HIPAA Compliance for Medical Practices
69.3K views | +9 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Navigating Mobile Devices and HIPAA

Navigating Mobile Devices and HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

The mobile technology revolution has impacted nearly every industry across the globe, with healthcare being no exception. Hospitals, clinics, and providers have all quickly embraced the use of smartphones and other mobile devices along with the convenience of accessing important medical information quickly.  

Many healthcare organizations are capitalizing on the benefits that mobile devices provide by permitting physicians, nurses, and other healthcare staff to bring their own personal devices (BYOD) to use at work. Other organizations choose to provide their staff with company-owned mobile devices, finding it easier to maintain control and protect their networks. 

 

Although the convenience of mobile technology provides many advantages, it also comes with risks. If mobile data security measures are inadequate, covered entities are at risk of violating HIPAA regulations that can incur heavy fines. HIPAA fines of up to $1.5 million per violation category, per year that the violation has been allowed to persist can be issued by the HHS. In addition, other federal agencies can issue fines, such as the state attorneys general. There is also the considerable cost of a breach response to cover if data is potentially exposed. 

 

The majority of mobile devices do not have robust security controls which can allow devices to be easily compromised. For example, if an unprotected device connects to a network via public Wi-Fi, there is an increased risk of theft. Cybercriminals view mobile devices as an accessible entry point into healthcare networks allowing them to access valuable electronic Protected Health Information.

 

As mobile devices are rapidly becoming an integral part of daily healthcare operations, it is important that organizations fully comprehend healthcare mobile security. (1) HIPAA covered entities that choose to use mobile devices in the workplace must implement controls to protect patient health data.  (2) It is also necessary they review and address all potential mobile data security risks.

 

The HIPAA Security Rule does not require specific technology solutions when it comes to technical safeguards for mobile devices. However, HHS does require organizations to implement reasonable and appropriate security measures for standard operating procedures. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Why Your Dental or Medical Website Needs To Be HIPAA Compliant?

Why Your Dental or Medical Website Needs To Be HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

As the digital world becomes ever more entrenched in our lives, so does crime and information gathering start becoming more advanced. Patient privacy is a serious issue, and while the majority of websites can safely be hosted on the internet without special considerations regarding safety and security, healthcare has no such luxury. In fact, it is vital that all healthcare websites take extra steps to secure their site to be HIPAA compliant.

 

HIPAA And You, What Is It Exactly?

Developed some years ago, HIPAA stands for the Health Insurance Portability and Accountability Act (HIPAA) and was established to provides guidelines and regulations on the security of the personal information of patients. Two elements of this rule create conditions that must be met to be found in compliance with HIPAA rules. These rules are the Privacy Rule, outlining the protection of your patient’s private health information, and the security rule describing the requirements for data security measures.

 

How Can I Make My Website HIPAA Compliant?

It begins with going beyond basic encryption, websites that seek to be HIPAA compliant have to invest in higher level security measures. The only way you can avoid this as part of the medical industry would be if your site doesn’t do any collection or providing of personal information, and avoiding any third-party transactions of data.

 

The first step to securing your website is to utilize SSL security or Secure Sockets Layer. You’ve likely noticed sites like this when they contain the https:// prefix instead of http://. Those sites that have an SSL certificate encrypts communication between the web browser and the server. This is required to be found in compliant with HIPAA laws.

 

You can also make sure that your site is HIPAA compliant by using high security data collection forms that provide additional protection. The basic CMS (Content Management System) provided with most web hosts don’t provide that level of security, so it’s often wise to select a third party form builder that meets the requirements of HIPAA. 

 

Healthcare Website Design

HIPAA compliance is a vital element of your design for a healthcare website, especially as access to technology increases and becomes further integrated with our day to day lives. It is your responsibility as the owner of the website to ensure that your security system meets the strident requirements of this act. Whether you’re a public institution or serve the community as a private practice, your website design company can aid you in providing a secure website that will be approachable and informative for your clientele while maintaining the necessary security protocols.

 

Don’t put your practice at risk with a site that doesn’t protect your patients information appropriately,  To begin designing an attractive website that will serve your patients with the security and peace of mind they deserve. Violations of HIPAA are a serious concern and can result in costly fines and, more importantly, the compromising of your patients privacy.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

6 things software vendors need to know about HIPAA compliance

6 things software vendors need to know about HIPAA compliance | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance

 

Many people are loosely familiar with the Health Insurance Portability and Accountability Act (HIPAA) and usually associate it with hospitals, clinics, and health insurance companies. However, it can be less clear how HIPAA compliance standards apply to countless other software vendors, SaaS providers that work with healthcare-related businesses or handle protected health information (PHI). In recent months, the Office for Civil Rights has been coming down hard on HIPAA violators, doling out some of the large fines – upwards of $5 million. So in order to ensure your business is protected and to maintain your brand reputation, it is vital to know the ins and outs of HIPAA compliance. With this in mind,

 

How do you know if you need to be HIPAA compliant?

 

In short, HIPAA rules apply to both Covered Entities (health insurance companies, HMOs, company health plans, etc.) and their business associates (a vendor or subcontractor who has access to PHI). What this means for business associates is that even if you’re a service provider or vendor who isn’t in the healthcare industry - like an all-flash storage company - you may still need to be HIPAA compliant indirectly due to the fact that your organization stores PHI. The first step here is to determine whether your organization handles PHI. If you do, your next step is to look through the

 

Look to your current vendors for guidance

 

Once you determine that you need to be compliant, there’s no need to go on a hiring spree to ensure you have the necessary resources in-house. Many of your existing vendors may already cover key HIPAA compliance requirements. Any good service provider should be able to tell you whether they are HIPAA compliant and what controls they can cover. If so, it is important that they are also willing to sign a Business Associate Agreement (BAA) - a negotiation between Covered Entities and any third-party vendors that have access to their PHI.

 

Look for specific types of technology that can help to streamline the process

 

If none of your existing vendors can help with HIPAA compliance, turn to a managed service provider to do the heavy lifting and help your business attain and maintain compliance, so you can focus resources on driving business. Additionally, they can strengthen the security technology, processes, and controls they use to keep customer information secure. For example, if you’re looking for a secure way to continue work-from-home programs at your organization through remote desktops, HIPAA compliant Desktop-as-a-Service (DaaS) vendors are a great option to both fill specific needs for your business and drastically simplify compliance.

 

Don’t forget about maintenance

 

A key stumbling block for many organizations tends to be maintaining a constantly evolving set of compliance standards. HIPAA compliance certification is valid only at that moment – it is then up to the company to maintain compliance which is easier said than done. Some important things to keep the top of mind for maintenance include 1) completing a HIPAA Risk Analysis document and audit at least once a year, and 2) assessing employees year-round to make sure they are doing their jobs in a HIPAA compliant manner, following all stated company policies and procedures.

 

Know who is responsible for HIPAA compliance

 

Another challenge accompanying HIPAA compliance may sound simple, but is one that oftentimes goes overlooked - precisely who internally is responsible for compliance? For non-healthcare organizations, a company is unlikely to have a designated in-house role such as a Privacy and Security Officer, and therefore the responsibility often falls on security or operations departments. However, it’s likely that neither of these departments has a full understanding or stake in HIPAA compliance. Regardless of who is taking the reins, it is important that the role is clearly demarcated and that person or department knows what is expected of them. Additionally, it’s critical that they work together with other departments as needed to ensure a well-rounded HIPAA strategy. Case in point - a recent

 

Keep HIPAA compliance top of mind for staff

 

Regardless of who is in charge, it is important that all your staff be mindful of maintaining HIPAA compliance. Human error can become one of the biggest obstacles to maintaining compliance, especially when employees may not even realize their company deals with PHI. For example, the same NueMD survey also found that only 58% of respondents were providing training for their staff annually. HR teams can proactively assist with this by reminding staff of regular HIPAA training, updates on compliance standards changes and keeping visible HIPAA compliance checklists posted in work areas.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Easiest Complete HIPAA Compliance Checklist You'll Ever See

The Easiest Complete HIPAA Compliance Checklist You'll Ever See | HIPAA Compliance for Medical Practices | Scoop.it
The Best HIPAA Checklist Is…HIPAA Itself?

Yes, basically. First, let’s make sure we’re on the same page about what HIPAA is exactly. HIPAA is federal legislation, as is the HITECH act that updated parts of it. Title II of that legislation relates to the privacy and security of protected health information, and this is the meat of what most physicians need to care about when “HIPAA compliance” comes up.

 

Title II of HIPAA also requires HHS to create federal regulations that implement the ideas in the rest of the act. These regulations spell out exactly what healthcare providers must do, and they are now complete and published in the Code of Federal Regulations (CFR),

 

Luckily, HHS also grouped these regulations into six sections, called “rules,” and these are really the ultimate HIPAA compliance checklist. If you can understand and comply with each of these six rules, you’ll have a good claim to HIPAA compliance. So let’s do it; let’s count down the checklist that HHS gives us:

The Six Rules of the HIPAA Compliance Checklist:

#1: Standardize Your Coding and Electronic Transmissions

This one is easy. HIPAA seeks to make sure that everybody is communicating about healthcare issues in one unified way, and regulations in its “Transactions and Code Sets” rule accomplish this.

One part of this rule specifies what code sets are allowable for describing medical data, including ICD-CM for conditions, NDC for drug names, and CPT/HCPCS for procedures. Another part then defines and mandates the specific electronic transmission formats that can be used to convey the encoded data.

 HIPAA Checklist: How to Comply with Rule 1

  1. Use a compliant electronic health record (EHR).

Simply pick a modern EHR to use in your practice. They will typically use the correct encoding and transmission formats automatically, and you can confirm this with the vendor before you buy anything.

That’s it. Done. Check.

#2: Get Unique Identifiers for You and Your Organization

In the “Identifier Standards” rule, HIPAA mandates that every individual or organization that renders healthcare have a unique 10-digit National Provider Identifier (NPI). Type 1 NPIs are for individuals, and type 2 NPIs are for organizations. NPIs are used in encoding and transmitting healthcare data, and they help enforce clarity. Two doctors may have the same name and practice in the same city, but their differing NPIs will ensure that they are not mistaken for one another.

 HIPAA Checklist: How to Comply with Rule 2

  1. Make sure that all HIPAA-covered entities in your practice have an NPI.

You probably already have an NPI. If you don’t,  you can get one through the National Plan and Provider Enumeration System (NPPES) that HHS runs.

That’s it. Done. Check.

#3: Protect Your Patients’ Privacy

The HIPAA Privacy Rule, in conjunction with the HIPAA Security Rule, constitutes the most important part of HIPAA for most providers. Fundamentally, the Privacy Rule is all about individuals’ health information, termed “protected health information (PHI).” The rule spells out how healthcare entities may use PHI, and it also delineates patients’ rights to be informed of and control those uses.

HHS has written an important summary of the Privacy Rule, and it’s worth a read. High-level points from the summary to internalize:

  • The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information “PHI.”
  • A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A [healthcare] entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish [an intended purpose].
  • Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI and any of its uses and disclosures. They may also demand corrections to it.
  • Each [healthcare] entity, with certain exceptions, must provide a notice of its privacy practices.

