HIPAA Compliance for Medical Practices
69.3K views | +8 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Navigating Mobile Devices and HIPAA

Navigating Mobile Devices and HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

The mobile technology revolution has impacted nearly every industry across the globe, with healthcare being no exception. Hospitals, clinics, and providers have all quickly embraced the use of smartphones and other mobile devices along with the convenience of accessing important medical information quickly.  

Many healthcare organizations are capitalizing on the benefits that mobile devices provide by permitting physicians, nurses, and other healthcare staff to bring their own personal devices (BYOD) to use at work. Other organizations choose to provide their staff with company-owned mobile devices, finding it easier to maintain control and protect their networks. 

 

Although the convenience of mobile technology provides many advantages, it also comes with risks. If mobile data security measures are inadequate, covered entities are at risk of violating HIPAA regulations that can incur heavy fines. HIPAA fines of up to $1.5 million per violation category, per year that the violation has been allowed to persist can be issued by the HHS. In addition, other federal agencies can issue fines, such as the state attorneys general. There is also the considerable cost of a breach response to cover if data is potentially exposed. 

 

The majority of mobile devices do not have robust security controls which can allow devices to be easily compromised. For example, if an unprotected device connects to a network via public Wi-Fi, there is an increased risk of theft. Cybercriminals view mobile devices as an accessible entry point into healthcare networks allowing them to access valuable electronic Protected Health Information.

 

As mobile devices are rapidly becoming an integral part of daily healthcare operations, it is important that organizations fully comprehend healthcare mobile security. (1) HIPAA covered entities that choose to use mobile devices in the workplace must implement controls to protect patient health data.  (2) It is also necessary they review and address all potential mobile data security risks.

 

The HIPAA Security Rule does not require specific technology solutions when it comes to technical safeguards for mobile devices. However, HHS does require organizations to implement reasonable and appropriate security measures for standard operating procedures. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Why Your Dental or Medical Website Needs To Be HIPAA Compliant?

Why Your Dental or Medical Website Needs To Be HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

As the digital world becomes ever more entrenched in our lives, so does crime and information gathering start becoming more advanced. Patient privacy is a serious issue, and while the majority of websites can safely be hosted on the internet without special considerations regarding safety and security, healthcare has no such luxury. In fact, it is vital that all healthcare websites take extra steps to secure their site to be HIPAA compliant.

 

HIPAA And You, What Is It Exactly?

Developed some years ago, HIPAA stands for the Health Insurance Portability and Accountability Act (HIPAA) and was established to provides guidelines and regulations on the security of the personal information of patients. Two elements of this rule create conditions that must be met to be found in compliance with HIPAA rules. These rules are the Privacy Rule, outlining the protection of your patient’s private health information, and the security rule describing the requirements for data security measures.

 

How Can I Make My Website HIPAA Compliant?

It begins with going beyond basic encryption, websites that seek to be HIPAA compliant have to invest in higher level security measures. The only way you can avoid this as part of the medical industry would be if your site doesn’t do any collection or providing of personal information, and avoiding any third-party transactions of data.

 

The first step to securing your website is to utilize SSL security or Secure Sockets Layer. You’ve likely noticed sites like this when they contain the https:// prefix instead of http://. Those sites that have an SSL certificate encrypts communication between the web browser and the server. This is required to be found in compliant with HIPAA laws.

 

You can also make sure that your site is HIPAA compliant by using high security data collection forms that provide additional protection. The basic CMS (Content Management System) provided with most web hosts don’t provide that level of security, so it’s often wise to select a third party form builder that meets the requirements of HIPAA. 

 

Healthcare Website Design

HIPAA compliance is a vital element of your design for a healthcare website, especially as access to technology increases and becomes further integrated with our day to day lives. It is your responsibility as the owner of the website to ensure that your security system meets the strident requirements of this act. Whether you’re a public institution or serve the community as a private practice, your website design company can aid you in providing a secure website that will be approachable and informative for your clientele while maintaining the necessary security protocols.

 

Don’t put your practice at risk with a site that doesn’t protect your patients information appropriately,  To begin designing an attractive website that will serve your patients with the security and peace of mind they deserve. Violations of HIPAA are a serious concern and can result in costly fines and, more importantly, the compromising of your patients privacy.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

9 keys to having a HIPAA-compliant cloud

9 keys to having a HIPAA-compliant cloud | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organizations are increasingly open to the idea of using public cloud services, whether it be applications or infrastructure. But to do so requires thorough planning and vigilant execution of IT operations.

 

Chris Bowen, founder and chief privacy and security officer for ClearDATA, a company that helps healthcare organizations use public cloud services, provides nine examples of controls that can be put in place. 

 

  1. Implement audit controls: Use tools such as AWS’ Cloudtrail and S3 buckets as key components of a logging infrastructure.
  2. Review system activity: Leverage audit logs to enable the review of activity within your system.
  3. Identity and Access management control: Keep track of every user who logs into a cloud environment and what they do; alert administrators if settings are changed. 
  4. Disaster recovery: Ensure there are backups of all data to satisfy contingency plan requirements, including emergency mode operation.
  5. Evaluate your security posture: Conduct vulnerability scans, penetration tests, and code scan on systems processing Personal Health Information (PHI).
  6. Establish a proper Business Associate Agreement: Outline key responsibilities between you and your vendors. These should address responsibilities for keeping data safe, how to provide patients with access to their data, and what to do in the case of a data breach.
  7. Access Controls: Ensure users are unique and logged. Enable auto logoff features, robust authentication features, and stateful security groups.
  8. Encrypt PHI and other sensitive data: Encrypt all data in motion and in rest using a purpose-designed approach.
  9. Ensure transmission security: Effectively enable the proper encryption of data in transit using AES 256 encryption (SSL and TLS) as well as object keys where feasible.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA as an umbrella for county/municipal cybersecurity

HIPAA as an umbrella for county/municipal cybersecurity | HIPAA Compliance for Medical Practices | Scoop.it

Are you a covered entity?

Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.

 

How do you know if you have or are a CE? If some department or division within your organization is a health care provider, a health plan or a health care clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), health care clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.

Are you in compliance?

If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.

 

In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?

 

I suspect what often happens is that executives look at something like information security policy requirements and say:

This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.

 

What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.'

Trust but verify

There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances, and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.

Extend HIPAA to your enterprise

If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that level while also getting compliant with federal law.

 

Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted good practices.

Develop your policy with the HIPAA Security Rule

There are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.

The original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards; Final Rule, is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix on page 48 (8380 of the federal register).

The security standards in HIPAA are broken down into three sections, each of which has multiple layers and subcomponents:

  • Administrative Safeguards (9 components)
  • Physical Safeguards (4 components)
  • Technical Safeguards (5 components)

 

These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.

 

Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.

 

These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.

Next Steps

1. Find out where your organization stands in terms of information security policies and procedures.

2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?

3. Meet with your IG committee to discuss your findings.

4. If you don’t have an IG committee — start one!

5. Download and review the HIPAA Security Rule. Use it to build your organization’s information security policies.

6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintaining continuous improvement.

7. Begin building a culture of security in your organization.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Easiest Complete HIPAA Compliance Checklist You'll Ever See

The Easiest Complete HIPAA Compliance Checklist You'll Ever See | HIPAA Compliance for Medical Practices | Scoop.it
The Best HIPAA Checklist Is…HIPAA Itself?

Yes, basically. First, let’s make sure we’re on the same page about what HIPAA is exactly. HIPAA is federal legislation, as is the HITECH act that updated parts of it. Title II of that legislation relates to the privacy and security of protected health information, and this is the meat of what most physicians need to care about when “HIPAA compliance” comes up.

 

Title II of HIPAA also requires HHS to create federal regulations that implement the ideas in the rest of the act. These regulations spell out exactly what healthcare providers must do, and they are now complete and published in the Code of Federal Regulations (CFR),

 

Luckily, HHS also grouped these regulations into six sections, called “rules,” and these are really the ultimate HIPAA compliance checklist. If you can understand and comply with each of these six rules, you’ll have a good claim to HIPAA compliance. So let’s do it; let’s count down the checklist that HHS gives us:

The Six Rules of the HIPAA Compliance Checklist:

#1: Standardize Your Coding and Electronic Transmissions

This one is easy. HIPAA seeks to make sure that everybody is communicating about healthcare issues in one unified way, and regulations in its “Transactions and Code Sets” rule accomplish this.

One part of this rule specifies what code sets are allowable for describing medical data, including ICD-CM for conditions, NDC for drug names, and CPT/HCPCS for procedures. Another part then defines and mandates the specific electronic transmission formats that can be used to convey the encoded data.

 HIPAA Checklist: How to Comply with Rule 1

  1. Use a compliant electronic health record (EHR).

Simply pick a modern EHR to use in your practice. They will typically use the correct encoding and transmission formats automatically, and you can confirm this with the vendor before you buy anything.

That’s it. Done. Check.

#2: Get Unique Identifiers for You and Your Organization

In the “Identifier Standards” rule, HIPAA mandates that every individual or organization that renders healthcare have a unique 10-digit National Provider Identifier (NPI). Type 1 NPIs are for individuals, and type 2 NPIs are for organizations. NPIs are used in encoding and transmitting healthcare data, and they help enforce clarity. Two doctors may have the same name and practice in the same city, but their differing NPIs will ensure that they are not mistaken for one another.

