HIPAA Compliance for Medical Practices
69.3K views | +0 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Navigating Mobile Devices and HIPAA

Navigating Mobile Devices and HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

The mobile technology revolution has impacted nearly every industry across the globe, with healthcare being no exception. Hospitals, clinics, and providers have all quickly embraced the use of smartphones and other mobile devices along with the convenience of accessing important medical information quickly.  

Many healthcare organizations are capitalizing on the benefits that mobile devices provide by permitting physicians, nurses, and other healthcare staff to bring their own personal devices (BYOD) to use at work. Other organizations choose to provide their staff with company-owned mobile devices, finding it easier to maintain control and protect their networks. 

 

Although the convenience of mobile technology provides many advantages, it also comes with risks. If mobile data security measures are inadequate, covered entities are at risk of violating HIPAA regulations that can incur heavy fines. HIPAA fines of up to $1.5 million per violation category, per year that the violation has been allowed to persist can be issued by the HHS. In addition, other federal agencies can issue fines, such as the state attorneys general. There is also the considerable cost of a breach response to cover if data is potentially exposed. 

 

The majority of mobile devices do not have robust security controls which can allow devices to be easily compromised. For example, if an unprotected device connects to a network via public Wi-Fi, there is an increased risk of theft. Cybercriminals view mobile devices as an accessible entry point into healthcare networks allowing them to access valuable electronic Protected Health Information.

 

As mobile devices are rapidly becoming an integral part of daily healthcare operations, it is important that organizations fully comprehend healthcare mobile security. (1) HIPAA covered entities that choose to use mobile devices in the workplace must implement controls to protect patient health data.  (2) It is also necessary they review and address all potential mobile data security risks.

 

The HIPAA Security Rule does not require specific technology solutions when it comes to technical safeguards for mobile devices. However, HHS does require organizations to implement reasonable and appropriate security measures for standard operating procedures. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What's in Our 2018 SecurityMetrics HIPAA Guide?

What's in Our 2018 SecurityMetrics HIPAA Guide? | HIPAA Compliance for Medical Practices | Scoop.it
 We are thrilled to announce the release of our brand-new HIPAA Guide! No matter the size of your organization, you can use this guide to understand and handle the more challenging requirements of HIPAA. In fact, it's already coming in handy for many of our partners. See what some of them have to say:

"The HIPAA Guidebook is one of the best references. It's well-organized and easy for our medical office staff and providers to understand." -Hedy Haun, Sr. Process Analyst,  SHARP Medical Group

"Words cannot express what the HIPAA Guide represents to me and all of Curis. It's like an encyclopedia for us." -George Arnau,  Curis Practice Solutions

A better way to read and utilize our HIPAA guide


Just like many of our partners report back to us, our HIPAA Guide is best utilized as "desk-side reference." In order to increase the guide's usefulness to you, we've added a new section called "How to Read This Guide." It includes a color-coded system, with reading suggestions based on your familiarity with HIPAA: beginning, intermediate, and advanced. This section discusses the skill levels likely required for policy and procedure implementation.

We understand there are many job descriptions that require HIPAA understanding, so whether you're a brand-new employee or a seasoned systems administrator--our guide is meant for you.

 We also include a "Terms and Definitions" glossary at the end of the 135-page guide. This is meant to help familiarize you with data security and tech terms you may not already know.

Ultimately, we want to help you keep your patients' and customers' data safe and secure. By helping you address the most complicated aspects of data security and HIPAA , we aim to equip you with practical knowledge you can use in meetings and trainings, while drafting policies and procedures, and when making decisions about security at your practice.

Survey Data and HIPAA industry trends

This year, we conducted four surveys and received responses from over 300 healthcare professionals. These professionals are responsible for HIPAA compliance at their organizations, and work primarily at companies with less than 500 employees. And while larger organizations tend to have better HIPAA compliance, it's important that those larger organizations still take note of compliance trends at organizations of all sizes, since they will likely share data and interact with them (for instance, when a large hospital sends patient records to a smaller specialty clinic).

We asked respondents about security habits at their organizations. Training and encryption continue to challenge HIPAA teams, while many organizations fare well in the area of risk analysis. Here are just a few of our survey results:

  • 6% of organizations do not conduct a formal risk analysis
  • 16% of organizations report they send emails with unencrypted patient data
  • 34% of organizations train employees on the HIPAA Breach Notification Rule

Top Tips for Better Data Security 

As lead SecurityMetrics HIPAA auditor Brand Barney says, "Our guide was specifically created to help covered entities and business associates address the most problematic issues within HIPAA compliance.”

So, the guide focuses on commonly challenging aspects of the HIPAA Privacy, Breach Notification, and Security Rules, including:

•   Incident response plans
•   PHI encryption
•   Business associate agreements
•   Mobile device security
•   HIPAA-compliant emails
•   Remote access
•   Vulnerability scanning
•   Penetration testing

A proactive, offense-minded approach

Even with steep penalties in place, HIPAA compliance--particularly when it comes to security--is often not as complete as is thought or hoped for. In fact, according to the Identity Theft Resource Center , 24.7% of data breaches in 2017 were healthcare-related. Education is the first line of defense, so becoming familiar with the guide is one of the best ways you can proactively protect your organization from a potentially devastating data breach.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

6 things software vendors need to know about HIPAA compliance

6 things software vendors need to know about HIPAA compliance | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance

 

Many people are loosely familiar with the Health Insurance Portability and Accountability Act (HIPAA) and usually associate it with hospitals, clinics, and health insurance companies. However, it can be less clear how HIPAA compliance standards apply to countless other software vendors, SaaS providers that work with healthcare-related businesses or handle protected health information (PHI). In recent months, the Office for Civil Rights has been coming down hard on HIPAA violators, doling out some of the large fines – upwards of $5 million. So in order to ensure your business is protected and to maintain your brand reputation, it is vital to know the ins and outs of HIPAA compliance. With this in mind,

 

How do you know if you need to be HIPAA compliant?