 HIPAA Checklist: How to Comply with Rule 3

  1. Designate a “privacy official” in your organization who will be tasked with developing and implementing your privacy policies and procedures and ensure that this person is available to receive requests and complaints related to the Privacy Rule.
  2. Understand the definition of PHI and identify information in your practice that is PHI.
  3. Keep a record of all uses and disclosures of PHI in your practice.
  4. Understand the things your practice must do under the Privacy Rule, especially including those things that relate to your patients’ control over their own PHI.
  5. Understand the things your practice may do under the Privacy Rule, especially including those uses and disclosures of PHI that are allowable without explicit, written patient consent. Always use the concept of “minimum necessary” to guide your uses and disclosures.
  6. Identify your “business associates,” as defined by HIPAA. If another company interacts with PHI from your practice, they are likely a business associate, and you need to have a formal “business associate contract” with them that extends the duties of HIPAA to their operations.
  7. Create a Notice of Privacy Practices. This must contain specific items, and it’s best to start with a template that HHS provides. Know when, where, and to whom this notice must be made available.
  8. Implement administrative, technical, and physical safeguards to prevent impermissible intentional or unintentional use or disclosure of PHI. These should also act to limit incidental uses or disclosures.
  9. Ensure ongoing training of your practice’s workforce on your privacy policies and procedures.
  10. Have your privacy official create and maintain a written document of the policies and procedures that you have developed to accomplish the above items.

Well, this section was a bit longer than the first two, but that’s because the Privacy Rule is so crucial to HIPAA. It is, unfortunately, also critical that you review the Privacy Rule yourself. The checklist above is a good start on minimum necessary activities, but there is no perfect, comprehensive checklist that will work for every type of practice. HIPAA is about ensuring best practices in every type of healthcare provider, and there is no substitute for figuring out what that means for you and your exact practice.

HHS states that the Privacy Rule is comprised of 45 CFR Part 160 and Subparts A and E of 45 CFR Part 164, and you can refer to these directly or, at least, to the HHS Privacy Rule summary to make sure that you are creating and following all of the privacy policies and procedures that your specific practice needs.

#4: Secure Your Electronic Medical Information

The HIPAA Security Rule is a nitty-gritty rundown of “the technical and non-technical safeguards that organizations […] must put in place to secure individuals’ electronic PHI.” That quote comes directly from a Security Rule summary that HHS has written, in which they explain that the Security Rule takes the somewhat amorphous concepts of the Privacy Rule and lays out a more exact framework to implement them.

Unlike the Privacy Rule, which applies to all PHI, the Security Rule applies only to PHI that your practice “receives, maintains or transmits in electronic form.” To comply with the Security Rule, your organization must adopt an ongoing process of risk analysis that has the following general form:

  1. Assess risks to electronic PHI in your organization, the current state of your security measures, and any gaps between the two
  2. Implement “administrative, technical, and physical safeguards” to address the gaps
  3. Document all of steps 1 and 2 and keep the records
  4. Repeat steps 1 to 3 on a periodic basis

That’s it, really. And continuing their pattern of being hugely helpful, HHS has created a seven-part educational paper series that will walk you through this. For the checklist in this section, we’ll lean on these papers heavily…since HHS literally provides checklists in them.

 HIPAA Checklist: How to Comply with Rule 4

  1. Perform a risk analysis for electronic PHI in your organization
  2. Implement safeguards to address security gaps identified by the risk analysis:
    1. Administrative
    2. Physical
    3. Technical
  3. Make sure everything is documented appropriately
  4. Repeat steps 1 to 3 on a periodic basis

Each HHS document linked above has a reproduction of Appendix A of the actual Security Rule, which is effectively a checklist of necessary items to consider for the administrative, physical, and technical safeguards that you need. Some of the documents extend this list with other items, such as the document linked in step 3 above.

As with the Privacy Rule, it’s important that you read the Security Rule yourself at least one time. HHS wrote the rules generally so that they could function for organizations of any size, from one person to thousands, and because of this, only you can decide exactly how your organization can best comply. Per HHS, “The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.” And again, they’ve also written a summary of it.

#5: Understand the Penalties for Violations

The HIPAA Enforcement Rule (codified at 45 CFR Part 160, Subparts C, D, and E) establish procedures for the investigation of possible HIPAA violations and sets civil fines for infractions. Fines can be up to $50,000 per violation per day, so it can add up quickly and is not a joke. Violations can also carry criminal penalties, including fines and jail time, but these are not covered by HHS regulation.

 HIPAA Checklist: How to Comply with Rule 5

  1. You don’t have to do anything ahead of time

If HHS investigates your practice, then this rule becomes relevant to you, but there’s nothing here that you need to do proactively.

#6: Learn How to Handle Information Breaches

The HIPAA Breach Notification Rule (codified at 45 CFR §§ 164.400-414) requires healthcare organizations to provide notification after breaches of PHI. A “breach” is, basically, an impermissible use or disclosure of PHI, as detailed in the HIPAA Privacy Rule. Depending on the type of breach, the notification might need to be made to the affected individuals, the media, or the HHS Secretary. HHS has further guidance available on the topic.

 HIPAA Checklist: How to Comply with Rule 6

  1. You don’t have to do anything ahead of time

Once again, you only need to worry about this rule if you identify a PHI breach, which you should be monitoring for as part of your compliance with the HIPAA Privacy Rule and Security Rule.

 

HIPAA compliance is all about adopting good processes in your organization, and HHS has laid out a path to compliance that is nearly a checklist. All you have to do is follow it.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Alliance Marketplace Connects CEs and BAs

HIPAA Alliance Marketplace Connects CEs and BAs | HIPAA Compliance for Medical Practices | Scoop.it

For many healthcare providers, finding HIPAA compliant business associates poses a significant challenge–one with implications on the security of their sensitive healthcare data. The newly launched HIPAA Alliance Marketplace is a platform that simplifies the process for covered entities to find HIPAA compliant business associates.

 

Health care providers can connect with healthcare vendors like never before with confidence that their prospective business partners will keep their data safe and secure.

 

Access to the marketplace is limited to vendors that have been verified by the Compliance Group HIPAA Seal of Compliance. The HIPAA Seal of Compliance is the industry standard, third-party HIPAA verification tool used by health care providers and vendors across the country. The Seal of Compliance demonstrates that the organization in question has executed all of the necessary standards mandated by HIPAA regulation.

 

Vendors can use the marketplace to break into the valuable healthcare market. Whether already HIPAA compliant, or just starting on their journey, vendors can speak with one of Compliance Group’s HIPAA experts to determine the status of their compliance and get listed on the marketplace today.

About the HIPAA Alliance:

 

The HIPAA Alliance Marketplace is a closed ecosystem that allows healthcare professionals (covered entities, CE) to find HIPAA compliant solution providers (business associates, BA). HIPAA compliant vendors in the HIPAA Alliance Marketplace are heavily vetted against the HIPAA rules and verified by the Compliance Group HIPAA Seal of Compliance

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Think Your Practice is HIPAA Compliant? Think Again.

Think Your Practice is HIPAA Compliant? Think Again. | HIPAA Compliance for Medical Practices | Scoop.it

You may think you know HIPAA inside and out, but experts say many practices and physicians are making mistakes regarding protected health information (PHI) that could get them into big trouble with the law. Here are nine of the most common compliance missteps they say practices and physicians are making.

1. TEXTING UNENCRYPTED PHI

For most physicians, texting is an easy, convenient, and efficient way to communicate with patients and colleagues. But if a text contains unencrypted PHI, that could raise serious HIPAA problems.


"One of the big things people are doing these days is texting PHI, and people seem to be ignoring the fact that text messages can be read by anyone, they can be forwarded to anyone, [and] they're not encrypted in any fashion when they reside on a telecommunications provider's server," says Jim Hook, director of consulting services at healthcare consulting firm The Fox Group, LLC. "People really need to understand that [short message service (SMS)] text messaging is inherently nonsecure, and it's noncompliant with HIPAA."


That's not to say that texting PHI is never appropriate, it just means that physicians must find a way to do so securely. While the privacy and security rules don't provide explicit text messaging guidelines, they do state that covered entities must have "reasonable and appropriate safeguards to protect the confidentiality, availability, and integrity of protected health information," says Michelle Caswell, senior director, legal and compliance, at healthcare risk-management consulting firm Clearwater Compliance, LLC. As a result, Caswell, who formerly worked for HHS' Office for Civil Rights, says physicians must consider, "What would I put on my [smart] phone to reasonably and appropriately safeguard that information?" Most likely, the answer will be a secure messaging service with encryption, she says, adding that many inexpensive solutions are available to providers.


2. E-MAILING UNENCRYPTED PHI

Similar to text messaging, many physicians are e-mailing unencrypted PHI to patients and colleagues. As Robert Tennant, senior policy adviser of government affairs for the Medical Group Management Association says, e-mailing is becoming ubiquitous in our society, and healthcare is no exception.


If your providers are e-mailing PHI, consider implementing a secure e-mail application; for instance, one that recognizes when content included in the e-mail contains sensitive information and therefore automatically encrypts the e-mail. Your practice could use the application to specify certain circumstances in which e-mails should be encrypted; such as the inclusion of social security numbers or credit card numbers. The application would then filter e-mails for that specified content, and when it finds that content, encrypt those e-mails automatically, says Caswell.


Another option is to use a secure e-mail application to set up filters to automatically encrypt e-mails sent with attachments, or encrypt e-mails when senders include a word like "sensitive" or "encrypt" in the subject line, she says. An added benefit of encrypting e-mail is if a potential breach occurs, like the theft of a laptop containing e-mails with PHI, that is not considered a reportable breach if the e-mails stored on the laptop are encrypted, says Tennant. "You don't need to go through all of the rigmarole in terms of reporting the breach to the affected individual, and ultimately, to the government," he says. "So it's sort of a get out of jail free card in that sense."


If your practice would rather prohibit the use of e-mail altogether, a great alternative might be a patient portal that enables secure messaging.


Finally, if patients insist on having PHI e-mailed to them despite the risks, get their permission in writing for you to send and receive their e-mails, says Tennant.


3. FAILING TO CONDUCT A RISK ANALYSIS

If your practice has not conducted a security risk analysis — and about 31 percent of you have not, according to our 2014 Technology Survey, Sponsored by Kareo — it is violating HIPAA. The security rule requires any covered entity creating or storing PHI electronically to perform one. Essentially, this means practices must go through a series of steps to assess potential risks and vulnerabilities to the confidentiality, integrity, and availability of their electronic protected health information (ePHI).


Though the security risk analysis requirement has been in place since the security rule was formally adopted in 2003, it's been pretty widely ignored by practices, says Hook. Part of the reason, he says, is lack of enforcement of the requirement until recently. Since conducting a security risk analysis is now an attestation requirement in the EHR incentive program, auditors are increasingly noting whether practices are in compliance.


4. FAILING TO UPDATE THE NPP

If your practice has not updated its Notice of Privacy Practices (NPP) recently, it could be violating HIPAA. The HIPAA Omnibus Rule requires practices to update these policies and take additional steps to ensure patients are aware of them, says Tennant.

Some of the required updates to the NPP include:


• Information regarding uses and disclosures that require authorization;

• Information about an individual's right to restrict certain disclosures of PHI to a health plan; and

• Information regarding an affected individual's right to be notified following a privacy or security breach.


In addition to updating the NPP, a practice must post it prominently in its facility and on the website, and have new patients sign it and offer a copy to them, says Tennant. "I'd say of every 10 practices, hospitals, dental offices I go into, nine of them don't have their privacy notice in the waiting room," he says.


5. IGNORING RECORD AMMENDMENT REQUESTS

Don't hesitate to take action when patients request an amendment to information in their medical records, cautions Cindy Winn, deputy director of consulting services at The Fox Group, LLC. Under the HIPAA Privacy Rule, patients have the right to request a change to their records, and providers must act on those requests within 60 days, she says.


If you disagree with a patient's requested change, you must explain, in writing, why you are not making the requested change, says Hook. Then, share that reasoning with the patient and store a copy of it in the patient's medical record, as well as a copy of the patient's written request for the amendment.


6. NOT PROVIDING ENOUGH TRAINING

The privacy and security rules require formal HIPAA education and training of staff. Though the rules don't provide detailed guidance regarding what training is required, Hook recommends training all the members of your workforce on policies and procedures that address privacy and security at the time of hire, and at least annually thereafter.