 HIPAA Checklist: How to Comply with Rule 2

  1. Make sure that all HIPAA-covered entities in your practice have an NPI.

You probably already have an NPI. If you don’t,  you can get one through the National Plan and Provider Enumeration System (NPPES) that HHS runs.

That’s it. Done. Check.

#3: Protect Your Patients’ Privacy

The HIPAA Privacy Rule, in conjunction with the HIPAA Security Rule, constitutes the most important part of HIPAA for most providers. Fundamentally, the Privacy Rule is all about individuals’ health information, termed “protected health information (PHI).” The rule spells out how healthcare entities may use PHI, and it also delineates patients’ rights to be informed of and control those uses.

HHS has written an important summary of the Privacy Rule, and it’s worth a read. High-level points from the summary to internalize:

  • The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information “PHI.”
  • A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A [healthcare] entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish [an intended purpose].
  • Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI and any of its uses and disclosures. They may also demand corrections to it.
  • Each [healthcare] entity, with certain exceptions, must provide a notice of its privacy practices.

 HIPAA Checklist: How to Comply with Rule 3

  1. Designate a “privacy official” in your organization who will be tasked with developing and implementing your privacy policies and procedures and ensure that this person is available to receive requests and complaints related to the Privacy Rule.
  2. Understand the definition of PHI and identify information in your practice that is PHI.
  3. Keep a record of all uses and disclosures of PHI in your practice.
  4. Understand the things your practice must do under the Privacy Rule, especially including those things that relate to your patients’ control over their own PHI.
  5. Understand the things your practice may do under the Privacy Rule, especially including those uses and disclosures of PHI that are allowable without explicit, written patient consent. Always use the concept of “minimum necessary” to guide your uses and disclosures.
  6. Identify your “business associates,” as defined by HIPAA. If another company interacts with PHI from your practice, they are likely a business associate, and you need to have a formal “business associate contract” with them that extends the duties of HIPAA to their operations.
  7. Create a Notice of Privacy Practices. This must contain specific items, and it’s best to start with a template that HHS provides. Know when, where, and to whom this notice must be made available.
  8. Implement administrative, technical, and physical safeguards to prevent impermissible intentional or unintentional use or disclosure of PHI. These should also act to limit incidental uses or disclosures.
  9. Ensure ongoing training of your practice’s workforce on your privacy policies and procedures.
  10. Have your privacy official create and maintain a written document of the policies and procedures that you have developed to accomplish the above items.

Well, this section was a bit longer than the first two, but that’s because the Privacy Rule is so crucial to HIPAA. It is, unfortunately, also critical that you review the Privacy Rule yourself. The checklist above is a good start on minimum necessary activities, but there is no perfect, comprehensive checklist that will work for every type of practice. HIPAA is about ensuring best practices in every type of healthcare provider, and there is no substitute for figuring out what that means for you and your exact practice.

HHS states that the Privacy Rule is comprised of 45 CFR Part 160 and Subparts A and E of 45 CFR Part 164, and you can refer to these directly or, at least, to the HHS Privacy Rule summary to make sure that you are creating and following all of the privacy policies and procedures that your specific practice needs.

#4: Secure Your Electronic Medical Information

The HIPAA Security Rule is a nitty-gritty rundown of “the technical and non-technical safeguards that organizations […] must put in place to secure individuals’ electronic PHI.” That quote comes directly from a Security Rule summary that HHS has written, in which they explain that the Security Rule takes the somewhat amorphous concepts of the Privacy Rule and lays out a more exact framework to implement them.

Unlike the Privacy Rule, which applies to all PHI, the Security Rule applies only to PHI that your practice “receives, maintains or transmits in electronic form.” To comply with the Security Rule, your organization must adopt an ongoing process of risk analysis that has the following general form:

  1. Assess risks to electronic PHI in your organization, the current state of your security measures, and any gaps between the two
  2. Implement “administrative, technical, and physical safeguards” to address the gaps
  3. Document all of steps 1 and 2 and keep the records
  4. Repeat steps 1 to 3 on a periodic basis

That’s it, really. And continuing their pattern of being hugely helpful, HHS has created a seven-part educational paper series that will walk you through this. For the checklist in this section, we’ll lean on these papers heavily…since HHS literally provides checklists in them.

 HIPAA Checklist: How to Comply with Rule 4

  1. Perform a risk analysis for electronic PHI in your organization
  2. Implement safeguards to address security gaps identified by the risk analysis:
    1. Administrative
    2. Physical
    3. Technical
  3. Make sure everything is documented appropriately
  4. Repeat steps 1 to 3 on a periodic basis

Each HHS document linked above has a reproduction of Appendix A of the actual Security Rule, which is effectively a checklist of necessary items to consider for the administrative, physical, and technical safeguards that you need. Some of the documents extend this list with other items, such as the document linked in step 3 above.

As with the Privacy Rule, it’s important that you read the Security Rule yourself at least one time. HHS wrote the rules generally so that they could function for organizations of any size, from one person to thousands, and because of this, only you can decide exactly how your organization can best comply. Per HHS, “The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.” And again, they’ve also written a summary of it.

#5: Understand the Penalties for Violations

The HIPAA Enforcement Rule (codified at 45 CFR Part 160, Subparts C, D, and E) establish procedures for the investigation of possible HIPAA violations and sets civil fines for infractions. Fines can be up to $50,000 per violation per day, so it can add up quickly and is not a joke. Violations can also carry criminal penalties, including fines and jail time, but these are not covered by HHS regulation.

 HIPAA Checklist: How to Comply with Rule 5

  1. You don’t have to do anything ahead of time

If HHS investigates your practice, then this rule becomes relevant to you, but there’s nothing here that you need to do proactively.

#6: Learn How to Handle Information Breaches

The HIPAA Breach Notification Rule (codified at 45 CFR §§ 164.400-414) requires healthcare organizations to provide notification after breaches of PHI. A “breach” is, basically, an impermissible use or disclosure of PHI, as detailed in the HIPAA Privacy Rule. Depending on the type of breach, the notification might need to be made to the affected individuals, the media, or the HHS Secretary. HHS has further guidance available on the topic.

 HIPAA Checklist: How to Comply with Rule 6

  1. You don’t have to do anything ahead of time

Once again, you only need to worry about this rule if you identify a PHI breach, which you should be monitoring for as part of your compliance with the HIPAA Privacy Rule and Security Rule.

 

HIPAA compliance is all about adopting good processes in your organization, and HHS has laid out a path to compliance that is nearly a checklist. All you have to do is follow it.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Our Partners at Compliancy Group Help Client Pass HIPAA Audit

Our Partners at Compliancy Group Help Client Pass HIPAA Audit | HIPAA Compliance for Medical Practices | Scoop.it

Compliancy Group announced today that it has helped a long-time client pass a HIPAA audit. The Department of Health

and Human Services (HHS) Office for Civil Rights (OCR) investigation into a potential HIPAA violation resulted in no fine for a user of their web-based compliance solution, The Guard.

HIPAA audits target hundreds of healthcare professionals a year, according to the HHS Wall of Shame.

 

Compliance Group is the only HIPAA solution on the market today that gives clients access to a HIPAA Audit Response Program (ARP). The Compliance Group HIPAA Audit Response Program gives clients the ability to formulate all the necessary reports that OCR auditors are requesting in order to illustrate their compliance efforts. Compliance Group’s team of expert Compliance Coaches gather the reports and adhere to strict audit deadlines to ensure that clients stand their best chance at emerging from an audit without being fined.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Alliance Marketplace Connects CEs and BAs

HIPAA Alliance Marketplace Connects CEs and BAs | HIPAA Compliance for Medical Practices | Scoop.it

For many healthcare providers, finding HIPAA compliant business associates poses a significant challenge–one with implications on the security of their sensitive healthcare data. The newly launched HIPAA Alliance Marketplace is a platform that simplifies the process for covered entities to find HIPAA compliant business associates.

 

Health care providers can connect with healthcare vendors like never before with confidence that their prospective business partners will keep their data safe and secure.

 

Access to the marketplace is limited to vendors that have been verified by the Compliance Group HIPAA Seal of Compliance. The HIPAA Seal of Compliance is the industry standard, third-party HIPAA verification tool used by health care providers and vendors across the country. The Seal of Compliance demonstrates that the organization in question has executed all of the necessary standards mandated by HIPAA regulation.

 

Vendors can use the marketplace to break into the valuable healthcare market. Whether already HIPAA compliant, or just starting on their journey, vendors can speak with one of Compliance Group’s HIPAA experts to determine the status of their compliance and get listed on the marketplace today.

About the HIPAA Alliance:

 

The HIPAA Alliance Marketplace is a closed ecosystem that allows healthcare professionals (covered entities, CE) to find HIPAA compliant solution providers (business associates, BA). HIPAA compliant vendors in the HIPAA Alliance Marketplace are heavily vetted against the HIPAA rules and verified by the Compliance Group HIPAA Seal of Compliance

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Does HIPAA Restrict Healthcare Professionals from Communicating with Family and Friends?