 

In short, HIPAA rules apply to both Covered Entities (health insurance companies, HMOs, company health plans, etc.) and their business associates (a vendor or subcontractor who has access to PHI). What this means for business associates is that even if you’re a service provider or vendor who isn’t in the healthcare industry - like an all-flash storage company - you may still need to be HIPAA compliant indirectly due to the fact that your organization stores PHI. The first step here is to determine whether your organization handles PHI. If you do, your next step is to look through the

 

Look to your current vendors for guidance

 

Once you determine that you need to be compliant, there’s no need to go on a hiring spree to ensure you have the necessary resources in-house. Many of your existing vendors may already cover key HIPAA compliance requirements. Any good service provider should be able to tell you whether they are HIPAA compliant and what controls they can cover. If so, it is important that they are also willing to sign a Business Associate Agreement (BAA) - a negotiation between Covered Entities and any third-party vendors that have access to their PHI.

 

Look for specific types of technology that can help to streamline the process

 

If none of your existing vendors can help with HIPAA compliance, turn to a managed service provider to do the heavy lifting and help your business attain and maintain compliance, so you can focus resources on driving business. Additionally, they can strengthen the security technology, processes, and controls they use to keep customer information secure. For example, if you’re looking for a secure way to continue work-from-home programs at your organization through remote desktops, HIPAA compliant Desktop-as-a-Service (DaaS) vendors are a great option to both fill specific needs for your business and drastically simplify compliance.

 

Don’t forget about maintenance

 

A key stumbling block for many organizations tends to be maintaining a constantly evolving set of compliance standards. HIPAA compliance certification is valid only at that moment – it is then up to the company to maintain compliance which is easier said than done. Some important things to keep the top of mind for maintenance include 1) completing a HIPAA Risk Analysis document and audit at least once a year, and 2) assessing employees year-round to make sure they are doing their jobs in a HIPAA compliant manner, following all stated company policies and procedures.

 

Know who is responsible for HIPAA compliance

 

Another challenge accompanying HIPAA compliance may sound simple, but is one that oftentimes goes overlooked - precisely who internally is responsible for compliance? For non-healthcare organizations, a company is unlikely to have a designated in-house role such as a Privacy and Security Officer, and therefore the responsibility often falls on security or operations departments. However, it’s likely that neither of these departments has a full understanding or stake in HIPAA compliance. Regardless of who is taking the reins, it is important that the role is clearly demarcated and that person or department knows what is expected of them. Additionally, it’s critical that they work together with other departments as needed to ensure a well-rounded HIPAA strategy. Case in point - a recent

 

Keep HIPAA compliance top of mind for staff

 

Regardless of who is in charge, it is important that all your staff be mindful of maintaining HIPAA compliance. Human error can become one of the biggest obstacles to maintaining compliance, especially when employees may not even realize their company deals with PHI. For example, the same NueMD survey also found that only 58% of respondents were providing training for their staff annually. HR teams can proactively assist with this by reminding staff of regular HIPAA training, updates on compliance standards changes and keeping visible HIPAA compliance checklists posted in work areas.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The HIPAA Privacy and HIPAA Security Rules

The HIPAA Privacy and HIPAA Security Rules | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.

THE HIPAA PRIVACY AND HIPAA SECURITY RULES

According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. Additionally, the Security Rule establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form. The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals’ electronic PHI (e-PHI). Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

THE NEED FOR HIPAA COMPLIANCE

As HHS points out, as health care providers and other entities dealing with PHI move to computerized operations, including computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, HIPAA compliance is more important than ever. Similarly, health plans provide access to claims as well as care management and self-service applications. While all of these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data. The Security Rule is in place to protect the privacy of individuals’ health information, while at the same time allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule, by design, is flexible enough to allow a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to patients’ and consumers’ e-PHI.

PHYSICAL AND TECHNICAL SAFEGUARDS, POLICIES, AND HIPAA COMPLIANCE

The HHS requires physical and technical safeguards for organizations hosting sensitive patient data. These physical safeguards include…

  • Limited facility access and control with authorized access in place
  • Policies about use and access to workstations and electronic media
  • Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI

Along the same lines, the technical safeguards of HIPAA require access control allowing only for authorized personnel to access ePHI. Access control includes…

  • Using unique user IDS, emergency access procedures, automatic log off, and encryption and decryption
  • Audit reports or tracking logs that record activity on hardware and software

Other technical policies for HIPAA compliance need to cover integrity controls, or measures put in place to confirm that ePHI is not altered or destroyed. IT disaster recovery and offsite backup are key components that ensure that electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact. One final technical safeguard is a network or transmission security that ensures HIPAA compliant hosts protect against unauthorized access to ePHI. This safeguard addresses all methods of data transmission, including email, internet, or private network, such as a private cloud.