The HIPAA Security Rule also requires practices to provide "periodic security reminders" to staff, says Caswell, adding that many practices are unaware of this. Actions that might satisfy this requirement include sending e-mails to staff when privacy and security issues come up in the news, such as information about a recent malware outbreak; or inserting a regular "security awareness" column in staff e-newsletters.

Finally, be sure to document any HIPAA training provided to staff.


7. OVERCHARING FOR RECORD COPIES

With few exceptions, the privacy rule requires practices to provide patients with copies of their medical records when requested. It also requires you to provide access to the record in the form requested by the individual, if it is readily producible in that manner.


While practices can charge for copies of records, some practices may be getting into trouble due to the fee they are charging, says Tennant. "HIPAA is pretty clear that you can only charge a cost-based fee and most of those are set by the state, so most states have [limits such as] 50 cents a page up to maybe $1 a page ... but you can't charge a $50 handling fee or processing fee; at least it's highly discouraged," says Tennant.


To ensure you are following the appropriate guidelines when dealing with record copy requests, review your state's regulations and consult an attorney. Also, keep in mind that though the privacy rule requires practices to provide copies within 30 days of the request, some states require even shorter timeframes.


8. BEING TOO OPEN WITH ACCESS

If your practice does not have security controls in place regarding who can access what medical records and in what situations, it's setting itself up for a HIPAA violation. The privacy rule requires that only those who have a valid reason to access a patient's record — treatment purposes, payment purposes, or healthcare operations — should do so, says Caswell. "If none of those things exist, then a person shouldn't [access] an individual's chart."


Caswell says practices need to take steps to ensure that staff members do not participate in "record snooping" — inappropriately accessing a neighbor's record, a family member's record, or even their own record.


She recommends practices take the following precautions:


• Train staff on appropriate record access;

• Implement policies related to appropriate record access; and

• Run EHR audits regularly to determine whether inappropriate access is occurring.


9. RELEASING TOO MUCH INFORMATION

Similar to providing too much access to staff, some practices provide too much access to outside entities, says Caswell. For instance, they release too much PHI when responding to requests such as subpoenas for medical records, requests for immunization information from schools, or requests for information from a payer.


"If there's, say, for instance, litigation going on and an attorney says, 'I need the record from December 2012 to February 2014,' it is your responsibility to only send that amount of information and not send anything else, so sort of applying what's called the minimum necessary standard," says Caswell. "When you receive outside requests for PHI, pay close attention to the dates for which information is requested, as well as the specific information requested."

more...
No comment yet.
Scoop.it!

Is your cloud provider HIPAA compliant? An 11 point checklist

Is your cloud provider HIPAA compliant? An 11 point checklist | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organisations frequently turn to managed service providers (MSPs) to deploy and manage private, hybrid or public cloud solutions. MSPs play a crucial role in ensuring that healthcare organisations maintain secure and HIPAA compliant infrastructure.


Although most MSPs offer the same basic services – cloud design, migration, and maintenance – the MSP’s security expertise and their ability to build compliant solutions on both private and public clouds can vary widely.


Hospitals, healthcare ISVs and SaaS providers need an MSP that meets and exceeds the administrative, technical, and physical safeguards established in HIPAA Security Rule. The following criteria either must or should be met by an MSP:


1. Must offer business associate agreements


An MSP must offer a Business Associate Agreement (BAA) if it hopes to attract healthcare business. When a Business Associate is under a BAA, they are subject to audits by the Office for Civil Rights (OCR) and could be accountable for a data breach and fined for noncompliance.

According to HHS, covered entities are not required to monitor or oversee how their Business Associates carry out privacy safeguards, or in what ways MSPs abide by the privacy requirements of the contract. Furthermore, HHS has stated that a healthcare organisation is not liable for the actions of an MSP under BAA unless otherwise specified.


An MSP should be able to provide a detailed responsibility matrix that outlines which aspects of compliance are the responsibility of whom. Overall, while an MSP allows healthcare organisations to outsource a significant amount of both the technical effort and the risk of HIPAA compliance, organisations should still play an active role in monitoring MSPs. After all, an OCR fine is often the least of an organisation’s worries in the event of a security breach; negative publicity is potentially even more damaging.


2. Should maintain credentials


There is no “seal of approval” for HIPAA compliance that an MSP can earn. The OCR grants no such qualifications. However, any hosting provider offering HIPAA compliant hosting should have had their offering audited by a reputable auditor against the HIPAA requirements as defined by HHS.


In addition, the presence of other certifications can assist healthcare organisations in choosing an MSP that takes security and compliance concerns very seriously. A well-qualified MSP will maintain the following certifications:

  •      SSAE-16
  •      SAS70 Type II
  •      SOX Compliance
  •      PCI DSS Compliance


While these certifications are by no means required for HIPAA compliance, the ability to earn such qualifications indicates a high level of security and compliance expertise. They require extensive (and expensive) investigations by 3rd party auditors of physical infrastructure and team practices.


3. Should offer guaranteed response times


Providers should indicate guaranteed response times within their Service Level Agreement. While 24/7/365 NOC support is crucial, the mere existence of a NOC team is not sufficient for mission-critical applications; healthcare organisations need a guarantee that the MSP’s NOC and security teams will respond to routine changes and to security threats in a timely manner.  Every enterprise should have guaranteed response times for non-critical additions and changes, as well.


How such changes and threats are prioritized and what response is appropriate for each should be the subject of intense scrutiny by healthcare organisations, who also have HIPAA-regulated obligations in notifying authorities of security breaches.


4. Must meet data encryption standards


The right MSP will create infrastructure that is highly secure by default, meaning that the highest security measures should be applied to any component where such measures do not interfere with the function of the application. In the case of data encryption, while HIPAA’s Security Rule only requires encryption for data in transit, data should reasonable be encrypted everywhere by default, including at rest and in transit.


When MSPs and healthcare organisations encrypt PHI, they are within the “encryption safe harbor.” Unauthorised disclosure will not be considered a breach and will not necessitate a breach notification if the disclosed PHI is encrypted.


Strong encryption policies are particularly important in public cloud deployments. The MSP should be familiar with best practices for encrypting data both within the AWS environment and in transit between AWS and on-site back-ups or co-location facilities. We discuss data encryption best practices for HIPAA compliant hosting on AWS here.


It is important to note that not all encryption is created equal; look for an MSP that guarantees at least AES-256 Encryption, the level enforced by federal agencies. It is useful to note that AWS’ check-box encryption of EBS volumes meets this standard.


5. Should have “traditional IT” and cloud expertise


Major healthcare organisations have begun to explore public cloud solutions. However, maintaining security in public clouds and in hybrid environments across on-premises and cloud infrastructure is a specialty few MSPs have learned. “Born in the Cloud” providers, whose businesses started recently and are made up exclusively of cloud experts, are quite simply lacking the necessary experience in complex, traditional database and networking that would enable them to migrate legacy healthcare applications and aging EHR systems onto the public cloud without either a) over-provisioning or b) exposing not-fully-understood components to security threats.


No matter the marketing hype around “Born in the Cloud” providers, it certainly is possible to have best-in-classDevOps and cloud security expertise and a strong background in traditional database and networking. In fact, this is what any enterprise with legacy applications should expect.


Hiring an MSP that provides private cloud, bare metal hosting, database migrations, legacy application hosting, and also has a dedicated senior cloud team is optimal. This ensures that the team is aware of the unique features of the custom hardware that currently supports the infrastructure, and will not expose the application to security risks by running the application using their “standard” instance configuration.


6. Must provide ongoing auditing and reporting


HIPAA Security Rule requires that the covered entity “regularly” audit their own environment for security threats. It does not, however, define “regularly,” so healthcare organisations should request the following from their MSPs:


  • Monthly or quarterly engineering reviews, both for security concerns and cost effectiveness
  • Annual 3rd party audits
  • Regular IAM reports. A credential report can be generated every four hours; it lists all of the organisations users and access keys.
  • Monthly re-certification of staff’s IAM roles
  • Weekly or daily reports from 3rd party security providers, like Alert Logic or New Relic


7. Must maintain compliant staffers and staffing procedures


HIPAA requires organisations to provide training for new workforce members as well as periodic reminder training. As a business associate, the MSP has certain obligations for training their own technical and non-technical staff in HIPAA compliance. There are also certain staff controls and procedures that must be in place and others that are strongly advisable. A covered entity should ask the MSP the following questions:


  • What formal sanctions exist against employees who fail to comply with security procedures?
  • What supervision exists of employees who deal with PHI?
  • What is the approval process for internal collaboration software or cloud technologies?
  • How do employees gain access to your office? Is a FOB required?
  • What is your email encryption policy?
  • How will your staff inform our internal IT staff of newly deployed instances/servers? How will keys be communicated, if necessary?
  • Is there a central authorisation hub such as Active Directory for the rapid decommissioning of employees?
  • Can you provide us with your staff’s HIPAA training documents?
  • Do you provide security threat updates to staff?
  • What are internal policies for password rotation?
  • (For Public Cloud) How are root account keys stored?
  • (For Public Cloud) How many staff members have Administrative access to our account?
  • (For Public Cloud) What logging is in place for employee access to the account? Is it distinct by employee, and if federated access is employed, where is this information logged?


While the answers to certain of these questions do not confirm or deny an MSP’s degree of HIPAA compliance, they may help distinguish a new company that just wants to attract lucrative healthcare business versus a company already well versed in such procedures.


8. Must secure physical access to servers


In the case of a public cloud MSP, the MSP should be able to communicate why their cloud platform of choice maintains physical data centres that meet HIPAA standards. To review AWS’s physical data centre security measures, see their white paper on the subject. If a hybrid or private cloud is also maintained with the MSP, they should provide a list of global security standards for their data centres, including ISO 27001, SOC, FIPS 140-2, FISMA, and DoD CSM Levels 1-5, among others. The specific best practices for physical data centre security that healthcare organisations should look out for is well covered in ISO 27001 documentation.


9. Should conduct risk analysis in accordance with NIST guidelines


The National Institute of Standards and Technology, or NIST, is a non-regulatory federal agency under the Department of Commerce. NIST develops information security standards that set the minimum requirements for any information technology system used by the federal government.


NIST produces Standard Reference Materials (SRMs) that outline the security practices, and their most recent Guide for Conducting Risk Assessments provides guidance on how to prepare for, conduct, communicate, and maintain a risk assessment as well as how to identify and monitor specific risk factors. NIST-800 has become a foundational document for service providers and organisations in the information systems industry.


An MSP should be able to provide a report that communicates the results of the most recent risk assessment, as well as the procedure by which the assessment was accomplished and the frequency of risk assessments.


Organisations can also obtain NIST 800-53 Certification from NIST as a further qualification of security procedures. While again this is not required of HIPAA Business Associates, it indicates a sophisticated risk management procedure — and is a much more powerful piece of evidence than standard marketing material around disaster recovery and security auditing.


10. Must develop a disaster recovery plan and business continuity plan


The HIPAA Contingency Plan standard requires the implementation of a disaster recovery plan. This plan must anticipate how natural disasters, security attacks, and other events could impact systems that contain PHI and develops policies and procedures for responding to such situations.

An MSP must be able to provide their disaster recovery plan to a healthcare organisation, which should include answers to questions like these:

  • Where is backup data hosted? What procedure maintains retrievable copies of ePHI?
  • What procedures identify suspected security incidents?
  • Who must be notified in the event of a security incident? How are such incidents documented?
  • What procedure documents and restores the loss of ePHI?
  • What is the business continuity plan for maintaining operations during a security incident?
  • How often is the disaster recovery plan tested?


