HIPAA Compliance for Medical Practices

HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Use the Right Tools to Protect Patient Data and HIPAA Compliance

The focus on securely storing and protecting your patients' information mandate that you use the right tools and systems to fulfill this requirement. This necessity should generate at least two questions.

  • Are you using the right tools now to protect your patient data?
  • How can you ensure that you use the best systems to securely store and protect your patient information?

Consider these suggestions to create a checklist of features your system should include to meet privacy, storage and protection guidelines. These tips will help you identify the right tools to safely protect patient data and satisfy security mandates.

How to Identify the Right Tools for Patient Data Security

A. Examine current administrative safeguards:

  • Perform a risk assessment.
  • Design a risk management procedure.
  • Create practice policies for safe and secure storage of patient data.

B. Evaluate Your Physical Security Measures:

  • Limit physical access to your systems that store patient information.
  • Password protect workstations that have access to patient health information (PHI).
  • Prohibit removal of electronic media with PHI from the workplace.

C. Analyze Your Technical Security Procedures:

  • Give access to PHI only to those that need it, on a "need to know" basis.
  • Create an internal audit procedure to examine your IT tools that contain PHI.
  • Ensure your electronic systems have high-level integrity to prevent others from altering, destroying or changing PHI.
  • Evaluate the security of your transmission of PHI over electronic networks.

Suggestions to Have the Right Tools to Meet Meaningful Use and PHI Security Requirements

  • Display leadership by emphasizing the importance of protecting patient information to ensure privacy and security.
  • Document all policies, procedures and efforts to ensure security.
  • Evaluate your security analysis results to identify risks to PHI.
  • After analysis and evaluation, create a new action plan, if necessary.
  • Be sure your action plan and tools mitigate risks, which can be lowered to manageable levels.
  • Ensure your electronic health records (EHRs) are protected by having locked server rooms, using strong passwords, performing regular backups and having disaster plans for data recovery after server crashes.
  • Give your staff thorough education and training on protecting PHI.
  • Advise your patients that their information is confidential and protected, to minimize patient privacy concerns.
  • Ensure your "business associate agreements" contain language that mandates they remain in HIPAA privacy and security compliance.
  • Register for EHR Incentive Programs only after you can attest (with confidence) that your practice meets or exceeds meaningful use requirements, including documentation that you've performed a security risk analysis and identified potential problems with PHI security.
  • Consider using a top third-party medical documentation and billing firm, such as M-Scribe Technologies, to minimize the staff burden of compliance with regulations and better ensure practice compliance.

Hopefully, you have not made a major investment in IT systems that fall short of ensuring security and protection of patient information and EHRs. However, going through this checklist will determine if your systems and procedures are sufficient to be considered the right tools and policies to securely protect your patient data.

Understand that your objectivity in evaluating your current tools is critical to installing the best systems to ensure patient privacy and information protection. Spending time analyzing the tools now in use is more efficient than needing to fix leaked or unlawfully changed patient data. Solutions are more like putting toothpaste back into its tube or unringing a bell than finding answers to problems: serious damage may already have been done.

Identifying the right tools to protect patient data--and yourself--will eliminate (or minimize) the need for costly solutions after a problem occurs. Once you take action to maintain security, if appropriate, or improve EHR safety, if necessary, be sure to document your efforts. Should HIPAA or other regulators ask for evidence, you'll have it, further protecting yourself from challenges.

Technical Dr. Inc.'s insight:
Contact Details:
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

HIPAA Could Hurt, Not Help, Data Privacy and Security

By now, you have probably heard about the theft of more than 14 million dossiers on federal employees and the theft of the personal health information (PHI) of 80 million people from Anthem-Blue Cross. You may not have heard about many of the other computer security flaws and breaches that are reported almost daily.

Here are a few from the last couple of weeks:

  • A vulnerability in Samsung's Android keyboard installed on over 600m devices worldwide could allow hackers to take full control of the smartphone or tablet.
  • Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users' personal information, including passwords, addresses, door codes, and location data, vulnerable to hackers.
  • Macs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction.
  • Professor Phil Koopman, an expert who testified at one of the Toyota "sticking throttle" trials, detailed a myriad of defects in the software of the throttle control system and in Toyota's software development process. Michael Barr, another expert, cited a heavily redacted report that suggests the presence of at least 243 violations of the "Power of 10—Rules for Developing Safety Critical Code," published in IEEE Computer in 2006 by NASA team member Gerard Holzmann.
  • The Boeing 787 aircraft's electrical power control units shut down if powered without interruption for 248 days. As a result, the FAA is telling the airlines they have to do a maintenance reboot of their planes every 120 days.

I've always assumed, as I imagine that you have, that, if any organizations could be expected to use "best practices" and thereby avoid flaws and breaches, it would be Anthem, the feds, Google, Samsung, Apple, Boeing, and Toyota. The only reasonable conclusion is that impenetrable, flaw-free systems are simply not possible and this will not change any time soon. Keep that in mind during the upcoming discussion.


The government, at the behest of lawmakers, loves to tell people what to do. Feasibility and relevance are annoying details best dispensed with. Even vocal conservatives and libertarians, who should be staying out of other people's business on principle, love to tell people what to do. These folks got together in 1996 and enacted HIPAA (in full disclosure, I testified before a congressional subcommittee on this bill before it was enacted).

Among other things, HIPAA tells people what to do about privacy and security of patient data, but without much evidence that they needed telling.

I always wondered:

  1. Were privacy and security a huge, out-of-control problem before HIPAA?
  2. What was the evidence that existing laws regarding inappropriate release of PHI were not sufficient to induce people to exercise due diligence? If they were adequate, were they being enforced? If they were inadequate, could they not have been strengthened?
  3. Has HIPAA helped?
  4. Do billions of signed statements acknowledging privacy policies actually protect anyone's privacy?
  5. If there was an incremental improvement as a result of HIPAA, was it worth the billions that have been spent?
  6. Do the penalties reduce the chances of a breach?
  7. And finally, is there any chance that the technical measures that are demanded will be effective, given the state of the art?

The approach to the first six questions has basically been one of "don't ask, don't tell," so we will never be able to judge whether the whole thing was worth the trouble or not. The answer to the last question, based on the material presented in the introduction, is: No. The technical expectations embodied in HIPAA are little more than someone's dream. There is no evidence that even the most capable, best-resourced organizations in the country are capable of satisfying them (that doesn't mean they shouldn't try). A great deal of time and money could be saved or redirected to patient care if a more realistic approach were taken toward privacy and security. The magnitude and prevalence of breaches have been growing steadily. As it stands, HIPAA may actually be harmful because it distracts attention and diverts resources away from those actions that might actually improve privacy and security.

4 Steps to Mitigate a HIPAA Breach and Other Tips You Need to Know

Have you been the victim of a breach? Maybe not, but perhaps you know someone who has. Either way, deciding what to do next can be challenging if you're unprepared. 

First, it's important to determine whether the incident is truly a breach or simply a false alarm, then follow these guidelines to quickly respond.

What is Considered a Breach?
The Department of Health and Human Services (HHS) defines a breach as:

“The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

The reason I bring this up is that the definition was updated with the latest Omnibus Ruling which no longer includes the “Harm Standard.” This means if you have a release of information of any kind, be it a fax or email to the wrong person, malware attack, loss of unencrypted device, etc., you have a breach. This is different from the early version of the law which required you to prove the information had been compromised. Now, it’s presumed a breach unless proven otherwise.

Steps to Mitigating a Breach
When responding to a breach, HHS expects you to have your response protocol in place BEFORE a breach happens, so we highly recommend including this as part of your HIPAA Compliance Plan. This is the best way to protect yourself if and when a breach does occur. To get started, follow these four steps: 

Step 1: Perform A Risk Analysis
This first step is important and is required by HIPAA. Your Risk Analysis needs to be conducted quickly and should be as thorough as possible. Here's what to look for:

  1. When did the breach start and end?
  2. What date did you discover the breach?
  3. Approximately how many individuals are affected?
  4. What type of breach has occurred?
    • Hacking/IT Incident
    • Improper disposal of PHI
    • Loss 
    • Theft 
    • Unauthorized Access/Disclosure
  5. Where did the breach occur?
  6. What type of PHI is involved?
    • Clinical
    • Demographic
    • Financial
    • Other

As you review this information, you will have a better idea of what happened and whether or not a breach actually took place.

Step 2: Contact the Authorities
At this point, if you’ve discovered that indeed this is a breach, and if you determine a criminal act has transpired, contact your local authorities. For malware issues, you may be referred to the FBI to file an official complaint. 

Step 3: Notification of Patients
Each patient must be notified of the breach by U.S. Mail, unless you have clearly outlined in your Notice of Privacy Practices that notifications will be sent by email. However, if you determine notifications will be sent electronically, all patients must agree and sign off on this method of communication. This can save you a lot of time and money, so we highly recommend including this clause in your compliance plan. To add this clause, contact your lawyer, or the team at Total HIPAA to make sure this is properly laid out.

The Substitute Notice: This is required when you cannot reach 10 or more individuals. You now have two options: 1) You may post the Notice on your website for 90 days, or 2) You can contact local media outlets and have them post the breach notification.

What is Required to be in the Patient Notification?

  1. A brief description of what happened, the date of the breach and the date the breach was discovered.

  2. A description of the types of unsecured PHI involved in the breach (name, address, date of birth, SSN, health information, treatment codes, etc.)

  3. The steps individuals should take to protect themselves from potential harm. The action could be different for each incident.

  4. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate damage, and to protect against future breaches.

  5. Contact procedures for individuals to ask questions or learn additional information: a phone number, an email address, a website or a postal address.

Step 4: Notifying HHS of the Breach, or The Rule of 500

Under 500 Patients Affected
If you have a breach of fewer than 500 patients’ information, you are not required to notify HHS at the time the breach is discovered. You will however need to document all the items described above and report the breach to HHS at the end of the calendar year. Notifications must be submitted to HHS within 60 days of the last day of the year and can be filed online using the OCR's notification portal.

Over 500 Patients Affected
If you have a breach affecting more than 500 patients’ information, you are required to notify HHS immediately. You should also verify the HIPAA breach notification rules for your respective state, as these may vary. In several states, such as California, you are also required to notify the Office of the Attorney General. As always, check with your attorney if you have any questions about your specific state’s notification requirements.
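The data points Step 1 asks for and the notification rules in Steps 3 and 4 can be written down once as a small breach-log helper, so that whoever is on call gets the same answer every time instead of reconstructing the rules under pressure. The Python below is an added example, not code from the original article or from Total HIPAA; the record fields, function names and the sample incidents are constructed. Two details it relies on are not stated in the article and are labelled in the comments: the Breach Notification Rule counts 500 or more affected individuals as a large breach (the article's wording leaves exactly 500 unstated), and individual notices are due no later than 60 days after discovery (45 CFR 164.404 and 164.408). It also treats encrypted data as "secured" PHI outside the rule, per HHS guidance.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional, Tuple

# Constructed example: a breach-log record and the obligations it triggers.

class BreachType(Enum):  # the categories Step 1 asks you to choose from
    HACKING_IT = "Hacking/IT Incident"
    IMPROPER_DISPOSAL = "Improper disposal of PHI"
    LOSS = "Loss"
    THEFT = "Theft"
    UNAUTHORIZED_ACCESS = "Unauthorized Access/Disclosure"

LARGE_BREACH = 500       # the "rule of 500"; 45 CFR 164.408 counts 500 or more (not on the page)
SUBSTITUTE_NOTICE = 10   # substitute notice when 10 or more individuals cannot be reached
DAYS = 60                # individual-notice limit after discovery (45 CFR 164.404, not on the
                         # page) and the page's small-breach report window after year end

@dataclass
class BreachRecord:
    """The six data points of Step 1; dates are ISO strings as typed into the breach log."""
    started: str
    ended: str
    discovered: str
    affected: int                  # approximate number of individuals
    breach_type: BreachType
    location: str
    phi_types: Tuple[str, ...]      # from "Clinical", "Demographic", "Financial", "Other"
    unreachable: int = 0           # individuals with no usable contact information
    phi_encrypted: bool = False    # encrypted PHI is "secured", so the rule does not apply

    def __post_init__(self):
        self.started = date.fromisoformat(self.started)
        self.ended = date.fromisoformat(self.ended)
        self.discovered = date.fromisoformat(self.discovered)

@dataclass
class Obligations:
    presumed_breach: bool
    notify_patients_by: Optional[date]
    substitute_notice: bool
    hhs_report: str
    hhs_report_by: Optional[date]
    notes: List[str] = field(default_factory=list)

def assess(r: BreachRecord) -> Obligations:
    """Turn a Step 1 record into the notifications owed and their deadlines."""
    notes = []
    if r.discovered < r.ended:
        notes.append("discovery date precedes the end of the incident; re-check the timeline")
    if r.phi_encrypted:
        # Lost or stolen data that was encrypted is not "unsecured PHI" under HHS guidance,
        # so no notification is owed; the risk analysis itself is still required and kept.
        return Obligations(False, None, False, "none: PHI was secured by encryption", None,
                           notes + ["document the risk analysis and retain the record"])
    # Omnibus rule, as the article reads it: any impermissible disclosure is presumed a
    # breach unless a documented assessment shows a low probability of compromise.
    notify_by = r.discovered + timedelta(days=DAYS)
    substitute = r.unreachable >= SUBSTITUTE_NOTICE
    if substitute:
        notes.append("substitute notice: post on the website for 90 days or use local media")
    if r.affected >= LARGE_BREACH:
        hhs = "notify HHS now; also check state requirements (e.g. the state AG)"
        hhs_by = notify_by
    else:
        hhs = "log now; include in the annual report to HHS"
        hhs_by = date(r.discovered.year, 12, 31) + timedelta(days=DAYS)
    return Obligations(True, notify_by, substitute, hhs, hhs_by, notes)

def patient_notice(r: BreachRecord) -> List[str]:
    """The five elements the article requires in every patient letter."""
    return [
        f"What happened: {r.breach_type.value} at {r.location}, "
        f"{r.started} to {r.ended}, discovered {r.discovered}.",
        f"Unsecured PHI involved: {', '.join(r.phi_types)}.",
        "Steps individuals should take to protect themselves from potential harm.",
        "What we are doing to investigate, mitigate damage and prevent a recurrence.",
        "How to reach us: phone number, email address, website or postal address.",
    ]

if __name__ == "__main__":
    # Constructed incident: an unencrypted laptop lost on 2015-06-03, noticed a week later.
    laptop = BreachRecord("2015-06-01", "2015-06-03", "2015-06-10", 120, BreachType.LOSS,
                          "clinic front desk", ("Clinical", "Demographic"), unreachable=3)
    o = assess(laptop)
    print(o.hhs_report, "by", o.hhs_report_by)   # annual report, due 2016-02-29
    print("patients by", o.notify_patients_by)    # 2015-08-09
    print("\n".join(patient_notice(laptop)))
```

The one design choice worth noting is that the encrypted case returns early with `presumed_breach=False` but still tells the responder to keep the risk analysis: the article's point that the analysis is required regardless of the outcome is preserved, while the record shows why no letters went out. A real breach log would also carry the state-law checks mentioned in the article, which vary and are deliberately left as a note here rather than encoded.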

What Happens if You Don’t Self-Report a Breach?
If you are chosen for a HIPAA audit and the auditor discovers you have not self-reported breaches, this falls under the Willful Neglect provision, and you may be fined starting at $10,000 per violation. As you can see, self-reporting is the better action here.

Exceptions to Notification Rules
Law enforcement officials may ask the Covered Entity to refrain from posting any notification if they believe it could impede a criminal investigation or may cause damage to national security.

What Happens if your Business Associate is responsible for a Breach?
Unfortunately, this is happening more and more, and though you have a Business Associate Agreement in place, this could still open you up to an audit from HHS as a result of the Common Agency Provision in the Omnibus Ruling.

We recommend that you have a clause in your Business Associate Agreement that states you will be notified within 15 days of a suspected breach of information. Since you are the Covered Entity, it's best that you take the lead on patient notification. Make sure you get a full report from your Business Associate, and what they are doing to mitigate the breach. It’s important to communicate all relevant information to your patients so they can protect themselves.