To help ensure HIPAA compliance, the U.S. government passed a supplemental act, The Health Information Technology for Economic and Clinical Health (HITECH) Act, which raises penalties for health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was put into place due to the development of health technology and the increased use, storage, and transmission of electronic health information.

DATA PROTECTION FOR HEALTHCARE ORGANIZATIONS AND MEETING HIPAA COMPLIANCE

Clearly, the need for data security has grown as the proliferation of electronic patient data grows. High-quality care today requires healthcare organizations to meet the accelerated demand for data; yet, they must ensure HIPAA compliance and protect PHI. Make sure that you have a data protection strategy in place that allows your organization to:

  • Ensure the security and availability of PHI to maintain the trust of practitioners and patients
  • Meet HIPAA and HITECH regulations for access, audit, and integrity controls as well as for data transmission and device security
  • Maintain greater visibility and control of sensitive data throughout the organization

The best data protection solutions recognize and protect patient data in all forms, including structured and unstructured data, emails, documents, and scans while allowing healthcare providers to share data securely to ensure the best possible patient care. Patients entrust their health care to your organization; you need to take care of their protected health information as well.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Where Is HIPAA Taking Physician Practices?

Where Is HIPAA Taking Physician Practices? | HIPAA Compliance for Medical Practices | Scoop.it

Introduction:

Several provisions of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, were intended to encourage electronic data interchange (EDI) and safeguard the security, privacy, and confidentiality of patient health information In the context of this act, security is the means by which confidentiality and privacy are insured. Confidentially defines how patient data can be protected from inappropriate access, while privacy is concerned with who should have access to the patient data. This article explores how the policies stipulated by HIPAA are shaping the practice of medicine and will likely affect your practice in the future.

 

HIPAA Security vs Innovation:

If you're a typical small-practice physician, odds are that you view HIPAA as simply another federally mandated cost of practising medicine, regardless of the intended outcome of the act. This position is understandable, given the cost of mandated training for you and your office staff. Furthermore, if your practice is computerised, then you'll need to spend even more money on software upgrades and possibly additional training from the vendor.

HIPAA rules and regulations are complex, in part because much of compliance is open to interpretation. For example, security issues, which are predominantly in the domain of software and hardware vendors, are based on “risk assessment,” not specific technology standards. The act doesn't stipulate specific technologies or endorse nationally recognised procedures, but leaves it up to the physician practice or medical enterprise to ensure that patient health data are secure. (HIPAA's security standards take effect on April 20, 2005, for all “covered entities” except small health plans However, because HIPAA enforcement is complaint-driven – there are no “HIPAA Police” checking to see that your practice meets the law's requirements – differences in interpretation of the act are likely to end up in a courtroom at some point. For this reason, some experts recommend assessment of HIPAA compliance by outside counsel.

Most physicians are understandably concerned with the immediate compliance issues surrounding HIPAA and privacy and confidentiality of patient data. Even though the security standards were designed to be “technology-neutral,” the vagaries of these requirements are having a direct impact on medicine beyond the acute phase of compliance, especially in the introduction of new technologies in the clinical arena. New technologies, from wireless to tablet PCs, bring with them added functionality, potential workflow enhancements, and efficiencies – as well as new HIPAA security compliance issues.

Consider, for example, the effect of HIPAA's privacy rules on a physician contemplating the purchase of a Palm Pilot or other PDA. Even late adopters have probably observed the benefit of PDAs. Need to share patient data? Just beam it across the infrared link from one PDA to the next. Need to review patient lab data? Just touch the screen and the data are only a second away.

But it isn't that simple once HIPAA enters into the picture. Now a PDA carrying patient data is a compliance concern, as HIPAA's privacy rule applies to all mediums of a patient's protected health information, whether it's print, verbal, or electronic. Does your PDA have a login and auto logout feature? If not, then anyone could take your PDA and look up patient data. Consider the liability issues if you forgot your PDA at a coffee shop and someone picked it up and scanned through your list of patients. But with a login screen, one of the major benefits of a PDA – instant access to data – is lost.

If you use one of the wireless PDAs, such as the BlackBerry, then there are additional HIPAA-related issues: Does your PDA support the encryption of email and patient data it sends over the Internet? Is the encryption enabled? Is the level of encryption good enough for HIPAA?

Perhaps you've been considering adding a wireless (WiFi) LAN to your clinic or practice. You may have good reason to; wireless will allow you to carry a laptop into examining rooms for decision support and not have to worry about Ethernet cords. But considering HIPAA, is your WiFi system secure? Is the data encryption good enough? If not, will you have to buy new PCs and PDAs, or simply upgrade the operating systems? Do you need to hire a consultant? Maybe it's easier to simply string cables to each office and forget about the laptop this year. Or maybe it would be better to hold off on the computer-assisted decision support project altogether.

Paradoxically, although proponents of HIPAA once thought that it would enhance the move toward the electronic medical record (EMR), I believe that it is having the opposite effect. Because of the uncertainty surrounding HIPAA compliance and whether the legal system will be swamped with cases alleging violations of privacy, it's simply safer for small practices to stay with paper charts, and let the big medical practices deal with the inevitable lawsuits.