11. Should already provide service to large, complex healthcare clients


Although the qualifications listed above are more valuable evidence of HIPAA compliance, a roster of clients with large, complex, HIPAA-compliant deployments should provide extra assurance. This pedigree will be particularly useful in vendor decision discussions with non-technical business executives. The MSPs ability to maintain healthcare clients in the long-term (2-3+ years) is important to consider.

more...
No comment yet.
Scoop.it!

Drug kingpin imprisoned on numerous charges, including HIPAA violations

Drug kingpin imprisoned on numerous charges, including HIPAA violations | HIPAA Compliance for Medical Practices | Scoop.it

Drug kingpin Stuart Seugasala was just convicted and sentenced on a string of federal charges that includes HIPAA violations in the course of running a violent drug trafficking ring in Alaska. Authorities said the trafficking ring imported and distributed illicit drugs, perpetrated armed home invasions, drive-by shootings, kidnappings, and sexual assaults.

The Alaska U.S. Attorney’s Office said it was the state’s first HIPAA conviction and one of only a few such cases nationwide.


Seugasala, 40, was sentenced May 15 to three life terms in prison following his conviction on drug trafficking and kidnapping charges earlier this year, but separate from that sentence was another 20 years for unauthorized access to medical records of two victims he hospitalized in 2013.


On March 13, 2013, Seugasala and his associates kidnapped, tortured, and sexually assaulted two men with a hot curling iron because one of the men owed them a large, past due debt on heroin, according to prosecutors. They said Seugasala ordered the rape to be videotaped so he could use the footage to intimidate other debtors.

One of the victims was so badly injured after three hours of torture that he was admitted to Providence Hospital in Anchorage. Two days later, Seugasala shot and wounded another man in an unrelated incident. That man also checked himself in to the hospital.


At that point, Seugasala contacted a friend who worked at the hospital–Stacy Laulu–and asked her via a text message to find out the extent of the men’s injuries and whether they were cooperating with police, prosecutors said.


They said Laulu, who was then employed as a financial counselor, accessed both men’s medical files and reported back to Seugasala, violating the men’s privacy rights.


According to prosecutors, Laulu’s husband, who was in jail on unrelated murder charges, was a close associate of Seugasala and the couple was receiving drug money from Seugasala.


Laulu was also convicted in January on the HIPAA felony violations and is scheduled for sentencing May 29. The maximum sentence is 10 years for each of those convictions. Three other members of the drug ring have also been sentenced or are due for sentencing in June.


more...
No comment yet.
Scoop.it!

Partners HealthCare Reports Breach

Partners HealthCare Reports Breach | HIPAA Compliance for Medical Practices | Scoop.it

Partners HealthCare System is the latest healthcare organization hit by a data breach attributed to a phishing attack.

The Boston-based integrated health delivery network, which operates several hospitals, including Massachusetts General, says it is notifying 3,300 individuals that their protected health information may have been compromised by a phishing attack late last year.


In a statement, Partners says on Nov. 25, 2014, it learned that a group of its workforce members had received phishing emails and provided information in response to the email, believing the messages were legitimate.


Partners says it conducted a comprehensive review of the affected email accounts and determined that some of the emails contained patient demographic information, such as names, addresses, dates of birth, telephone numbers and, in some instances, Social Security numbers, and some of its patients' clinical information, such as diagnosis, treatment received, medical record numbers, medical diagnosis codes, or health insurance information.


However, the organization's electronic health records system was not compromised by the attack. Upon learning of the phishing scheme, Partners says it took steps to secure the email accounts and contacted law enforcement. Partners also began an investigation into the phishing attack on the organization, including working with an expert computer forensic firm.


"To date, Partners HealthCare has no evidence that any patient information in the emails has been misused," the organization says. However, as a precaution, Partners is recommends that affected patients regularly review the explanation of benefits statement that they receive from their health insurers. If patients identify services listed on their explanation of benefits that they 1did not receive, they should immediately contact their insurer.

Rise in Phishing Attacks

The official federal tally of major health data breaches also shows that the healthcare sector continues to be a growing target for hackers, including those waging phishing attacks.


As of April 29, the Department of Health and Human Service's "wall of shame" website of breaches affecting 500 or more individuals shows 1,211 incidents affecting more than 133.2 million individuals since September 2009, when the HIPAA breach notification rule went into effect. One incident, the recent hacking attack against health insurer Anthem Inc., accounts for 78.8 million of those victims.


Among the breaches most recently added to the list is an incident involving phishing email targeted at employees of St. Agnes Health Care Inc. in Baltimore, which affected nearly 25,000 individuals.

Also, recently added to the federal tally was a phishing incident at Seton Family of Hospitals in Texas. The healthcare organization revealed last week that a phishing attack that occured in December, but discovered in February, affected 39,000 individuals.


Other healthcare entities have also been defending against a spike in phishing schemes. Over the past six months, the University of Vermont Medical Center has seen an uptick in phishing attempts, including those "laced with malware in an attempt to steal credentials," says CISO Heather Roszkowski in a recent interview with Information Security Media Group.


"I've really been trying to increase user awareness training around phishing to avoid those credentials from being exploited," she says. This extra vigilance in defense of phishing comes in the wake of massive hacking attacks in the healthcare sector, including those affecting Anthem, Premera Blue Cross and Community Health System.

VA Under Attack

During a media briefing on April 30, Steph Warren, CIO of the VA, says the VA also has seen "a rampant increase" in malware and intrusion attempts in recent months.


Last November, the VA blocked 15 million intrusion attempts in one month. By March, that number had climbed to 350 million, he says.

As for malware, the VA blocked or contained about 300 million malicious software last November, but by March, that monthly number had exploded to 1.2 billion.


"It's something that concerns us. If we're not able to knock this back, as some point we'll be overwhelmed."


more...
No comment yet.
Scoop.it!

Medicare smart cards would bring benefits, challenges

Medicare smart cards would bring benefits, challenges | HIPAA Compliance for Medical Practices | Scoop.it

The use of electronically readable cards in Medicare could help with the administrative process, but would have a limited impact on eliminating fraud, according to a report publicly released April 24 by the Government Accountability Office.


Much of the success of using such technology would depend on how it compares to the costs and benefits of current paper card systems. Participation by providers would also be a boon or challenge to a new program, the report says.


The GAO looked at the functions of electronic cards, the benefits and limitations to using them and what steps the Centers for Medicare & Medicaid Services and providers would need to take to use the tools.

Some of the ways in which the cards could show promise include:


  • Authentication of beneficiary and provider presence at the point of care
  • Electronic exchange of beneficiary medical information
  • Electronic conveyance of beneficiary identity and insurance information to providers


However, the report's authors add that while some in support of the cards say that fraud reduction could be a benefit of the new system as well, that might not be true.


The federal government puts Social Security numbers on Medicare identification cards, which raises the odds of identity theft and fraudulent billing.


Still, electronic cards could have a limited impact in this area because "CMS officials stated that Medicare would continue to pay claims regardless of whether a card was used due to legitimate reasons why a card may not be present," the report says.


GAO adds that storing medical data on the cards in addition to electronic health record systems could lead to problems with ensuring information is synchronized and current.


To implement electronically readable cards would also be a time and resource consuming endeavor, the report's authors say. They evaluated the success of such programs in France and Germany, which proved a readable card system could be implemented, but only after many years of work.


more...
No comment yet.
Scoop.it!

HIPAA Rules and Procedures in the Event of a Data Breach, Part One

HIPAA Rules and Procedures in the Event of a Data Breach, Part One | HIPAA Compliance for Medical Practices | Scoop.it

As discussed in my prior post, recent massive data breaches at major retailers and health insurance providers paint a bleak picture of modern data and emphasize the importance of strong security safeguards and plans for handling suspected security breaches for electronic protected health information (“ePHI”). In the healthcare context, a security breach of a covered entity or a Business Associate’s (BA) data security system triggers the Security Rule and can trigger certain breach notification requirements under Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”). This post will discuss the investigation needed to determine whether a breach has taken place, while the next post will discuss the necessary notifications in the event of a breach.

Determining Whether an Actionable Breach Has Taken Place

HIPAA defines a security breach as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted…which compromises the security or privacy of the protected health information.” Pursuant to this definition, the first thing a CE must do is investigate the breach and determine whether unsecured PHI has been compromised. Data is compromised when there is “a significant risk of financial, reputational, or other harm to the individual.”

PHI is unsecured when the PHI “is not … unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary…” Thus, PHI is secure when the data is either encrypted to certain technology standards or the ePHI has been destroyed, which means breach notification is not required. However, encrypted PHI is only secure if the key to decrypt the data is secure and remains confidential.

If ePHI is not encrypted or the decryption key is no longer secure, the data is not secure and data breach will trigger breach notification.

Thus, the best compliance practice is to encrypt all ePHI, whenever practicable, to take advantage of this regulatory safe harbor. Because breach notification can cause irreparable harm to an entity’s reputation and financial status, encryption is an important means to mitigate damages and risks of a data security breach.

In the case of a suspected security breach, covered entities need to take steps to thoroughly investigate the incident, determine if a security breach of unsecured PHI occurred, and determine the extent of the security breach or leak of information and the amount of PHI breached before the covered entity can take steps to stop the leak of PHI and reduce the damage caused by the security breach.

In 2013, the Omnibus Final Rule (“Final Rule”) released by the Department of Health and Human Services (“HHS”) redefined what was considered a security breach. Now, a security breach is presumed unless the entity can demonstrate that there is a low probability that any unsecured ePHI has been compromised.

The only way to show a low probability of compromise is by conducting a risk assessment to consider at least four significant factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

If a covered entity cannot identify a low probability that unsecured ePHI has been compromised, breach notification is triggered.


more...
No comment yet.
Scoop.it!

As Health Apps Hop On The Apple Watch, Privacy Will Be Key

As Health Apps Hop On The Apple Watch, Privacy Will Be Key | HIPAA Compliance for Medical Practices | Scoop.it

One day soon, you may be waiting in line for a coffee, eyeing a pastry, when your smart watch buzzes with a warning.


Flashing on the tiny screen of your Apple Watch is a message from an app called Lark, suggesting that you lay off the carbs for today. Speak into the Apple Watch's built-in mic about your food, sleep and exercise, and the app will send helpful tips back to you.


The notion of receiving nutrition advice from artificial intelligence on your wrist may seem like science fiction. But health developers like Lark are making a bet that Apple's first wearable device, the Apple Watch, will fly off the shelves and this kind of behavior will become the norm.

Lark is just one of over a dozen health developers with new apps for the Apple Watch, which ships to consumers this week. These apps range from medication management to a button that provides instant, virtual access to a doctor.


Apple has made no secret of its health and fitness plans for the Apple Watch. And in recent months, it has recruited medical experts to work on services like ResearchKit and HealthKit, which aim to open up the flow of health data between consumers, mobile developers and medical researchers.


But is Apple doing enough to protect the privacy of your sensitive health data?


In advance of the Apple Watch's release, the company has taken some steps to put you in control of how your data is shared. You can choose to share health information with third-party apps like Lark via Apple's Health app, which comes with the device. Your health data, collected via the Apple Watch or the iPhone, is stored on Apple's HealthKit.

"Apple is leaving your HealthKit data on the device and not collecting it," said Morgan Reed, executive director at The App Association, a Washington, D.C., nonprofit that works with patient advocates and app developers.


According to Reed, this prevents third-party app developers from selling your health data without your consent.

"It also means that if an employer wants access to your health care information, they would have to demand that you give it to them," he said.


But it's still early days for the Apple Watch, and it remains to be seen whether health developers will follow Apple's privacy guidelines.

"We haven't had a developer ecosystem for a product like a smart watch," said Ben Bajarin, who specializes in consumer technology for Creative Strategies, a consulting firm. "This is [uncharted] territory."