Does HIPAA Restrict Healthcare Professionals from Communicating with Family and Friends? | HIPAA Compliance for Medical Practices | Scoop.it

Buddy Dyer, the mayor of Orlando, requested a waiver of the HIPAA rules following the June 12 shooting at Pulse Nightclub. Families and loved ones were inquiring about the status of patients located at local hospitals, but were not provided timely reports. Many of the patients being treated at the hospitals in Orlando did not have formalized legal relationships, and the mayor felt HIPAA would slow down the sharing of information with partners.

Some healthcare professionals feel that HIPAA restricts them from providing information about patients to their families and loved ones. There are stories of loved ones denied information about elderly parents or adult children by medical professionals citing HIPAA. In many cases, healthcare professionals do not understand the flexibility of HIPAA.

In order to understand whether Mayor Dyer and healthcare providers need to be concerned about HIPAA restrictions, let’s look at the Law. The waiver described under Section 1135 of the Social Security Act includes suspending certain HIPAA provisions to protect physicians, emergency medical staff, and law enforcement agencies so that they will not face penalties and sanctions for the release of PHI in a crisis.

The suspended requirements are:

  1. 45 C.F.R. § 164.510 requiring healthcare providers to obtain a patient’s agreement so that a medical professional can speak with family members or friends or provide patients the right to opt out of the facility directory;
  2. 45 C.F.R. § 164.520, the requirement to distribute a Notice of Privacy Practices to patients; and
  3. 45 C.F.R. § 164.522, the patient’s right to request privacy restrictions or confidential communications.

In 2010 President Obama issued an executive memo ordering the Department of Health and Human Services (HHS) to address the issue of hospital visitation for same-sex couples. Later that same year, the department prohibited hospitals from discriminating against visitation rights based on sexual orientation and gender identity.

A statement from HHS Assistant Secretary for Public Affairs Kevin Griffis explained the reason why the waiver was not needed in Orlando:

 

Entities such as healthcare organizations, governmental agencies and law enforcement are allowed to exercise professional judgment as stated under HIPAA. For example, PHI communicated by Emergency Medical Technician (EMT) via a radio to the 911 Dispatcher or between other ambulance units is also permitted through the professional judgment definition in HIPAA. For most law enforcement personnel, as well as fire departments, the HIPAA Privacy Rule does not apply to them either as disclosures are needed to perform their job duties. They can release PHI about victims of a vehicle accident or for investigation of a crime scene. The essential part to note is as long as the conversations by the personnel covered under these provisions are related to treatment-related disclosures, there is no HIPAA violation. Hospitals and large health organizations must train their emergency staff on HIPAA and their specific policies and procedures to comply with the regulations.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Employees Are Your Biggest HIPAA Vulnerability 

Employees Are Your Biggest HIPAA Vulnerability  | HIPAA Compliance for Medical Practices | Scoop.it

While 2015 was accurately dubbed “The Year of the Healthcare Hack”, according to Experian’s 2016 Data Breach Report, 2016’s largest threat hits much closer to home – it’s your own employees.

The Experian report states, “While large breaches may be compromising millions of people’s records in one fell swoop, smaller incidents caused by employee negligence will also continue to compromise millions of records each year.” Experian predicts that these employee driven breaches will actually cause more damage.1

These smaller incidents collectively put you at a risk for an OCR audit, which in addition to being a distraction from your business can also lead to fines and penalties. Even if there are no fines or penalties, a minor breach can add up in legal fees, customer notices and above all the cost of customer retention communication.

In most cases these are not malicious employee breaches. The majority will be caused by lack of understanding and complacency. The first is very easy to address, you train and test your employees on your HIPAA Policies and Procedures, as required by HIPAA, so they understand the role they play in protecting health information they touch..

Complacency can be a little more difficult to remedy. Once you have trained your employees on your Policies and Procedures, they go back to their daily routine. Initially, they are more aware of HIPAA and protecting important data, but after a short while they let down their guard. After all, they know their job; they know your customers and a breach has never happened before so they begin to feel immune to the potential dangers. Fortunately, there are two steps you can take to keep your employees sharp:

  1. Educate them about the Value of Healthcare Data – It can be difficult for employees to understand why anyone would go to great lengths to get this health information. Helping them see what that data is worth in the wrong hands will give them more of an appreciation for the Policies and Procedures you’ve put in place to protect it.
  2. Remind them regularly – To maintain your HIPAA compliance, all of your employees should be trained annually, but it is unrealistic to expect them to keep that information at the top of their minds long term. Brief monthly trainings or reminders that touch on just one piece of your Policies and Procedures can be enough to make HIPAA a priority all year long.

Employee breaches may be the biggest threat to healthcare data this year, but it doesn’t have to affect you. The Experian Report points out that, “Organisation that implement regular security training with employees and a culture of security committed to safeguarding data will be better positioned for success.”1

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Personally Identifiable Information: HIPAA Best Practices

Personally Identifiable Information: HIPAA Best Practices | HIPAA Compliance for Medical Practices | Scoop.it

For most healthcare organizations, protecting patient privacy is the most important aspect of HIPAA, and the most difficult. HIPAA uses the term Protected Health Information (PHI) to refer to protected data, but the concept is very similar to the term Personally Identifiable Information (PII), which is used in other compliance regimes. Understanding how PII and PHI overlap can help organizations unify compliance efforts across regimes, reducing the risk, cost and complexity of keeping data safe.

 

PHI vs. PII: As the name implies, personally identifiable information is any data that can identify a person. Certain information like full name, date of birth, address and biometric data are always considered PII. Other data, like first name, first initial and last name or even height or weight may only count as PII in certain circumstances, or when combined with other information.

 

For example, a record that referred to “Mr. Smith in New York” would be unlikely to contain enough information to give away the subject’s identity. If the patient had a less common name and lived in a small city, however, it would probably count as PII, since it would be easy to deduce who the subject was.

 

Although it doesn’t explicitly address personally identifiable information, HIPAA regulates situations like this under the term Protected Health Information. PHI includes anything used in a medical context that can identify patients, such as:

 

  • Name
  • Address
  • Birthday
  • Credit card number
  • Driver’s license
  • Medical records

 

PHI is subject to strict confidentiality and disclosure requirements that don’t apply to most other industries in the United States. In other words, protecting PHI is always legally required, but protecting PII is only mandated in some cases.

 

Developing a Unified Compliance Approach

 

The United States is unusual in having no single privacy and data protection standard or government entity. Instead, American companies face industry-specific laws, along with city, state and international compliance regulations.

 

Although this allows many industries to use consumer data more extensively, it also creates serious compliance risks. For example, because California has tougher PII laws than other states, a company that legally tracks users from Nevada when they visit its website could breach compliance if a Californian surfed in.

Although PHI requirements are strict, a HIPAA compliance checklist won’t necessarily address PCI, EU data protection laws and other regulations. Rather than developing individual programs for each regime, organizations should implement PII security best practices across the board, then iterate to meet remaining, regime-specific rules.

 

Auditing PII: Developing Compliance-Ready Security

 

Good security starts with identifying PII across your organization, whether it’s in medical databases, email, backups or a partner’s IT environment. PII then needs to be categorized by how much harm a breach could cause — a measurement known as the confidentiality impact level. The NIST recommends considering the following factors:

 

  • Identifiability: Is it easy to uniquely identify the individual using the PII?

 

  • Quantity of PII: How many identities could be compromised by a breach? The way your data is organized is a factor. For example, a clinic would likely have more PII at risk if it shared a database with allied clinics than if it maintained a separate database.

 

  • Data Field Sensitivity: How much harm could the data cause, if breached? A phone number is less sensitive than a credit card or social security number, for example. However, if a breach of the phone number would most likely also compromise name, SSN or other personal data, that phone number should be considered sensitive.

 

  • Context of Use: Does the way the information is used affect its impact? For example, imagine your hospital had an opt-in a newsletter to patients, doctors, organizations and other community members. A list of newsletter subscribers would contain the PII of some patients, but that info would be less sensitive than the same PII in patient medical records, since it wouldn’t necessarily indicate patient status.

 

  • Obligations to Protect Confidentiality: What information are you required to protect under HIPAA, HITECH, PCI and other regimes? This is obviously a key consideration for healthcare organizations.

 

  • Access to and Location of PII: The personally identifiable information HIPAA governs is often stored, transported and processed by third party IT services, accessed offsite by medical professionals who aren’t employees of the organization and processed by a variety of business associates. This creates risks that wouldn’t be present, for example, if the PII were locked in a vault, and could only be accessed by one doctor.

 

Implementing PII Security Best Practices

 

Any data you store is potentially vulnerable. Collecting less data and purging unnecessary PII from your records is the easiest way to reduce that vulnerability. You should also de-identify data where possible. When done properly, measures like anonymizing patient feedback and remove or tokenizing PII can take that data out of the scope of HIPAA entirely.

 

Access control is another valuable PII security best practice. Sensitive information should only be accessible by people who need it to do their jobs. For example, front desk staff that don’t handle billing, don’t need access to complete medical records.

In any compliance regime, all sensitive information should be encrypted by default. HIPAA compliant email and encrypted cloud storage prevent hackers from deciphering PII, even if they intercept it.