This brings up another cost issue: Does your insurance cover a patient suit over HIPAA? If so, how inclusive is the insurance? For example, let's say your practice regularly sends digital audio files overseas for transcription. You send the audio files and receive text documents a day later. Do you know how the patient data are handled at the transcription service? If a transcriptionist overseas decides to protest his or her low wages by posting a transcription of your patient's clinic visit openly on the Web, are you liable? Will your insurer pay? This example isn't as far-fetched as it might seem. In October 2003, a disgruntled Pakistani transcriber threatened the University of California-San Francisco over back pay.[3] She threatened to post patients' confidential files on the Internet unless she was paid more money. To show that she was serious, she sent UCSF an unencrypted email with a patient record attached.

 

HIPAA, Privacy, and the Physician:

Whereas compliance with HIPAA's upcoming security requirements is largely in the purview of vendors and the information services department in most larger medical centres, privacy concerns are usually addressed at the physician level. Consider the major privacy provisions of the act, most of which took effect in April 2003, listed in the Table.

Major Privacy Components of HIPAA, Based on Data From the DHHS.

Implementing each of these privacy components falls squarely on you and your office staff. You, your office manager, or someone else in your practice must be designated the Privacy Officer and given the responsibility of ensuring compliance with the act. If you haven't already had at least 1 practice walk-through with the major privacy provisions, make sure you do so.

 

 

 
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Website Error Leads to Data Breach

Website Error Leads to Data Breach | HIPAA Compliance for Medical Practices | Scoop.it

An error in a coding upgrade for a Blue Shield of California website resulted in a breach affecting 843 individuals. The incident is a reminder to all organizations about the importance of sound systems development life cycle practices.


In a notification letter being mailed by Blue Shield of California to affected members, the insurer says the breach involved a secure website that group health benefit plan adminstrators and brokers use to manage information about their own plans' members. "As the unintended result of a computer code update Blue Shield made to the website on May 9," the letter states, three users who logged into their own website accounts simultaneously were able to view member information associated with the other users' accounts. The problem was reported to Blue Shield's privacy office on May 18.


Blue Shield of California tells Information Security Media Group that the site affected was the company's Blue Shield Employer Portal. "This issue did not impact Blue Shield's public/member website," the company says. When the issue was discovered, the website was promptly taken offline to identify and fix the problem, according to the insurer.


"The website was returned to service on May 19, 2015," according to the notification letter. The insurer is offering all impacted individuals free credit monitoring and identity theft resolution services for one year.


Exposed information included names, Social Security numbers, Blue Shield identification numbers, dates of birth and home addresses. "None of your financial information was made available as a result of this incident," the notification letter says. "The users who had unauthorized access to PHI as a result of this incident have confirmed that they did not retain copies, they did not use or further disclose your PHI, and that they have deleted, returned to Blue Shield, and/or securely destroyed all records of the PHI they accessed without authorization."


The Blue Shield of California notification letter also notes that the company's investigation revealed that the breach "was the result of human error on the part of Blue Shield staff members, and the matter was not reported to law enforcement authorities for further investigation."

Similar Incidents

The coding error at Blue Shield of California that led to the users being able to view other individuals' information isn't a first in terms of programming mistakes on a healthcare-sector website leading to privacy concerns.


For example, in the early weeks of the launch of HealthCare.gov in the fall of 2013, a software glitch allowed a North Carolina consumer to access personal information of a South Carolina man. The Department of Health and Human Services' Centers for Medicare and Medicaid Services said at the time that the mistake was "immediately" fixed once the problem was reported. Still, the incident raised more concerns about the overall security of the Affordable Care Act health information exchange site.


Software design and coding mistakes that leave PHI viewable on websites led to at least one healthcare entity paying a financial penalty to HHS' Office for Civil Rights.


An OCR investigation of Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, began in February 2009, following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

The investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information, according to an HHS statement. The investigation led to the healthcare practice signing an OCR resolution agreement, which included a corrective action plan and a $100,000 financial penalty.


The corrective action plan required the physicians practice, among other measures, to conduct arisk assessment and implement appropriate policies and procedures.

Measures to Take

Security and privacy expert Andrew Hicks, director and healthcare practice lead at the risk management consulting firm Coalfire, says that to avoid website-related mistakes that can lead toprivacy breaches, it's important that entities implement appropriate controls as well as follow the right systems development steps.


"Organizations should have a sound systems development life cycle - SDLC - in place to assess all systems in a production environment, especially those that are externally facing," he says. "Components of a mature SDLC would include code reviews, user acceptance testing, change management, systems analysis, penetration testing, and application validation testing."


Healthcare entities and business associates need to strive for more than just HIPAA compliance to avoid similar mishaps, he notes.

"Organizations that are solely seeking HIPAA compliance - rather than a comprehensive information security program - will never have the assurance that website vulnerabilities have been mitigated through the implementation of appropriate controls," he says. "In other words, HIPAA does not explicitly require penetration testing, secure code reviews, change management, and patch management, to name a few. These concepts are fundamental to IT security, but absent from any OCR regulation, including HIPAA."

Earlier Blue Shield Breach

About a year ago, Blue Shield of California reported a data breach involving several spreadsheet reports that inadvertently contained the Social Security numbers of 18,000 physicians and other healthcare providers.


The spreadsheets submitted by the plan were released 10 times by the state's Department of Managed Health Care. In California, health plans electronically submit monthly to the state agency a roster of all physicians and other medical providers who have contracts with the insurers. Those rosters are supposed to contain the healthcare providers' names, business addresses, business phones, medical groups and practice areas - but not Social Security numbers. DMHC makes those rosters available to the public, upon request.

more...
No comment yet.
Scoop.it!

