The State of Security, Privacy & Compliance
In This Issue
The Next Mega Breach: CareFirst 
Focus on Security & Compliance Will Follow 
New Infographic on Breaches
Reducing Business Associate Risks Podcast
Bill That Would Alter HIPAA Advances
Compliance Q&A: OCR Audits Are Back 


June 2015

Mega breaches are starting to become a monthly occurrence across the healthcare industry. By the end of May, OCR's wall of shame showed more than 93 million individuals affected by a breach. Check out our infographic to learn more about breaches around the industry. 


Additionally, CynergisTek would like to share some other important news from the month of May, such as updates on a potential bill that could change HIPAA, as well as a podcast on how to reduce risks with third party vendors. Also be sure to read this month's compliance question to learn more about the return of OCR's random audit program.


Top Articles From May
The Next Mega Breach: CareFirst
Recently CareFirst reported the next mega breach, with 1.1 million records exposed. Compromised information includes usernames, names, dates of birth, email addresses and subscriber identification numbers. According to CynergisTek CEO Mac McMillan, "These breaches we're seeing wouldn't be near as large as they are if they weren't holding on to so much data."
Focus on Security & Compliance Will Follow
Some experts say that improving security helps lead to compliance. CIOs should look at improving the maturity of their information security program, and compliance will be part of the result of improving the program. 
Infographic: Healthcare Data Breaches
Did you know that 91% of healthcare organizations have experienced at least one breach in the past two years?* So far in 2015 one-third of breaches have been caused by hacking/IT incidents. Download our latest infographic to learn more.
Reduce Business Associate Risks Podcast

A recent survey conducted by Health Information Security Today found that healthcare organizations are most worried about their business associates not taking security seriously enough. Despite this, many providers aren't taking any action to address this challenge. According to the survey, "Some 48 percent have revised their policies for BAs reporting breaches. But only 26 percent have asked BAs to provide a copy of a security audit; 24 percent have obtained a copy of their BAs' security policies; and 15 percent have commissioned third-party validation of the BA's policies and procedures."

Bill That Would Alter HIPAA Privacy Rule Advances
The 21st Century Cure bill made progress by passing its first Congressional hurdle. The bill would make substantial changes to the HIPAA Privacy Rule. Among the significant changes are provisions that could penalize entities for not meeting interoperable and secure information exchange standards. It could also impose monetary penalties on healthcare entities that inappropriately block information sharing.
Compliance Q&A: OCR Audits Are Back
This month's compliance Q&A is about the upcoming OCR audits now that covered entities are starting to receive surveys. 

What steps should my organization take to get a head start?   

One thing is for sure: You don't want to wait until you get a notification letter from the Office for Civil Rights before you start preparing for a HIPAA audit. OCR plans to audit 200+ covered entities, including healthcare providers and employer-sponsored group health plans, to measure their compliance with the HIPAA Privacy Rule, Security Rule, and breach notification requirements. These CE audits will be followed by up to 400 audits of business associates to measure their compliance with the Security Rule and how they intend to approach their obligations under the Privacy and Breach Notification Rules.

One thing organizations should be doing to prepare is reviewing OCR's audit protocol, as well as the HIPAA and HITECH regulations themselves. Then they need to make sure they have guidelines, policies, and procedures in place to support the regulations, and ensure those documents are revised to stay up to date.

Thank you for reading this month's newsletter. Email us if you have a compliance question you would like answered in next month's newsletter.


The CynergisTek Team