 

 

Beyond Personally Identifiably Information — HIPAA Business Associates

 

HIPAA goes beyond PII security best practices in its requirements for partner organizations. Under the HIPAA privacy rule, health care providers have considerable legal liability for breaches caused by business associates.

 

Cloud services, contractors, medical claim processors and most other organizations which use, store or process PHI all count as business associates. You need to sign Business Associate Agreements (BAAs) with each of these organizations, describing:

 

  • Appropriate use of PHI
  • Safeguards for protecting breaches
  • Steps to remediate breaches and violations
  • Breach notification procedures

 

Your organization should evaluate business associates carefully to ensure they’re actually capable of holding up their end of the bargain. Organizations should have clearly documented data security policies and practices in place before they sign a BAA, and should voluntarily undergo regular audits to ensure compliance.

 

Beyond Personally Identifiably Information — HIPAA Notices and Notifications

 

HIPAA also has strict requirements for how health information can be used and disclosed, and requires a notice of privacy practices be provided to the patient. The notice of privacy should cover a range of information, including:

 

  • How the organization can use and disclose the patient’s information
  • The patient’s rights
  • The organization’s duty to protect the information, and other legal duties
  • Who the patient should contact for more information

 

HIPAA also has specific rules for breach notification. Under HIPAA compliance best practices organizations must notify anyone whose data has been compromised within 60 days of the breach. Making sure your partners use encryption is crucial. Encrypted data is exempt from breach notification, unless the key is exposed as well. In many cases, this can make the difference between a close call and a costly breach notification.

 

Following PII security best practices helps organizations err on the side of caution. HIPAA isn’t a set of arcane and arbitrary rules to make your life difficult — it’s a useful framework to ensure a high standard of care and confidentiality for your patients. A PII best practices approach simplifies compliance by turning it into a single set of rules that can be used across your organization. That makes it easier to keep patients safe, and ensure sensitive information doesn’t fall through the cracks.

 

 

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

HIPAA’s Role in Fostering Trust between Patients and Providers

HIPAA’s Role in Fostering Trust between Patients and Providers | HIPAA Compliance for Medical Practices | Scoop.it

The following scenario is true, but some of the details have been changed to protect the innocent, and the guilty. The setting is the cramped reception area of a small dental practice. The office manager, who also works the front desk, is on the phone there with a patient.

 

“Julie Jones? This is Dr. Burton’s office. Your lab results are in and they indicate you’ve tested positive for an STD. You’ll need to schedule an appointment as soon as possible with your primary care physician.”

 

Her voice drifts over into the nearby waiting room. A few people look up from the magazines they’ve been flipping through. One of them, who happens to be a neighbor of Ms. Jones, arches an eyebrow and softly clucks her tongue. Information that should be confidential between this office and patient is now dangerously close to public knowledge. With this particular neighbor in the know, people in Julie’s cul-de-sac will probably hear these results well before her current boyfriend.

 

Informing patients of test results is a normal and necessary part of the workday at every office that deals in healthcare. But in this case, having that conversation where it can be overheard violates Ms. Jones’ right to privacy. A right protected by the law known as HIPAA.

 

Privacy. A fundamental patient right.

 

With so much involved in running a successful healthcare practice today, it’s easy to understand how HIPAA has come to be viewed as more of a nuisance than a necessary part of good care. But at its core, HIPAA isn’t about extra logistical hassles or additional work, it’s really about best practices — and creating and maintaining a professional environment that protects every patient’s rights.

 

The relationship patients have with healthcare professionals is one that involves openness, honesty, and a deep level of trust. Patients tell their providers things about themselves that few others know, intimate details of their lives and health histories.

And they expect that their privacy will be respected – by their doctors and dentists, staff members, and other providers such as labs, XRAY services, and anyone and everyone involved in their treatment. Patients expect that outsiders will not be able to access their information, and that those who need to know will be able to view only the information that’s necessary for treatment.

 

This way of dealing with health information is more than professional courtesy, it’s a fundamental patient right – the very issue that HIPAA speaks to, ensuring that patients will know when their rights have been violated and can feel confident that the law will be enforced and violations punished.

 

If patient information isn’t protected, the effects can be far-reaching. In the wrong hands, a person’s health information can be used to tarnish his or her reputation or cause financial harm. In some cases, compromised information can even negatively impact care.

 

HIPAA helps keep patient data safe

Modern technology has facilitated the quick dispersal of information among various entities; HIPAA helps keep all that data safe. From installing firewalls in the office’s computer system to training employees in the proper protocols when contacting patients, HIPAA, in essence, is all about safeguarding every patient’s right to privacy, security and respect.

 

Ensuring a patient’s right to privacy is essential to the practice of good healthcare — and a vital part of the covenant between providers and patients. Implementing the mandates of HIPAA plays an important role in building and maintaining patient trust and a thriving practice.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Why Should HIPAA Compliance Matter to You

Why Should HIPAA Compliance Matter to You | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare Professionals

If you are a healthcare provider or business associate, HIPAA compliance should matter because it is the law. According to the Code of Federal Regulation (CFR), if you are a provider or business associate who utilizes electronic health records, you must ensure the confidentiality, integrity, and availability of all records created, received, maintained, or transmitted. Civil monetary penalties for noncompliance that cause a breach of electronic patient records can be assessed up to $1.5 million. Criminal penalties can range from one to ten years in prison.

I believe one of the biggest issues facing small healthcare providers is lack of knowledge of exact requirements for HIPAA security compliance. Part of the problem for small providers is they often have an unclear understanding of what safeguards need to be in place for electronic health records. I see this as a huge concern. The U.S. Department of Health and Human Services (HHS) does an inadequate job providing specific guidance to small providers. It is difficult to navigate through the HHS website to find particular HIPAA compliance information.

I should know because I used to work for HHS and had oversight of complex health care fraud investigations. We had teams of lawyers and analysts to guide us in the regulatory world, whereas a small healthcare provider, if lucky, maybe will find the necessary guidance on the HHS website. Even then, the information becomes subject to interpretation by a provider with limited exposure to HIPAA regulatory compliance. Ask yourself how comfortable you are with this.

Patients

With more and more healthcare providers utilizing electronic health records, consumers (patients) need to ask those providers if they are doing everything they can to secure their health information. For consumers, HIPAA compliance matters because it equals assurance that the proper safeguards are in place to prevent unauthorized access, tampering, and theft of medical records.

A recent study by the Ponemon Institute found criminal attacks on healthcare providers have increased dramatically, up 100% since 2010. Unlike having credit information stolen where the bank or credit card company may notify the consumer about suspicious activity in a timely manner, health information compromises take longer to recognize. With all the recent emphasis on newsworthy data breaches, this is a wake-up call for patients who must treat their online health information as they would their credit information.

Medical identity theft is a profitable industry for criminals who can make a lot more money selling health information than credit card numbers. According to Dell Secure Works, an information security services company, criminals can get paid $20 for a person’s stolen health identity information, as compared to credit card numbers that may yield $1 to $2 apiece. As a former Assistant Inspector General for Investigations at HHS, I know that Medicare card numbers could be sold for up to $50 apiece. In addition, there is much more personal data at stake with health records, which can include sensitive information such as pre-existing conditions, full-blown medical histories, and prescriptions, along with a plethora of financial, employment, and family information.

So the next time you go to your healthcare provider and you are asked to sign a HIPAA release form, read the fine print. Know your rights and expectations of privacy. Most importantly, ask your providers what they are doing to protect your electronic health records.

Author: Jay Hodes is the President of Colington Security Consulting LLC and the former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, Office of Inspector General. In that position he supervised over 200 Special Agents and professional support staff responsible for health care fraud and medical identity theft investigations throughout the eastern United States.

His company provides assistance with HIPAA Security Rule compliance by conducting risk assessments and writing practice specific risk management plans. The assessments identify vulnerabilities and risks; determine the potential impact and provide a gap analysis action plan to prevent unauthorized access, tampering and theft.

Technical Dr. Inc.'s insight:

<p>Contact Details :<br>inquiry@technicaldr.com or 877-910-0004<br><a href="http://www.technicaldr.com/tdr" rel="nofollow">www.technicaldr.com/tdr</a></p>;

more...
No comment yet.
Scoop.it!

HIPAA Guidance For Small To Mid-Size Medical Practices

HIPAA Guidance For Small To Mid-Size Medical Practices | HIPAA Compliance for Medical Practices | Scoop.it

For small and mid-size medical practices, HIPAA compliance has long been a small problem. After all, it wasn’t very long ago that all but the largest practices could rest relatively easy, knowing their very smallness made them unappealing targets for regulators looking for bigger fish to fry.

 

As long as they didn’t blatantly, repeatedly or intentionally violate HIPAA’s strictures, they rarely rated government action beyond (at most) a warning letter.

 

Those days are now over. The federal government is cracking down harder on practices that violate HIPAA privacy and security regulations by scheduling more frequent audits and issuing stiffer fines. And practices are being forced to respond with more rigorous compliance plans. The same federal stimulus law that offered incentives for practices to purchase electronic health records (EHR) systems also beefed up HIPAA’s privacy and security regulations. If your practice hasn’t reviewed and updated your HIPAA policy recently, then now’s the time.