HIPAA audits to resume soon

HIPAA audits to resume soon | HIPAA Compliance for Medical Practices | Scoop.it

Long-term care providers should get ready for the second round of HIPAA compliance audits this year, but the agency in charge of them is keeping mum about the exact date.

And while Health & Human Services' Office for Civil Rights (OCR) expects to single out only around 110 providers, long-term care facilities are being urged to begin preparations as soon as possible, Kelly McLendon, managing director of CompliancePro Solutions, said during a recent Health Care Compliance Association webinar. That includes performing security and risk analyses, updating privacy and security incident response plans and automating privacy and security investigation, tracking and management protocols, according to published reports.

The agency has not announced specifics yet, but the coming round of audits could focus heavily on HIPAA security and privacy risk management, breach notification and Notice of Privacy practices.

OCR was scheduled to do the audits last year but went idle because of funding problems. Providers are advised not to rely on audit protocols issued in 2012, the last time OCR performed audits, and watch for phase two protocols to be posted on the OCR website. Audits will likely begin about 90 days after posting, McLendon said.

The news will do little to help a Denver-area pharmacy that specializes in compounded medications for area hospice agencies, according to published reports. The business will have to pay $125,000 and take corrective measures after local media notified the OCR it allegedly disposed of unsecured documents in an unlocked, open container. The documents reportedly contained private health data on more than 1,600 patients.


more...
No comment yet.
Scoop.it!

4 keys to HIPAA audit prep

4 keys to HIPAA audit prep | HIPAA Compliance for Medical Practices | Scoop.it

With the delay of the Office for Civil Rights (OCR) HIPAA audits, organizations would be wise to not push compliance further down the priority list. Yet many are woefully unprepared for both data breaches and the audits, writes Mark Fulford, partner at LBMC Security & Risk Services in an article at Health IT and Security Review.


"If organizations let down their guard, they will become vulnerable to both data breaches and the OCR audits themselves when they inevitably arrive," he says. "And all indications are that the audits will bring an unprecedented level of scrutiny and enforcement to healthcare security."


Being chosen for an audit means submitting documentation of your organization's compliance. Yet HIPAA guidance isn't specific, he says, allowing you to explain your reasoning behind your security approach.

Among his recommendations:

  1. Conduct a risk assessment. Evaluate your organization before OCR does, making sure you have everything covered including servers, personal computers, mobile devices and more
  2. Document everything. Keep detailed records of your security measures and procedures, as well as your incident response plans
  3. Identify your business associates. Verify that these entities also maintain appropriate security
  4. Train your team and stay-up-to-date. Security is a team effort; ensure that your employees are trained to respond to phishing, social engineering, malware and other attacks.


Despite a proliferation of healthcare breaches and warnings from the Office of Civil Rights that it plans to crack down on organizations that don't effectively protect patient data, research from ProPublica found that few organizations actually have been fined for it.


However, that's expected to change. Privacy attorney Adam Greene said he's heard that OCR has pipeline of "unprecedented" settlements in the works.


An OCR attorney made a similar statement nearly a year ago. Jerome B. Meites, OCR chief regional counsel for the Chicago area, said the HIPAA enforcement actions over the past year would pale in comparison to the following 12 months.


more...
No comment yet.
Scoop.it!

Health system sees 7th HIPAA data breach

Health system sees 7th HIPAA data breach | HIPAA Compliance for Medical Practices | Scoop.it

How many breaches, how many compromises of patients' confidential medical information does it take before there are some questions asked of an organization and its security policies? One health system recently announced its seventh large HIPAA breach.

 
The 20-hospital St. Vincent health system in Indianapolis, part of Ascension Health, most recently notified 760 of its medical group patients that their Social Security numbers and clinicaldata was compromised in an email phishing incident. The breach, which was discovered by hospital officials back in December 2014, marked the seventh breach for the health system in a less than five years.
 
It wasn't until March 12, 2015, that officials said they discovered which patients were impacted by the breach, which involved the compromise of an employee's network username and password. 
 
"St.Vincent Medical Group sincerely apologizes for any inconvenience this unfortunate incident may cause," St. Vincent officials wrote in the patient notification letter. 
 
According to data from the Office for Civil Rights, which keeps track of HIPAA breaches involving 500 people or more, St. Vincent health system has been a repeat HIPAA offender. Its most recent breach, reported in July 2014, compromised the health data of 63,325 patients after a clerical error sent patients letters to the wrong patients. 
 
The health system has also reported two breaches involving the theft of unencrypted laptops, which collectively compromised the health data of 2,341 patients. 


more...
No comment yet.
Scoop.it!

HIPAA Privacy and Security Guidance Updated

HIPAA Privacy and Security Guidance Updated | HIPAA Compliance for Medical Practices | Scoop.it

The Office of the National Coordinator for Health IT this week released an updated version of its privacy and security guidance to help healthcare providers better understand how to integrate federal health information privacy and security requirements into their practices. The guidance was last published in 2011.


The new version of the guidance provides updated information about compliance with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements as well as the HIPAA Privacy, Security, and Breach Notification Rules.


Some of the areas covered in the new guidance include real-world application of how the HIPAA Privacy and Security Rules apply to a practice and the rules surrounding use and disclosure of private health information. The guidance also addresses “Meaningful Use” programs in more detail. Meaningful Use programs encourage health care organizations to adopt EHRs through a staged approach. Each stage contains core requirements that providers must meet.


