Summary: CMS proposes new Medicare Conditions of Participation for hospitals (including psychiatric and critical access hospitals) that will require the hospital EHR to send electronic event notifications to other providers when a patient has been admitted, discharged or transferred. What must hospitals do, and how much time is needed, to operationalize the new CoPs, considering a process will need to be developed that identifies providers who should and can receive these event notices? What will be required, and how much time is needed, to reconfigure EHRs to send the notifications and demonstrate compliance with the multiple facets of the CoP? CMS is seeking stakeholder input on the proposal, including a reasonable time frame for implementation. UPDATE: On April 19, 2019, CMS extended the comments deadline from May 3, 2019 until June 3, 2019.
Among the many mandates of the Affordable Care Act (ACA) (a/k/a “Obama Care”) still in force today is Section 1557. Section 1557 prohibits discrimination on the basis of race, color, national origin, sex, age, or disability in certain health programs or activities. The U.S. Department of Health & Human Services (HHS) Office for Civil Rights (OCR) is the agency vested with responsibility for implementing and enforcing Section 1557. On May 16, 2016, OCR issued a Final Rule that requires entities covered by the ACA to notify beneficiaries, enrollees, applicants, or members of the public of Section 1557’s nondiscrimination prohibitions. This notice must be included in the entity’s “significant” publications and communications.
You might ask, “Why am I reading about this on a legal blog about privacy and security?” This is because OCR determined that the Notice of Privacy Practices, which healthcare providers and health plans issue to patients and plan members, is a “significant” publication or communication. As a result, health care providers and health plans that are subject to both Section 1557 and the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) must add the Section 1557 nondiscrimination notices and taglines to their Notice of Privacy Practices. Health plans should add such notices and taglines to their Summary of Benefits and Coverage as well.
What Happened. According to several healthcare news sources, on Thursday, January 18, 2018, Allscripts experienced a ransomware attack on the computer servers that host the Allscripts cloud-based EHR and the Allscripts cloud-based Electronic Prescriptions for Controlled Substances (“EPCS”) platform. Allscripts did not pay the ransom because it had recent data backups that were unaffected by the attack.¹
Initial Impact on Allscripts’ Clients. The EPCS reportedly was restored on Saturday, January 20, 2018. The EHR system reportedly continued to be adversely affected through at least Monday, January 22, 2018, with some providers still reporting log-in issues through Wednesday, January 24, 2018. Allscripts held a conference call with providers in which it advised providers that they may continue to experience usage interruptions with the cloud-based products until Allscripts completed a roll-out of security updates. During down times, Allscripts urged providers to use the Allscripts mobile solution (only available on the iPhone) to view medical histories and schedules but acknowledged that providers would be unable to
A massive email phishing campaign started Wednesday afternoon. The email attacks target Google accounts but have spread to other email accounts as people have been tricked into clicking on the link in the email and have unwittingly supplied their Google account access credentials and access to their contacts.
The reports of the malicious emails are coming from people across a range of industries. The emails contain what looks like a link to a Google Docs document and appear to come from someone you know. These emails, however, are malicious and are designed to trick the recipient in a way that allows the cybercriminal to hijack email accounts or infect the user’s computer.
If you receive an email with a link to Google Docs, BEWARE! These emails are designed to look like they come from a trusted or known source. Do not click on any links in emails that you were not expecting.
A screenshot of one of the Google Docs phishing emails is shown below. If you receive one of these emails, delete it ASAP. If you use Gmail or Google Inbox, consider activating the 2-factor authentication feature to secure your account.
Several major news organizations and cable networks are reporting on this story. For the most up-to-date news on this developing story, use your favorite internet search engine to search for “google phishing email scam”.
A sample Google Docs phishing email. The form and style of the email may vary from this sample.
To read Google’s Gmail Help on phishing emails, use your preferred internet search engine and search for: “Google Help and how to avoid and report phishing emails”.
If you are attacked by malware or a phishing email that compromises your organization’s privacy and security, Wyatt’s experienced Data Security Incident Response Team is ready to help.