 

It’s been 12 years since the April 14, 2003, compliance date for the HIPAA Privacy Rule, so most, if not all, physician practices should know better than to post protected health information (PHI) in a public forum such as Google Docs or Dropbox.

 

Here are some simple common sense tips for keeping your practice on the right side of the law:

 

Train your staff. HIPAA requires that you have a training program in place regarding the proper handling of PHI. All staff members must know what they are authorized to view, how to manage computer passwords, what they may and may not say in front of patients, and so on. Providing an annual refresher on this type of training is highly recommended. Make sure everyone, including physicians, receives the training. Document it.

 

Establish written protocols for information access. Staff should have access to the portions of patients’ PHI that are necessary to perform their jobs — and that’s all. This should be perfectly clear and in writing. And your protocols should include examples of the specific types of information that different staff members are authorized to view, based on job function.

 

Use discretion in the reception area. Don’t use public sign-in sheets. Don’t make any mention of the reason for a patient’s appointment until you’re both out of earshot of the waiting room. Make sure computer screens aren’t visible to non-staff members in any public areas of the office.

 

Plan for breaches. What would happen if there were an accidental breach of patient information? Say, someone mistakenly includes patient information in an email attachment, and the attached document includes patient names and Social Security numbers? Or how would you handle an intentional breach? You should prepare a specific response for scenarios like these because they do happen.

 

Use computer passwords correctly. If you have any centralized computer terminals that get used by more than one staffer, make sure everyone logs out whenever they’re finished. To be safe, set up those computers so a login is required after brief periods of inactivity, say two or three minutes. Even if you don’t have centralized computer stations (and most small practices don’t), you should require your employees to change their own passwords every few months.

 

If necessary, hire a consultant to help you comply with HIPAA’s security provisions, which are far more technical than the Privacy Rule. Alas, mere common sense won’t help you determine whether your computer network is properly encrypted. Get help. What’s new is that the government is no longer limiting its enforcement actions to hospitals and the biggest practices.

 

But since most private practices should have been following HIPAA plans for at least 10 years now, it’s likely they’ll need to do little more than review, update, and continue to implement their plan, assuming of course you have a HIPAA compliance plan currently in place.

 

 

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

HIPAA Compliance Tips for Mobile Data Security 

HIPAA Compliance Tips for Mobile Data Security  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance Tips for Mobile Data Security

Nearly 4 out of 5 healthcare providers use a mobile device for professional purposes. These numbers continue to rise as healthcare organizations place an increased focus on efficiency and productivity. (1) Although mobile devices are incredibly efficient and convenient, they also harbor measurable risks for data breach and the exposure of protected health information (PHI).

 

Mobile devices are often more susceptible to theft because they lack the appropriate security controls. In fact, mobile device malware infections have surged 96% from 2015 to 2016. (2)  To avoid hefty penalties and the risk of a data breach, healthcare organizations must develop and implement mobile device procedures and policies that will protect the patient’s health information.

 

Below are five recommendations from HHS (The Department of Health and Human Services) that organizations can take to help manage mobile devices in the healthcare setting:

 

  1. Understand the risks before allowing the use of mobile devices- Decide whether healthcare providers or medical staff will be permitted to use mobile devices to access, receive, transmit, or store patients’ health information or if they will be used as part of the organization’s internal network or systems, such as an electronic health record system.
  2. Conduct a risk analysis to identify threats and vulnerabilities- Consider the risks to your organization when permitting the use of mobile devices to transmit health information Solo providers may conduct the risk analysis on their practice, however, those working for a large provider, the organization may conduct it.
  3. Identify a mobile device risk management strategy, including privacy and security safeguards- A risk management strategy will help healthcare organizations develop and implement mobile device safeguards to reduce risks identified in the risk analysis. Include the evaluation and regular maintenance of the mobile device safeguards put in place.
  4. Develop, document, and implement mobile device policies and procedures to safeguard health information. Some topics to consider when developing mobile device policies and procedures are:
    1. Mobile device management
    2. Using your own device
    3. Restrictions on mobile device use
    4. Security or configuration settings for mobile devices
  5. Conduct mobile device privacy and security awareness and ongoing training/education for providers and professionals.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What's in Our 2018 SecurityMetrics HIPAA Guide?

What's in Our 2018 SecurityMetrics HIPAA Guide? | HIPAA Compliance for Medical Practices | Scoop.it
 We are thrilled to announce the release of our brand-new HIPAA Guide! No matter the size of your organization, you can use this guide to understand and handle the more challenging requirements of HIPAA. In fact, it's already coming in handy for many of our partners. See what some of them have to say:

"The HIPAA Guidebook is one of the best references. It's well-organized and easy for our medical office staff and providers to understand." -Hedy Haun, Sr. Process Analyst,  SHARP Medical Group

"Words cannot express what the HIPAA Guide represents to me and all of Curis. It's like an encyclopedia for us." -George Arnau,  Curis Practice Solutions

A better way to read and utilize our HIPAA guide


Just like many of our partners report back to us, our HIPAA Guide is best utilized as "desk-side reference." In order to increase the guide's usefulness to you, we've added a new section called "How to Read This Guide." It includes a color-coded system, with reading suggestions based on your familiarity with HIPAA: beginning, intermediate, and advanced. This section discusses the skill levels likely required for policy and procedure implementation.

We understand there are many job descriptions that require HIPAA understanding, so whether you're a brand-new employee or a seasoned systems administrator--our guide is meant for you.

 We also include a "Terms and Definitions" glossary at the end of the 135-page guide. This is meant to help familiarize you with data security and tech terms you may not already know.

Ultimately, we want to help you keep your patients' and customers' data safe and secure. By helping you address the most complicated aspects of data security and HIPAA , we aim to equip you with practical knowledge you can use in meetings and trainings, while drafting policies and procedures, and when making decisions about security at your practice.

Survey Data and HIPAA industry trends

This year, we conducted four surveys and received responses from over 300 healthcare professionals. These professionals are responsible for HIPAA compliance at their organizations, and work primarily at companies with less than 500 employees. And while larger organizations tend to have better HIPAA compliance, it's important that those larger organizations still take note of compliance trends at organizations of all sizes, since they will likely share data and interact with them (for instance, when a large hospital sends patient records to a smaller specialty clinic).

We asked respondents about security habits at their organizations. Training and encryption continue to challenge HIPAA teams, while many organizations fare well in the area of risk analysis. Here are just a few of our survey results:

  • 6% of organizations do not conduct a formal risk analysis
  • 16% of organizations report they send emails with unencrypted patient data
  • 34% of organizations train employees on the HIPAA Breach Notification Rule

Top Tips for Better Data Security 

As lead SecurityMetrics HIPAA auditor Brand Barney says, "Our guide was specifically created to help covered entities and business associates address the most problematic issues within HIPAA compliance.”

So, the guide focuses on commonly challenging aspects of the HIPAA Privacy, Breach Notification, and Security Rules, including:

•   Incident response plans
•   PHI encryption
•   Business associate agreements
•   Mobile device security
•   HIPAA-compliant emails
•   Remote access
•   Vulnerability scanning
•   Penetration testing

A proactive, offense-minded approach

Even with steep penalties in place, HIPAA compliance--particularly when it comes to security--is often not as complete as is thought or hoped for. In fact, according to the Identity Theft Resource Center , 24.7% of data breaches in 2017 were healthcare-related. Education is the first line of defense, so becoming familiar with the guide is one of the best ways you can proactively protect your organization from a potentially devastating data breach.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

6 things software vendors need to know about HIPAA compliance

6 things software vendors need to know about HIPAA compliance | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance

 

Many people are loosely familiar with the Health Insurance Portability and Accountability Act (HIPAA) and usually associate it with hospitals, clinics, and health insurance companies. However, it can be less clear how HIPAA compliance standards apply to countless other software vendors, SaaS providers that work with healthcare-related businesses or handle protected health information (PHI). In recent months, the Office for Civil Rights has been coming down hard on HIPAA violators, doling out some of the large fines – upwards of $5 million. So in order to ensure your business is protected and to maintain your brand reputation, it is vital to know the ins and outs of HIPAA compliance. With this in mind,

 

How do you know if you need to be HIPAA compliant?

 

In short, HIPAA rules apply to both Covered Entities (health insurance companies, HMOs, company health plans, etc.) and their business associates (a vendor or subcontractor who has access to PHI). What this means for business associates is that even if you’re a service provider or vendor who isn’t in the healthcare industry - like an all-flash storage company - you may still need to be HIPAA compliant indirectly due to the fact that your organization stores PHI. The first step here is to determine whether your organization handles PHI. If you do, your next step is to look through the

 

Look to your current vendors for guidance

 

Once you determine that you need to be compliant, there’s no need to go on a hiring spree to ensure you have the necessary resources in-house. Many of your existing vendors may already cover key HIPAA compliance requirements. Any good service provider should be able to tell you whether they are HIPAA compliant and what controls they can cover. If so, it is important that they are also willing to sign a Business Associate Agreement (BAA) - a negotiation between Covered Entities and any third-party vendors that have access to their PHI.

