The State of Security, Privacy & Compliance
In This Issue
OCR Fines Small Pharmacy $125,000 
Takeaways from HIMSS15
Reactions to Meaningful Use Changes
Phishing Attack Leads to Another Breach 
OCR Audits 
New Compliance Program for Business Associates 
More From HIMSS15
Compliance Q&A 


April 2015

Thank you to everyone who came by our booth at HIMSS and HCCA Compliance Institute. It was good to see everyone and we look forward to next year's conferences. This month's newsletter includes a few takeaways from HIMSS, as well as information on OCR audits, changes to Meaningful Use and the latest breaches and enforcement actions around the industry.

OCR Issues $125,000 Enforcement Penalty
A small pharmacy was issued a $125,000 enforcement penalty by OCR this week and agreed to a corrective action plan. OCR fined the pharmacy for improperly disposing of the records of more than 1,600 patients. Upon investigation, OCR found that the pharmacy had violated the HIPAA Privacy Rule by not implementing patient privacy policies or procedures.

"Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons," says OCR Director Jocelyn Samuels. "Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper."

HIMSS15: 3 Privacy, Security Takeaways
Interoperability, Cyberthreats & New Targets

EHR interoperability was a huge topic at HIMSS. ONC Privacy Officer Lucia Savage spoke about how ONC is working with HHS on it. There was also a lot of buzz about emerging and evolving cyberthreats in the wake of the Anthem and Premera Blue Cross breaches. Both are reminders of why we need to ramp up our risk management programs. Everyone was talking about how healthcare will continue to be a big target because of the large amount of sensitive data we hold.
Reactions to MU Stage 3 - in 20 Seconds or Less
Becker's Health IT & CIO Review asked several industry experts for their take on Meaningful Use Stage 3 while at HIMSS. Experts had a mix of reactions, ranging from "it is a step backwards" to hoping it will make interoperability really happen.
Another Breach Caused by a Phishing Attack
Several experts and research reports have said that phishing will continue to trend and be a common cause of breaches this year. Employees are being targeted every day by cyber criminals. In the latest healthcare breach, a user name and password were compromised through a phishing scam. As a result, nearly 760 patients' records were exposed, including names, dates of birth, phone numbers, some Social Security numbers and some clinical information. We still have not heard for certain what caused the Anthem and Premera Blue Cross breaches, but many believe that both were the result of a spear-phishing attack.
Podcast: OCR Audits for CEs & BAs

CynergisTek's VP of Compliance, David Holtzman, recently recorded a two-part podcast with Shaun Sutner of SearchHealthIT. In the podcast they cover multiple topics related to the forthcoming OCR HIPAA audits. Listen to Part One: "Expert warns OCR HIPAA audits ahead" and Part Two: "Healthcare business associates to be audited".

CynergisTek Offers New Compliance Program for Business Associates
CynergisTek now offers a managed service designed to provide Business Associates of Covered Entities with the same ongoing technical testing, advisory services, and executive reviews of security infrastructure that the company offers its provider clients. CynergisTek is offering the Business Associate Compliance Assist Partner Program (BA CAPP) to meet growing demand by these organizations for trusted, outsourced support in managing their liability for the data they receive, create, transmit or retain, given the advent of the HIPAA Omnibus Rule.
More From HIMSS15

HITECH Answers featured several podcasts recorded on the floor at HIMSS15 with various thought leaders, including CynergisTek's CEO Mac McMillan. He gives advice on addressing privacy and security as the threat landscape continues to grow.


Compliance Q&A
This month's compliance Q&A is about the recent proposed changes to Meaningful Use (MU). David Holtzman addresses what providers should take into consideration about attesting to MU this year.

CMS has recently published two major rulemakings changing the requirements for the Meaningful Use program. One of these proposed rules seeks to make changes for the 2015 reporting year. What decisions should I make now concerning our attesting to MU this year?

CMS published a proposed rule that would make changes to the reporting period for hospitals and the data collection period. 

CMS is using this new 2015 MU proposed rule to extend the reporting period for Critical Access Hospitals (CAH) and Eligible Hospitals (EH) so that the reporting period for attesting to MU ends with the calendar year. This means that for an EH or CAH the current MU reporting period that began on October 1, 2014 would not end on September 30, 2015, but would be extended to December 31, 2015. Beginning in 2016, the reporting period for an EH or CAH would be the calendar year. The reporting period for Eligible Providers (EP) would not change under this proposal.

An EH, CAH or EP would still have 60 days from the end of the reporting year to file its attestation for MU. If the CMS rule is adopted as proposed, the deadline for all filers to attest to MU in the current reporting year would be February 29, 2016.

CMS is also proposing to make the data collection period for the 2015 reporting year 90 consecutive days for any hospital or provider attesting to MU. If the CMS rule is adopted as proposed, an EH or CAH could use data collected for any continuous 90-day period between October 1, 2014 and December 31, 2015. EPs would report data from 90 consecutive days collected during their calendar-year reporting period.

The current Stage 2 MU Rule calls for a 12-month data collection period to support this year's demonstration of MU. In the new 2015 MU proposed rule, CMS affirms that it is offering the 90-day data collection period for the 2015 MU reporting period only. The 12-month data collection period will be required for the 2016 and 2017 MU reporting periods.

The proposed rulemaking issued by CMS for changes to the 2015-17 Meaningful Use Program is just that: a proposal. There is no firm date by which CMS would adopt a final rule, and CMS could also modify the rulemaking when it is adopted in its final form. However, there is a high level of confidence in the major provisions of these regulatory changes, because CMS officials had been speaking for many months about the changes the agency was contemplating.

Thank you for reading this month's newsletter. Email us if you have a compliance question you would like answered in next month's newsletter.


The CynergisTek Team