Unlike the first guidance, which focused on Stage 1 privacy and security objectives, the updated version adds in core objectives for Stage 2 of the Meaningful Use program. Under Stage 2, providers must respond to patient requests regarding how their electronic health information is being handled.


The guidance also provides examples designed to assist providers in understanding whether someone is a business associate. These examples reflect changes made under the Health and Human Services Department’s Omnibus Rule, which makes contractors, subcontractors, and other business associates of healthcare entities that process health insurance claims liable for the protection of private patient information.


Additionally, the guidance outlines a seven-step approach for providers looking to create a security management process. Steps include selecting a team, documenting the process, developing an action plan, and managing and mitigating risk.

more...
No comment yet.
Scoop.it!

Why Understanding HIPAA Rules Will Help With ONC Certification

Why Understanding HIPAA Rules Will Help With ONC Certification | HIPAA Compliance for Medical Practices | Scoop.it

Understanding HIPAA rules will have far reaching benefits for covered entities. Not only will they be compliant in terms of keeping patient PHI secure, but it will also ensure that those facilities are able to adhere to other federal certification programs. With the push for nationwide interoperability, it is extremely important that organizations of all sizes understand how they can exchange information in a secure and federally compliant way.


Earlier this year, the Office of the National Coordinator (ONC) released its proposal for the 2015 Health IT Certification Criteria. The ONC said that it will “ensure all health IT presented for certification possess the relevant privacy and security capabilities.” Moreover, certified health IT will be more transparent and reliable through surveillance and disclosure requirements.


ONC Senior Policy Analyst Michael Lipinski spoke with HealthITSecurity.com at HIMSS last week, and broke down why understanding HIPAA rules will help covered entities on their way to compliance and with ONC certification.


The ONC certification program has certain capabilities that it certifies to, Lipinski explained, and the way the ONC set up its approach depends on what a facility is bringing forward to be certified.

“What we’ve always said about our privacy and security criteria is that it helps support compliance, but it doesn’t guarantee compliance with the HIPAA Privacy or Security rules,” Lipinski said. “Or even with meeting your requirements under the EHR incentive program.”


One complaint that the ONC has received in terms of information sharing is that covered entities claim they cannot exchange data because of HIPAA rules. However, that likely stems from a lack of understanding what the HIPAA Privacy and Security Rules actually entail, Lipinski said. If that misunderstanding of what HIPAA compliance actually is exists, it can make it more difficult for healthcare organizations to move forward.


“I think that issue is not so much a certification issue, because it’s about payment, treatment, and operations, and you can exchange for those reasons,” Lipinski said. “I think maybe what they found is that there are those instances where they could do it, and they’re making the misinterpretation that they could have done that for treatment and exchange that information.”


Healthcare facilities are using that as an excuse not to exchange, when under HIPAA they could have done so for payment, treatment or operations options, he added.


“It’s not so much in the wheelhouse of certification, but more like we said in the report that we would work with OCR and make sure there’s appropriate guidance and understanding of the HIPAA Privacy and Security rules so that hopefully that will enable more free flow of the information.”


That sentiment echoes what ONC Chief Privacy Officer Lucia Savage said about interoperability and the future of information sharing for healthcare. In a HIMSS interview Savage explained that HIPAA supports information sharing, but that support depends on the decisions made by healthcare providers.


However, a difficult aspect of creating nationwide interoperability will be in relation to state law and state policies on health IT privacy, Savage said, mainly because states have diverse rules.


“That’s a very long dialogue, and has a very long time frame in where we can accomplish what we want to accomplish,” Savage said. “I think people are concerned about that.”


more...
No comment yet.
Scoop.it!

ONC issues new privacy, security handbook

ONC issues new privacy, security handbook | HIPAA Compliance for Medical Practices | Scoop.it

During the HIMSS15 annual conference in Chicago last week, the Office of the National Coordinator for Health IT announced the release of a new and improved guide for securing electronic health information that hospitals, providers and business associates can integrate into their practice.

How to comply with MU security requirements, questions you should ask your health IT vendors and everything from cybersecurity and HIPAA to action plans and checklists are among the big highlights.
 
Many useful tips, permitted use cases, compliance requirements and HIPAA explanations have been added since the last update, four years ago.
 
The guide, as ONC Chief Privacy Officer Lucia Savage explained in a blog post, has been revised to include new "practical information" on topics such as cybersecurity, encryption, patient access and HIPAA privacy and security rules in action. The revised version also include information on compliance with the EHR Incentive Programs' security requirements.
 
And for those looking for more guidance on what questions to ask your health IT vendors, look no further.
 
The handbook "also offers suggested questions providers may want to ask their health IT developers or EHR companies so they can be confident that the systems they buy and use will meet their privacy and security needs," Savage explained.
 
Top of this list are questions such as: "How does my backup and recovery system work? How often do I test this recovery system? How much remote access will the health IT developer have to my system?" and "How much of the health IT developer's training covers privacy and security awareness, requirements and functions?"
 
According to a new Verizon data breach report that analyzed the healthcare vertical, physical theft or loss accounted for the lion's share, some 26 percent, of security incidents by pattern. Another 20 percent of security incidents were due to insider privilege and insider misuse; "miscellaneous errors" accounted for 19 percent. Other patterns noted in the report for the healthcare vertical were upticks in DoS and Web app attacks, at 9 percent and 7 percent respectively. 


more...
No comment yet.
Scoop.it!