 

Look for specific types of technology that can help to streamline the process

 

If none of your existing vendors can help with HIPAA compliance, turn to a managed service provider to do the heavy lifting and help your business attain and maintain compliance, so you can focus resources on driving business. Additionally, they can strengthen the security technology, processes, and controls they use to keep customer information secure. For example, if you’re looking for a secure way to continue work-from-home programs at your organization through remote desktops, HIPAA compliant Desktop-as-a-Service (DaaS) vendors are a great option to both fill specific needs for your business and drastically simplify compliance.

 

Don’t forget about maintenance

 

A key stumbling block for many organizations tends to be maintaining a constantly evolving set of compliance standards. HIPAA compliance certification is valid only at that moment – it is then up to the company to maintain compliance which is easier said than done. Some important things to keep the top of mind for maintenance include 1) completing a HIPAA Risk Analysis document and audit at least once a year, and 2) assessing employees year-round to make sure they are doing their jobs in a HIPAA compliant manner, following all stated company policies and procedures.

 

Know who is responsible for HIPAA compliance

 

Another challenge accompanying HIPAA compliance may sound simple, but is one that oftentimes goes overlooked - precisely who internally is responsible for compliance? For non-healthcare organizations, a company is unlikely to have a designated in-house role such as a Privacy and Security Officer, and therefore the responsibility often falls on security or operations departments. However, it’s likely that neither of these departments has a full understanding or stake in HIPAA compliance. Regardless of who is taking the reins, it is important that the role is clearly demarcated and that person or department knows what is expected of them. Additionally, it’s critical that they work together with other departments as needed to ensure a well-rounded HIPAA strategy. Case in point - a recent

 

Keep HIPAA compliance top of mind for staff

 

Regardless of who is in charge, it is important that all your staff be mindful of maintaining HIPAA compliance. Human error can become one of the biggest obstacles to maintaining compliance, especially when employees may not even realize their company deals with PHI. For example, the same NueMD survey also found that only 58% of respondents were providing training for their staff annually. HR teams can proactively assist with this by reminding staff of regular HIPAA training, updates on compliance standards changes and keeping visible HIPAA compliance checklists posted in work areas.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Keep Your Practice’s Communication HIPAA-Compliant

How to Keep Your Practice’s Communication HIPAA-Compliant | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA compliance is a top concern for medical practices, and for good reason–violations can result in serious consequences, including large fines and potentially even jail time. To make things more complicated, the laws themselves tend to be rather vague on what actions practices need to take to become HIPAA-compliant.

Medical practices need to protect private patient data, but they also need to be able to go about the daily business of running a practice as efficiently as possible. Technology can certainly make day-to-day operations more efficient, but new technologies also bring about new concerns with HIPAA compliance. Many practices are hesitant to adopt new technology for that very reason.

When practices do decide that they want to use technology to communicate with patients and other practices, it can be difficult to figure out where to begin because HIPAA laws can be quite vague. Practices don’t want to slip up and have to pay the price (often, quite literally) for a violation.

 

So, what can you do to keep your practice’s communications on the right side of HIPAA guidelines? We highly recommend working with an expert on HIPAA laws to make sure your communication is always compliant.

 

If you’d like to learn more on what HIPAA-compliant communication entails throughout your practice, including marketing efforts, emails, appointment reminders, patient portals, and communication with other practices, we have put together this list of helpful resources to help you stay up to date on the latest recommended best practices for HIPAA-compliant communication.

Emailing Patients

Patients who are always on-the-go may prefer to communicate with you via email. If patients request email communication, you must make that option available to them, but you still need to take the proper precautions to protect your patients and your practice from HIPAA violations.

Appointment Reminders

Even appointment reminders can be considered private health information if done improperly. You may wish to use technology to automate this routine process and free up your employees’ time for other tasks, but you need to make sure that you aren’t inadvertently giving away private patient information in the process.

Patient Portals

Practices are required to implement and use a patient portal to meet Meaningful Use requirements. However, patient portals are still subject to HIPAA laws and may, in fact, pose the greatest security risk of all practice communications because of the amount of information they contain. Always do your research before choosing a vendor for your patient portal to make sure they will keep you covered.

 

Communicating with Other Practices

It’s important for your practice to be able to communicate with your patients’ other health care providers to be able to provide the most comprehensive care possible. However, it can be quite challenging to communicate with other practices in a manner that is both efficient and HIPAA-compliant. These resources include suggestions on improving your communication strategies while protecting private information.

 

The Dangers of Sharing Patient Information via Text/IM

As a healthcare provider, your days are usually very busy, and it’s likely that the doctors you need to communicate with are equally as busy. When you need to share information, whether it’s a quick update on a patient or a request for a consult, it can be tempting to just send a quick text or instant message. If texting/instant messaging is your preferred form of communication with other doctors, you need to approach with caution.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

5 FAQs on HIPAA Compliance In The Cloud

5 FAQs on HIPAA Compliance In The Cloud | HIPAA Compliance for Medical Practices | Scoop.it

The Cloud Is Viable For HIPAA Applications
To ensure the protection of patient data, the Health Insurance Portability and Accountability Act (HIPAA) lays out guidelines that all companies in the health industry must follow—from primary care providers to data-handling agencies and third-party vendors. HIPAA rules often are complex, however. As a result, some companies inadvertently make mistakes, and others simply remain noncompliant for a variety of other reasons, leaving them subject to penalties that could add up to millions of dollars. Here’s a look at five key FAQs about HIPAA compliance and cloud computing.

 

FAQ 1: What’s Covered Under HIPAA?
The short answer: just about everything. Any piece of data that contains personally identifiable information about a patient, any type of treatment plan, or even aggregate data samples that could be traced back to individuals is covered by HIPAA. Your best bet: Assume everything falls under the scope of the law rather than trying to pick and choose.

 

FAQ 2: Is Cloud Storage Acceptable?
Absolutely. There’s no requirement for HIPAA data to be stored on-site or handled by a specific agency. In fact, it’s not the cloud itself that’s the problem when there is a problem—it’s how data is transmitted, handled, and stored in the cloud that often lands companies in hot water.

 

FAQ 3: What’s the Difference Between Covered Entities and Business Associates?
A covered entity is effectively the “owner” of a health record—for example, the primary care facility that first creates a patient profile or enters test results into its electronic health records system. Business associates, meanwhile, include any other company that handles this data. This means that cloud providers, third parties that offer on-site IT services, or other health agencies that access this data all qualify as business associates.

 

FAQ 4: Who Is Responsible for Health Data in the Cloud?
Ultimately, the covered entity bears responsibility for HIPAA-compliant handling. While business associates also can come under fire for not properly storing or encrypting data in their care, it’s up to the covered entity to ensure they’re able to audit the movement, storage and use of their HIPAA data over time.

 

FAQ 5: What Does “HIPAA Compliant” Really Mean?
While there is no official “HIPAA compliance” standard or certification that providers can obtain, it’s worth looking for other certifications that indicate good data-handling practices, such as PCI-DSS, SSAE 16, ISO 27001 and FIPS 140.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The HIPAA Privacy and HIPAA Security Rules

The HIPAA Privacy and HIPAA Security Rules | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.

THE HIPAA PRIVACY AND HIPAA SECURITY RULES

According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. Additionally, the Security Rule establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form. The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals’ electronic PHI (e-PHI). Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

THE NEED FOR HIPAA COMPLIANCE

As HHS points out, as health care providers and other entities dealing with PHI move to computerized operations, including computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, HIPAA compliance is more important than ever. Similarly, health plans provide access to claims as well as care management and self-service applications. While all of these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data. The Security Rule is in place to protect the privacy of individuals’ health information, while at the same time allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule, by design, is flexible enough to allow a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to patients’ and consumers’ e-PHI.

PHYSICAL AND TECHNICAL SAFEGUARDS, POLICIES, AND HIPAA COMPLIANCE

The HHS requires physical and technical safeguards for organizations hosting sensitive patient data. These physical safeguards include…

  • Limited facility access and control with authorized access in place
  • Policies about use and access to workstations and electronic media
  • Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI

Along the same lines, the technical safeguards of HIPAA require access control allowing only for authorized personnel to access ePHI. Access control includes…

  • Using unique user IDS, emergency access procedures, automatic log off, and encryption and decryption
  • Audit reports or tracking logs that record activity on hardware and software

Other technical policies for HIPAA compliance need to cover integrity controls, or measures put in place to confirm that ePHI is not altered or destroyed. IT disaster recovery and offsite backup are key components that ensure that electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact. One final technical safeguard is a network or transmission security that ensures HIPAA compliant hosts protect against unauthorized access to ePHI. This safeguard addresses all methods of data transmission, including email, internet, or private network, such as a private cloud.

To help ensure HIPAA compliance, the U.S. government passed a supplemental act, The Health Information Technology for Economic and Clinical Health (HITECH) Act, which raises penalties for health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was put into place due to the development of health technology and the increased use, storage, and transmission of electronic health information.

