HIPAA Audit Industry Report. The audit included 150 healthcare organizations (55% were providers) and 41 third-party vendors (14% were billing & claims). The results for the healthcare organizations and third-party vendors audited were:

• Security Risk Analysis – OCR found less than 20% fulfilled their regulatory responsibilities to safeguard electronic PHI (ePHI) through risk analysis activities.
• Risk Management Standards – OCR found that because both healthcare providers and their third-party vendors failed to conduct appropriate risk analyses, they were then unable to connect their security plans to the management of identified risks. An overwhelming percentage of healthcare providers (94%) and third-party vendors (88%) failed to implement appropriate risk management activities.

Clues Found in the Audit Report

OCR found that both providers and third-party vendors failed to implement effective risk analysis and risk management activities to safeguard ePHI. These findings are likely to draw closer scrutiny from investigators during breach and individual complaint investigations. Providers and third-party vendors should consider the following takeaways from OCR’s audit findings:

• Conduct a security risk analysis of the potential risks and vulnerabilities to ePHI – Providers and their third-party vendors are responsible for maintaining an appropriate and current risk analysis consistent with policies, procedures, and changes in their environment, operations, or security incidents.
• Implement appropriate risk management strategies – Providers and their third-party vendors must focus on their security risk analysis findings to inform and link their security plans to the management of identified risks.

Why Does It Matter?

Your HIPAA Risk Analysis helps you measure the impact of threats and vulnerabilities that pose a risk to the PHI in your organization. There is no single method or “best practice” that guarantees compliance; however, most HIPAA Risk Analysis and risk management processes have these steps in common. Your HIPAA Risk Analysis should include, but not be limited to, the following activities:

• Evaluate the likelihood and impact of potential risks to your ePHI.
• Implement appropriate security measures to address the risks identified in your HIPAA Risk Analysis.
• Document the chosen security measures and, where required, the rationale for adopting those measures.
• Maintain continuous, reasonable, and appropriate security protections.

The results of your HIPAA Risk Analysis will be used to determine reasonable and appropriate security measures for your organization. Remember: ANY change made to the hardware, software and/or medical devices used to create, receive, maintain, or transmit an organization’s PHI requires an update to the HIPAA Risk Analysis.