Could Big HIPAA Settlements Be Coming?

Could Big HIPAA Settlements Be Coming? | HIPAA Compliance for Medical Practices | Scoop.it

Federal regulators will likely announce a number of eye-popping financial settlements for HIPAA violations later this year as a result of breach investigations, predicts privacy attorney Adam Greene.

So far this year, the Department of Health and Human Services' Office for Civil Rights hasn't revealed any HIPAA settlement agreements with covered entities or business associates. But in an interview with Information Security Media Group during the HIMSS 2015 conference in Chicago, Greene predicts a big change in the second half of the year.


"We've heard anecdotally that [OCR] has a significant pipeline of unprecedented settlement agreements, meaning particularly high amounts [of financial penalties] and a particularly large number," says Greene, who formerly worked at OCR. "So it wouldn't be surprising for us to start seeing in the latter part of this year some really surprising settlement agreements with respect to potential record-breaking [financial penalties]. I think the delay, this gap in settlement agreements, relates to the change in leadership at OCR and for that new leadership to get settled in."


Last July, Jocelyn Samuels was named the new director of OCR. Samuels, who was formerly acting assistant attorney general for the Civil Rights Division at the U.S. Department of Justice, replaced Leon Rodriguez, who was named director of U.S. Citizenship and Immigration Services, a unit of the Department of Homeland Security.

In 2014, OCR announced six resolution agreements involving monetary penalties for cases involving violations of HIPAA. The biggest enforcement action was in May 2014, when OCR announced a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University. That case involved a breach of unsecured patient data on a network, affecting about 6,800 patients.


As for potential OCR settlements with business associates, who became directly liable for HIPAA compliance under the HIPAA Omnibus Rule, Greene doesn't expect OCR action until next year.

"We see that [the time between] an actual [HIPAA] incident happening and an actual settlement agreement tends to be two to three years. And business associates were not being held liable by HHS for [HIPAA] compliance until September 2013," he notes. "So it seems that if you had a breach by a business associate at the end of 2013, that could lead to an investigation of the business associate ... and we could see the fruition of that investigation by the end of this year, but more likely next year."


In the interview, Greene also discusses:


  • What's likely to come next in OCR's plans for a permanent HIPAA compliance audit program, which has been on hold since 2012;
  • The OCR enforcement activities that organizations should be most worried about;
  • Why the Centers for Medicare and Medicaid Services is proposing to lower the requirements for patients electronically accessing their health records in Stages 1 and 2 of the HITECH Act "meaningful use" financial incentive program for electronic health records.


As a partner at the law firm Davis Wright Tremaine LLP in Washington, Greene specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.

more...
No comment yet.
Scoop.it!

HIPAA Compliance Tips for Mobile Data Security 

HIPAA Compliance Tips for Mobile Data Security  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance Tips for Mobile Data Security

Nearly 4 out of 5 healthcare providers use a mobile device for professional purposes. These numbers continue to rise as healthcare organizations place an increased focus on efficiency and productivity. (1) Although mobile devices are incredibly efficient and convenient, they also harbor measurable risks for data breach and the exposure of protected health information (PHI).

 

Mobile devices are often more susceptible to theft because they lack the appropriate security controls. In fact, mobile device malware infections have surged 96% from 2015 to 2016. (2)  To avoid hefty penalties and the risk of a data breach, healthcare organizations must develop and implement mobile device procedures and policies that will protect the patient’s health information.

 

Below are five recommendations from HHS (The Department of Health and Human Services) that organizations can take to help manage mobile devices in the healthcare setting:

 

  1. Understand the risks before allowing the use of mobile devices- Decide whether healthcare providers or medical staff will be permitted to use mobile devices to access, receive, transmit, or store patients’ health information or if they will be used as part of the organization’s internal network or systems, such as an electronic health record system.
  2. Conduct a risk analysis to identify threats and vulnerabilities- Consider the risks to your organization when permitting the use of mobile devices to transmit health information Solo providers may conduct the risk analysis on their practice, however, those working for a large provider, the organization may conduct it.
  3. Identify a mobile device risk management strategy, including privacy and security safeguards- A risk management strategy will help healthcare organizations develop and implement mobile device safeguards to reduce risks identified in the risk analysis. Include the evaluation and regular maintenance of the mobile device safeguards put in place.
  4. Develop, document, and implement mobile device policies and procedures to safeguard health information. Some topics to consider when developing mobile device policies and procedures are:
    1. Mobile device management
    2. Using your own device
    3. Restrictions on mobile device use
    4. Security or configuration settings for mobile devices
  5. Conduct mobile device privacy and security awareness and ongoing training/education for providers and professionals.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

9 keys to having a HIPAA-compliant cloud

9 keys to having a HIPAA-compliant cloud | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organizations are increasingly open to the idea of using public cloud services, whether it be applications or infrastructure. But to do so requires thorough planning and vigilant execution of IT operations.

 

Chris Bowen, founder and chief privacy and security officer for ClearDATA, a company that helps healthcare organizations use public cloud services, provides nine examples of controls that can be put in place. 