DATA PROTECTION FOR HEALTHCARE ORGANIZATIONS AND MEETING HIPAA COMPLIANCE

Clearly, the need for data security has grown as the proliferation of electronic patient data grows. High-quality care today requires healthcare organizations to meet the accelerated demand for data; yet, they must ensure HIPAA compliance and protect PHI. Make sure that you have a data protection strategy in place that allows your organization to:

  • Ensure the security and availability of PHI to maintain the trust of practitioners and patients
  • Meet HIPAA and HITECH regulations for access, audit, and integrity controls as well as for data transmission and device security
  • Maintain greater visibility and control of sensitive data throughout the organization

The best data protection solutions recognize and protect patient data in all forms, including structured and unstructured data, emails, documents, and scans while allowing healthcare providers to share data securely to ensure the best possible patient care. Patients entrust their health care to your organization; you need to take care of their protected health information as well.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Consequences for HIPAA Violations

Consequences for HIPAA Violations | HIPAA Compliance for Medical Practices | Scoop.it

A recent HHS Office for Civil Rights email blast outlined a story that many of us have heard before, another business closed with significant monies paid out in fines. Filefax, Inc. has agreed to pay $100,000 in order to settle potential violations of the HIPAA Privacy Rule. Once a medical records storage company for covered entities, Filefax shut their doors during the OCR investigation yet could not escape additional fines and penalties that followed after their doors were closed. The bottom line, HIPAA violations do not stop just because a business closes.

 

The consequences of HIPAA violations are significant and far reaching. Beyond the financial ramifications, organizations stand to lose their good standing reputation, client/patient trust and their ability to operate a business. It can take organizations months, even years to recover from penalties if they ever do, so why have so many of us read the headlines but not heeded the warnings?

What Qualifies as a HIPAA Violation?

A HIPAA violation occurs when either a covered entity (CE) or business associate (BA) fails to comply with one of more provisions of the HIPAA Security, Privacy or Breach Notification Rules. Violations may result for a number of reasons and may be deliberate or unintentional.

  • Example of a Deliberate Violation – Inadequate Privacy training for clinical staff which results in a patient complaint regarding disclosing their full identity through a verbal announcement in a waiting area or hospital emergency room.
  • Example of a Unintentional Violation – Commonly this is a symptom of negligence such as: failure to complete a Security Risk Analysis, failure to employ encryption for laptops/electronic media resulting in loss/theft or failure to maintain policies and procedures instructing staff members on how to appropriately handle protected health information (PHI.)
Penalties and Fines

The penalties and/or fines administered by OCR are based on the severity of each HIPAA violation. Some HIPAA violations can be expensive and vary greatly in cost based on the level of negligence displayed. Contrary to what the headlines may lead you to believe, OCR will first strive to resolve violations using non-punitive measures such as issuing guidance to help the provider fix the areas without issuing a fine however that is not always possible.

If a penalty is issued, it can range in cost from $100 to $50,000 per violation (or record) with a maximum penalty of $1.5 million per year of violations of an identical provision. OCR takes many different factors into account when determining what is the appropriate financial penalty and uses a four tiered approach as shown in the image below. A few of these factors include: number of patients affected, what specific data was exposed and for how long, etc. Along with the financial ramifications, HIPAA violations can also carry criminal charges that may result in jail time if warranted.

 

Avoidance is Key

Being that the stakes are high and much is on the line, how does a practice or organization protect themselves against HIPAA violations? Show due-diligence.  The best task to start with is complete a comprehensive, organization wide HIPAA risk analysis to determine any gaps in compliance. Without a baseline knowledge about their security, privacy and breach-notification posture, both CE’s and BA’s operate day to day unaware of their security vulnerabilities which can directly lead to HIPAA violations and data breaches.

 

Unsure where your organization stands? Take our short 5-minute HIPAA compliance quiz designed to quickly outline your organization’s basic level of compliance.

 

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Health Data Collected by App Developers not regulated by HIPAA

Health Data Collected by App Developers not regulated by HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

It seems that your medical data may not be as protected as you might first assume.

A recent report from the Department of Health and Human Services showed that the vast majority of mobile health apps on the marketplace aren’t covered by HIPAA, the Health Information Portability and Accountability Act of 1996.

HIPAA currently applies only to traditional medical establishments, such as hospitals, doctors and health insurance providers. Apps or devices used in conjunction with a doctor’s office or a hospital are not legally allowed to share or sell your information. However, there is no definitive federal law governing what happens to the data that an app developer, tech company or private individual collects.

Typically a patient using a third-party developed app enters medical information, which is then sent in some form to a physician. The data in a patients medical record would be covered by HIPAA, however the data that the third-party app developer collected would not be.

Despite being identical sets of data, stored in different computers, they have different levels of protection.

App companies although not governed by HIPAA, are better to be focussed on abiding by the standards. Any app developer found to be using unfair or deceptive practices with regards to user medical data, could be held accountable by the FTC.

As Federal regulations are increased to include app data collected by third-party developers, this will continue to be a legal grey area, and one that patients, doctors and developers all need to be aware of.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Where Is HIPAA Taking Physician Practices?

Where Is HIPAA Taking Physician Practices? | HIPAA Compliance for Medical Practices | Scoop.it

Introduction:

Several provisions of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, were intended to encourage electronic data interchange (EDI) and safeguard the security, privacy, and confidentiality of patient health information In the context of this act, security is the means by which confidentiality and privacy are insured. Confidentially defines how patient data can be protected from inappropriate access, while privacy is concerned with who should have access to the patient data. This article explores how the policies stipulated by HIPAA are shaping the practice of medicine and will likely affect your practice in the future.

 

HIPAA Security vs Innovation:

If you're a typical small-practice physician, odds are that you view HIPAA as simply another federally mandated cost of practising medicine, regardless of the intended outcome of the act. This position is understandable, given the cost of mandated training for you and your office staff. Furthermore, if your practice is computerised, then you'll need to spend even more money on software upgrades and possibly additional training from the vendor.

HIPAA rules and regulations are complex, in part because much of compliance is open to interpretation. For example, security issues, which are predominantly in the domain of software and hardware vendors, are based on “risk assessment,” not specific technology standards. The act doesn't stipulate specific technologies or endorse nationally recognised procedures, but leaves it up to the physician practice or medical enterprise to ensure that patient health data are secure. (HIPAA's security standards take effect on April 20, 2005, for all “covered entities” except small health plans However, because HIPAA enforcement is complaint-driven – there are no “HIPAA Police” checking to see that your practice meets the law's requirements – differences in interpretation of the act are likely to end up in a courtroom at some point. For this reason, some experts recommend assessment of HIPAA compliance by outside counsel.

Most physicians are understandably concerned with the immediate compliance issues surrounding HIPAA and privacy and confidentiality of patient data. Even though the security standards were designed to be “technology-neutral,” the vagaries of these requirements are having a direct impact on medicine beyond the acute phase of compliance, especially in the introduction of new technologies in the clinical arena. New technologies, from wireless to tablet PCs, bring with them added functionality, potential workflow enhancements, and efficiencies – as well as new HIPAA security compliance issues.

Consider, for example, the effect of HIPAA's privacy rules on a physician contemplating the purchase of a Palm Pilot or other PDA. Even late adopters have probably observed the benefit of PDAs. Need to share patient data? Just beam it across the infrared link from one PDA to the next. Need to review patient lab data? Just touch the screen and the data are only a second away.

But it isn't that simple once HIPAA enters into the picture. Now a PDA carrying patient data is a compliance concern, as HIPAA's privacy rule applies to all mediums of a patient's protected health information, whether it's print, verbal, or electronic. Does your PDA have a login and auto logout feature? If not, then anyone could take your PDA and look up patient data. Consider the liability issues if you forgot your PDA at a coffee shop and someone picked it up and scanned through your list of patients. But with a login screen, one of the major benefits of a PDA – instant access to data – is lost.

If you use one of the wireless PDAs, such as the BlackBerry, then there are additional HIPAA-related issues: Does your PDA support the encryption of email and patient data it sends over the Internet? Is the encryption enabled? Is the level of encryption good enough for HIPAA?

Perhaps you've been considering adding a wireless (WiFi) LAN to your clinic or practice. You may have good reason to; wireless will allow you to carry a laptop into examining rooms for decision support and not have to worry about Ethernet cords. But considering HIPAA, is your WiFi system secure? Is the data encryption good enough? If not, will you have to buy new PCs and PDAs, or simply upgrade the operating systems? Do you need to hire a consultant? Maybe it's easier to simply string cables to each office and forget about the laptop this year. Or maybe it would be better to hold off on the computer-assisted decision support project altogether.

Paradoxically, although proponents of HIPAA once thought that it would enhance the move toward the electronic medical record (EMR), I believe that it is having the opposite effect. Because of the uncertainty surrounding HIPAA compliance and whether the legal system will be swamped with cases alleging violations of privacy, it's simply safer for small practices to stay with paper charts, and let the big medical practices deal with the inevitable lawsuits.

This brings up another cost issue: Does your insurance cover a patient suit over HIPAA? If so, how inclusive is the insurance? For example, let's say your practice regularly sends digital audio files overseas for transcription. You send the audio files and receive text documents a day later. Do you know how the patient data are handled at the transcription service? If a transcriptionist overseas decides to protest his or her low wages by posting a transcription of your patient's clinic visit openly on the Web, are you liable? Will your insurer pay? This example isn't as far-fetched as it might seem. In October 2003, a disgruntled Pakistani transcriber threatened the University of California-San Francisco over back pay.[3] She threatened to post patients' confidential files on the Internet unless she was paid more money. To show that she was serious, she sent UCSF an unencrypted email with a patient record attached.