A Message On The Wrist


Health app developers hope the Apple Watch will improve how doctors and patients communicate.


Imagine a doctor receiving a buzz on the wrist for an e-prescription request, which could be approved with a few taps. A patient could receive a similar alert when test results are available.


Developers are exploring these possibilities and more.

"We are predisposed to small changes on the skin. It was not that long ago — and is still the case in parts of the world — that mosquitoes used to kill us with a light touch," said Ron Gutman, chief executive of HealthTap, a website and mobile app for secure video calls with a doctor.


"It is so easy to turn off a notification from a website, but you can't ignore what's on your wrist," he said.

Gutman was so intrigued by Apple's smart watch that he developed three apps: one to help you manage your meds; another that connects you to a doctor with the touch of a button; and a third, which helps physicians reach new patients.


"Be prepared to take charge of your health information, and feel free to say no to sharing data with apps."

- Morgan Reed, executive director at The App Association

Managing Medications

For patients who are juggling a variety of meds — all with different dose requirements — an Apple Watch app that sends alerts to the wrist could prove useful.


WebMD, used by millions of people to check their medical symptoms, tossed around a bunch of ideas before settling on medication adherence.


"All we wanted is for the user to be reminded that it's time to take their medication, and then quickly tell us whether they plan to take it or skip it or snooze," said Ben Greenberg, who heads up WebMD's mobile products. "That interaction demands so little." The app also instructs people whether to take their medication with food, or at a certain time of day.


Other companies that are developing medication adherence apps for the Apple Watch include MangoHealth, which can also tell you how well you've managed your prescriptions over time, and pharmacy giant Walgreens.


Appealing To Doctors


Some app developers hope that doctors will flock to buy the Apple Watch to help them manage an overload of patient information.

"Doctors are finally getting amazing hardware that just works, and they're willing to pay a premium for it," said Daniel Kivatinos, cofounder of Drchrono, an electronic medical record company.


Using Drchrono's app for the watch, a doctor can receive alerts, such as when a patient has arrived at their office.


The watch could prove useful in helping doctors communicate with each other about tricky medical cases. Doximity, the Facebook for doctors, has developed a secure app that care providers can use to dictate notes, send messages and receive notifications that a fax has arrived.


But the Apple Watch's appeal may be limited to certain specialties, such as family physicians and dermatologists. Surgeons routinely remove their rings and watches before procedures, to ensure their hands stay sterile.


Moreover, doctors will need to do the work to ensure that apps they use are taking adequate steps to protect patient data. Apps may say that they are meeting privacy requirements, but most aren't properly vetted. The government has long been concerned about the proliferation of mobile health apps that make false or misleading medical claims.


Opportunities And Challenges


Privacy experts and policymakers have been worried about developers that collect and sell personal health information.


The U.S. Federal Trade Commission concluded in a recent study that developers of 12 mobile health and fitness apps were sharing user information with 76 different parties, such as advertisers.


Apple has responded to some of these fears by barring developers from selling health data that it collects via Apple devices to advertisers. After some high-profile hacks to celebrities' accounts, Apple also forbade developers to store sensitive health information in iCloud.

"Apple has clear privacy rules, but consumers should still be on guard," said Reed from the App Association. "Be prepared to take charge of your health information, and feel free to say no to sharing data with apps."


more...
No comment yet.
Scoop.it!

Former Therapist Charged in HIPAA Case

Former Therapist Charged in HIPAA Case | HIPAA Compliance for Medical Practices | Scoop.it

A former respiratory therapist at an Ohio hospital has been indicted for HIPAA violations in connection with alleged inappropriate access to the records of nearly 600 patients.


The indictment of Jamie Knapp, who had formerly worked at ProMedica Bay Park Hospital in Oregon, Ohio, is one of only a handful of criminal prosecutions of individuals for HIPAA violations.


"Overall, criminal prosecutions under HIPAA have not been that common, although we have seen an increase in recent years," says privacy attorney Scot Ganow of the law firm Faruki Ireland & Cox PLL. "I do expect us to see more prosecutions as the interest in healthcare information increases for a variety of purposes, including identity theft, cyberstalking, public shaming and celebrity watching."


According to indictment documents filed this month in a federal court in Ohio, a grand jury indicted Knapp for unlawfully obtaining identifiable health information of 596 patients in violation of HIPAA. The grand jury also charged Knapp with unauthorized access of a protected computer, in violation of federal laws.


"In her capacity as a respiratory therapist, Knapp was authorized to access individually identifiable health information and protected health information of certain respiratory patients," according to the indictment. "Knapp was not authorized to access the individually identifiable health information and protected health information of other hospital patients."

Federal prosecutors involved in the case did not immediately respond to Information Security Media Group's request for more details about the alleged HIPAA violations.


Accessing protected health information without authorization and the disclosure of this information to a third party carries a jail term of up to 10 years in addition to a maximum fine of $500,000 if the disclosure is made for personal gain, Ganow says.


On May 28, 2014, ProMedica, the parent company of the 72-bed hospital where Knapp worked, began notifying the affected patients that their records were inappropriately accessed between April 1, 2013, and April 1, 2014. The breach was also reported to the U.S. Department of Health and Human Services, which has listed the incident on its "wall of shame" website of major breaches as an unauthorized access/disclosure incident involving electronic medical records and a network server.

Other HIPAA Cases

There have been only a handful of other HIPAA-related indictments of individuals that have resulted in convictions and prison sentences.

"Most recently, we saw the criminal conviction of hospital employee Joshua Hippler in Texas for wrongful disclosure of individually identifiable health information for personal gain," Ganow notes. In February, Hippler was sentenced to serve 18 months in prison after pleading guilty on Aug. 28, 2014, to wrongful disclosure of individually identifiable health information.


Federal prosecutors say that from December 2012 through January 2013, Hippler was an employee of an unidentified East Texas hospital, where he obtained protected health information with the intent to use it for personal gain.


In another case in October 2013, Denetria Barnes, a former nursing assistant at a Florida assisted living facility, was sentenced to 37 months in prison after pleading guilty to several federal offenses, including conspiracy to defraud the U.S. government and wrongful disclosure of HIPAA protected information.


Ganow predicts prosecutors will pursue more of these criminal HIPAA cases. "As long as the healthcare industry continues to actively use Social Security numbers and not take steps to redact them or commit to a minimum use policy, we will see increased criminal activity and related prosecutions," he says. "Because healthcare records have names, dates of births and SSNs, they are a tempting target for one-stop shop identity thieves. "


Still, there are steps that healthcare entities can take to minimize insider breaches.


"It's not enough to have your policies, procedures and safeguards in place. You have to continually assess your security posture for new threats or new risks as a result of a new use of information," he says.

"In some instances, such as transactions under the Affordable Care Act, SSNs are required and a necessary evil because of tax implications. That said, healthcare entities would do well to isolate SSNs from other data, encrypt or redact SSNs whenever possible, and embrace the 'minimum necessary' use principle under HIPAA to mitigate risks to SSN's and all PHI," Ganow suggests.


"Technology can only do so much. Data governance still comes down to people," he adds. "Train employees well and audit their compliance. We stress to clients that data privacy and security is everyone's business. You will always have bad actors, but you can prevent their bad acts or mitigate resulting harms from such bad acts with solid policies, procedures, training and oversight."


more...
No comment yet.
Scoop.it!

HIPAA Compliance Tips for Mobile Data Security 

HIPAA Compliance Tips for Mobile Data Security  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance Tips for Mobile Data Security

Nearly 4 out of 5 healthcare providers use a mobile device for professional purposes. These numbers continue to rise as healthcare organizations place an increased focus on efficiency and productivity. (1) Although mobile devices are incredibly efficient and convenient, they also harbor measurable risks for data breach and the exposure of protected health information (PHI).

 

Mobile devices are often more susceptible to theft because they lack the appropriate security controls. In fact, mobile device malware infections have surged 96% from 2015 to 2016. (2)  To avoid hefty penalties and the risk of a data breach, healthcare organizations must develop and implement mobile device procedures and policies that will protect the patient’s health information.

 

Below are five recommendations from HHS (The Department of Health and Human Services) that organizations can take to help manage mobile devices in the healthcare setting:

 

  1. Understand the risks before allowing the use of mobile devices- Decide whether healthcare providers or medical staff will be permitted to use mobile devices to access, receive, transmit, or store patients’ health information or if they will be used as part of the organization’s internal network or systems, such as an electronic health record system.
  2. Conduct a risk analysis to identify threats and vulnerabilities- Consider the risks to your organization when permitting the use of mobile devices to transmit health information Solo providers may conduct the risk analysis on their practice, however, those working for a large provider, the organization may conduct it.
  3. Identify a mobile device risk management strategy, including privacy and security safeguards- A risk management strategy will help healthcare organizations develop and implement mobile device safeguards to reduce risks identified in the risk analysis. Include the evaluation and regular maintenance of the mobile device safeguards put in place.
  4. Develop, document, and implement mobile device policies and procedures to safeguard health information. Some topics to consider when developing mobile device policies and procedures are:
    1. Mobile device management
    2. Using your own device
    3. Restrictions on mobile device use
    4. Security or configuration settings for mobile devices
  5. Conduct mobile device privacy and security awareness and ongoing training/education for providers and professionals.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What's in Our 2018 SecurityMetrics HIPAA Guide?

What's in Our 2018 SecurityMetrics HIPAA Guide? | HIPAA Compliance for Medical Practices | Scoop.it
 We are thrilled to announce the release of our brand-new HIPAA Guide! No matter the size of your organization, you can use this guide to understand and handle the more challenging requirements of HIPAA. In fact, it's already coming in handy for many of our partners. See what some of them have to say:

"The HIPAA Guidebook is one of the best references. It's well-organized and easy for our medical office staff and providers to understand." -Hedy Haun, Sr. Process Analyst,  SHARP Medical Group

"Words cannot express what the HIPAA Guide represents to me and all of Curis. It's like an encyclopedia for us." -George Arnau,  Curis Practice Solutions

A better way to read and utilize our HIPAA guide


Just like many of our partners report back to us, our HIPAA Guide is best utilized as "desk-side reference." In order to increase the guide's usefulness to you, we've added a new section called "How to Read This Guide." It includes a color-coded system, with reading suggestions based on your familiarity with HIPAA: beginning, intermediate, and advanced. This section discusses the skill levels likely required for policy and procedure implementation.

We understand there are many job descriptions that require HIPAA understanding, so whether you're a brand-new employee or a seasoned systems administrator--our guide is meant for you.

 We also include a "Terms and Definitions" glossary at the end of the 135-page guide. This is meant to help familiarize you with data security and tech terms you may not already know.

Ultimately, we want to help you keep your patients' and customers' data safe and secure. By helping you address the most complicated aspects of data security and HIPAA , we aim to equip you with practical knowledge you can use in meetings and trainings, while drafting policies and procedures, and when making decisions about security at your practice.

Survey Data and HIPAA industry trends

This year, we conducted four surveys and received responses from over 300 healthcare professionals. These professionals are responsible for HIPAA compliance at their organizations, and work primarily at companies with less than 500 employees. And while larger organizations tend to have better HIPAA compliance, it's important that those larger organizations still take note of compliance trends at organizations of all sizes, since they will likely share data and interact with them (for instance, when a large hospital sends patient records to a smaller specialty clinic).

We asked respondents about security habits at their organizations. Training and encryption continue to challenge HIPAA teams, while many organizations fare well in the area of risk analysis. Here are just a few of our survey results:

  • 6% of organizations do not conduct a formal risk analysis
  • 16% of organizations report they send emails with unencrypted patient data
  • 34% of organizations train employees on the HIPAA Breach Notification Rule

Top Tips for Better Data Security 

As lead SecurityMetrics HIPAA auditor Brand Barney says, "Our guide was specifically created to help covered entities and business associates address the most problematic issues within HIPAA compliance.”

