The State of Security, Privacy & Compliance

January 2015

2015 is already shaping up to be a busy year for healthcare IT professionals. Emerging threats continue to plague the industry, OCR is likely to be more active in enforcing HIPAA and assessing penalties against those not in compliance, the next Meaningful Use deadlines are quickly approaching, and states are proposing and implementing more stringent rules around protecting sensitive data. Read below to learn more about what 2015 might hold, as well as to view recent news from around the industry and CynergisTek.

A. What Will HIPAA Enforcer Do in 2015?
David Holtzman recently wrote a blog post discussing possible regulatory and enforcement activities we could see this year from OCR. Holtzman pointed out that while 2014 represented a year of change with new leadership at the agency, the settlement involving an Alaska mental health group signals that OCR will likely be more aggressive in pursuing enforcement of the HIPAA rules.


David provides additional insight on OCR's efforts to produce a regulation expanding the requirements for Accounting of Disclosures and does not expect that we will see a final rule in the near future. In this blog post, David also provides analysis of steps OCR might take with the HITECH mandate to share monetary settlements with consumers and what HIPAA audits might look like.

B. Obama Addresses Cybersecurity
As we all know, data security has been a challenge and we've seen major breaches across several industries. For healthcare, the Ponemon Institute's annual report found that 90% of respondents had at least one breach in the past two years. Cybersecurity has drawn some recent attention, and is now being addressed by President Obama.

C. Tips For Effective HIPAA Compliance

In the January edition of Report on Patient Privacy, several experts provide guidance for compliance officers on how they can be more effective in their role. David Holtzman starts with leadership. "Studies suggest that compliance programs are more effective when there is an identifiable leader and a face to go with the name." He also suggests more collaboration between privacy and information security professionals to stay on top of threats and reduce risk. Another expert advises getting on listservs, monitoring LinkedIn groups and asking security firms for updates to help stay on top of threats. As Heartbleed proved to us last year, this is more important now than ever as attacks become more sophisticated.


Other experts suggest that compliance officers should schedule compliance-related events in advance to demonstrate their commitment to compliance and the importance of training staff and peers. One suggests refreshing colleagues and staff by playing some of OCR's short videos and podcasts when all of the staff are together. These videos are short and free, and as the OIG website states, "(the videos) cover major health care fraud and abuse laws, the basics of health care compliance programs, and what to do when a compliance issue arises."

The article provides other guidance and can be accessed by subscribers of the publication. To access this month's newsletter or to subscribe, click the "Read More" button below. If you would like CynergisTek's tips on how to be effective at HIPAA compliance, email us or attend one of our upcoming events.

D. More State Laws to Come in 2015
Some states made recent headlines for their efforts to protect sensitive data and PHI. Earlier this month, New Jersey's Governor Christie signed a bill that will require health insurance carriers to encrypt sensitive data such as Social Security numbers. Meanwhile, New York has new proposed legislation for particular data security protections that would hold entities completely at fault for not properly protecting data.

Top 10 Tech Trends: Hackers Are Here
Research shows that cyber attacks have doubled in the healthcare industry over the past five years and they are only going to increase. Phishing emails and application-level hacks will continue to pose a big cyber security threat in 2015. One CISO tells his story of how his hospital was the target of a distributed denial-of-service (DDoS) attack and how he survived it.

E. CynergisTek to Support CHIME & iHT2 Events
CynergisTek recently announced that it will continue to support the industry by participating in four CHIME LEAD Forum events in 2015. CynergisTek CEO Mac McMillan will deliver the opening keynote address at all four events, entitled "What is Cybersecurity and Why is it Crucial to Your Organization". McMillan's presentation will educate attendees on, and create awareness of, these important issues - the first step in making effective cyber security part of an organization's overall culture. Following the CHIME Forum events, CynergisTek will attend the Institute of Health Information Technology Transformation (iHT2) Health IT Summits.

F. Compliance Q&A
This month, David Holtzman addresses the question, "How do I report a breach to HHS?" 

The Breach Notification Rule requires a covered entity to notify HHS through its web portal if the entity discovers a breach of unsecured protected health information. If a breach affects 500 or more individuals, a covered entity must notify HHS of the breach no later than 60 calendar days from the discovery of the breach. A covered entity is not required to wait until the end of the year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered. The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident. Entities must notify HHS by February 28, 2015 of breaches that occurred in 2014 and affected fewer than 500 individuals.

Thank you for reading this month's newsletter. We would appreciate your suggestions on the news you would like to receive; please take our short survey.


The CynergisTek Team