 

HIPAA, Privacy, and the Physician:

Whereas compliance with HIPAA's upcoming security requirements is largely in the purview of vendors and the information services department in most larger medical centres, privacy concerns are usually addressed at the physician level. Consider the major privacy provisions of the act, most of which took effect in April 2003, listed in the Table.

Major Privacy Components of HIPAA, Based on Data From the DHHS.

Implementing each of these privacy components falls squarely on you and your office staff. You, your office manager, or someone else in your practice must be designated the Privacy Officer and given the responsibility of ensuring compliance with the act. If you haven't already had at least 1 practice walk-through with the major privacy provisions, make sure you do so.

 

 

 
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Should You Consider HIPAA Compliance?

Should You Consider HIPAA Compliance? | HIPAA Compliance for Medical Practices | Scoop.it

Protecting private patient information is crucial, especially in this day and age of online storage and transactions. As the media reports more and more healthcare-related security breaches, it may be time for you to find out if you need to be HIPAA Compliant. Designed to protect patients, HIPAA is required for many businesses that deal with private health data. While there is much more to HIPAA than the data center where your data is stored, Liquid Web can be an important part of your overall compliance with HIPAA standards. At Liquid Web, we provide the utmost in security with our compliant network solutions, physical and data security measures, highly available infrastructure, and 24/7/365 onsite HIPAA trained staff. In combination with our recommended HIPAA Compliant hosting plans, we can help you achieve the compliance you need.

So how do you know if you should become HIPAA Compliant? We’ve gathered some helpful information that might set you on the right track.

What is HIPAA anyway?

HIPAA, or Health Insurance Portability & Accountability Act, is a strict set of regulations created in order to keep critical health information secure and confidential. This is especially important as many organizations that deal with patient health information store that data digitally. Recent large healthcare security breaches have only cemented the importance of HIPAA Compliance for your business and customers.

What kind of data is protected by HIPAA standards?

Any private medical data needs to remain confidential and secure, including but not limited to health records, patient charts, health insurance claim information, lab results, x-rays, and surgery documentation. HIPAA calls this data “ePHI,” or electronic protected health information.

What kind of businesses are required to comply with HIPAA?

The U.S. Department of Health & Human Services (HHS) have defined the businesses required to comply with HIPAA as “Covered Entities,” but only if they transmit any information in an electronic form in connection with a transaction for which HHS has developed a standard. Covered Entities included are as follows:

  • Healthcare Providers – Including doctor’s offices, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
  • Health Plans – Including health insurance companies, HMOs, company health plans, and government programs like Medicare and Medicaid.
  • Healthcare Clearinghouses – Including businesses that process health information from another entity either from a non-standard form to a standard form, or vice versa.

 

In addition, HIPAA applies to any business working with a covered entity to carry out its health care activities. Liquid Web could be one such “Business Associate” or “Sub-Contractor Business Associate.” When a covered entity enlists a business associate like Liquid Web for assistance in storing health information, a Business Associate Agreement might be needed to lay out the responsibilities of each party.

 

 

Why comply with HIPAA Standards?

These HIPAA standards exist to protect your patients’ confidentiality and privacy, ensuring your business has a trustworthy reputation. In addition, those that do not comply with the standards face being shut down and/or heavily fined. HIPAA’s standards are enforced through investigating complaints filed with the HHS and through conducting compliance reviews.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Don't Confuse EHR HIPAA Compliance With Total HIPAA Compliance

Don't Confuse EHR HIPAA Compliance With Total HIPAA Compliance | HIPAA Compliance for Medical Practices | Scoop.it

Electronic health records (EHR) systems are revolutionizing the collection and standardization of patient medical information. Never before has it been so easy for healthcare practitioners to have patient information so readily available, allowing for more efficient and accurate care.

Unfortunately, what many organizations today don’t realize is, just because their EHRsystem is compliant with HIPAA security standards, their entity as a whole may not be fully compliant.

Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true.

Privacy and security are much more than simply having a HIPAA compliant EHR. It is truly frightening when I hear a healthcare company, or even worse, an EHR vendor, claim their EHR system covers all of a healthcare company’s HIPAA requirements. Even for cloud-based EHR systems, this simply is not the case.

Maintaining a secure EHR system

The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards to be in place for the purpose of protecting PHI.

In our ever-changing digital environment, it’s critical that healthcare organizations regularly assess their security programs as a whole to ensure they have the policies, procedures, and security measures in place to better protect patient information and avoid costly regulatory enforcements.

Unfortunately, addressing risks to electronic patient data is not always a top priority.

We need to get the message out that HIPAA compliance (and the protection of patient data) cannot be relegated to simply checking a box (i.e., my EHR system is compliant, therefore, my practice is compliant, too). HIPAA compliance must, instead, be addressed across an organization wherever patient data is present.

Understand current security measures

The ongoing responsibility of managing patient data throughout an organization requires an organized, well-thought-out approach to risk management. No matter how small or long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they shouldbe doing in the future.

While some EHR systems and their related equipment have security features built into or provided as part of a service, they are not always configured or enabled properly. In addition, medical equipment is often web-enabled (can connect remotely to send information to a server), but that equipment may not be checked for proper security.

As the guardian of patient health information, it is up to each healthcare organization to learn and understand the basic features of their IT assets and medical devices, what security mechanisms are in place, and how to use them.

There are a number of actions an entity can take to make sure that their EHR systems and IT assets are secure. Such measures leverage an integrated use of data loss prevention tools, intrusion prevention, anti-malware, file integrity monitoring, robust identity management and authentication programs, role-based access and data security solutions.

The road to HIPAA compliance

Creating adequate safeguards does not happen overnight. While it may seem overwhelming and time-consuming at first (due to HIPAA’s complex nature), the biggest obstacle to overcome is actually getting the entire process started.

Begin by carving out a regular, weekly routine – perhaps starting at 30 minutes per week when your staff members who are responsible for HIPAA compliance can meet to discuss the privacy and security of patient data.

Here are some specific actions your entity should take when working to protect patient information:

  • Have a designated HIPAA-assigned compliance officer or team member. Clearly and specifically lay out the roles of everyone in your organization involved with HIPAA compliance responsibilities.
  • Ensure that access to ePHI is restricted based on an individual’s job roles and/or responsibilities.
  • Conduct an annual HIPAA security risk analysis (specifically required under HIPAA rules.) This can involve regularly engaging with a trusted provider that can remotely monitor and maintain your network and devices to ensure ongoing security.
  • Mitigate and address any risks identified during your HIPAA risk analysis including deficient security, administrative and physical controls, access to environments where ePHI is stored, and a disaster recovery plan.
  • Make sure your policies and procedures match up to the requirements of HIPAA.
  • Require user authentication, such as passwords or PIN numbers that limit access to patient information to authorized-only individuals.
  • Encrypt patient information using a key known or made available only to authorized individuals.
  • Incorporate audit trails, which record who accessed your information, what changes were made, and when they were made, providing an additional layer of security.
  • Implement workstation security, which ensures the computer terminals that access individual health records cannot be used by unauthorized persons.
  • Privacy and security concerns are key when it comes to HIPAA, but it’s also important to ensure your enterprise as a whole is protected. With 75 different requirements that fall under the HIPAA Security Rule umbrella, it’s critical to ensure all systems where ePHI resides are protected. Otherwise, organizations are placing themselves and their patients at serious risk.

 

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

HIPAA Survey Reveals A Reportable Benchmarking Breaches

HIPAA Survey Reveals A Reportable Benchmarking Breaches | HIPAA Compliance for Medical Practices | Scoop.it

In early, HCPro’s Medical Records Briefing (MRB)newsletter conducted a HIPAA benchmarking survey to gauge compliance with the HIPAA Omnibus Rule shortly after its September 23, implementation date. This year, MRBasked healthcare professionals to give us an update on their HIPAA compliance more than one year after implementation.

 

With the March 1 deadline for reporting breaches of PHI to HHS just around the corner, it seemed appropriate to ask respondents about breach notification. The percentage of respondents that said their organizations experienced a HIPAA breach in the past two years remained at 55% .However, more than half of respondents (54%) said their organizations have not experienced an increase in reportable breaches and do not anticipate an increase.

 

Some of this may be related to how organizations define a breach. In fact, one respondent said that his or her facility struggled most with determining whether an incident is a reportable breach.

 

The HIPAA Omnibus Rule eliminated the harm threshold and expanded the definition of a breach to include all PHI that is compromised, which some industry experts predicted would lead to an increase in reportable breaches.

 

The expansion of the definition of a breach may explain why some respondents say they have not experienced a breach in the last two years, says Chris Simons, MS, RHIA, HIM director and privacy officer at Cheshire Medical Center in Keene, New Hampshire. “I suspect they are not using the Omnibus standard for determining a breach, but instead relying on the old assessment of potential harm,” Simons says.

 

This year, 42% of respondents were HIM directors or managers, 30% were privacy officers, and 19% were compliance officers or managers. Based on this data, an increased number of HIM directors or managers appear to be serving as privacy officers at their facility. More specifically, 65% of HIM directors and managers responding to the survey also serve as the privacy officer.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.