So, the guide focuses on commonly challenging aspects of the HIPAA Privacy, Breach Notification, and Security Rules, including:

•   Incident response plans
•   PHI encryption
•   Business associate agreements
•   Mobile device security
•   HIPAA-compliant emails
•   Remote access
•   Vulnerability scanning
•   Penetration testing

A proactive, offense-minded approach

Even with steep penalties in place, HIPAA compliance--particularly when it comes to security--is often not as complete as is thought or hoped for. In fact, according to the Identity Theft Resource Center , 24.7% of data breaches in 2017 were healthcare-related. Education is the first line of defense, so becoming familiar with the guide is one of the best ways you can proactively protect your organization from a potentially devastating data breach.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Keep Your Practice’s Communication HIPAA-Compliant

How to Keep Your Practice’s Communication HIPAA-Compliant | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA compliance is a top concern for medical practices, and for good reason–violations can result in serious consequences, including large fines and potentially even jail time. To make things more complicated, the laws themselves tend to be rather vague on what actions practices need to take to become HIPAA-compliant.

Medical practices need to protect private patient data, but they also need to be able to go about the daily business of running a practice as efficiently as possible. Technology can certainly make day-to-day operations more efficient, but new technologies also bring about new concerns with HIPAA compliance. Many practices are hesitant to adopt new technology for that very reason.

When practices do decide that they want to use technology to communicate with patients and other practices, it can be difficult to figure out where to begin because HIPAA laws can be quite vague. Practices don’t want to slip up and have to pay the price (often, quite literally) for a violation.

 

So, what can you do to keep your practice’s communications on the right side of HIPAA guidelines? We highly recommend working with an expert on HIPAA laws to make sure your communication is always compliant.

 

If you’d like to learn more on what HIPAA-compliant communication entails throughout your practice, including marketing efforts, emails, appointment reminders, patient portals, and communication with other practices, we have put together this list of helpful resources to help you stay up to date on the latest recommended best practices for HIPAA-compliant communication.

Emailing Patients

Patients who are always on-the-go may prefer to communicate with you via email. If patients request email communication, you must make that option available to them, but you still need to take the proper precautions to protect your patients and your practice from HIPAA violations.

Appointment Reminders

Even appointment reminders can be considered private health information if done improperly. You may wish to use technology to automate this routine process and free up your employees’ time for other tasks, but you need to make sure that you aren’t inadvertently giving away private patient information in the process.

Patient Portals

Practices are required to implement and use a patient portal to meet Meaningful Use requirements. However, patient portals are still subject to HIPAA laws and may, in fact, pose the greatest security risk of all practice communications because of the amount of information they contain. Always do your research before choosing a vendor for your patient portal to make sure they will keep you covered.

 

Communicating with Other Practices

It’s important for your practice to be able to communicate with your patients’ other health care providers to be able to provide the most comprehensive care possible. However, it can be quite challenging to communicate with other practices in a manner that is both efficient and HIPAA-compliant. These resources include suggestions on improving your communication strategies while protecting private information.

 

The Dangers of Sharing Patient Information via Text/IM

As a healthcare provider, your days are usually very busy, and it’s likely that the doctors you need to communicate with are equally as busy. When you need to share information, whether it’s a quick update on a patient or a request for a consult, it can be tempting to just send a quick text or instant message. If texting/instant messaging is your preferred form of communication with other doctors, you need to approach with caution.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The HIPAA Privacy and HIPAA Security Rules

The HIPAA Privacy and HIPAA Security Rules | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.

THE HIPAA PRIVACY AND HIPAA SECURITY RULES

According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. Additionally, the Security Rule establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form. The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals’ electronic PHI (e-PHI). Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

THE NEED FOR HIPAA COMPLIANCE

As HHS points out, as health care providers and other entities dealing with PHI move to computerized operations, including computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, HIPAA compliance is more important than ever. Similarly, health plans provide access to claims as well as care management and self-service applications. While all of these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data. The Security Rule is in place to protect the privacy of individuals’ health information, while at the same time allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule, by design, is flexible enough to allow a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to patients’ and consumers’ e-PHI.

PHYSICAL AND TECHNICAL SAFEGUARDS, POLICIES, AND HIPAA COMPLIANCE

The HHS requires physical and technical safeguards for organizations hosting sensitive patient data. These physical safeguards include…

  • Limited facility access and control with authorized access in place
  • Policies about use and access to workstations and electronic media
  • Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI

Along the same lines, the technical safeguards of HIPAA require access control allowing only for authorized personnel to access ePHI. Access control includes…

  • Using unique user IDS, emergency access procedures, automatic log off, and encryption and decryption
  • Audit reports or tracking logs that record activity on hardware and software

Other technical policies for HIPAA compliance need to cover integrity controls, or measures put in place to confirm that ePHI is not altered or destroyed. IT disaster recovery and offsite backup are key components that ensure that electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact. One final technical safeguard is a network or transmission security that ensures HIPAA compliant hosts protect against unauthorized access to ePHI. This safeguard addresses all methods of data transmission, including email, internet, or private network, such as a private cloud.

To help ensure HIPAA compliance, the U.S. government passed a supplemental act, The Health Information Technology for Economic and Clinical Health (HITECH) Act, which raises penalties for health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was put into place due to the development of health technology and the increased use, storage, and transmission of electronic health information.

DATA PROTECTION FOR HEALTHCARE ORGANIZATIONS AND MEETING HIPAA COMPLIANCE

Clearly, the need for data security has grown as the proliferation of electronic patient data grows. High-quality care today requires healthcare organizations to meet the accelerated demand for data; yet, they must ensure HIPAA compliance and protect PHI. Make sure that you have a data protection strategy in place that allows your organization to:

  • Ensure the security and availability of PHI to maintain the trust of practitioners and patients
  • Meet HIPAA and HITECH regulations for access, audit, and integrity controls as well as for data transmission and device security
  • Maintain greater visibility and control of sensitive data throughout the organization

The best data protection solutions recognize and protect patient data in all forms, including structured and unstructured data, emails, documents, and scans while allowing healthcare providers to share data securely to ensure the best possible patient care. Patients entrust their health care to your organization; you need to take care of their protected health information as well.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAAChat: secure messaging and telemedicine platform

HIPAAChat: secure messaging and telemedicine platform | HIPAA Compliance for Medical Practices | Scoop.it

To provide the best care for our patients, physicians and healthcare workers must communicate constantly.  For many of us, text messaging, push-to-talk messages, and video calling have become the preferred method of contact.


However, SMS, FaceTime, Skype, and iMessage are not technically HIPAA-compliant platforms. Even though some like FaceTime may meet data security standards that could make them HIPAA compliant, they don’t necessarily commit to it.


We have seen an influx of HIPAA-compliant secure messaging apps over the past few years like AthenaTextDoximityTigerText, and others. HIPAAChat enters into this market as an easy to use app with an intuitive format and some pretty unique features that make it stand out. Following the acquisition by Everbridge, a world leader in cloud-based, unified critical communications, HIPAAChat also incorporates advanced Enterprise utility and interoperability. Secure text, group chat, image transfer – check. Dictate/audio transfer/push-to-talk – check. Real-time, live video calling? You bet! HIPAAChat provides all these features packaged in an app that is as easy to use as iMessage and FaceTime.


User Interface


After downloading the HIPAAChat app, setup was extremely simple and only required input of your name, email, and phone number. Optional information included a photo upload and a 4-digit pin setup if your phone isn’t fingerprint or password protected. In order to connect with colleagues, both parties must have the app on their smartphone. However, within the app, you can select people from your existing contacts or enter a phone number or email and an invitation will be sent prompting them to download the app to begin HIPAA-compliant communication.


HIPAAChat is available for both Android and iPhone devices. As a result, the app facilitates secure messaging between all members of the care team, including physicians, nurses, social workers, consultants, etc. One of the main features that kept me using the HIPAAChat app is the simple, clean, and intuitive interface. I have been using this app to answer questions about patients from residents and referring doctors. Despite a busy clinical and surgical volume, the app allows for minimal disruption in my current routine.


Functions


Messaging


The messaging features are standard and work the same as SMS or iMessage. The interface shows when a message was read and also displays when a message is being typed. A nice feature of this and other secure messaging apps is the ability to group text with users. The Enterprise software allows for additional features, including the creation of group distribution lists via active directory/ADAM and LDAP synchronization. This would be particularly useful for alerting specialized medical teams, such as a Stroke Team, Code Team, Trauma Team, etc. In our practice, we have been using HIPAAChat to relay information on surgical or clinic add-ons, questions on patient management, and consultations from other doctors. 


Photos


In ophthalmology, as with many other medical specialties, we heavily rely on imaging for patient care. A picture is often worth a thousand words. HIPAAChat allows for secure transmission of photos with a simple tap of the camera icon. Users can choose to take a new photo or choose an existing photo, without leaving the app interface. One feature missing in the current version is the ability to transmit saved videos asynchronously.


Touch-to-talk/Talk-to-text


Walkie-talkie or push-to-talk allows recording voice messages with the touch of a button. This feature actually plays the audio message instead of converting to text. However, the audio message is played back over the speaker, so you must be cognizant of people around as they will hear the message. In addition to touch-to-talk, the app also allows talk-to-text, making it extremely easy to dictate text messages on the fly. With the release of smart watches like the Apple Watch, these features could open the door to efficient audio messaging on your wrist since these devices won’t allow texting on the screens. Message alerts show up on the Apple Watch, but the current version will not display actual messages. Although future versions are likely to incorporate the use of the smart watches.


Audio/Video calling


A main distinguishing feature of HIPAAChat from several competitors is the ability for real-time audio and video calling. As a result, the HIPAAChat app can also serve as a telemedicine platform. The video calling has a similar interface as FaceTime or Skype, again contributing to the ease-of-use and intuitive nature of the app. Call clarity and picture quality was very good, without any significant delays or picture freezes when I used it on our Wifi network.


Security


With maximum fines of $50,000 per violation and up to $1.5 million annually for repeat violations, secure messaging of PHI is imperative. HIPAAChat allows for secure, encrypted transmission of messages as part of the Everbridge platform. The app meets all the administrative, technical, and physical safeguards.


Enterprise


I have been using the basic HIPAAChat lite, which is free for download and offers the core secure communication features. The Enterprise-level adds an IT administrator console for managing users and devices, an Active Directory sync, archiving and data retention, auditing, reporting, and analytics. Additionally, the Enterprise version facilitates system integration with EHRs, labs, admissions/discharge/transfer systems, and nurse call/intercom systems. For institutions wanting custom integration, fully documented APIs are available and based on specific needs.


Telemedicine


The live video calling feature of the HIPAAChat app sets it apart from other secure messaging apps that I have used. Whereas two systems are usually needed for secure messaging and telemedicine, HIPAAChat combines the two in one platform. Additionally, unlike many telemedicine platforms, the physician can access secure video on their smartphone or tablet, making it truly portable.


The HIPAAChat platform enables physicians to communicate virtually with other medical staff, consultants, and even patients from anywhere. I have found that the video consultations can be very useful in the emergency room setting, often preventing unneeded transfers, follow-up, or unnecessary treatment. Everbridge also offers an iCart that serves as a mobile telemedicine platform, ideally suited for the emergency room. The iCart is a mobile cart on wheels with the attachment of a tablet. The housing of the tablet allows for attachment of video lights, a Wood’s lamp, and macro lenses specifically for ophthalmology and dermatology.

more...
Lyfe Media's curator insight, June 19, 2015 1:48 PM

Technology is quickly coming to the medical fields rescue by improving processes and cutting costs. HIPAACHAT is just one of the tools doing exactly that. This article explains the different features the app has and how it's making incredible improvements to a necessary industry. LyfeNews

Scoop.it!

