Kimberly Shutters

What Happens When You Don’t …

In this week’s Know The Rules! I present a case study on what happens when you don’t perform your Business Associate due diligence. Do you know the expression … What you don’t know WILL hurt you!! That is what Advanced Care Hospitalists (ACH), a contractor physician group in West Florida, found out the hard way after a Business Associate (BA) of theirs had a healthcare data breach in 2014.

Here Is What Happened

Between November 2011 and June 2012, ACH engaged the services of an individual who claimed to be a representative of Doctor’s First Choice Billings Inc., a Florida-based provider of medical billing services. That individual used First Choice’s company name and website, but according to the owner of First Choice, those services were provided without the knowledge or permission of First Choice.

A local hospital notified ACH on February 11, 2014 that some patient information – including names, birth dates, Social Security numbers, and some clinical information – was viewable on the First Choice website. The website was shut down the following day. In April 2014, ACH submitted a breach report to OCR about the impermissible disclosure of patients’ protected health information (PHI). Its initial breach report stated the PHI of 400 patients had been impermissibly disclosed, but ACH later amended the breach report after it was discovered that a further 8,855 patients’ PHI had also been impermissibly disclosed.

What the OCR Investigation Revealed

OCR investigated the breach and discovered that, despite having been in operation since 2005, ACH DID NOT implement ANY HIPAA Privacy, Security, and Breach Notification Rule policies and procedures before April 1, 2014, and had failed to implement appropriate security measures. ACH also failed to conduct a complete and thorough risk analysis until March 4, 2014. Although PHI had been disclosed to the individual providing medical billing services, ACH failed to enter into a Business Associate Agreement (BAA).

As a result of the lack of a BAA, ACH impermissibly disclosed the PHI of 9,255 patients to a third party for billing processing services – PHI that was subsequently exposed online. As OCR Director Roger Severino said: “This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA.”

Settlement Time

Advanced Care Hospitalists PL (ACH) agreed to pay $500,000 to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS). In addition to paying the fine, ACH has agreed to implement a robust 2-year Corrective Action Plan (CAP) to correct all HIPAA compliance failures … AND you know what that means, don’t you – the government is going to be in their business for at least the next two years. Not a place I’d like to be!!

This organization could have saved itself a whole lot of sleepless nights, financial expense and lost revenue by doing its due diligence before signing a Business Associate Agreement. Don’t let this happen to your organization. Know that your Business Associates have performed ALL of the HIPAA compliance activities.

Now I ask you … Have YOU done YOUR Business Associate due diligence? Do you need help getting started or with managing your Business Associate clients? Schedule a call, I’m here to help!!

Size Matters

Third-Party Vendors – Size Doesn’t Matter!

That’s right folks – if you are a healthcare third-party vendor, size doesn’t matter when it comes to HIPAA compliance. Healthcare third-party vendors that create, receive, maintain, and/or transmit protected health information are required by law to comply with the regulations.

Did You Know?

A healthcare third-party vendor, referred to by the Department of Health and Human Services (HHS) as a business associate (BA), was invited to the HIPAA party in February 2013. Even after all this time, HIPAA compliance still remains a challenge for many Covered Entities (CEs) and their third-party vendors alike.

From Then Until Now

As reported by HIPAA Journal in their August 25, 2017, blog post, “HIPAA Business Associate Compliance”:

“In late 2016 – almost four years after the Final Omnibus Rule was enacted – the California Healthcare Foundation funded research into HIPAA Business Associate compliance. In the compilation of the “Business Associate Compliance with HIPAA” report, researchers conducted telephone interviews with sixteen Covered Entities ranging in size from small physician offices to large integrated health systems. The researchers focused on the number and size of contracted third-party vendors, the types of services performed by third-party vendors, the “sophistication levels” of BAs, and the Covered Entities’ efforts to conduct due diligence on BAs and oversee HIPAA Business Associate compliance. It is important to note that, in California, BAs may also be covered by the state’s Confidentiality of Medical Information Act (CMIA).”

Sadly, even after almost ten years, third-party vendors remain unaware of their responsibilities and/or unsure how to comply with the HIPAA Security Rule in their environment.

Why Does It Matter?

Simple: third-party vendors can be, and have been, held directly liable and subject to civil and, in some cases, criminal penalties for making uses and/or disclosures of PHI that were not authorized.

In 2018, there were 71 healthcare breaches that affected 5.4 million patients. It is important that Covered Entities and their third-party vendors understand patients are entrusting them with their most private and intimate details. They do expect the provider and third-party vendors to comply with the HIPAA rules and keep their information secure!

Healthcare Security Incident

What if Your Business Associates Had a Security Incident?

Covered Entities (CEs) believe it’s impossible to determine whether the policies and procedures of their Business Associates (BAs) are adequate to respond effectively to a security incident. To complicate matters, even more believe their Business Associates would NOT notify them in the event of a security incident.

It is crucial that BAs notify CEs in the event of inappropriate use or disclosure of Protected Health Information (PHI) not provided for in the contract. This includes any breaches of unsecured PHI, as well as any security incidents. The Business Associate Agreement (BAA) should specify how and for what purpose the PHI will be used by each BA or subcontractor.

HIPAA defines security incidents as attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system. (See the definition of security incident at 45 CFR 164.304.) HIPAA also identifies breaches as access, use, or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of PHI. (See the definition of breach at 45 CFR 164.402.)

Did You Know?

Business Associates (BAs) are at greater risk because of their limited knowledge, understanding, and/or implementation of the HIPAA Security and Breach Notification Rules in their organization. BAs can be, and have been, held directly liable and subject to civil and, in some cases, criminal penalties for making uses and/or disclosures of protected health information (PHI) that were not authorized.

A Bad Year for Business Associates

During 2018, there were a total of 74 different Business Associate healthcare breaches added to the Office for Civil Rights (OCR) ‘Wall of Shame’, potentially compromising the health information of 5,726,824 individuals. Here are the breach types by the numbers:

• Unauthorized Access/Disclosure = 34
• Hacking/IT Incident = 33
• Loss = 5
• Theft = 2

That’s 71 new Business Associate breaches added to the ‘Wall of Shame’, each of which could now have OCR in their business affairs – this is NOT a position you EVER want for YOUR business. But wait, didn’t I just tell you there were 74 different BA healthcare breaches? Clearly, you were paying attention; that is because 3 different organizations had already made the list in 2018!! Find out who made the list by requesting your copy of the ‘2018 Business Associate Healthcare Data Breach Report’.

Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility! Covered Entities and Business Associates need to understand patients are entrusting them with their most private and intimate details, and they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of the “HIPAA Security Rule – Know The Rules!” Newsletter today.

2018 Third-Party Healthcare Data Breaches – Update

Business Associate Healthcare Data Breaches

In “Episode 63: Know The Rules!”, I reported what I thought were all of the healthcare data breaches reported on the Health & Human Services (HHS) Office for Civil Rights (OCR) Breach Portal website by Business Associates (BAs) in 2018. This is what I reported last week: The year 2018 was very bad for healthcare data breaches reported by BAs. Between January – December 2018, there were 39 different BA healthcare breaches added to the OCR ‘Wall of Shame’, potentially compromising the health information of 5,487,456 individuals.

Seems I was wrong! Why is this and how did it happen?

On January 9, 2019, after a quick review of the Breach Portal website, I noticed a new breach affecting a health plan. Nothing new, but I knew this breach was a phishing attack on their BAs. In last week’s episode, I only reported the breaches identified as “Business Associate” under the Covered Entity Type report column. However, there were many more breaches hiding in the wings. This caused me to dig deeper into the report, and this is what I found:

An Even Worse Year for Business Associates and Their Clients

It turns out 2018 was worse than I thought! During 2018, there were a total of 74 different healthcare breaches on the wall. Here are the numbers:

• Unauthorized Access/Disclosure = 34
• Hacking/IT Incident = 33
• Loss = 5
• Theft = 2

That’s 71 new Business Associate breaches added to the ‘Wall of Shame’, each of which could now have OCR in their business affairs – this is NOT a place you EVER want YOUR business to be in. But wait, didn’t I just tell you there were 74 different BA healthcare breaches? Clearly, you were paying attention; that is because 3 different organizations had already made the list in 2018!!

Remember: Keeping your PHI secured and maintaining HIPAA compliance is YOUR responsibility! Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details, and they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Request your copy today of the ‘2018 Business Associate Healthcare Data Breach Report’ and find out who made the list.

When it comes to healthcare, what does Minimum Necessary mean?

HIPAA Privacy Rule Minimum Necessary

In this week’s “Know The Rules!,” I am discussing the Privacy Rule minimum necessary standard [45 CFR 164.502(b), 164.514(d)]. Minimum necessary applies when using or disclosing protected health information (PHI) or when requesting PHI from another Covered Entity (CE) or Business Associate (BA): a CE or BA must make reasonable efforts to limit PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure or request.

Here Is How the Rule Works

The Privacy Rule requires CEs and their BAs to evaluate their practices and take reasonable steps to limit uses, disclosures, or requests of PHI. The minimum necessary standard does not apply to the following:

• Disclosures to or requests by a healthcare provider for treatment purposes.
• Disclosures to the individual who is the subject of the information.
• Uses or disclosures made following an individual’s authorization.
• Uses or disclosures required for compliance with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules.
• Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the Privacy Rule for enforcement purposes.
• Uses or disclosures that are required by other law.

CEs and BAs are required to develop and implement policies and procedures appropriate for their organization, reflecting the organization’s business practices and workforce. Your policies and procedures must identify the persons or classes of persons who need access to the information to carry out their job duties, the categories or types of PHI needed, and the conditions appropriate to such access.

What Does This Mean?

PHI should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function. For example, hospitals may implement policies that permit doctors, nurses, or others involved in treatment to have access to the entire medical record, as needed. Likewise, in a small practice your receptionists should not have access to treatment records and nurses should not have access to patient financial data.

Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details, and they expect it to remain secure. Don’t forget, keeping your patients’ PHI secure IS your responsibility! Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter today.
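One way to turn the minimum necessary policy above (classes of persons, categories of PHI, conditions on access, and the exemptions) into something checkable. This is an added example, not code from the page or from HHS; the role names, PHI categories, the care-team condition and the sample patient record are all constructed for illustration.

```python
"""Minimum-necessary access filter.

Added example, not code from the page or from HHS: it expresses the policy
described above (who may see which PHI categories, under what conditions)
as a checkable function. Role names, categories, the care-team condition and
the sample record are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

# PHI categories a patient record is divided into (constructed).
DEMOGRAPHICS = "demographics"   # name, date of birth, contact details
SCHEDULING = "scheduling"       # appointment dates and locations
TREATMENT = "treatment"         # diagnoses, clinical notes, medications
FINANCIAL = "financial"         # insurer, balances, payment history
ALL_CATEGORIES: FrozenSet[str] = frozenset({DEMOGRAPHICS, SCHEDULING, TREATMENT, FINANCIAL})

# Classes of persons and the categories each needs for its job duties, following
# the page's example: receptionists get no treatment records, nurses get no
# financial data, treating physicians may see the whole record.
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "physician": ALL_CATEGORIES,
    "nurse": frozenset({DEMOGRAPHICS, SCHEDULING, TREATMENT}),
    "receptionist": frozenset({DEMOGRAPHICS, SCHEDULING}),
    "billing_clerk": frozenset({DEMOGRAPHICS, FINANCIAL}),
}
# A condition on access (hypothetical): clinical staff only see treatment data
# for patients whose care team they are on.
CARE_TEAM_ROLES = {"physician", "nurse"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    purpose: str                     # "treatment", "payment", "operations", ...
    is_subject: bool = False         # requester is the patient the record is about
    has_authorization: bool = False  # the patient signed an authorization for this use


def allowed_categories(req: AccessRequest, record: Dict[str, object]) -> FrozenSet[str]:
    """Return the PHI categories this request may see.

    Two of the exemptions the page lists are modelled: disclosure to the
    individual who is the subject of the information, and uses made following
    the individual's authorization. Those get the whole record. Everything
    else is limited by role, and treatment data additionally requires the
    requester to be on the patient's care team. Unknown roles get nothing.
    """
    if req.is_subject or req.has_authorization:
        return ALL_CATEGORIES
    permitted = set(ROLE_POLICY.get(req.role, frozenset()))
    care_team = record.get("care_team", set())
    if TREATMENT in permitted and req.role in CARE_TEAM_ROLES and req.user not in care_team:
        permitted.discard(TREATMENT)
    return frozenset(permitted)


def minimum_necessary_view(record: Dict[str, object], req: AccessRequest) -> Dict[str, object]:
    """Filter a record down to only the PHI categories the request may see."""
    permitted = allowed_categories(req, record)
    return {cat: data for cat, data in record.items() if cat in permitted}


# Constructed sample record for a fictional patient.
SAMPLE_RECORD: Dict[str, object] = {
    "care_team": {"dr.kim", "n.jones"},
    DEMOGRAPHICS: {"name": "Jane Example", "dob": "1980-01-01"},
    SCHEDULING: {"next_visit": "2019-03-12"},
    TREATMENT: {"diagnosis": "hypertension", "medication": "lisinopril"},
    FINANCIAL: {"insurer": "ExampleCare", "balance_due": 125.00},
}

if __name__ == "__main__":
    for req in (AccessRequest("r.smith", "receptionist", "operations"),
                AccessRequest("n.jones", "nurse", "treatment"),
                AccessRequest("n.park", "nurse", "treatment"),   # not on the care team
                AccessRequest("b.lee", "billing_clerk", "payment"),
                AccessRequest("jane", "patient", "own_records", is_subject=True)):
        view = minimum_necessary_view(SAMPLE_RECORD, req)
        print(f"{req.user:8} {req.role:13} -> {sorted(view)}")
```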

What is Phishing anyway?

How To Spot Phishing

In this week’s “Know The Rules!,” I present different methods Covered Entities (CEs) and Business Associates (BAs) can use to detect and avoid phishing attacks.

Spam & Phishing on Social Networks

Spam, phishing and other scams aren’t limited to just email. They’re also prevalent on social networking sites, like Facebook, WhatsApp, Instagram and Twitter. The same rules apply on social networks: When in doubt, throw it out. This rule applies to links in online ads, status updates, tweets and other posts.

How Do You Avoid Being a Victim?

Don’t reveal personal or financial information in an email, and do not respond to email solicitations or phone calls for this type of information. Before sending sensitive information over the Internet, check the security of the website.

Pay attention to the website’s URL. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com versus .net).

If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Contact the company using information provided on an account statement, not information provided in an email. Information about known phishing attacks is available online from groups such as the Anti-Phishing Working Group.

Keep a clean machine. Having the latest operating system, software, web browsers, anti-virus protection and apps is the best defense against viruses, malware, and other online threats.

What Should You Do if You Think You Are a Victim?

Report it to the appropriate individuals within the organization, including network administrators. If you believe your financial accounts may be compromised, contact your financial institution immediately and close the account(s). Watch for any unauthorized charges to your account.

When in doubt, throw it out – links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, even if you know the source, it’s best to delete it or, if appropriate, mark it as junk.

Here are a few tips to help you keep your information secure:

• Think before you act: Be wary of communications that implore you to act immediately, offer something that sounds too good to be true or ask for personal information.
• Make your password a sentence: A strong password is a sentence that is at least 12 characters long. Focus on positive sentences or phrases that you like to think about and are easy to remember (for example, “I love country music.”). On many sites, you can even use spaces!
• Unique account, unique password: Having separate passwords for every account helps to thwart cybercriminals. At a minimum, separate your work and personal accounts and make sure that your critical accounts have the strongest passwords.
• Lock down your login: Fortify your online accounts by enabling the strongest authentication tools available, such as biometrics, security keys or a unique one-time code through an app on your mobile device. Your usernames and passwords are not enough to protect key accounts like email, banking and social media.

Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details, and they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter today.

Audit Controls

HIPAA Security Audit Controls and Audit Logs

Today I am breaking down one of the Technical Safeguard standards, Audit Controls, 45 CFR § 164.312(b), into byte-size portions to help you understand why it is significant to your organization. The HIPAA Security Rule provision on Audit Controls requires regulated entities to:

Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

Audit Controls – What Are They?

The majority of information systems provide some level of audit controls with a reporting method, such as audit logs. These controls are useful for recording and examining information system activity, which also includes user and application activity. Audit controls that produce audit reports work in conjunction with audit logs and audit trails. Audit logs and trails assist regulated entities with reducing risk associated with: reviewing inappropriate access; tracking unauthorized disclosures of ePHI; detecting performance problems and flaws in applications; detecting potential intrusions and other malicious activity; and providing forensic evidence during investigation of security incidents and breaches. As part of this process, regulated entities should consider which audit tools may best help them with reducing non-useful information contained in audit records, as well as with extracting useful information.

Audit Logs and Audit Trails – What Are They?

According to the National Institute of Standards and Technology (NIST), audit logs are records of events based on applications, users, and systems, and audit trails involve audit logs of applications, users, and systems. Audit trails’ main purpose is to maintain a record of system activity by application processes and by user activity within systems and applications.

Regulated entities should make sure that they appropriately review and secure audit trails, and that they use the proper tools to collect, monitor, and review audit trails. Protecting audit logs and audit trails prevents intruders from tampering with the audit records and protects their integrity. Not safeguarding audit logs and audit trails can allow hackers or malevolent insiders to cover their electronic tracks, making it difficult for regulated entities not only to recover from breaches, but to prevent them before they happen.

The HIPAA Security Rule does not identify what information should be collected from an audit log or trail or how often the audit reports should be reviewed. When determining reasonable and appropriate audit controls for information systems containing or using ePHI, regulated entities must consider their risk analysis results and organizational factors, such as:

• Technical infrastructure
• Hardware
• Software security

Audit Trail Examples

Different types of audit trails your practice should consider include:

• Application audit trails – Normally monitor and log user activities in the application. This includes the application data files opened and closed, and the creating, reading, editing, and deleting of application records associated with ePHI.
• System-level audit trails – Usually capture successful or unsuccessful log-on attempts, log-on ID/username, date and time of each log-on/off attempt, devices used to log on, and the application the user successfully or unsuccessfully accessed.
• User audit trails – Normally monitor and log user activity in an ePHI system or application by recording events initiated by the user, such as all commands directly initiated by the user, log-on attempts with identification and authentication, and access to ePHI files and resources.

It is important to point out that although the HIPAA Security Rule does not identify the data that must be gathered by the audit controls or how often the audit reports should be reviewed, a regulated entity must consider its risk analysis and organizational factors, such as current technical infrastructure, hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use ePHI.

Is Anyone Looking at the Audit Logs?

There are several reasons to implement and monitor audit controls. Over the last few weeks I’ve shared several of them; here are two:

• Doctor accessed medical records without authorization AND gave some of that PHI to an ATTORNEY!!
• Nurse viewed 13,000 patients’ medical records without authorization for 15 months!!

How do you know if, or who, is snooping in your medical records? … Audit Logs!

But It Doesn’t End There!

Regulated entities should review and secure audit logs/trails, and use proper tools to collect, monitor, and review audit logs/trails. But the HIPAA Security Rule does not identify what information should be collected in an audit log/trail or how often the audit reports should be reviewed. Each regulated entity must consider its complete and thorough risk analysis results and organizational factors, such as its current technical infrastructure, hardware, and software security capabilities.

The majority of information systems provide some level of audit controls with a reporting method, such as audit reports. These controls are useful for recording and examining information system activity, which also includes user and application activity. It is important to protect your audit logs and trails to prevent intruders from tampering with the audit records and to preserve their integrity. Not safeguarding audit logs and audit trails can allow hackers or insider threats to cover their tracks electronically, making it difficult for regulated entities not only to recover from incidents or breaches, but to prevent them before they happen.

Understanding the Importance of Audit Controls

The HIPAA Security Rule provision on Audit Controls (45 C.F.R. § 164.312(b)) requires regulated entities to apply hardware, software, and/or procedural mechanisms that record and examine activity within information systems that contain or use electronic protected health information (ePHI). Audit controls produce audit reports, which work in conjunction with audit logs and audit trails. Audit logs and audit trails assist CEs and BAs in reducing associated risks by:

→ Tracking inappropriate access
→ Tracking unauthorized disclosures of ePHI
→ Detecting performance problems and flaws in applications
→ Detecting potential intrusions and other malicious activity
→ Providing forensic evidence during security incidents and breach investigations

It is imperative for regulated entities to review their audit trails regularly, particularly after security incidents or breaches, but also during real-time operations. Regular review of information system activity should promote awareness of any information system activity that could suggest a security incident or breach. Access to audit trails should be strictly restricted, and should be provided only to authorized personnel.

Covered Entities
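The kind of review the section above calls for, as an added example that is not code from the page or from HHS guidance: it runs over constructed audit-log lines and performs a system-level trail check for bursts of failed log-ons, a user-trail check for record reads outside a user’s assigned patients (the snooping cases mentioned above), and a hash-chain integrity check so that an edited or deleted entry is detectable. The log format, user names, patient IDs, assignment table and threshold are all constructed for illustration.

```python
"""Audit-trail review over constructed log lines.

Added example, not code from the page or from HHS guidance: a failed-log-on
check (system-level trail), an unassigned-patient read check (user trail) and
a hash-chain integrity check. Log format, user names, patient IDs, the
assignment table and the threshold are all constructed for illustration.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed audit-log lines: "<timestamp> key=value key=value ...".
SAMPLE_LOG = """\
2019-01-14T08:02:11Z user=n.jones event=LOGON outcome=SUCCESS device=WS-12
2019-01-14T08:05:40Z user=n.jones event=RECORD_READ patient=P1001 app=EHR
2019-01-14T08:06:02Z user=n.jones event=RECORD_READ patient=P1002 app=EHR
2019-01-14T08:09:15Z user=n.jones event=RECORD_READ patient=P2207 app=EHR
2019-01-14T08:11:51Z user=n.jones event=RECORD_READ patient=P2208 app=EHR
2019-01-14T09:30:00Z user=dr.kim event=LOGON outcome=SUCCESS device=WS-03
2019-01-14T09:31:10Z user=dr.kim event=RECORD_READ patient=P1001 app=EHR
2019-01-14T22:14:02Z user=r.smith event=LOGON outcome=FAILURE device=WS-07
2019-01-14T22:14:09Z user=r.smith event=LOGON outcome=FAILURE device=WS-07
2019-01-14T22:14:15Z user=r.smith event=LOGON outcome=FAILURE device=WS-07
"""

# Constructed assignment table: the patients each user is scheduled to see.
ASSIGNED: Dict[str, Set[str]] = {
    "n.jones": {"P1001", "P1002"},
    "dr.kim": {"P1001"},
}
FAILED_LOGON_THRESHOLD = 3  # constructed review threshold


def parse_line(line: str) -> Dict[str, str]:
    """Turn '<ts> k=v k=v' into a dict, with the timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def parse_log(text: str) -> List[Dict[str, str]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_logon_bursts(events: List[Dict[str, str]]) -> Dict[str, int]:
    """System-level trail: users at or above the failed log-on threshold."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.get("event") == "LOGON" and e.get("outcome") == "FAILURE":
            counts[e["user"]] += 1
    return {u: n for u, n in counts.items() if n >= FAILED_LOGON_THRESHOLD}


def unassigned_record_reads(events: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """User trail: ePHI record reads for patients the user is not assigned to."""
    findings: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.get("event") == "RECORD_READ" and e["patient"] not in ASSIGNED.get(e["user"], set()):
            findings[e["user"]].add(e["patient"])
    return dict(findings)


def chain_hashes(lines: List[str]) -> List[str]:
    """Hash-chain the log: each digest covers the previous digest plus the line,
    so altering or removing any line changes that digest and every later one."""
    digests, prev = [], "0" * 64
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        digests.append(prev)
    return digests


def verify_chain(lines: List[str], expected: List[str]) -> Tuple[bool, int]:
    """Recompute the chain against stored digests; return (ok, first bad index or -1)."""
    actual = chain_hashes(lines)
    for i, (a, e) in enumerate(zip(actual, expected)):
        if a != e:
            return False, i
    if len(actual) != len(expected):
        return False, min(len(actual), len(expected))
    return True, -1


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("failed log-on bursts:", failed_logon_bursts(events))
    print("reads outside assignment:", unassigned_record_reads(events))
    lines = SAMPLE_LOG.splitlines()
    stored = chain_hashes(lines)  # digests would live on a separate, append-only store
    tampered = lines[:]
    del tampered[3]  # an insider removes the record of one of their own reads
    print("chain intact after deletion?", verify_chain(tampered, stored))
```

The stored digests only protect the log if they are kept where the users being audited cannot rewrite them, which is the "secure audit trails" point the section makes.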

HIPAA Notice of Privacy Practices

Get to Know the HIPAA Notice of Privacy Practices

The first time you see a healthcare provider or dentist (known as a Covered Entity), check in to a hospital, or change health insurance coverage, you will likely be asked to read and sign several different forms. One of those forms is called the Notice of Privacy Practices (NPP). The NPP explains your rights regarding the privacy of your protected health information (PHI) and how it can be used or shared.

Most providers must give you the NPP at your first appointment, and most health plans must give you the NPP when you enroll. A copy of the NPP must be posted in a clear, easy-to-find location in a doctor’s office, pharmacy or hospital, be mailed to you by your health insurance company, or be posted on a provider’s or health insurance company’s website. If you can’t find it, ask for it; your provider or health insurance company must give it to anyone who asks for it.

4 Things the Notice of Privacy Practices Must Include

The NPP must describe:

• How the HIPAA Privacy Rule allows providers to use and disclose PHI. It must also explain that your permission (authorization) is necessary before your health records are shared for any other reason.
• The organization’s duties to protect health information privacy.
• Your privacy rights, including the right to complain to HHS and to the organization if you believe your privacy rights have been violated.
• How to contact the organization for more information and/or to make a complaint.

When Should I Receive the Notice of Privacy Practices?

You will usually receive a copy of the organization’s NPP at your first appointment. In an emergency, you should receive the NPP as soon as possible after the emergency. The NPP must also be posted in a clear and easy-to-find location where patients are able to see it, and a copy must be provided to anyone who asks for one. If an organization has a website, it must also post the notice on its website.

A health plan must give its notice to you at enrollment. It must also send a reminder at least once every three years, and you can ask for the notice at any time.*

*Note: A health plan can give the notice to the “named insured” (subscriber for coverage). It does not also have to give separate notices to spouses and/or dependents.

Do I Have to Sign It?

The law requires your provider, hospital, or other care providers to ask for written proof that you received the Notice of Privacy Practices, or what they might call an “acknowledgement of receipt.” The law DOES NOT require you to sign the acknowledgement form. If you choose NOT to sign, your provider must keep a record that they did not get your signature, but they still have to treat you. And if you sign it, you have NOT given up ANY of your rights or agreed to ANY special uses of your health records. It simply means you are acknowledging you received the provider’s Notice of Privacy Practices.

Covered Entities and third-party vendors should understand patients are entrusting them with their most private and intimate details, and they expect it to remain secure.

Anti-Kickback Statute

Today, I am presenting a case study of what happens when a Covered Entity (CE) and a pharmaceutical company collude to violate the Federal Anti-Kickback Statute and the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

Healthcare has a Federal Anti-Kickback Statute (AKS), 42 U.S.C. § 1320a-7b(b), that makes it illegal for providers to knowingly and willfully accept bribes or other forms of remuneration in return for generating Medicare, Medicaid or ANY other federal health care program business.

What does remuneration mean under the Anti-Kickback Statute?

The AKS provides criminal penalties, as defined in the table below, for individuals and entities that knowingly and willfully offer, pay, solicit or receive remuneration in order to induce business(es) for which payment(s) may be made under a federal healthcare program. Kickbacks in healthcare have led to:

→ Over-utilization
→ Increased program costs
→ Corruption of medical decision making
→ Patient steering
→ Unfair competition

Did You Know?

The kickback prohibition applies to ALL sources of referrals, even patients. For example, the Medicare and Medicaid programs require patients to pay co-pays for services, and CEs are generally required to collect that money from their patients. Routinely waiving co-pays could trigger the AKS, and you are not allowed to advertise that you will forgive co-payments. However, you are free to waive a co-payment IF you make an individual determination that the patient cannot afford to pay or if your reasonable collection efforts fail.

The Government does not need to prove patient harm or financial loss to the programs to show that a physician violated the AKS. A physician can be guilty of violating the AKS even if the physician actually rendered the service and the service was medically necessary. Taking money or gifts from a drug or device company or a durable medical equipment (DME) supplier is not justified by the argument that you would have prescribed that drug or ordered that wheelchair even without a kickback.

Now that I’ve shared all that with you, it is time for… Drum Roll Please!

Case Study: What Happens When a Drug Company Offers Kickbacks to Doctors

It doesn’t happen often, but when it does, the Department of Justice (DOJ) WILL impose criminal penalties for ANY HIPAA violation(s). This is one such case that resulted in two criminal convictions – a violation of HIPAA and obstructing a criminal healthcare investigation. Here is what happened:

From January 2011 through November 2011, a Massachusetts gynecologist allowed a pharmaceutical company sales representative from Warner Chilcott to access the protected health information (PHI) in her patients’ medical files. When questioned later, she provided false information to federal agents when interviewed about her relationship with Warner Chilcott.

On October 29, 2015, Warner Chilcott U.S. Sales LLC, a subsidiary of pharmaceutical manufacturer Warner Chilcott PLC, pled guilty to paying kickbacks to induce physicians to prescribe their drugs. Warner Chilcott agreed to pay $125 Million to resolve criminal liability and several False Claims Act allegations. The DOJ investigation didn’t end there: in September 2018, the gynecologist was sentenced to one year of probation for violating HIPAA and one count of obstruction of a criminal healthcare investigation.

Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details, and they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter today.

Evaluation

Do I Need My HIPAA Security Plan Evaluated?

It is important for Covered Entities (CEs) and Business Associates (BAs) to know if their security plans and procedures continue to adequately protect their electronic protected health information (ePHI). To accomplish this, CEs and BAs must implement and monitor their Evaluation Plan. CEs and BAs must periodically evaluate their strategy and systems to ensure that the security requirements continue to meet their organizations’ operating environments.

The Evaluation standard, § 164.308(a)(8), has no separate implementation specification. The standard requires CEs and BAs to:

“Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart [the Security Rule].”

The purpose of the evaluation is to establish a process for CEs and BAs to review and maintain reasonable and appropriate security measures to comply with the Security Rule. Initially the evaluation must be based on the security standards implemented to comply with the Security Rule. Subsequent periodic evaluations must be performed in response to environmental or operational changes that affect the security of your ePHI. On-going evaluations should also be performed on a scheduled basis, such as annually or every two years. The evaluations must include reviews of the technical and non-technical aspects of your security program.

Sample questions for CEs and BAs to consider:

• How often should an evaluation be done? For example, are additional evaluations performed if security incidents are identified, changes are made in the organization, or new technology is implemented?
• Is an internal or external evaluation, or a combination of both, most appropriate for the CE or BA?
• Are periodic evaluation reports and the supporting materials considered in the analysis, recommendations, and subsequent changes fully documented?

On-going evaluations of security measures are the best way to ensure all ePHI is adequately protected.

Note: Security is not a one-time project, but rather an on-going, dynamic process that will create new challenges as CEs’ and BAs’ organizations and technologies change.

Covered Entities and Business Associates need to understand your patients are entrusting YOU with their most private and intimate details, and they expect it to remain secure. Besides, it is YOUR practice, YOUR patients, YOUR reputation, and YOUR legacy! Why are you leaving yourself wide open to such risks?

For tips like this and more, request your copy of our “HIPAA Security Rule – Know The Rules!” Newsletter today.