HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Does HIPAA Restrict Healthcare Professionals from Communicating with Family and Friends?


Buddy Dyer, the mayor of Orlando, requested a waiver of the HIPAA rules following the June 12 shooting at Pulse Nightclub. Families and loved ones were inquiring about the status of patients located at local hospitals, but were not provided timely reports. Many of the patients being treated at the hospitals in Orlando did not have formalized legal relationships, and the mayor felt HIPAA would slow down the sharing of information with partners.

Some healthcare professionals feel that HIPAA restricts them from providing information about patients to their families and loved ones. There are stories of loved ones denied information about elderly parents or adult children by medical professionals citing HIPAA. In many cases, healthcare professionals do not understand the flexibility of HIPAA.

In order to understand whether Mayor Dyer and healthcare providers need to be concerned about HIPAA restrictions, let’s look at the law. The waiver described under Section 1135 of the Social Security Act includes suspending certain HIPAA provisions to protect physicians, emergency medical staff, and law enforcement agencies, so that they will not face penalties and sanctions for the release of PHI in a crisis.

The suspended requirements are:

  1. 45 C.F.R. § 164.510 requiring healthcare providers to obtain a patient’s agreement so that a medical professional can speak with family members or friends or provide patients the right to opt out of the facility directory;
  2. 45 C.F.R. § 164.520, the requirement to distribute a Notice of Privacy Practices to patients; and
  3. 45 C.F.R. § 164.522, the patient’s right to request privacy restrictions or confidential communications.

In 2010 President Obama issued an executive memo ordering the Department of Health and Human Services (HHS) to address the issue of hospital visitation for same-sex couples. Later that same year, the department prohibited hospitals from discriminating against visitation rights based on sexual orientation and gender identity.

A statement from HHS Assistant Secretary for Public Affairs Kevin Griffis explained why the waiver was not needed in Orlando:

Entities such as healthcare organizations, government agencies and law enforcement are allowed to exercise professional judgment, as HIPAA provides. For example, PHI communicated by an Emergency Medical Technician (EMT) over the radio to a 911 dispatcher, or between ambulance units, is permitted under HIPAA’s professional-judgment provisions. For most law enforcement personnel, as well as fire departments, the HIPAA Privacy Rule does not apply either, since those disclosures are needed to perform their job duties: they can release PHI about victims of a vehicle accident or for the investigation of a crime scene. The essential point is that as long as the conversations by personnel covered under these provisions are treatment-related disclosures, there is no HIPAA violation. Hospitals and large health organizations must train their emergency staff on HIPAA and on their own specific policies and procedures to comply with the regulations.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr


Employees Are Your Biggest HIPAA Vulnerability

While 2015 was accurately dubbed “The Year of the Healthcare Hack”, according to Experian’s 2016 Data Breach Report, 2016’s largest threat hits much closer to home – it’s your own employees.

The Experian report states, “While large breaches may be compromising millions of people’s records in one fell swoop, smaller incidents caused by employee negligence will also continue to compromise millions of records each year.” Experian predicts that these employee driven breaches will actually cause more damage.1

These smaller incidents collectively put you at risk of an OCR audit, which, in addition to being a distraction from your business, can also lead to fines and penalties. Even if there are no fines or penalties, a minor breach can add up in legal fees, customer notices and, above all, the cost of customer retention communication.

In most cases these are not malicious employee breaches. The majority are caused by lack of understanding and complacency. The first is easy to address: train and test your employees on your HIPAA Policies and Procedures, as HIPAA requires, so they understand the role they play in protecting the health information they touch.

Complacency can be a little more difficult to remedy. Once you have trained your employees on your Policies and Procedures, they go back to their daily routine. Initially they are more aware of HIPAA and of protecting important data, but after a short while they let down their guard. After all, they know their job, they know your customers, and a breach has never happened before, so they begin to feel immune to the potential dangers. Fortunately, there are two steps you can take to keep your employees sharp:

  1. Educate them about the Value of Healthcare Data – It can be difficult for employees to understand why anyone would go to great lengths to get this health information. Helping them see what that data is worth in the wrong hands will give them more of an appreciation for the Policies and Procedures you’ve put in place to protect it.
  2. Remind them regularly – To maintain your HIPAA compliance, all of your employees should be trained annually, but it is unrealistic to expect them to keep that information at the top of their minds long term. Brief monthly trainings or reminders that touch on just one piece of your Policies and Procedures can be enough to make HIPAA a priority all year long.

Employee breaches may be the biggest threat to healthcare data this year, but they don’t have to affect you. The Experian Report points out that, “Organisation that implement regular security training with employees and a culture of security committed to safeguarding data will be better positioned for success.”1


Personally Identifiable Information: HIPAA Best Practices


For most healthcare organizations, protecting patient privacy is the most important aspect of HIPAA, and the most difficult. HIPAA uses the term Protected Health Information (PHI) to refer to protected data, but the concept is very similar to the term Personally Identifiable Information (PII), which is used in other compliance regimes. Understanding how PII and PHI overlap can help organizations unify compliance efforts across regimes, reducing the risk, cost and complexity of keeping data safe.

PHI vs. PII: As the name implies, personally identifiable information is any data that can identify a person. Certain information, like full name, date of birth, address and biometric data, is always considered PII. Other data, like first name, first initial and last name, or even height or weight, may only count as PII in certain circumstances, or when combined with other information.

For example, a record that referred to “Mr. Smith in New York” would be unlikely to contain enough information to give away the subject’s identity. If the patient had a less common name and lived in a small city, however, it would probably count as PII, since it would be easy to deduce who the subject was.

Although it doesn’t explicitly address personally identifiable information, HIPAA regulates situations like this under the term Protected Health Information. PHI includes anything used in a medical context that can identify patients, such as:

  • Name
  • Address
  • Birthday
  • Credit card number
  • Driver’s license
  • Medical records

PHI is subject to strict confidentiality and disclosure requirements that don’t apply to most other industries in the United States. In other words, protecting PHI is always legally required, but protecting PII is only mandated in some cases.

Developing a Unified Compliance Approach

The United States is unusual in having no single privacy and data protection standard or government entity. Instead, American companies face industry-specific laws, along with city, state and international compliance regulations.

Although this allows many industries to use consumer data more extensively, it also creates serious compliance risks. For example, because California has tougher PII laws than other states, a company that legally tracks users from Nevada when they visit its website could breach compliance if a Californian visited the site.

Although PHI requirements are strict, a HIPAA compliance checklist won’t necessarily address PCI, EU data protection laws and other regulations. Rather than developing individual programs for each regime, organizations should implement PII security best practices across the board, then iterate to meet the remaining, regime-specific rules.

Auditing PII: Developing Compliance-Ready Security

Good security starts with identifying PII across your organization, whether it’s in medical databases, email, backups or a partner’s IT environment. PII then needs to be categorized by how much harm a breach could cause — a measurement known as the confidentiality impact level. NIST recommends considering the following factors:

  • Identifiability: Is it easy to uniquely identify the individual using the PII?
  • Quantity of PII: How many identities could be compromised by a breach? The way your data is organized is a factor. For example, a clinic would likely have more PII at risk if it shared a database with allied clinics than if it maintained a separate database.
  • Data Field Sensitivity: How much harm could the data cause if breached? A phone number is less sensitive than a credit card or Social Security number, for example. However, if a breach of the phone number would most likely also compromise name, SSN or other personal data, that phone number should be considered sensitive.
  • Context of Use: Does the way the information is used affect its impact? For example, imagine your hospital had an opt-in newsletter for patients, doctors, organizations and other community members. A list of newsletter subscribers would contain the PII of some patients, but that information would be less sensitive than the same PII in patient medical records, since it wouldn’t necessarily indicate patient status.
  • Obligations to Protect Confidentiality: What information are you required to protect under HIPAA, HITECH, PCI and other regimes? This is obviously a key consideration for healthcare organizations.
  • Access to and Location of PII: The personally identifiable information HIPAA governs is often stored, transported and processed by third-party IT services, accessed offsite by medical professionals who aren’t employees of the organization, and processed by a variety of business associates. This creates risks that wouldn’t be present if, for example, the PII were locked in a vault and could only be accessed by one doctor.

Implementing PII Security Best Practices

Any data you store is potentially vulnerable. Collecting less data and purging unnecessary PII from your records is the easiest way to reduce that vulnerability. You should also de-identify data where possible. When done properly, measures like anonymizing patient feedback and removing or tokenizing PII can take that data out of the scope of HIPAA entirely.
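The de-identification step described above (dropping the direct identifiers the article lists and tokenizing the patient reference) as an added Python example; this is not code from the article or from Technical Dr. Inc. The field names, the HMAC key, the free-text patterns and the sample feedback record are all assumptions constructed for illustration.

```python
# Added example (not from the article): de-identify a patient feedback record
# by dropping the PHI identifier fields the article lists and replacing the
# patient reference with a keyed token. Field names, TOKEN_KEY, the regular
# expressions and the sample record are constructed for illustration.
import hashlib
import hmac
import re
from typing import Any, Dict

# Direct identifiers named as PHI in the article; these are removed outright.
DIRECT_IDENTIFIERS = frozenset(
    {"name", "address", "birthday", "credit_card", "drivers_license"}
)

# Keyed hash (HMAC-SHA256): the same patient always yields the same token,
# so records can still be linked, but nobody without the key can reverse or
# forge the mapping. A real deployment keeps the key in a secrets manager;
# this value is a constructed placeholder.
TOKEN_KEY = b"PLACEHOLDER-replace-with-a-key-from-your-secrets-manager"


def pseudonymize(patient_id: str, key: bytes = TOKEN_KEY) -> str:
    """Return a stable, non-reversible token for a patient identifier."""
    digest = hmac.new(key, patient_id.encode("utf-8"), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


# Identifier shapes that commonly leak into free text. Constructed and
# deliberately narrow; a production scrubber needs a much longer list.
FREETEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
]


def scrub_text(text: str) -> str:
    """Replace identifier-shaped substrings in free text with labels."""
    for pattern, label in FREETEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Produce a de-identified copy of a record.

    - direct identifier fields are dropped,
    - patient_id is replaced by a keyed token under the key patient_token,
    - every remaining string field is scrubbed for identifier-shaped text,
    - non-string fields (ratings, counts) pass through unchanged.
    """
    out: Dict[str, Any] = {}
    for name, value in record.items():
        if name in DIRECT_IDENTIFIERS:
            continue
        if name == "patient_id":
            out["patient_token"] = pseudonymize(str(value))
        elif isinstance(value, str):
            out[name] = scrub_text(value)
        else:
            out[name] = value
    return out


# Constructed sample record (not real data).
SAMPLE_FEEDBACK = {
    "patient_id": "P-1001",
    "name": "Example Patient",
    "birthday": "1984-03-09",
    "address": "12 Example Lane, Smalltown",
    "clinic": "dental",
    "rating": 4,
    "comment": "Call me at 555-123-4567 or pat@example.com about the 4/12/2016 visit.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_FEEDBACK))
```

Using a keyed hash rather than a plain hash is the important design choice: an unkeyed SHA-256 of a patient number can be undone by hashing the small space of plausible numbers, so the "token" would still identify the patient. Whether the output counts as de-identified under HIPAA depends on the complete set of identifiers removed; this block only handles the fields the article lists plus a few free-text patterns.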

 

Access control is another valuable PII security best practice. Sensitive information should only be accessible by people who need it to do their jobs. For example, front desk staff who don’t handle billing don’t need access to complete medical records.
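A "minimum necessary" enforcement point for the front-desk versus billing example above, added here as illustration; it is not code from the article or from Technical Dr. Inc. The roles, the role-to-field policy, the field names and the sample record are constructed assumptions.

```python
# Added example (not from the article): an access check that returns only the
# record fields a role needs for its job, and refuses and logs any request
# that reaches beyond that set. Roles, field names, the policy table and the
# sample record are constructed for illustration.
from dataclasses import dataclass, field
from typing import Any, Dict, FrozenSet, Iterable, List

# Role -> fields that role needs to do its job (constructed policy). Front desk
# staff schedule and greet; they never see diagnoses, lab results or billing.
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "front_desk": frozenset({"patient_id", "name", "phone", "next_appointment"}),
    "billing": frozenset(
        {"patient_id", "name", "address", "insurance_id", "procedure_codes"}
    ),
    "clinician": frozenset(
        {"patient_id", "name", "birthday", "diagnoses", "medications",
         "lab_results", "procedure_codes"}
    ),
}


class AccessDenied(PermissionError):
    """Raised when a role asks for fields outside its permitted set."""


@dataclass
class AccessLog:
    """In-memory audit trail; a real deployment writes to append-only storage."""
    entries: List[Dict[str, Any]] = field(default_factory=list)


def permitted_fields(role: str) -> FrozenSet[str]:
    """Fields a role may see; unknown roles get nothing (deny by default)."""
    return ROLE_FIELDS.get(role, frozenset())


def role_view(record: Dict[str, Any], role: str) -> Dict[str, Any]:
    """Default view: every field the role is permitted to see, nothing more."""
    allowed = permitted_fields(role)
    return {k: v for k, v in record.items() if k in allowed}


def minimum_necessary_view(
    record: Dict[str, Any], role: str, requested: Iterable[str], log: AccessLog
) -> Dict[str, Any]:
    """Return exactly the requested fields if the role may see all of them.

    Over-reach is rejected as a whole rather than silently trimmed: a caller
    that asks for lab results from the front desk gets a refusal that is
    recorded, not a quiet partial answer that hides the policy violation.
    """
    wanted = list(requested)
    denied = sorted(set(wanted) - permitted_fields(role))
    log.entries.append({
        "user_role": role,
        "patient_id": record.get("patient_id"),
        "requested": wanted,
        "denied": denied,
    })
    if denied:
        raise AccessDenied(f"role {role!r} may not read {denied}")
    return {k: record[k] for k in wanted if k in record}


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "name": "Example Patient",
    "phone": "555-123-4567",
    "address": "12 Example Lane",
    "birthday": "1984-03-09",
    "insurance_id": "INS-0001",
    "next_appointment": "2016-07-01 09:30",
    "procedure_codes": ["CODE-0001"],
    "diagnoses": ["example diagnosis"],
    "medications": ["example medication"],
    "lab_results": {"example_test": "positive"},
}

if __name__ == "__main__":
    audit = AccessLog()
    print(role_view(SAMPLE_RECORD, "front_desk"))
    print(minimum_necessary_view(SAMPLE_RECORD, "billing", ["name", "insurance_id"], audit))
    print(audit.entries)
```

The log entry is written before the decision is made, so refused requests leave the same trail as granted ones; reviewing the `denied` column of that trail is how a practice notices a workflow or integration that is routinely asking for more than its role needs.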

In any compliance regime, all sensitive information should be encrypted by default. HIPAA-compliant email and encrypted cloud storage prevent hackers from deciphering PII, even if they intercept it.

Beyond Personally Identifiable Information — HIPAA Business Associates

HIPAA goes beyond PII security best practices in its requirements for partner organizations. Under the HIPAA Privacy Rule, health care providers have considerable legal liability for breaches caused by business associates.

Cloud services, contractors, medical claim processors and most other organizations which use, store or process PHI all count as business associates. You need to sign Business Associate Agreements (BAAs) with each of these organizations, describing:

  • Appropriate use of PHI
  • Safeguards against breaches
  • Steps to remediate breaches and violations
  • Breach notification procedures

Your organization should evaluate business associates carefully to ensure they’re actually capable of holding up their end of the bargain. Organizations should have clearly documented data security policies and practices in place before they sign a BAA, and should voluntarily undergo regular audits to ensure compliance.

Beyond Personally Identifiable Information — HIPAA Notices and Notifications

HIPAA also has strict requirements for how health information can be used and disclosed, and requires that a notice of privacy practices be provided to the patient. The notice of privacy practices should cover a range of information, including:

  • How the organization can use and disclose the patient’s information
  • The patient’s rights
  • The organization’s duty to protect the information, and other legal duties
  • Who the patient should contact for more information

HIPAA also has specific rules for breach notification. Under HIPAA, organizations must notify anyone whose data has been compromised within 60 days of the breach. Making sure your partners use encryption is crucial: encrypted data is exempt from breach notification, unless the key is exposed as well. In many cases, this can make the difference between a close call and a costly breach notification.

Following PII security best practices helps organizations err on the side of caution. HIPAA isn’t a set of arcane and arbitrary rules to make your life difficult — it’s a useful framework to ensure a high standard of care and confidentiality for your patients. A PII best practices approach simplifies compliance by turning it into a single set of rules that can be used across your organization. That makes it easier to keep patients safe, and ensure sensitive information doesn’t fall through the cracks.

HIPAA’s Role in Fostering Trust between Patients and Providers


The following scenario is true, but some of the details have been changed to protect the innocent, and the guilty. The setting is the cramped reception area of a small dental practice. The office manager, who also works the front desk, is on the phone there with a patient.

“Julie Jones? This is Dr. Burton’s office. Your lab results are in and they indicate you’ve tested positive for an STD. You’ll need to schedule an appointment as soon as possible with your primary care physician.”

Her voice drifts over into the nearby waiting room. A few people look up from the magazines they’ve been flipping through. One of them, who happens to be a neighbor of Ms. Jones, arches an eyebrow and softly clucks her tongue. Information that should be confidential between this office and the patient is now dangerously close to public knowledge. With this particular neighbor in the know, people in Julie’s cul-de-sac will probably hear these results well before her current boyfriend.

Informing patients of test results is a normal and necessary part of the workday at every office that deals in healthcare. But in this case, having that conversation where it can be overheard violates Ms. Jones’ right to privacy, a right protected by the law known as HIPAA.

Privacy. A fundamental patient right.

With so much involved in running a successful healthcare practice today, it’s easy to understand how HIPAA has come to be viewed as more of a nuisance than a necessary part of good care. But at its core, HIPAA isn’t about extra logistical hassles or additional work; it’s really about best practices — and creating and maintaining a professional environment that protects every patient’s rights.

The relationship patients have with healthcare professionals is one that involves openness, honesty, and a deep level of trust. Patients tell their providers things about themselves that few others know, intimate details of their lives and health histories.

And they expect that their privacy will be respected – by their doctors and dentists, staff members, and other providers such as labs, X-ray services, and anyone and everyone involved in their treatment. Patients expect that outsiders will not be able to access their information, and that those who need to know will be able to view only the information that’s necessary for treatment.

This way of dealing with health information is more than professional courtesy; it’s a fundamental patient right – the very issue that HIPAA speaks to, ensuring that patients will know when their rights have been violated and can feel confident that the law will be enforced and violations punished.

If patient information isn’t protected, the effects can be far-reaching. In the wrong hands, a person’s health information can be used to tarnish his or her reputation or cause financial harm. In some cases, compromised information can even negatively impact care.

HIPAA helps keep patient data safe

Modern technology has facilitated the quick dispersal of information among various entities; HIPAA helps keep all that data safe. From installing firewalls in the office’s computer system to training employees in the proper protocols when contacting patients, HIPAA, in essence, is all about safeguarding every patient’s right to privacy, security and respect.

Ensuring a patient’s right to privacy is essential to the practice of good healthcare — and a vital part of the covenant between providers and patients. Implementing the mandates of HIPAA plays an important role in building and maintaining patient trust and a thriving practice.


Why Should HIPAA Compliance Matter to You


Healthcare Professionals

If you are a healthcare provider or business associate, HIPAA compliance should matter because it is the law. According to the Code of Federal Regulations (CFR), if you are a provider or business associate who utilizes electronic health records, you must ensure the confidentiality, integrity, and availability of all records created, received, maintained, or transmitted. Civil monetary penalties for noncompliance that causes a breach of electronic patient records can be assessed up to $1.5 million. Criminal penalties can range from one to ten years in prison.

I believe one of the biggest issues facing small healthcare providers is lack of knowledge of exact requirements for HIPAA security compliance. Part of the problem for small providers is they often have an unclear understanding of what safeguards need to be in place for electronic health records. I see this as a huge concern. The U.S. Department of Health and Human Services (HHS) does an inadequate job providing specific guidance to small providers. It is difficult to navigate through the HHS website to find particular HIPAA compliance information.

I should know because I used to work for HHS and had oversight of complex health care fraud investigations. We had teams of lawyers and analysts to guide us in the regulatory world, whereas a small healthcare provider, if lucky, may find the necessary guidance on the HHS website. Even then, the information becomes subject to interpretation by a provider with limited exposure to HIPAA regulatory compliance. Ask yourself how comfortable you are with this.

Patients

With more and more healthcare providers utilizing electronic health records, consumers (patients) need to ask those providers if they are doing everything they can to secure their health information. For consumers, HIPAA compliance matters because it equals assurance that the proper safeguards are in place to prevent unauthorized access, tampering, and theft of medical records.

A recent study by the Ponemon Institute found criminal attacks on healthcare providers have increased dramatically, up 100% since 2010. Unlike having credit information stolen where the bank or credit card company may notify the consumer about suspicious activity in a timely manner, health information compromises take longer to recognize. With all the recent emphasis on newsworthy data breaches, this is a wake-up call for patients who must treat their online health information as they would their credit information.

Medical identity theft is a profitable industry for criminals who can make a lot more money selling health information than credit card numbers. According to Dell SecureWorks, an information security services company, criminals can get paid $20 for a person’s stolen health identity information, as compared to credit card numbers that may yield $1 to $2 apiece. As a former Assistant Inspector General for Investigations at HHS, I know that Medicare card numbers could be sold for up to $50 apiece. In addition, there is much more personal data at stake with health records, which can include sensitive information such as pre-existing conditions, full-blown medical histories, and prescriptions, along with a plethora of financial, employment, and family information.

So the next time you go to your healthcare provider and you are asked to sign a HIPAA release form, read the fine print. Know your rights and expectations of privacy. Most importantly, ask your providers what they are doing to protect your electronic health records.

Author: Jay Hodes is the President of Colington Security Consulting LLC and the former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, Office of Inspector General. In that position he supervised over 200 Special Agents and professional support staff responsible for health care fraud and medical identity theft investigations throughout the eastern United States.

His company provides assistance with HIPAA Security Rule compliance by conducting risk assessments and writing practice specific risk management plans. The assessments identify vulnerabilities and risks; determine the potential impact and provide a gap analysis action plan to prevent unauthorized access, tampering and theft.


HIPAA Guidance For Small To Mid-Size Medical Practices


For small and mid-size medical practices, HIPAA compliance has long been a small problem. After all, it wasn’t very long ago that all but the largest practices could rest relatively easy, knowing their very smallness made them unappealing targets for regulators looking for bigger fish to fry.

As long as they didn’t blatantly, repeatedly or intentionally violate HIPAA’s strictures, they rarely rated government action beyond (at most) a warning letter.

Those days are now over. The federal government is cracking down harder on practices that violate HIPAA privacy and security regulations by scheduling more frequent audits and issuing stiffer fines. And practices are being forced to respond with more rigorous compliance plans. The same federal stimulus law that offered incentives for practices to purchase electronic health records (EHR) systems also beefed up HIPAA’s privacy and security regulations. If your practice hasn’t reviewed and updated its HIPAA policy recently, now’s the time.

It’s been 12 years since the April 14, 2003, compliance date for the HIPAA Privacy Rule, so most, if not all, physician practices should know better than to post protected health information (PHI) in a public forum such as Google Docs or Dropbox.

Here are some simple common-sense tips for keeping your practice on the right side of the law:

Train your staff. HIPAA requires that you have a training program in place regarding the proper handling of PHI. All staff members must know what they are authorized to view, how to manage computer passwords, what they may and may not say in front of patients, and so on. Providing an annual refresher on this type of training is highly recommended. Make sure everyone, including physicians, receives the training. Document it.

Establish written protocols for information access. Staff should have access to the portions of patients’ PHI that are necessary to perform their jobs — and that’s all. This should be perfectly clear and in writing. And your protocols should include examples of the specific types of information that different staff members are authorized to view, based on job function.

Use discretion in the reception area. Don’t use public sign-in sheets. Don’t make any mention of the reason for a patient’s appointment until you’re both out of earshot of the waiting room. Make sure computer screens aren’t visible to non-staff members in any public areas of the office.

Plan for breaches. What would happen if there were an accidental breach of patient information? Say someone mistakenly includes patient information in an email attachment, and the attached document includes patient names and Social Security numbers. Or how would you handle an intentional breach? You should prepare a specific response for scenarios like these, because they do happen.

Use computer passwords correctly. If you have any centralized computer terminals that get used by more than one staffer, make sure everyone logs out whenever they’re finished. To be safe, set up those computers so a login is required after brief periods of inactivity, say two or three minutes. Even if you don’t have centralized computer stations (and most small practices don’t), you should require your employees to change their own passwords every few months.

If necessary, hire a consultant to help you comply with HIPAA’s security provisions, which are far more technical than the Privacy Rule. Alas, mere common sense won’t help you determine whether your computer network is properly encrypted. Get help. What’s new is that the government is no longer limiting its enforcement actions to hospitals and the biggest practices.

But since most private practices should have been following HIPAA plans for at least 10 years now, it’s likely they’ll need to do little more than review, update, and continue to implement their plan, assuming, of course, that you have a HIPAA compliance plan currently in place.


A To-Do List for Medical Practice Compliance Officers


An effective compliance program should encompass all areas of regulation that are applicable to your practice. Many practices address billing and reimbursement and HIPAA compliance, but compliance programs also should cover employment, Occupational Safety and Health Administration (OSHA) requirements, Clinical Laboratory Improvement Amendments of 1998 (CLIA) regulations, the Employee Retirement Income Security Act requirements, and other healthcare regulatory areas, including self-referral/Stark law and anti-kickback regulations. Every practice is unique, and so should be every compliance program.

A principal element of a compliance program is an effective and empowered compliance officer or compliance committee. If the practice designates a compliance committee, the compliance officer will be the chairperson and will coordinate the responsibilities between the members. The compliance officer’s two main responsibilities are (1) to develop and (2) to implement the practice's compliance program.

The compliance officer should have knowledge in many areas, including business administration, clinical activities, coding, billing, reimbursement, risk management, and at least a general knowledge of the laws and regulations applicable to the medical practice environment. The compliance officer should have good judgment, the ability to prioritize, and — to create the necessary culture — he should be respected, and considered to be approachable, by the other members of the practice.

Below is a list of responsibilities of the compliance officer and/or committee. This list can help your practice to develop a job description and focus on key requirements when recruiting a compliance officer. AAPC and the Health Care Compliance Association are two organizations that offer certifications for individuals who have proven competency through rigorous study and examination. Hiring a certified individual provides additional assurance that the individual understands and can apply the key areas of compliance required to develop and implement an effective program.

List of Responsibilities

1. The compliance officer will be responsible for development of the corporate compliance program. After the performance of a baseline assessment, the compliance officer will draft the formal compliance program documents.

2. The compliance officer will review all relevant documents, perform and coordinate an organization-wide audit, and review all areas of possible noncompliance within the organization.

3. The compliance officer will distribute the written documentation of the compliance program.

4. The compliance officer will be responsible for periodically reviewing and updating the compliance program, and for dissemination of any changes to the employees and agents of the organization.

5. The compliance officer is responsible for developing, coordinating, and/or conducting the necessary training programs for all members of the healthcare organization. The initial training will include complete education regarding the corporate compliance program.

6. The compliance officer will be responsible for auditing the training records that are to be maintained by the organization as an element of compliance.

7. The compliance officer will review and/or coordinate the review of independent contractor arrangements to ensure that all of the applicable laws and regulations have been followed.

8. The compliance officer is responsible for coordinating and/or conducting the screening of employees, agents, and independent contractors. This will involve making inquiries to the cumulative sanction report and the U.S. Government Accountability Office debarred contractors listing.

9. The compliance officer is responsible for conducting and/or coordinating internal and external compliance audits. This is to ensure that all areas of the corporate compliance program are being adhered to. The compliance officer will also coordinate and/or audit the training and reporting elements of all the regulatory compliance manuals.

10. The compliance officer will coordinate and/or develop policies and programs for reporting noncompliance issues. This will include developing a reporting system for all persons associated with the practice to utilize when necessary to inform the compliance officer of potential noncompliance issues.

11. The compliance officer will perform and/or coordinate all investigations of deficiencies resulting from the reporting system or identified through the periodic assessments.

12. The compliance officer will initiate and/or coordinate corrective and preventive action for areas of noncompliance as identified in the periodic audits and/or through the reporting system.

13. The compliance officer will be responsible for maintaining a file of all areas of the compliance plan. This will include documentation of the initial baseline audit, the periodic compliance audits, training of personnel and agents of the practice, results of screening of individuals, any reports of suspected or actual noncompliance, all reports of investigations, and all reports of corrective action taken after the investigation has been completed.

14. The compliance officer will report regularly to the owner(s), managing physician, and/or board of directors of the organization.

15. The compliance officer will develop a budget necessary to perform all of the compliance duties, including items such as training for the staff, compliance officer, and compliance committee.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr


Why HIPAA Compliance is the Key For Preventing Cyber Attacks


HIPAA compliance is required in order to avoid large fines from the federal government, but there is another issue you can address when you implement HIPAA compliance – strengthening your practice’s network security.

 

Your patients’ data is worth a lot of money on the black market, and hacks of medical practices and hospitals are on the rise, with the latest trend in cyber-attacks being ransomware. This is malware that restricts access to your computer system and demands that you pay a ransom to regain access to your data. If you are not prepared for these attacks, your practice could be destroyed.

 

Most medical practices don’t have a plan for regular backups, or a disaster recovery plan, and choose to pay the ransom to hackers in order to regain access to the data that is vital for their day-to-day operations. In March 2016 alone, more than a dozen medical facilities were attacked. Hollywood Presbyterian Medical Center is one location that decided to pay the ransom of 40 Bitcoin, almost $17,000, in order to restore their systems. The FBI recommends businesses not pay the ransom, because there is no guarantee that the hackers will unlock your systems, and simply decrypting files does not mean the malware infection has been removed from the system.

 

According to a recent Washington Post article, Sinan Eren, who has worked in cybersecurity for government and healthcare organizations, said, “Medical facilities are vulnerable to these attacks in part because they don’t properly train their employees on how to avoid being hacked.”

 

The threat is not going away anytime soon. In March 2016, the US and Canada issued a rare joint cyber alert warning about the recent surge in ransomware attacks. A report from Intel Corp.’s McAfee Labs predicts that ransomware will remain a major and rapidly growing threat in 2016, and will expand to new industry sectors including financial institutions and local government. These groups will want to quickly pay ransoms to restore their critical operations – stimulating more attacks.

 

 

How Do I Protect My Data?


HIPAA compliance may be your best bet. The guidelines set forth by HIPAA serve as an excellent road map to protect your information.

 

Here’s how it works. There are three parts to the HIPAA compliance process:

 

  1. Documentation,
  2. Training, and
  3. Implementation

 

 

Documentation

 

The first step in the HIPAA documentation process is to conduct a Risk Assessment. The Risk Assessment gathers information about the use of electronic devices in your practice, how you handle and safeguard data, and what procedures your employees must follow. Once the Risk Assessment is completed, you’ll have the foundation for your Privacy and Security Policies and Procedures. You’ll have identified what improvements need to be made in your systems and what procedures to follow to keep them safe. Additional required HIPAA documents can also be completed from data collected in the Risk Assessment.

 

 

Training


As the Washington Post article highlighted, a lack of or inadequate employee training makes an organization vulnerable to attacks. HIPAA requires employees be trained annually, not only on the HIPAA law, but specifically on your organization’s security policies and procedures. Developing the two training programs on your own would be daunting; however, when you partner with a compliance company like Total HIPAA the training on the law is already developed for you. We also summarize your practice’s key points – saving you both time and money.

 

 

Implementation


What good is a plan and training without rolling it out to your entire practice? Your HIPAA Compliance Plan isn’t a document that just sits on the shelf and only gets dusted off once a year. Once you have a plan everyone on your Compliance Team can agree on, it’s time to put that plan into action!

Cyber attacks can cost you thousands of dollars when you notify staff or patients of a breach. In addition to these costs, HIPAA fines and penalties as high as $50,000 per violation can be added to your final bill. When you examine the option of implementing HIPAA or waiting until something happens, the choice is clear – meeting HIPAA compliance is only a fraction of the costs you will face if you are hacked. Protect your practice today.


HIPAA-compliant file sharing tools for the medical practice 


The same formula that birthed Napster and re-defined the music industry is slowly taking on medicine — and small practitioners stand to be the prime beneficiaries.

 

“HIPAA is driving a lot of small healthcare providers to look for solutions for securing data,” according to Asaf Cidon, the inventor of a secure file-sharing tool called Sookasa. “Medical information is extremely private, and regulation is becoming tighter, enforcement is becoming tighter.”

 

 

Emerging offerings


Sookasa, the application that CEO Cidon helped to create two years ago, takes a popular layperson’s platform, DropBox, and transforms it into a tool that providers can use to adhere to HIPAA in a way that Cidon claims is inexpensive. At least relatively speaking.

 

“Doctors used to hire a full-time admin to be faxing, scanning and shredding all day long. With something like DropBox, you can just write the bill on your computer, put it in a folder and then it appears in your medical billing company's folder and there’s a record for it,” Cidon explained. “There’s no paper and you’re done.”

Other file-sharing technologies with healthcare connections include Clincate, a service that allows clinicians to share medical files and videos with colleagues and patients; Box, which allows doctors, researchers and administrators to quickly swap PHI files; and kiteworks from Accellion, which offers file sharing via any mobile devices in an organization.  

 

Most file-sharing platforms offer a free personal-use membership, but as more storage and members accumulate, price increases. For Box, 10GB of secure storage is free while the starter package is $5 per user/per month (up to 10 users allowed) with 100GB of storage. Meanwhile, Clincate charges $195 per year for 25GB of storage per user. Sookasa charges $100 per user/per year for an unlimited number of devices and files.

 

 

Untapped potential


HIPAA-compliant file-sharing software tools — if they gain widespread purchase — also promise to ease small practices’ interoperability burden in interesting, if incomplete, ways.

“EHR systems, while I think they’re better than paper, they have this one glaring problem — they can’t communicate with each other,” Sookasa’s Cidon said. “EHR systems are very closed.”

The ability to take, say, a radiological image and put it in a HIPAA-compliant DropBox folder from which another authorized doctor at a separate facility can access it could make for a compelling option in some cases.

 

Similarly, the ability to share that image with a patient at the tap of a folder is also an intriguing perk. 

 

Cidon has even seen physician customers practically move their entire EHRs onto the Sookasa platform to curb expenses and be more interoperable across devices in a HIPAA-compliant fashion.

This emerging crop of file-sharing tools won’t solve the ongoing and ubiquitous EHR interoperability problem facing the entire healthcare industry, of course, but particularly for doctors who need to access patients’ medical records from multiple locations, one or more of the tools may be an attractive option.

 

“Especially in the healthcare industry,” Cidon concluded, “it can change your entire workflow.”

 


Five Common HIPAA Compliance Issues to Avoid | Physicians Practice


In the news recently was a story about surgeons in China who were punished after taking group photos next to apparently unconscious patients. In the photo, doctors and nurses in scrubs pose with a supposedly unconscious patient on the operating table in the operating room. Of course, you cannot see the patient and, but for the headline, you could not tell from the photo whether it was even real or staged. The public apparently found the #surgeryselfie unacceptable, and the surgeons and nurses are now facing unknown consequences.

 

• In Florida, Walgreens Co. mailed free samples of Prozac Weekly to patients who were taking Prozac Daily.
• A Fort Lauderdale physician gave his fishing buddy, a drug company representative, a list of patients suffering from depression and the salesman arranged to send trial packages of Prozac Weekly to their homes without the patients’ knowledge or permission.
• A Pakistani woman threatened to post the entire medical files of over 300,000 patients of UC Medical Center (San Francisco) if she wasn’t paid for her medical transcribing services. The hospital was surprised to learn that the company awarded the job of transcribing the medical records had sub-contracted all those records to a company outside of the United States.
• A hospital employee easily viewed and stole Tammy Wynette’s medical records from the hospital’s databases and sold the information to the National Enquirer and Star.
• A banker who also served on his county’s health board cross-referenced customer accounts with patient information. He then called due the mortgages of anyone suffering from cancer.

Although these examples may be shocking, they are but a few of the routine HIPAA violations that occur daily across the country.   According to the Office for Civil Rights (OCR), since the compliance date of the Privacy Rule in April 2003, OCR has received over 105,960 HIPAA complaints and has initiated over 1,157 compliance reviews. 

 

Most HIPAA cases (23,181) have been resolved by requiring changes in privacy practices and corrective actions by, or providing technical assistance to, HIPAA covered entities and their business associates. 

 

OCR has investigated complaints against many different types of entities including: national pharmacy chains, major medical centers, group health plans, hospital chains, and small provider offices.

 

Based on OCR’s report, the compliance issues investigated most (in order of frequency) were:


1. Impermissible uses and disclosures of protected health information;
2. Lack of safeguards of protected health information;
3. Lack of patient access to their protected health information;
4. Lack of administrative safeguards of electronic protected health information; and
5. Use or disclosure of more than the minimum necessary protected health information.

 

Although most HIPAA cases appear to be resolved by the OCR, 540 referrals were made by the OCR to the Department of Justice for criminal investigation.  This would be for cases that involved the knowing disclosure or obtaining of protected health information in violation of the rules.

 

Finally, the most common types of covered entities that have been required to take corrective action to achieve voluntary compliance are, in order of frequency:

1. Private practices;
2. General hospitals;
3. Outpatient facilities;
4. Pharmacies; and
5. Health plans (group health plans and health insurance issuers).

 

As you will note, private practices are at the top of that list!

As we head into 2015, among the many items to consider is whether your practice’s operations are compliant with HIPAA. Although many groups complete the required training, too many have lost interest in HIPAA over time. It’s a good idea to remind your staff of the consequences of violating HIPAA and to emphasize that comments on Twitter about patients, posting #surgeryselfies, or otherwise allowing curiosity to lead to inappropriate records review, will not be tolerated.

 

 

 

 


Make Sure Business Associates Don’t Violate HIPAA


A violation of HIPAA by a practice’s business associate underscores the importance of conducting adequate due diligence, having business associate agreements (BAAs) in place, and ensuring that the level of encryption is adequate.


The U.S. Federal Trade Commission (FTC) recently released a statement indicating that a business associate, Henry Schein Practice Solutions, Inc. (“Schein”), a dental practice software company, will pay the government $250,000 for false advertising associated with what was relayed to the public and what was actually used in its products in relation to the level of encryption. While the fine is not considered large by any means, the implications for medical professionals, business associates, and subcontractors alike, are significant. 


The ramifications to the company, in relation to the issuance of the administrative complaint and the consent agreement are:


• Pay a $250,000 fine;
• Prohibition on “misleading customers about the extent to which its products use industry-standard encryption or how its products are used to ensure regulatory compliance”;
• Prohibition on claims that patient data was protected;
• Schein needs to notify all of its clients who purchased during the period when the material misstatements were made; and
• The consent agreement will be published in the Federal Register.


Of equal or greater significance is the “NOTE” on the FTC’s press release, which states:


NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions for twenty years. Each violation of such an order may result in a civil penalty of up to $16,000.


The takeaways for providers and business associates alike are significant. All government agencies are taking a hard look at material misrepresentations related to HIPAA compliance. The potential implications are significant and underscore the importance of not cutting corners in relation to risk assessments and compliance.


HIPAA Compliance is a Business Risk


Medicine is Risky


The practice of medicine is a risky business. There is always the risk that a certain treatment will fail to help a patient. There is a risk of being accused of malpractice. There is a risk of being accused of incorrectly billing a patient, insurance company or government agency. There is a risk of being sued by an employee or ex-employee for HR related issues. The list of risks goes on and on.


Healthcare is not unique when it comes to risk. Lawyers, accountants, architects and engineers all have associated business risk. In fact, it can be argued that every business has associated risk. The risk of a business failing is with every business no matter what vertical that business operates in. Just ask Enron and RadioShack and Joe’s pizza.


Manage Risk


The key to business risk is how an organization manages the risk. Healthcare organizations have malpractice insurance, which usually comes with a malpractice risk management program. The program identifies areas of risk, provides steps to reduce risk and defines steps to minimize the impact of losses when they occur.


Risk management refers to strategies that reduce and minimize the possibility of an adverse outcome, harm, or loss. The systematic gathering and utilization of data are essential to loss prevention. Good risk management techniques improve the quality of patient care and reduce the probability of an adverse outcome or a medical malpractice claim. This core curriculum outlines the attitudes, knowledge, and skills currently recommended for residents in the area of risk management. The primary goal of successful risk management is to reduce untoward events to patients. Risk management programs are designed to reduce the risk to patients and the resulting liability to the health care provider. Standard of care is the foundation for risk management. The main factors in risk management include the following.


Nonmedical and medical risk management is a three-step process which involves: 1) identifying risk; 2) avoiding or minimizing the risk of loss; and 3) reducing the impact of losses when they occur. Medical risk management focuses on risk reduction through improvement of patient care.


Patient Data Risk


The practice of creating, storing and accessing electronic patient data brings with it new risks to healthcare organizations. Sure in the past there was a risk of someone breaking into an office and stealing patients’ paper charts but the risk exponentially increases now that a majority of new patient data is electronic. All this data is spread across electronic health records (EHRs), patient portals, digital x-ray machines, email, desktops, laptops, USB drives, smartphones and tablets. There are risks of an employee mistake like losing a laptop with patient information or falling for a fake email that tricks them into giving up information that thieves can use to access and steal patient data.


Like any other business risk, the risk to patient data needs to be properly managed. Just as with a malpractice risk management program, the risk to patient data needs to be addressed with three steps:


  1. Identifying Risk – it is critical that organizations understand what risks are associated with electronic patient data. Where is the data stored or accessed? As mentioned previously, the data could be stored on servers in an office, in a cloud-based EHR, on laptops or mobile devices. It is critical to get a thorough inventory of all patient data that is created, stored or accessed. The next step is understanding the risk to all of this patient data. The risk to data stored on a digital ultrasound machine is much different than data stored on laptops that leave an office.
  2. Minimize Risk – once the various risks are identified to patient data, it is critical to take steps to reduce the risk. Implementing the proper safeguards such as security policies and procedures and employee training can go a long way to lower the risk to patient data.
  3. Reduce the Impact – unfortunately it is very difficult to eliminate the risk to patient data. Steps can be taken to lower the risk but the amount of patient data is increasing every day and the risk of employee mistakes or criminals stealing the data increases as well. Organizations need to have a plan in place to respond to a patient data breach. That plan may include a breach response program that defines the steps the organization will take if there is a breach, or ensuring that an organization’s IT department or company is prepared to respond and/or stop a suspected data breach. Reducing the impact of a patient data breach might include cyber insurance that will provide financial resources to help the organization in the event of a data breach.


Don’t Hate HIPAA


Many people I talk to tell me they hate HIPAA regulations. I don’t blame them. Most people don’t like forced government regulations that have the threat of audits and fines. But HIPAA regulations are really just a risk management program for patient data. HIPAA calls for organizations to take inventory of where patient information is created, stored or accessed. It requires organizations to identify and manage associated risk to patient data. And it calls for organizations to be prepared to respond and lower the impact if patient data is lost, stolen or breached. When compared to a malpractice risk management program, the HIPAA risk management program is very similar.


When I talk to people about HIPAA I make it clear that the risk of a random HIPAA audit is very low. But the risk that patient data is lost, stolen or breached is increasing every day. Patient data needs to be thought of as a business risk that needs to be properly managed.


OCR launches new HIPAA resource on mobile app development


The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently launched a new resource: a platform for mobile health developers and “others interested in the intersection of health information technology and HIPAA privacy protection.”


In the announcement of this platform, OCR noted that there has been an “explosion” of technology using data regarding the health of individuals in innovative ways to improve health outcomes. However, OCR said that “many mHealth developers are not familiar with the HIPAA Rules and how the rules would apply to their products,” and that “[b]uilding privacy and security protections into technology products enhances their value by providing some assurance to users that the information is safe and secure and will be used and disclosed only as approved or expected.”


The OCR platform for mobile app developers has its own website. Anyone – not just mobile app developers – may browse and use the website. Users may submit questions, offer comments on other submissions and vote on a topic's relevance. OCR noted that to do so users will need to sign in using their email address, “but their identities and addresses will be anonymous to OCR.” 


OCR asked stakeholders to provide input on the following issues related to mobile app development: What topics should we address in guidance? What current provisions leave you scratching your heads? How should this guidance look in order to make it more understandable and more accessible?


Users can also submit questions about HIPAA or use cases through this website. OCR explained that, “we cannot respond individually to questions, we will try to post links to existing relevant resources when we can.” Finally, in the announcement OCR stated that posting or commenting on a question on this website, “will not subject anyone to enforcement action.” 


Health Data Collected by App Developers not regulated by HIPAA


It seems that your medical data may not be as protected as you might first assume.

A recent report from the Department of Health and Human Services showed that the vast majority of mobile health apps on the marketplace aren’t covered by HIPAA, the Health Insurance Portability and Accountability Act of 1996.

HIPAA currently applies only to traditional medical establishments, such as hospitals, doctors and health insurance providers. Apps or devices used in conjunction with a doctor’s office or a hospital are not legally allowed to share or sell your information. However, there is no definitive federal law governing what happens to the data that an app developer, tech company or private individual collects.

Typically a patient using a third-party developed app enters medical information, which is then sent in some form to a physician. The data in a patient’s medical record would be covered by HIPAA; however, the data that the third-party app developer collected would not be.

Despite being identical sets of data, stored in different computers, they have different levels of protection.

App companies, although not governed by HIPAA, would do well to focus on abiding by its standards. Any app developer found to be using unfair or deceptive practices with regard to user medical data could be held accountable by the FTC.

Until federal regulations are extended to include app data collected by third-party developers, this will remain a legal grey area, and one that patients, doctors and developers all need to be aware of.


Where Is HIPAA Taking Physician Practices?


Introduction:

Several provisions of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, were intended to encourage electronic data interchange (EDI) and safeguard the security, privacy, and confidentiality of patient health information. In the context of this act, security is the means by which confidentiality and privacy are ensured. Confidentiality defines how patient data can be protected from inappropriate access, while privacy is concerned with who should have access to the patient data. This article explores how the policies stipulated by HIPAA are shaping the practice of medicine and will likely affect your practice in the future.

 

HIPAA Security vs Innovation:

If you're a typical small-practice physician, odds are that you view HIPAA as simply another federally mandated cost of practising medicine, regardless of the intended outcome of the act. This position is understandable, given the cost of mandated training for you and your office staff. Furthermore, if your practice is computerised, then you'll need to spend even more money on software upgrades and possibly additional training from the vendor.

HIPAA rules and regulations are complex, in part because much of compliance is open to interpretation. For example, security issues, which are predominantly in the domain of software and hardware vendors, are based on “risk assessment,” not specific technology standards. The act doesn't stipulate specific technologies or endorse nationally recognised procedures, but leaves it up to the physician practice or medical enterprise to ensure that patient health data are secure. (HIPAA's security standards take effect on April 20, 2005, for all “covered entities” except small health plans.) However, because HIPAA enforcement is complaint-driven – there are no “HIPAA Police” checking to see that your practice meets the law's requirements – differences in interpretation of the act are likely to end up in a courtroom at some point. For this reason, some experts recommend assessment of HIPAA compliance by outside counsel.

Most physicians are understandably concerned with the immediate compliance issues surrounding HIPAA and privacy and confidentiality of patient data. Even though the security standards were designed to be “technology-neutral,” the vagaries of these requirements are having a direct impact on medicine beyond the acute phase of compliance, especially in the introduction of new technologies in the clinical arena. New technologies, from wireless to tablet PCs, bring with them added functionality, potential workflow enhancements, and efficiencies – as well as new HIPAA security compliance issues.

Consider, for example, the effect of HIPAA's privacy rules on a physician contemplating the purchase of a Palm Pilot or other PDA. Even late adopters have probably observed the benefit of PDAs. Need to share patient data? Just beam it across the infrared link from one PDA to the next. Need to review patient lab data? Just touch the screen and the data are only a second away.

But it isn't that simple once HIPAA enters into the picture. Now a PDA carrying patient data is a compliance concern, as HIPAA's privacy rule applies to all mediums of a patient's protected health information, whether it's print, verbal, or electronic. Does your PDA have a login and auto logout feature? If not, then anyone could take your PDA and look up patient data. Consider the liability issues if you forgot your PDA at a coffee shop and someone picked it up and scanned through your list of patients. But with a login screen, one of the major benefits of a PDA – instant access to data – is lost.

If you use one of the wireless PDAs, such as the BlackBerry, then there are additional HIPAA-related issues: Does your PDA support the encryption of email and patient data it sends over the Internet? Is the encryption enabled? Is the level of encryption good enough for HIPAA?

Perhaps you've been considering adding a wireless (WiFi) LAN to your clinic or practice. You may have good reason to; wireless will allow you to carry a laptop into examining rooms for decision support and not have to worry about Ethernet cords. But considering HIPAA, is your WiFi system secure? Is the data encryption good enough? If not, will you have to buy new PCs and PDAs, or simply upgrade the operating systems? Do you need to hire a consultant? Maybe it's easier to simply string cables to each office and forget about the laptop this year. Or maybe it would be better to hold off on the computer-assisted decision support project altogether.

Paradoxically, although proponents of HIPAA once thought that it would enhance the move toward the electronic medical record (EMR), I believe that it is having the opposite effect. Because of the uncertainty surrounding HIPAA compliance and whether the legal system will be swamped with cases alleging violations of privacy, it's simply safer for small practices to stay with paper charts, and let the big medical practices deal with the inevitable lawsuits.

This brings up another cost issue: Does your insurance cover a patient suit over HIPAA? If so, how inclusive is the insurance? For example, let's say your practice regularly sends digital audio files overseas for transcription. You send the audio files and receive text documents a day later. Do you know how the patient data are handled at the transcription service? If a transcriptionist overseas decides to protest his or her low wages by posting a transcription of your patient's clinic visit openly on the Web, are you liable? Will your insurer pay? This example isn't as far-fetched as it might seem. In October 2003, a disgruntled Pakistani transcriber threatened the University of California-San Francisco over back pay.[3] She threatened to post patients' confidential files on the Internet unless she was paid more money. To show that she was serious, she sent UCSF an unencrypted email with a patient record attached.


HIPAA, Privacy, and the Physician:

Whereas compliance with HIPAA's upcoming security requirements is largely in the purview of vendors and the information services department in most larger medical centres, privacy concerns are usually addressed at the physician level. Consider the major privacy provisions of the act, most of which took effect in April 2003, listed in the Table.

Major Privacy Components of HIPAA, Based on Data From the DHHS.

Implementing each of these privacy components falls squarely on you and your office staff. You, your office manager, or someone else in your practice must be designated the Privacy Officer and given the responsibility of ensuring compliance with the act. If you haven't already had at least one practice walk-through with the major privacy provisions, make sure you do so.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr


Should You Consider HIPAA Compliance?


Protecting private patient information is crucial, especially in this day and age of online storage and transactions. As the media reports more and more healthcare-related security breaches, it may be time for you to find out if you need to be HIPAA Compliant. Designed to protect patients, HIPAA is required for many businesses that deal with private health data. While there is much more to HIPAA than the data center where your data is stored, Liquid Web can be an important part of your overall compliance with HIPAA standards. At Liquid Web, we provide the utmost in security with our compliant network solutions, physical and data security measures, highly available infrastructure, and 24/7/365 onsite HIPAA trained staff. In combination with our recommended HIPAA Compliant hosting plans, we can help you achieve the compliance you need.

So how do you know if you should become HIPAA Compliant? We’ve gathered some helpful information that might set you on the right track.

What is HIPAA anyway?

HIPAA, or Health Insurance Portability & Accountability Act, is a strict set of regulations created in order to keep critical health information secure and confidential. This is especially important as many organizations that deal with patient health information store that data digitally. Recent large healthcare security breaches have only cemented the importance of HIPAA Compliance for your business and customers.

What kind of data is protected by HIPAA standards?

Any private medical data needs to remain confidential and secure, including but not limited to health records, patient charts, health insurance claim information, lab results, x-rays, and surgery documentation. HIPAA calls this data “ePHI,” or electronic protected health information.

What kind of businesses are required to comply with HIPAA?

The U.S. Department of Health & Human Services (HHS) has defined the businesses required to comply with HIPAA as “Covered Entities,” but only if they transmit any information in electronic form in connection with a transaction for which HHS has developed a standard. Covered Entities include the following:

  • Healthcare Providers – Including doctor’s offices, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
  • Health Plans – Including health insurance companies, HMOs, company health plans, and government programs like Medicare and Medicaid.
  • Healthcare Clearinghouses – Including businesses that process health information from another entity either from a non-standard form to a standard form, or vice versa.


In addition, HIPAA applies to any business working with a covered entity to carry out its health care activities. Liquid Web could be one such “Business Associate” or “Sub-Contractor Business Associate.” When a covered entity enlists a business associate like Liquid Web for assistance in storing health information, a Business Associate Agreement might be needed to lay out the responsibilities of each party.


Why comply with HIPAA Standards?

These HIPAA standards exist to protect your patients’ confidentiality and privacy, ensuring your business has a trustworthy reputation. In addition, those that do not comply with the standards face being shut down and/or heavily fined. HIPAA’s standards are enforced through investigating complaints filed with the HHS and through conducting compliance reviews.


Don't Confuse EHR HIPAA Compliance With Total HIPAA Compliance


Electronic health records (EHR) systems are revolutionizing the collection and standardization of patient medical information. Never before has it been so easy for healthcare practitioners to have patient information so readily available, allowing for more efficient and accurate care.

Unfortunately, what many organizations today don’t realize is that just because their EHR system is compliant with HIPAA security standards, their entity as a whole may not be fully compliant.

Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true.

Privacy and security are much more than simply having a HIPAA compliant EHR. It is truly frightening when I hear a healthcare company, or even worse, an EHR vendor, claim their EHR system covers all of a healthcare company’s HIPAA requirements. Even for cloud-based EHR systems, this simply is not the case.

Maintaining a secure EHR system

The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards to be in place for the purpose of protecting PHI.

In our ever-changing digital environment, it’s critical that healthcare organizations regularly assess their security programs as a whole to ensure they have the policies, procedures, and security measures in place to better protect patient information and avoid costly regulatory enforcements.

Unfortunately, addressing risks to electronic patient data is not always a top priority.

We need to get the message out that HIPAA compliance (and the protection of patient data) cannot be relegated to simply checking a box (i.e., my EHR system is compliant, therefore, my practice is compliant, too). HIPAA compliance must, instead, be addressed across an organization wherever patient data is present.

Understand current security measures

The ongoing responsibility of managing patient data throughout an organization requires an organized, well-thought-out approach to risk management. No matter how small or how long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.

While some EHR systems and their related equipment have security features built into or provided as part of a service, they are not always configured or enabled properly. In addition, medical equipment is often web-enabled (can connect remotely to send information to a server), but that equipment may not be checked for proper security.

As the guardian of patient health information, it is up to each healthcare organization to learn and understand the basic features of their IT assets and medical devices, what security mechanisms are in place, and how to use them.

There are a number of actions an entity can take to make sure that their EHR systems and IT assets are secure. Such measures leverage an integrated use of data loss prevention tools, intrusion prevention, anti-malware, file integrity monitoring, robust identity management and authentication programs, role-based access and data security solutions.

The road to HIPAA compliance

Creating adequate safeguards does not happen overnight. While it may seem overwhelming and time-consuming at first (due to HIPAA’s complex nature), the biggest obstacle to overcome is actually getting the entire process started.

Begin by carving out a regular, weekly routine – perhaps starting at 30 minutes per week when your staff members who are responsible for HIPAA compliance can meet to discuss the privacy and security of patient data.

Here are some specific actions your entity should take when working to protect patient information:

  • Have a designated HIPAA-assigned compliance officer or team member. Clearly and specifically lay out the roles of everyone in your organization involved with HIPAA compliance responsibilities.
  • Ensure that access to ePHI is restricted based on an individual’s job roles and/or responsibilities.
  • Conduct an annual HIPAA security risk analysis (specifically required under HIPAA rules). This can involve regularly engaging with a trusted provider that can remotely monitor and maintain your network and devices to ensure ongoing security.
  • Mitigate and address any risks identified during your HIPAA risk analysis including deficient security, administrative and physical controls, access to environments where ePHI is stored, and a disaster recovery plan.
  • Make sure your policies and procedures match up to the requirements of HIPAA.
  • Require user authentication, such as passwords or PINs, that limits access to patient information to authorized individuals only.
  • Encrypt patient information using a key known or made available only to authorized individuals.
  • Incorporate audit trails, which record who accessed your information, what changes were made, and when they were made, providing an additional layer of security.
  • Implement workstation security, which ensures the computer terminals that access individual health records cannot be used by unauthorized persons.

Privacy and security concerns are key when it comes to HIPAA, but it’s also important to ensure your enterprise as a whole is protected. With 75 different requirements that fall under the HIPAA Security Rule umbrella, it’s critical to ensure all systems where ePHI resides are protected. Otherwise, organizations are placing themselves and their patients at serious risk.



HIPAA Survey Reveals A Reportable Benchmarking Breaches


In early, HCPro’s Medical Records Briefing (MRB) newsletter conducted a HIPAA benchmarking survey to gauge compliance with the HIPAA Omnibus Rule shortly after its September 23, implementation date. This year, MRB asked healthcare professionals to give us an update on their HIPAA compliance more than one year after implementation.


With the March 1 deadline for reporting breaches of PHI to HHS just around the corner, it seemed appropriate to ask respondents about breach notification. The percentage of respondents that said their organizations experienced a HIPAA breach in the past two years remained at 55%. However, more than half of respondents (54%) said their organizations have not experienced an increase in reportable breaches and do not anticipate an increase.


Some of this may be related to how organizations define a breach. In fact, one respondent said that his or her facility struggled most with determining whether an incident is a reportable breach.


The HIPAA Omnibus Rule eliminated the harm threshold and expanded the definition of a breach to include all PHI that is compromised, which some industry experts predicted would lead to an increase in reportable breaches.


The expansion of the definition of a breach may explain why some respondents say they have not experienced a breach in the last two years, says Chris Simons, MS, RHIA, HIM director and privacy officer at Cheshire Medical Center in Keene, New Hampshire. “I suspect they are not using the Omnibus standard for determining a breach, but instead relying on the old assessment of potential harm,” Simons says.


This year, 42% of respondents were HIM directors or managers, 30% were privacy officers, and 19% were compliance officers or managers. Based on this data, an increased number of HIM directors or managers appear to be serving as privacy officers at their facility. More specifically, 65% of HIM directors and managers responding to the survey also serve as the privacy officer.


Six Tips For Providers To Reduce The Risk Of Obtaining Unreliable HIPAA Compliance & Protection Software


Our partner Elizabeth Litten and I had a recent conversation with our good friend Marla Durben Hirsch, who quoted us in her Medical Practice Compliance Alert article, “Beware False Promises From Software Vendors Regarding HIPAA Compliance.” The full text can be found in the February 2016 issue, but some excerpts regarding six tips to reduce the risk of obtaining unreliable HIPAA compliance and protection software from vendors are summarized below.


As the backdrop for her article, Marla used the $250,000 settlement of the Federal Trade Commission (the “FTC”) with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for alleged false advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA. Elizabeth has already posted a blog entry on aspects of the Henry Schein matter that may be found here.


“This type of problem risk of using unreliable HIPAA software vendors is going to increase as more physicians and health care professionals adopt EHR systems, practice management systems, patient portals and other health IT.”


The six tips listed by Marla are summarized as follows:


  1. Litten and Kline: “Vet the software vendor regarding the statements it’s making to secure and protect your data. If the vendor is claiming to provide NIST-standard encryption, ask for proof. See what it’s saying in its marketing brochures. Check references, Google the company for lawsuits or other bad press, and ask whether it suffered a security breach and if so, how the vendor responded.”
  2. Kline: “Make sure that you have a valid business associate agreement that protects your interests when the software vendor is a business associate.” However, a provider must be cautious to determine first whether the vendor is actually a business associate before entering into a business associate agreement.
  3. Litten: “Check whether your cyberinsurance covers this type of contingency. It’s possible that it doesn’t cover misrepresentations, and you should know where you stand.”
  4. Litten and Kline: “See what protections a software vendor contract may provide you.” For instance, if a problem occurs with the software or it’s not as advertised, and the vendor is not obligated to provide you with remedies, you might want to add such protections, using the Henry Schein settlement as leverage.
  5. Litten and Kline: “Don’t market or advertise that you provide a level of HIPAA protection or compliance on your web-site, Notice of Privacy Practices or elsewhere unless you’re absolutely sure that you do so.” The FTC is greatly increasing its enforcement activity.
  6. Kline: “Look at your legal options if you find yourself defrauded.” For instance, the dentists who purchased the software [from Henry Schein] under allegedly false pretenses have grounds for legal action.


The primary responsibility for compliance with healthcare data privacy and security standards rests with the covered entity. It must show reasonable due diligence in selecting, contracting with, and monitoring performance of, software vendors to avoid liability for the foibles of its vendors.


5 Steps for Implementing a Successful HIPAA Compliance Plan


HIPAA Compliance Plan

First, why do you need a HIPAA Compliance Plan? This Plan will tell your employees, Business Associates and patients how you secure Protected Health Information (PHI). Just as important is effectively communicating the plan to your staff.  


So, where do you begin? The purpose of this blog is to highlight what goes into making your plan. 

Five Key Steps

Step 1 – Choose a Privacy and Security Officer

For a smaller practice, your Privacy and Security Officer may be the same person. For larger practices, these duties will probably be split between two people. These are the folks who are going to be spearheading your Compliance Plan.  If you don’t have someone designated to fill this role, you are not compliant.

Step 2 – Risk Assessment

This step requires you to review your workplace and electronic devices to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) held by the Covered Entity or Business Associate. According to Atlanta healthcare attorney Daniel Brown, “a Risk Assessment extends not only to the accessibility of ePHI -- such as passwords -- but also to threats to your access of ePHI caused by natural risks, such as hurricanes and tornadoes, and even human risks, such as malicious hacking.”


You can perform the Assessment yourself or hire an outside contractor to come in and complete the process for you. If you're thinking about performing the assessment yourself, HHS has developed a Risk Assessment tool to help you get started.

The first option is obviously the cheapest and the second can be costly, or you can use a combination of the two. The key is to be very detailed and identify where all your potential Privacy and Security issues may lie. This will include listing all computing and mobile devices, where paper files are stored, how you will secure your offices when you are closed, etc. This is not a one-time event and will change over time as technology and risks change. You will want to revisit your Risk Assessment anytime you have a Breach, theft, or major change in hardware or software, but at a minimum every 2-3 years.

Step 3 – Privacy and Security Policies and Procedures

After completing your Risk Assessment, it’s time to create your blueprint for achieving HIPAA Compliance. The Compliance Plan should include Policies and Procedures - ensuring the Privacy of Protected Health Information and the Security of such information. The Security Policies and Procedures deal with ePHI (electronic PHI) and how you will protect that information.


Policies and Procedures need to be updated regularly and any changes need to be clearly notated and communicated to your staff. As you saw in the Penalties Section of our last blog, “I didn’t know” isn’t an acceptable defense!

Step 4 – Business Associate Agreements

Most of you use vendors or contractors to help run your practice or business. Under HIPAA, persons or entities outside your workforce who use or have access to your patients’ PHI or ePHI in performing services on your behalf are “Business Associates” and hold special status in the Privacy equation. Some examples of Business Associates include third party billing agents, attorneys, laboratories, cloud storage companies, IT vendors, email encryption companies, web hosts, etc. This list can get pretty long, and should be documented in your Risk Assessment.


Make sure you do an audit of your Business Associates before you accept a signed Agreement from them. We’ve seen a lot of folks sign these Agreements, and have no clue what they’ve agreed to. Auditing means looking at their Compliance Plan. They have to have one, or you can’t do business with them. Your legal counsel should have an Agreement you can use, or you can use a third party Agreement from a HIPAA compliance company.

Step 5 – Training Employees

You’ve got your Risk Assessment, Privacy and Security Policies and Procedures and Business Associate Agreements in hand. You’re all good, right? NO! Employees are many times your weakest link.


You need to annually train your employees on the HIPAA Rule and communicate information about your Privacy and Security Policies and Procedures that you’ve worked so hard to create. What good is all the work you’ve done on a Compliance Plan when no one knows about it, or how to use it? Train employees both on the HIPAA Law and your specific plan. In addition, you must keep records that they have been trained.



Why Physicians Should Note Recent HIPAA Guidelines For Apps?


Although the department of Health and Human Services (HHS) has provided guidance for app developers working with providers, there may still be some confusion surrounding the issue. The uses of apps and the extent to which they must adhere to HIPAA vary widely.


For example, simple calorie and activity trackers for patients who would like to lose weight are not required to be HIPAA compliant.  The same is true for apps that help patients remember when to take medications.


However, things become more complex when an app performs a calculation to determine what dosage of medication a patient should take, or when information the app collects is recorded in the patient’s electronic health record (EHR). Physicians should evaluate the apps they recommend to patients to determine whether or not they must comply with HIPAA regulations, and when working directly with developers, physicians must ascertain whether or not the developer understands HIPAA requirements.


The questions to ask will vary, depending on the situation. In cases of recommending an off-the-shelf app, the evaluation process should be fairly simple. If the data collected is for the patient’s personal use and will not be transmitted to their EHR, there are no worries.


If a physician decides to work directly with a developer to create an app for a specific patient population, the necessity for HIPAA compliance is greater. A good place to start is with the recent guidance from HHS. Whether or not the developer is familiar with it may serve as a sort of gauge as to whether or not the developer is a professional working within the healthcare space.


“I think the first question a physician should ask is whether the developer has taken the recent [HHS Office of Civil Rights (OCR)] guidance into account,” says Scott Chase, an attorney who is board certified in health law in Texas, with Farrow-Gillespie & Heath, LLP. If the developer has not taken the guidance into consideration, “the physician may want to re-think the professionalism of the developer,” he adds.


Whether or not any app must be HIPAA compliant hinges on how personal health information (PHI) is used. According to HHS, PHI is defined as “individually identifiable health information that is transmitted or maintained in any form or medium (electronic, oral, or paper) by a covered entity or its business associates, excluding certain educational and employment records.”


Regardless of the intended use of the app in question, Chase adds that encryption should be part of the conversation. If a developer or physician makes a mistake in determining whether or not an app should comply with HIPAA, he says “HIPAA-compliant encryption could save them from a HIPAA complaint, in case of a breach of PHI.”


In other words, regardless of whether or not the developer has taken HIPAA into consideration in the process of creating an app, if patients’ PHI is properly encrypted, the physician who suggests patients use the app has a layer of protection in the event of a complaint.



Medical Staff Resistance to HIPAA Compliance


Recently, while reading a 2013 article in Information Week, "Doctors Push Back Against Health IT's Workflow Demands," I thought about various scenarios individuals have brought to my attention. It is indisputable that both the healthcare industry and physicians have been dealing with a dramatic shift in the landscape and, in turn, having to adapt to and implement a variety of new processes. In the article, the authors say, "There's a powerful force working against the spread of health IT: physician anger, as doctors resist adopting workflows that can feel to them more like manufacturing than traditional treatment." There are several reasons for this: uncertainty in reimbursement, the transition to ICD-10, and compliance requirements related to HIPAA and the Affordable Care Act.


Some of the situations that have been brought to my attention include: entities refusing to sign a Business Associate Agreement (BAA), refusing to choose a vendor because a password is required to be utilized and periodically changed in order to text message, and giving a username/password to other members of the care team to change or augment the electronic health record. Needless to say, all of these scenarios are problematic for several reasons. First and foremost, they violate the legal standards set forth in HIPAA, the HITECH Act, and the 2013 Final Omnibus Rule. Second, engaging in these practices makes the person more vulnerable. Lastly, refusing to utilize a password in order to optimize both IT security and compliance is foolish. 


At its core, a Business Associate Agreement is required between parties who create, receive, maintain, or transmit protected health information (PHI) on behalf of or for a covered entity. The phrase "on behalf of or for" is crucial because it extends beyond the relationship between the covered entity and a single business associate. This is the requirement of federal HIPAA. States may, and in fact do, have more stringent requirements.


One of the greatest areas of vulnerability is texting sensitive data using smartphones. Hence, it is crucial to make sure that the iPhone app is encrypted and requires a password (ideally, this would be a two-factor authentication method). Yet, I have heard stories where physicians belligerently refuse to adopt a technology because of the requirement.


Lastly, providing a nurse or PA with access to a medical record utilizing the physician's user name and password is absurd. Think of the Ebola case in Dallas, Texas, where the nurses left notes in one section that the physicians did not read. What if both individuals had used the same user ID and password? How easy would it be to look at the audit log and determine who made the entry? The level of legal liability associated with this practice is exponential. 


Given that these scenarios really do happen, what steps can be taken by physicians and other entities? Here are a few suggestions:


• Adopt a "no tolerance" policy and sanctions for non-compliance from the medical staff in relation to HIPAA compliance. Many organizations have these in place.


• Get your Business Associate Agreements in order and keep a log of all the vendors, business associates, and other entities that need to have one — along with the date they were executed.


• Never give your user ID/password to anyone; the system administrator has it.



Will 2016 be Another Year of Healthcare Breaches?


As I listened to a healthcare data security webinar from a leading security vendor, I had to ask: “Are we now experiencing a ‘New Normal’ of complacency with healthcare breaches?” The speaker’s reply: “The only time we hear from healthcare stakeholders is AFTER they have been compromised.”


This did not surprise me. I have seen this trend across the board throughout the healthcare industry. The growing number of cyberattacks and breaches are further evidence there is a ‘New Normal’ of security acceptance — a culture of ‘it-is-what-it-is.’ After eye-popping headlines reveal household names were compromised, one would think security controls would be on the forefront of every healthcare action list. Why then are we seeing more reports on healthcare breaches, year after year? 


This idea comes from the fact that, due to a lack of enforcement, acceptable penalties, and a culture of risk mitigation, more breaches are to be expected in the healthcare industry. Until stricter enforcements and penalties are implemented, a continuation of breaches will occur throughout the industry.


The Office of Civil Rights (OCR), the agency overseeing HIPAA for Health and Human Services, originally scheduled security audits for HIPAA to begin in October 2014. Unfortunately, very few audits have occurred due to the agency being woefully understaffed for their mandate covering the healthcare industry, which accounts for more than 17 percent of the U.S. economy.


Why Sweat a Breach?

Last September, newly appointed OCR deputy director of health information privacy, Deven McGraw, announced the launching of random HIPAA audits. In 2016, it is expected that 200 to 300 covered entities will experience a HIPAA audit, with at least 24 on-site audits anticipated. However, this anticipated figure accounts for less than one percent of all covered entities — not much of an incentive for a CIO/CISO to request additional resources dedicated to cybersecurity.


Organizations within the industry are approaching cybersecurity from a cost/benefit perspective, rather than considering how this potentially affects individual patients. For payers who have been compromised, where will their larger customers go anyway? Is it really worth a customer’s effort to lift-and-shift 30,000, 60,000 or 100,000 employee health plans to another payer in the state? This issue is similar to the financial services industry’s protocol when an individual’s credit card has been compromised and then replaced, or when individuals want to close down a bank account due to poor service: Does anyone really want to go through the frustration with an unknown company?


For some of the more well-known breaches, class-action lawsuits can take years to adjudicate. By then, an individual’s protected health information (PHI) and personally identifiable information (PII) has already been shared on the cybercriminal underground market. In the meantime, customers receive their free two years’ worth of personal security monitoring and protection. Problem solved. Right?


The Cost of Doing Business?

When violations occur, the penalties can sting, but they are just considered part of the cost of doing business. In March 2012, Triple-S of Puerto Rico and the U.S. Virgin Islands, an independent licensee of the Blue Cross Blue Shield Association, agreed to a $3.5 million HIPAA settlement with HHS. In 2012, Blue Cross Blue Shield of Tennessee paid a $1.5 million fine, only to have another HIPAA violation in January 2015.

As of December 2015, the total number of data breaches for the year was 690, exposing 120 million records. However, organizations are unlikely to be penalized unless they fail to prove they have steps in place to prevent attacks. If an organization does not have a plan to respond to a lost or stolen laptop, OCR may well find grounds for fines, but establishing that can be a difficult process. Essentially, whether a fine follows a cyberattack or breach is relative to what the organization can show it had in place beforehand.

A more recent $750,000 settlement with Cancer Care Group was reached in September 2015, nearly three years after the incident itself, which occurred in August 2012. A 2010 breach reported by New York-Presbyterian Hospital and Columbia University wasn't settled until 2014, for $4.8 million. Lahey Hospital and Medical Center's 2011 violation was only settled in November 2015, for $850,000. With settlements taking place several years after an event, treating a settlement as an acceptable risk may appear to be a legitimate risk assessment, further reinforcing the 'New Normal' of cybersecurity acceptance.

At one HIMSS conference, the speaker emphasized to a Florida hospital the need to enforce security controls. They replied with, "If we had to put in place the expected security controls, we would be out of business."

Simply put: The risks of a breach and a related fine do not outweigh the perceived costs of enhancing security controls. For now, cybersecurity professionals may want to keep their cell phones next to the nightstand.

Guillaume Ivaldi's curator insight, April 2, 2016 10:18 AM
Simply amazing: the cost of providing decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than to be fully compliant with the regulation ...
Elisa's curator insight, April 2, 2016 5:47 PM
Simply amazing: the cost of providing decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than to be fully compliant with the regulation ...

Did Doctor Violate HIPAA for Political Campaign?

Federal regulators are reportedly investigating whether a physician in Richmond, Va., violated HIPAA privacy regulations by using patient information to help her campaign for the state senate.


The Philadelphia office of the Department of Health and Human Services' Office for Civil Rights is investigating potential HIPAA violations by Siobhan Dunnavant, M.D., a Republican state senate candidate, after a complaint alleged the obstetrician-gynecologist used her patients' protected health information - including names and addresses - to solicit contributions, volunteers and votes, according to an NBC news report.


Conservative blogger Thomas White tells Information Security Media Group that he reported to HHS earlier this year that letters and emails about Dunnavant's candidacy were sent to her patients prior to the June primary race in the state's 12th district, which includes western Hanover County. White says he notified HHS after receiving a copy of a letter from a Dunnavant patient who was annoyed at receiving the campaign-related communications from her doctor.


"I would love for you to be involved," Dunnavant wrote to patients, also reassuring them that their care would not be impacted if she's elected, according to a copy of a campaign letter posted on the NBC website. "You can connect and get information on my website. There you can sign up to get information, a bumper sticker or yard sign and volunteer," the posted letter states. Other campaign-related material included emails sent to patients that were signed by "Friends of Siobhan Dunnavant," NBC reports and White confirmed, citing reports from patients.


The physician is one of three candidates seeking the state senate seat in the Nov. 3 election.

Patient Confidentiality

A spokeswoman for Dunnavant's medical practice declined to confirm to Information Security Media Group whether OCR is investigating Dunnavant for alleged HIPAA privacy violations. However, in a statement, the spokeswoman said, "We are aware of concerns regarding patient communication, and we are reviewing the issue with the highest rigor and diligence. Please be assured we hold confidentiality of patient information of paramount importance, and thank patients for entrusting us with their care."


A spokeswoman in OCR's Washington headquarters also declined to comment on the situation. "As a matter of policy, the Office for Civil Rights does not release information about current or potential investigations, nor can we opine on this case," she says.


White, editor of varight.com, says he first received a copy of one of Dunnavant's campaign letters in May, and that he was the first to report on the issues raised by the letters. He tells ISMG he filed a complaint with the federal government after he confirmed that the use of patient information for campaign purposes was a potential violation of privacy laws.


Nearly four months later, an investigator in OCR's regional office in Philadelphia, which is responsible for Virginia, on Sept. 29 responded to White's complaint, indicating the doctor's actions would be examined. White says he also confirmed again in a call to OCR on Oct. 28 that the case is still under investigation.


"You allege that Dr. Dunnavant impermissibly used the protected health information of her patients. We have carefully reviewed your allegation and are initiating an investigation to determine if there has been a failure to comply with the requirements of the applicable regulation," OCR wrote to White, according to a copy of the OCR letter that appears on White's website.

HIPAA Regulations

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says Dunnavant's alleged use of patient information raises several HIPAA compliance concerns.


"HHS interprets HIPAA to cover demographic information held by a HIPAA-covered healthcare provider if it is in a context that indicates that the individuals are patients of the provider," he notes. "Healthcare providers must be careful when using patient contact information to mail anything to the patient - even if no specific diagnostic or payment information is used. If a patient's address is used to send marketing communications or other communications unrelated to treatment, payment, or healthcare operations without the patient's authorization, then this may be an impermissible use of protected health information under HIPAA."


If patient contact information is shared with someone else, such as a political campaign, that also could be a HIPAA violation, Greene adds. "The same information that can be found in a phone book - to the extent anyone uses phone books - may be restricted in the hands of healthcare providers."


Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, notes that the HIPAA Privacy Rule has "a blanket prohibition" on a HIPAA covered entity disclosing the protected health information of their patients without first seeking authorization of the individual - except where specifically permitted or required by the rule.


"There is no provision in the privacy rule where a healthcare provider who is a HIPAA covered entity can disclose patient information to a political campaign," he points out.


Because of those restrictions, federal regulators will carefully scrutinize the case, Holtzman predicts. "It is likely that OCR will look closely at the doctor's correspondence for its communication about her candidacy for political office, how to contact the campaign or obtain campaign products as well as the statement that the letter was paid for and authorized by the campaign organization."


An OCR investigation into the alleged violations of the HIPAA Privacy Rule could result in HHS imposing a civil monetary penalty, Holtzman notes. "There are criminal penalties under the HIPAA statute for 'knowingly obtaining or disclosing identifiable health information in violation of the HIPAA statute,'" he adds.

Potential Penalties

Offenses committed with the intent to view, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm are punishable by a fine of up to $250,000 and imprisonment for up to 10 years, Holtzman notes.


"The Department of Justice is responsible for investigating and prosecuting criminal violations of the HIPAA statute," he says. "And changes in the HITECH Act clarified that a covered entity can face both civil penalties for violations of the privacy rule and criminal prosecution for the same incident involving the prohibited disclosure of patient health information."


The U.S. Department of Justice did not respond to ISMG's request for comment on whether it's planning to investigate the Dunnavant case.


HIPAA Compliance and EHR Access

In light of the recent massive security breaches at UCLA Medical Center and Anthem Blue Cross, keeping your EHR secure has become all the more important. However, as organizations work to prevent data breaches, it can be difficult to find a balance between improving security and maintaining accessibility. To that end, HIPAA Chat host Steve Spearman addresses digital access controls, common authentication problems, and how authentication meets HIPAA compliance and helps ensure the integrity of your EHR, even after multiple revisions.


Q: What are access controls?


A: Access controls are mechanisms that appropriately limit access to resources. This includes both physical controls in a building, such as security guards, and digital controls in information systems, such as firewalls. Having and maintaining access controls is a critical and required aspect of HIPAA compliance, and Access Control is the first technical HIPAA Security Standard.


Q: What’s the most common form of digital access control we see in healthcare?


A: The username and password is the most common form of access control by far. The Access Control Standard requires covered entities to give each user a distinct and unique user ID and password in order to access protected information. These unique credentials for each employee enable covered entities to confirm (“authenticate”) the identity of users and to track and audit information access.


Q: What are the most common problems with access controls and use of passwords in healthcare?


A: The most common problem is that covered entities often use multiple systems, each of which may require its own username and password along with its own rules for those credentials, such as a minimum length or the use of capital letters. Memorizing several sets of usernames and passwords for several systems is difficult for most people. On top of that there is the conundrum of complexity versus memorability: complex passwords (longer, with multiple required character types) are better for security but much harder to memorize.


Q: Are stricter password policies always more secure?


A: No. If password requirements are too strict, users resort to coping mechanisms such as writing passwords down or reusing the same password over and over across multiple systems. This compromises security rather than enhancing it. For example, a policy that required 14-character passwords containing lower-case, upper-case, numbers and symbols, expiring every 30 days, would create huge problems for most organizations. Under such a policy, staff would simply write down their passwords, which compromises security: if a bad actor gets hold of a written list of passwords, they have the "keys to the kingdom", the ability to access every account on that list. So passwords should not be written down.

In addition, overly strict password policies tend to overwhelm technical support staff with password reset requests.

So passwords should be sufficiently complex to be hard to crack, which also makes them hard to memorize.


Q: This sounds like a big problem. Do you have any suggestions to make things better?


A: At a minimum, organizations need to provide training to staff on straightforward techniques to create memorable but complex passwords. I have an exquisitely terrible memory. But I have great passwords using one particular technique. Just google “create good memorable passwords” and you can find dozens of videos demonstrating how to do it. But, of course, our favorite is the video featuring our very own, Gypsy, the InfoSec Wonderdog.


Enterprises should seriously consider additional technical solutions such as two factor authentication with single sign on (2FA/SSO).


Q: What is a good, reasonable password policy?


A: I recommend a policy that:


  • Requires a minimum of 8 characters
  • Requires two or three of the four character types: lower-case, upper-case, numbers and symbols
  • Expires passwords every 3 to 6 months
  • Limits reuse of historical passwords so that the previous two cannot be used
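The policy above can be turned into an automated check. The following is an added example written for this page, not code from HIPAA Chat or the practice's own systems; it assumes the upper end of the 3 to 6 month range (180 days), that "two or three" character types means at least two, and that the password history is kept as salted PBKDF2 hashes rather than plaintext (the iteration count is an assumption).

```python
import hashlib
import hmac
import os
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Policy values taken from the recommendation above.
MIN_LENGTH = 8
MIN_CLASSES = 2        # "two or three of" lower-case, upper-case, numbers, symbols
MAX_AGE_DAYS = 180     # 3 to 6 months; the upper bound is assumed here
HISTORY_DEPTH = 2      # the previous two passwords may not be reused
PBKDF2_ROUNDS = 100_000  # assumption: adequate for a demonstration

StoredHash = Tuple[bytes, bytes]  # (salt, digest)


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # anything else is treated as a symbol
    ])


def hash_password(password: str, salt: Optional[bytes] = None) -> StoredHash:
    """Salted PBKDF2-HMAC-SHA256 so the stored history never holds plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, stored: StoredHash) -> bool:
    """Constant-time comparison of a candidate against one stored hash."""
    salt, digest = stored
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def check_policy(password: str, history: List[StoredHash]) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable.
    `history` is ordered most recent first; only the last HISTORY_DEPTH entries are compared."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if any(matches(password, old) for old in history[:HISTORY_DEPTH]):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems


def is_expired(set_on: date, today: date, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once the password is older than the policy allows."""
    return today - set_on > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed sample: a user rotating from one seasonal password to the next.
    previous = [hash_password("Winter2015"), hash_password("Autumn2015")]
    print(check_policy("Winter2015", previous))   # reuse of the most recent password
    print(check_policy("Spring2016", previous))   # acceptable under this policy
    print(is_expired(date(2016, 1, 1), date(2016, 7, 15)))
```

Because reuse is checked against hashes, the history store does not become the "written list of passwords" the answer above warns about; a copy of it does not hand an attacker the keys to the kingdom.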


Q: You mentioned authentication before. What is that? What is two-factor or multi-factor authentication?


A: Authentication is the process of confirming the identity of a person before granting access to a resource. Computer geeks refer to the three factors of authentication:


  • What a user has (an ID badge or phone)
  • What a user knows (a PIN)
  • Who a user is (biometrics)


For example, ATMs use two-factor authentication:

  1. What the user has: an ATM card and
  2. What they know: a PIN.


One of my favorite tools for two factor authentication is Google Authenticator, which runs as an app on my mobile phone. Another common form of two factor authentication is text codes. With this method, after you enter a correct username and password, the website or app sends a text message to your phone containing a numeric code that expires after a few minutes; you enter that code into a second field on the website before access is granted.


Everyone should enable two factor authentication on their most essential systems such as to online banking and to email accounts such as gmail.


In healthcare, there is a growing trend toward biometric authentication, the use of fingerprint readers or palm readers, etc. to authenticate into systems. Biometric authentication is generally very secure and is also very easy to use since there is nothing to memorize.


Q: What is SSO?


A: Single sign-on (SSO) lets users access multiple applications through one authentication event. In other words, one password allows access to multiple systems. It enhances security because users only have to remember one password. And because it is just one, it is commonly a good complex password. Once entered, it will allow access to all the core systems (if enabled) without having to re-authenticate.


Single sign-on combined with two factor authentication or biometrics works well, and the two are often sold together by vendors. The leading SSO/2FA vendor in healthcare is Imprivata, but other vendors are making great inroads into healthcare, such as Duo Security, 2FA.com and Secureauth.com.


Q: What do you mean by “integrity” and what does it have to do with access control and authentication?


A: Integrity, in the Security Standards, refers to the practices used to track and verify all changes made to a health record. It is a condition that allows us to prevent the editing or deletion of records without proper authorization.


Authentication and access controls are the primary means we use to preserve integrity of a record. If the information system is programmed to track its users’ activity, then it’s possible to track who made changes to a record and how they changed it.


This is why users should never share usernames and passwords with other users. Integrity becomes impossible if a username does not signify the same user every time it appears.
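The audit-trail idea in the three answers above can be made concrete: every change to a record is logged against the authenticated user, and each log entry carries a hash of the previous one, so after-the-fact editing or deletion of log entries is detectable. This is an added example for this page, not code from any EHR product; the record identifier, user names and timestamps are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Any, List, Optional

GENESIS = "0" * 64  # the "previous hash" of the first entry


class RecordAuditLog:
    """Append-only, hash-chained change log for one health record.
    Each entry names the authenticated user; if two people shared a username,
    `changes_by` could no longer say who actually made a change."""

    def __init__(self, record_id: str):
        self.record_id = record_id
        self.entries: List[dict] = []

    @staticmethod
    def digest(entry: dict) -> str:
        """SHA-256 over every field except the entry's own hash, serialised deterministically."""
        payload = json.dumps({k: v for k, v in entry.items() if k != "hash"}, sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, user_id: str, field: str, old: Any, new: Any,
               at: Optional[str] = None) -> dict:
        """Record that `user_id` changed `field` from `old` to `new`."""
        entry = {
            "seq": len(self.entries),
            "record": self.record_id,
            "user": user_id,
            "field": field,
            "old": old,
            "new": new,
            "at": at or datetime.now(timezone.utc).isoformat(),
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = self.digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the sequence number of the first entry that breaks the chain, or None if intact.
        Catches edited fields (hash mismatch), removed entries (seq gap) and
        re-hashed entries (the following entry's prev pointer no longer matches)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != self.digest(entry):
                return i
            prev = entry["hash"]
        return None

    def changes_by(self, user_id: str) -> List[dict]:
        """All changes attributed to one authenticated user."""
        return [e for e in self.entries if e["user"] == user_id]


if __name__ == "__main__":
    # Constructed sample record and users.
    log = RecordAuditLog("MRN-0001")
    log.append("nurse.jones", "allergies", None, "penicillin", at="2016-04-01T09:00:00+00:00")
    log.append("dr.smith", "medication", "none", "amoxicillin", at="2016-04-01T09:05:00+00:00")
    log.append("dr.smith", "medication", "amoxicillin", "azithromycin", at="2016-04-01T09:30:00+00:00")
    print("chain intact:", log.verify() is None)
    log.entries[1]["new"] = "oxycodone"   # simulated after-the-fact edit of the log
    print("first broken entry:", log.verify())
```

The chain only proves that the log has not been altered after the fact; it still relies on the access controls and authentication discussed earlier to make the `user` field trustworthy in the first place.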


Q: Any final thoughts?


A: Finding that balance between HIPAA compliance, security and accessibility can be tricky. We recommend reducing digital access controls to a single multi-factor authentication or biometrics event. This single, secure method of authentication could be the balance between security and efficiency needed to keep your EHR secure and yet accessible. In addition to improving accessibility to your system, an MFA or biometrics sign-in method could help improve your organization’s EHR integrity.