What Happens in HIPAA Audits: Breaking Down HIPAA Rules

What Happens in HIPAA Audits: Breaking Down HIPAA Rules | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA audits are something that covered entities of all sizes must be prepared to potentially go through. As technology continues to evolve, facilities need to ensure that they are maintaining PHI security and understand how best to keep sensitive information secure.


The Department of Health & Human Services (HHS) Office for Civil Rights (OCR) had originally scheduled its second round of HIPAA audits for the fall of 2014, yet as of this publication, round two is still waiting to be scheduled. Regardless, HIPAA audits are an essential aspect to the HIPAA Privacy and Security Rules.


We’ll break down the finer points of the audit process and why it is important, while also highlighting tips for facilities in case they are selected for an OCR HIPAA audit.


What are the HIPAA audits?


The OCR HIPAA audit program was designed to analyze the processes, controls, and policies that selected covered entities have in place in relation to the HITECH Act audit mandate, according to the HHS website.

OCR established a comprehensive audit protocol that contains the requirements to be assessed through these performance audits. The entire audit protocol is organized around modules, representing separate elements of privacy, security, and breach notification. The combination of these multiple requirements may vary based on the type of covered entity selected for review.

The HIPAA audits also are designed to cover HIPAA Privacy Rule requirements in seven areas:

  • Notice of privacy practices for PHI
  • Rights to request privacy protection for PHI
  • Access of individuals to PHI
  • Administrative requirements
  • Uses and disclosures of PHI
  • Amendment of PHI
  • Accounting of disclosures.


Why are the HIPAA audits important?


HIPAA audits are not just a way for OCR to ensure that covered entities are keeping themselves HIPAA compliant. Having periodic reviews of audit logs can help healthcare facilities not only detect unauthorized access to patient information, but also provide forensic evidence during security investigations. Auditing also helps organizations track PHI disclosures, learn about new threats and intrusion attempts, and even help to determine the organization’s overall effectiveness of policies and user education.


In FY 2014 alone, the OCR resolved more than 15,000 complaints of alleged HIPAA violations, according to the national FY 2016 budget request proposal report.


“OCR conducted a pilot program to ensure that its audit functions could be performed in the most efficient and effective way, and in FY 2015 will continue designing, testing, and implementing its audit function to measure compliance with privacy, security, and breach notification requirements,” the report authors explained. “Audits are a proactive approach to evaluating and ensuring HIPAA privacy and security compliance.”


The HIPAA audits are important because they help incentivize covered entities to remain HIPAA compliant, but they are also an opportunity to strengthen up organization’s security measures and find any weak spots in their approach to security.


What if I am selected for the HIPAA audit program?


As previously mentioned, there is not yet an exact date for when the next round of HIPAA audits will take place, there have been several reports that preliminary surveys have been sent to covered entities that may be selected for audits.


According to a report in The National Law Review, OCR will audit approximately 150 of the 350 selected covered entities and 50 of the selected business associates for compliance with the Security Standards. Furthermore, OCR will audit 100 covered entities for compliance with the Privacy Standards and 100 covered entities for Breach Notification Standards compliance.


Whether your organization received one of those surveys or not, it’s important for entities to have at least a basic plan in place for potential audits. Healthcare organizations should not rely on a false sense of security, and they need to ensure that when their data systems and safeguards are being reviewed, that facilities try and keep in mind what the OCR would be looking for so no areas are missed.


Current physical safeguards, administrative safeguards, and technical safeguards are not only required by the Security Rule, but they work together to protect health information. In addition to those areas, here are a few key things for covered entities to maintain, as they may play a role in the HIPAA audit process:


  • Perform comprehensive and periodic risk analyses
  • Keep thorough inventories of business associates and their contracts or BAAs.
  • Maintain thorough accounts of where ePHI is stored, this includes but is not necessarily limited to internal databases, mobile devices and paper documents.
  • Thorough records of all security training that has taken place.
  • Documented evidence of the facility’s encryption capabilities.


If covered entities have performed a proper risk assessment, preparing for the HIPAA audits will not be as daunting. For further discussion on the legal implications of risk assessments and analyses.


Maintain compliance and stay prepared


Perhaps one of the best ways to prepare for a potential OCR HIPAA audit is to keep all three safeguards current, ensuring to adjust them as necessary as technology evolves.


It is also essential for covered entities to know their BAs, and have all appropriate contracts and business associate agreements in place and up to date.


Conducting periodic risk analysis will also be beneficial, and covered entities should be sure to be able to provide evidence of compliance. This can include documentation of policies and procedures being in place. For example, instances where a facility has sanctioned people and whether it was consistent with its sanctions policy will be beneficial if an audit takes place that looks at the sanction process.


Without a risk analysis, it is much more difficult for healthcare organizations to know where they are in terms of security. This can be detrimental not only for HIPAA audits, but also in maintaining comprehensive data security. Periodic reviews will help facilities continue to work toward maintaining HIPAA compliance and keeping sensitive data as secure as possible.

more...
No comment yet.
Scoop.it!

HIPAA Violation Leads to Probation for Radiologist

HIPAA Violation Leads to Probation for Radiologist | HIPAA Compliance for Medical Practices | Scoop.it

An Ohio radiologist is facing disciplinary actions from the state medical board after she reportedly committed a HIPAA violation.

Dr. Aimee Hawley unlawfully accessed a colleague’s medical record, according to a DOTmed News article, and her medical license is now on probation. However, Hawley will still be able to practice medicine during her probation period.


“No one can access a patient’s medical records unless they are a treating or consulting physician or have permission from the patient,” Joan Wehrle, education & outreach program manager at the State Medical Board of Ohio, told the news source, adding that this is a learning opportunity for all caregivers.


Wehrle added that the source of the complaint is protected and confidential.


Hawley is required under the consent agreement to comply with a reprimand and probationary punishment, according to DOTmed. The agreement states that Hawley  “intentionally accessed the electronic medical records of a physician colleague (and) further admits that she was not a treating physician, nor was she asked to consult, or provide diagnostic service.”


Hawley must also agree to certain terms under the consent agreement:


  • Quarterly declarations to confirm compliance
  • Face-to-face meetings as requested by the medical board
  • Attend medical ethics training, including submitting a written report on what she learned
  • Write a letter of apology to her physician colleague


Employees inappropriately accessing patient records is unfortunately not a new scenario. Toward the end of last year, an Indiana Court of Appeals upheld the ruling that Walgreens can be held liable for its employee being part of HIPAA violations.


In that case, a Walgreens pharmacist allegedly inappropriately accessed a woman’s prescription data and exposed it to her husband. A six-person Indiana jury awarded the woman $1.44 million from that health data breach. The plaintiff argued that Walgreens hadn’t done enough to properly train and supervise its employee on protecting patient data and that the employee hadn’t done her job to secure that data.


“By choosing to appeal, Walgreen has now created a precedent,” according to prosecuting attorney Neal Eggeson Jr. “Confirming that privacy breach victims may hold employers accountable for the HIPAA violations of their employees.”


In a February interview with HealthITSecurity.com, Marty Edwards, MS, CHC, CHPC, Compliance Officer at Dell Services Healthcare and Life Science division, also touched on this topic. Edwards explained that “the human factor” is critical for any healthcare organization, and that a lack of knowledge about HIPAA could be harmful.


“You have to keep in mind that all the users that have access to that data have a role or responsibility, and are using that information for a specific purpose,” Edwards said. “So it’s up to those users to make sure that they follow the necessary processes, procedures and policies in place for the disclosure of that information.”


Facilities must ensure that all employees understand what the Privacy and Security Rules are about, and also understand their obligations as staff members. Moreover, covered entities should teach employees how to tie those obligations back to existing practices within the organization.

more...
No comment yet.
Scoop.it!

Health Research Bill Would Alter HIPAA

Health Research Bill Would Alter HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

Some privacy experts are concerned that a bipartisan 21st Century Cures bill, as drafted, would weaken HIPAA privacy protections for patient information. The measure, among other things, is designed to help the medical community speed up the development of new drugs and treatments.


A discussion draft unveiled on April 29 proposes that the Secretary of the Department of Health and Human Services would "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.


Under the current HIPAA Privacy Rule, PHI is allowed be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If a proposed provision in the draft legislation is signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if covered entities or business associates, as defined under HIPAA, are involved.

The draft was jointly issued by Fred Upton, R-Mich., chairman of the House Energy and Commerce Committee, Rep. Diana DeGette, D-Col., ranking member of the Oversight and Investigations Subcommittee, and several other Republican and Democratic House members. Work on the legislation began a year ago, and a markup version of the bill, which covers a broad range of topics, is expected this week.

"Most significantly, the bill would require HHS to revise the HIPAA regulations so that uses and disclosures for research are treated the same as uses and disclosures for a covered entity's own healthcare operations, as long as any disclosures go to a HIPAA covered entity or business associate," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.


"This seems to mean that such research uses and disclosures could occur without an individual's authorization or an Institutional Review Board's or Privacy Board's waiver of authorization," he says. Essentially, research uses and disclosures would only be restricted by the 'minimum necessary' standard, he says. The HIPAA Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of, and requests for, PHI to the "minimum necessary" to accomplish the intended purpose.

Easing Research

Backers of the bill say it's needed because it has the potential of helping to knock down barriers to advancing medical innovation and treatment, including tapping breakthroughs in molecular medicine, genomics and related health technologies.


"For the first time ever, we in Congress are going to take a comprehensive look at what steps we can take to accelerate the pace of cures in America," DeGette says in a statement. We are looking at the full arc of this process - from the discovery of clues in basic science, to streamlining the drug and device development process, to unleashing the power of digital medicine and social media at the treatment delivery phase."


A source at the Energy and Commerce Committee say the markup of the bill is expected on May 14. "We are very careful to limit the potential to use PHI for research purposes only to covered entities and business associates working for covered entities - trusted organizations that have a relationship with the individual and that are already allowed to use PHI to improve care," the source says. "The committee wants those covered entities to not only improve care in their own institution, but be able to publish the findings of their research - without disclosing any identifiable PHI, of course. The bill ensures that PHI used for research is fully covered by the protections of the HIPAA privacy, security and breach reporting rules."


But some privacy experts say the bill goes too far in potentially removing patient privacy protections when it comes to the use of PHI for research.


The privacy provisions, as they appear in the draft bill, "roll back essential protections of the control that patients have over how their information is used and disclosed," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. "Because PHI used for research could involve genetic information, the [research exemption] could potentially provide [use and disclosure] of information on the genetic traits of family members. Once that data is out, you can't get it back."

Other Privacy Provisions

The bill also proposes providing individuals with one-time authorization that would allow the use and disclosure of their PHI for future research purposes.


"In cases where the covered entity or business associate needs an authorization, it would require HHS to put its interpretation into regulation that an authorization can encompass future research studies," Greene says. The bill's proposals appear to further expand the authority to use and disclose protected health information for research and codify in regulation a recent HHS interpretation allowing an advanced authorization for future research."


While HHS indicated in the HIPAA Omnibus Rule commentary that an authorization may authorize uses and disclosures of protected health information for future research studies, Greene says, "this bill would require HHS to put this into the HIPAA regulations themselves."

Deborah C. Peel, M.D., founder of Patient Privacy Rights, an advocacy group, tells Information Security Media Group the future-research proposal is "a very bad idea," adding "no data should ever be used except for a single purpose. It's especially bad because today we have no 'chain of custody' for our health data. It's impossible to know where in the world it is or how it's being used. The risks of today's ubiquitous data surveillance and collection systems are unknown. When has it ever been smart to agree to something you have no understanding of?"


Another provision in the draft bill would give researchers remote access to PHI maintained by a covered entity if ''appropriate security and privacy safeguards are maintained by the covered entity and the researcher, and the protected health information is not copied or otherwise retained by the researcher."


Greene says that in cases where the disclosure of PHI is to a researcher that is not a covered entity or business associate, "the statute would broaden the permission for disclosing protected health information preparatory to research, allowing a covered entity to grant remote access to the researcher, rather than requiring that the review occurs at the facility."


Additionally the bill would make changes regarding PHI used in paid research. "The proposed bill appears to also allow covered entities and business associates to receive remuneration, such as payments, in exchange for disclosing protected health information for research," Greene notes. "Currently, such payment would be limited to the reasonable cost for preparation and transmittal of the protected health information."


The remuneration proposal also diminishes patients' control over how their PHI is used for paid research, Holtzman says. "The proposals remove key reforms in the HITECH Act [HIPAA Omnibus final rule] that require specific [patient] authorization for disclosures of information when money is changing hands," Holtzman says. "That [HITECH provision] is to give an individual a choice when there is remuneration involved. The proposal would roll back important rights requiring patient permission when their health information is disclosed in exchange for payment."

More Scrutiny Needed

Holtzman says he hopes the provisions in the draft bill are thoroughly vetted before the legislation progresses further. "This document appears to be in the early stages. I trust that the privacy community would undergo exhaustive debate and review of this document at it develops."


Greene predicts that the proposal "may garner strong views from both the research community and privacy advocates, with researchers perhaps indicating that HIPAA is standing in the way of good research and that these changes are necessary, while some privacy advocates may claim that these changes go too far in allowing uses and disclosures without an individual's consent or authorization.

Peel, the consumer advocate, contends: "These new provisions are really out-of-date and clearly designed for paper consents - a total nightmare."


Under the current language in the bill, HHS would be required to make the changes to HIPAA "not later than 12 months after the date of the enactment of the Act."


more...
No comment yet.
Scoop.it!

Data breaches focus of proposed Illinois law

Data breaches focus of proposed Illinois law | HIPAA Compliance for Medical Practices | Scoop.it

April 25--A bill that would strengthen the state's data breach notification law has passed the Senate by a vote of 35-13.

S.B. 1833, sponsored by state Sen. Dan Biss of Evanston, was quickly praised by Illinois Attorney General Lisa Madigan.

"The growing frequency and scope of data breaches has necessitated an overhaul of Illinois' notification law," Madigan said in a news release. "This measure will ensure that people receive timely information when a breach occurs so they can work to limit their exposure to identity theft."

Madigan drafted the bill to strengthen the state's Personal Information Protection Act. The original act was passed in 2005, at Madigan's behest. It made Illinois among the first states nationwide to require businesses and other entities that suffer a data breach to notify Illinois residents if the breached information included residents' drivers' license numbers, social security numbers, or financial account information.

Since then, the amount of sensitive information collected about consumers has expanded, and the threat of data breaches has increased significantly.

"Between computers, phones and tablets, information is almost always at our fingertips. But the downside to that connectivity is that there are new ways for individuals to access personal information," Biss said in a news release.

The bill was endorsed by Citizen Action Illinois and the Heartland Alliance, among others. It would expand the type of information that triggers a breach notification to consumers, including medical information outside of federal privacy laws, biometric data, geological location information, sensitive consumer marketing data, contact information when combined with identifying information, and login credentials for online accounts.

The bill would also require entities holding sensitive information to take reasonable steps to protect the information, to post a privacy policy describing their data collection practices, and to notify Madigan's office when breaches occur.

The Illinois Attorney General's office is creating a website that will list every data breach that affects Illinois residents in an effort to increase their awareness.

Edwardsville police reported Thursday that they have taken 129 such incident reports in 2015, compared to just 9 in 2014.

Edwardsville resident Joe Baird said Thursday that the joint income tax that he and his wife filed this year was rejected recently because someone had stolen his wife's social security number and used it to collect a refund. "We had to go in and sign affidavits and all kinds of paperwork and then send it back to the government," Baird said.

The return, he said, had been filed electronically. The refund would be relatively small, he said. Still, Baird says he's hoping to find out who got the original refund, and how much they received.

"In this day of computers, it seems like nobody's safe anymore."

With its passage this week, SB 1833 now goes to the House for consideration.

more...
Jan Vajda's curator insight, April 30, 2015 7:24 AM

Přidejte svůj pohled ...

Scoop.it!

Researchers examine balancing privacy risk, utility of de-identified health data

Researchers examine balancing privacy risk, utility of de-identified health data | HIPAA Compliance for Medical Practices | Scoop.it

Researchers have shown how easy it is to re-identify patients in de-identified data, yet de-identified data can lose its value as more identifying factors are stripped out.


In a study published in the Journal of the American Medical Informatics Association, researchers from Vanderbilt University and elsewhere extended an algorithm to explore policy options that balance risk of violating a patient's privacy vs. the use of data for society.

The Safe Harbor model defined by HIPAA is one policy that specifies 18 rules, including suppression of explicit identifiers such as names, and generalization of "quasi-identifiers," such as date of birth, requiring recording the age of all patients over 90 as 90+. This rigid rule-based policy might not be ideal for sharing every data set, such as studies on dementia patients.


So the law allows alternatives, provided the risk of re-identification is appropriately measured and mitigated. A Centers for Medicare & Medicaid Services dataset, for instance, published on the Internet would carry a high risk because the system is completely open and the users unknown. Health data to be used by a trusted party with a data-use agreement and strong information security practices could be allowed a policy that favors utility over risk.


The researchers used the Sublattice Heuristic Search algorithm with U.S. census data from 10 states to show it can be applied to recommended rule-based de-identification policy alternatives for patient-level datasets with less risk and more utility than Safe Harbor and other models.


Harvard researchers have shown that patients can be re-identified with just their Zip code, date of birth and gender, along with other publicly available data such as voter rolls.


The Health Information Trust Alliance recently released a new framework for de-identification of sensitive patient information as part of a risk-management strategy.


more...
No comment yet.
Scoop.it!

Pharmacy Fined $125,000 for Breach

Pharmacy Fined $125,000 for Breach | HIPAA Compliance for Medical Practices | Scoop.it

A small Denver compounding pharmacy has been slammed with a $125,000 federal penalty for a 2012 breach involving improper disposal of paper patient records. It's the second such HIPAA enforcement action within a year by federal regulators tied to an incident involving records dumping by a covered entity.


In an April 27 statement, the Department of Health and Human Services' Office for Civil Rights says Cornell Prescription Pharmacy has agreed to a HIPAA settlement that includes the $125,000 penalty and calls for adopting a corrective action plan to correct deficiencies in its compliance program.


Cornell is a single-location pharmacy that specializes in compounded medications and related services for hospice care agencies in the region.

Proper PHI Disposal

"Regardless of size, organizations cannot abandon protected health information or dispose of it in dumpsters or other containers that are accessible by the public or other unauthorized persons," says OCR Director Jocelyn Samuels. "Even in our increasingly electronic world, it is critical that policies and procedures be in place for secure disposal of patient information, whether that information is in electronic form or on paper."


OCR launched a compliance review and investigation in February 2012 after the agency received notification from a Denver news outlet regarding the disposal of unshredded documents containing the protected health information of 1,610 patients in an unlocked, open container on Cornell's premises.


OCR's investigation determined Cornell failed to implement any written policies and procedures as required by the HIPAA Privacy Rule. The pharmacy also failed to provide training on policies and procedures to its workforce as required by HIPAA, OCR says.

Similar Cases

OCR last June approved an $800,000 HIPAA settlement with Parkview Health System, an Indiana-based community health system, tied to an incident involving paper records dumping. In that case, the organization was cited for leaving 71 cardboard boxes of medical records on thousands of patients unattended and accessible to unauthorized persons on the driveway of a retiring physician's home.


An in addition to the Parkview case, OCR has issued hefty settlements for several other breaches involving improper disposal of PHI.

"The latest OCR settlement is almost identical to 2009 and 2010 settlements against CVS and Rite Aid over the pharmacies allegedly dumping protected health information in publicly-accessible waste containers," says privacy attorney Adam Greene of law firm Davis Wright Tremaine.


"In both of those cases, as in the current case with Cornell Prescription Pharmacy, the OCR investigation was triggered by a local television news report identifying the issue at local pharmacies," Greene notes. "In response to the CVS and Rite Aid cases, OCR issued specific guidance on properly disposing of protected health information. Apparently, when OCR learned of a news report indicating that a pharmacy was not heeding this guidance, OCR determined that an additional settlement was needed."


Covered entities and business associates should closely track OCR settlement agreements "and ensure that any similar issues are addressed within your own organization," Greene stresses.

Attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, says he's surprised there haven't been even more such enforcement actions by OCR for these kinds of improper disposal cases.


There have been approximately 30 large breaches since April 2011 that have involved covered entities or business associates that failed to make paper or printed PHI unreadable or indecipherable, "such as by shredding into itty-bitty pieces," says Holtzman, who was a senior adviser at OCR prior to joining CynergisTek in 2013. "This [latest] case represents a drop in the bucket."

Corrective Action Plan

As part of its resolution agreement with OCR, Cornell has agreed to implement a corrective action plan that includes developing, maintaining and revising, as necessary, written policies and procedures to comply with the HIPAA Privacy Rule and submitting documentation of those policies and procedures to OCR for its review and approval.

The policies and procedures must include administrative and physical safeguards for the disposal of all non-electronic PHI, including those records being "shredded, burned, pulped or pulverized so that the PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed."


The pharmacy also agreed to distribute those policies and procedures to all members of its workforce within 30 days of OCR approving them and to also issue those policies and procedures to new members of the workforce within 30 days of their beginning of service.


In addition, the pharmacy agreed to provide its workforce HIPAA privacy training and to report violations of its privacy policies and procedures by its workforce to OCR.

More Settlements Soon?

Some privacy and security experts believe the resolution agreement with Cornell could be the first of several additional enforcement actions in the works at OCR for 2015, including cases involving other examples of HIPAA non-compliance.


"This is likely the beginning of a more active phase of OCR enforcement that we have been anticipating," Holtzman says. "I believe that OCR has been investigating a number significant investigations and compliance reviews, many resulting from breaches reported to HHS."


Holtzman adds: "I do not believe that OCR limits itself to reserving its enforcement resources to a predetermined checklist or agenda prioritizing one type of incident over another."

In a recent interview with Information Security Media Group, Greene also predicted that OCR will likely announce a number of eye-popping financial settlements for HIPAA violations later this year.


more...
No comment yet.
Scoop.it!

Health system sees 7th HIPAA data breach

Health system sees 7th HIPAA data breach | HIPAA Compliance for Medical Practices | Scoop.it

How many breaches, how many compromises of patients' confidential medical information does it take before there are some questions asked of an organization and its security policies? One health system recently announced its seventh large HIPAA breach.

 
The 20-hospital St. Vincent health system in Indianapolis, part of Ascension Health, most recently notified 760 of its medical group patients that their Social Security numbers and clinicaldata was compromised in an email phishing incident. The breach, which was discovered by hospital officials back in December 2014, marked the seventh breach for the health system in a less than five years.
 
It wasn't until March 12, 2015, that officials said they discovered which patients were impacted by the breach, which involved the compromise of an employee's network username and password. 
 
"St.Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause," St. Vincent officials wrote in the patient notification letter. 
 
According to data from the Office for Civil Rights, which keeps track of HIPAA breaches involving 500 people or more, St. Vincent health system has been a repeat HIPAA offender. Its most recent breach, reported in July 2014, compromised the health data of 63,325 patients after a clerical error sent patients letters to the wrong patients. 
 
The health system has also reported two breaches involving the theft of unencrypted laptops, which collectively compromised the health data of 2,341 patients. 


more...
No comment yet.