 

  1. Implement audit controls: Use tools such as AWS’ Cloudtrail and S3 buckets as key components of a logging infrastructure.
  2. Review system activity: Leverage audit logs to enable the review of activity within your system.
  3. Identity and Access management control: Keep track of every user who logs into a cloud environment and what they do; alert administrators if settings are changed. 
  4. Disaster recovery: Ensure there are backups of all data to satisfy contingency plan requirements, including emergency mode operation.
  5. Evaluate your security posture: Conduct vulnerability scans, penetration tests, and code scan on systems processing Personal Health Information (PHI).
  6. Establish a proper Business Associate Agreement: Outline key responsibilities between you and your vendors. These should address responsibilities for keeping data safe, how to provide patients with access to their data, and what to do in the case of a data breach.
  7. Access Controls: Ensure users are unique and logged. Enable auto logoff features, robust authentication features, and stateful security groups.
  8. Encrypt PHI and other sensitive data: Encrypt all data in motion and in rest using a purpose-designed approach.
  9. Ensure transmission security: Effectively enable the proper encryption of data in transit using AES 256 encryption (SSL and TLS) as well as object keys where feasible.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA as an umbrella for county/municipal cybersecurity

HIPAA as an umbrella for county/municipal cybersecurity | HIPAA Compliance for Medical Practices | Scoop.it

Are you a covered entity?

Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.

 

How do you know if you have or are a CE? If some department or division within your organization is a health care provider, a health plan or a health care clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), health care clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.

Are you in compliance?

If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.

 

In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?

 

I suspect what often happens is that executives look at something like information security policy requirements and say:

This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.

 

What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.'

Trust but verify

There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances, and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.

Extend HIPAA to your enterprise

If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that level while also getting compliant with federal law.

 

Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted good practices.

Develop your policy with the HIPAA Security Rule

There are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.

The original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards; Final Rule, is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix on page 48 (8380 of the federal register).

The security standards in HIPAA are broken down into three sections, each of which has multiple layers and subcomponents:

  • Administrative Safeguards (9 components)
  • Physical Safeguards (4 components)
  • Technical Safeguards (5 components)

 

These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.

 

Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.

 

These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.

Next Steps

1. Find out where your organization stands in terms of information security policies and procedures.

2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?

3. Meet with your IG committee to discuss your findings.

4. If you don’t have an IG committee — start one!

5. Download and review the HIPAA Security Rule. Use it to build your organization’s information security policies.

6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintaining continuous improvement.

7. Begin building a culture of security in your organization.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

A Doctors Guide to HIPAA Compliance in 2017

A Doctors Guide to HIPAA Compliance in 2017 | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance in 2017 is a key issue that many doctors are focussed on.

Since 1996, the The Health Insurance Portability and Accountability Act has been in place, giving physicians and their teams reasons to guard their patient privacy closely.

Depending upon the type of the breach, physicians can be liable for between $100 to $50,000 for each violation. The maximum HIPAA Violation is $1.5 million for identical provisions during a calendar year. Some HIPAA violations can lead to imprisonment in extreme circumstances. This is why HIPAA compliance in 2017 is such an important factor for doctors.

To ensure that your practice has effective HIPAA compliance in 2017, here are 5 steps to follow:

1) Correct Sharing of Patient Information

If your staff discuss patients’ names, addresses and or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or change of address in private. Also, create a quiet place for phone calls to occur. Even if you’re just calling a patient to setup or confirm an appointment, it is better to do this in a private area if possible.

2) Secured Paper Files

While paper charts are slowly becoming a relic, it is important that past files are stored securely.  Doctors who have moved to using an EHR for all patient records may still have old patient files that need to be transferred. Once converting from paper documents to electronic format is complete, be sure to shred any patient records before you dispose of them.

If your medical practice still uses paper documents, be sure not to leave them in unsecured or unattended areas. This includes charts, paperwork and forms that patients bring in from other practices that they are filed and stored securely.

3) Encrypted Emails

Never underestimate the importance of email encryption, even for seemingly innocent files. The use of non-encrypted email services, such as gmail, outlook, yahoo and other well known email services can cause a risk of hackers being able to access your information. For this reason, you should consider an encrypted email or file sharing service for pertinent patient information.

When sending bulk emails to patients, or many emails in a row, it is easy to overlook the address it is being sent to. You can put patients at risk and you can lose their trust, simply because you didn’t double-check your recipient address or an email attachment.

This is one of those areas where slow, steady careful checking pays off.

4) HIPAA Secured Patient Portals

If you use or are considering creating a patient portal, ensure it has secure login compliance. Any personal patient information should not be easily accessible without a username and password.

If sharing information with family members of patients, be sure to get written authorization from the patient first. A good practice is to require identity verification for password reminders. You can also remind patients to access their patient portal when they have a secure internet connection (i.e. not in public places).

5) Ensure your Telemedicine platform is HIPAA compliant

Some doctors have considered using Skype or Facetime to communicate with patients. While they are great free platforms for video chat, the reality is the weren’t designed to be HIPAA-compliant.

The challenge is that even though a doctor can ensure their Internet connection is secure, there is very little they can do to make sure everything is secure on the the patient’s receiving end.

Another alternative is to ensure the is a Business Associate Agreement in place. The same issues arise with security for text messaging, so be sure to use HIPAA compliant texting tools here as well. The solution here is to ideally use a HIPAA compliant application designed for Telemedicine.

Doctors may have several HIPAA violations without getting fined, but that doesn’t mean it isn’t a negative for your practice. Having HIPAA Compliance in 2017 is as important as it has been for the past 20 years.

When doctors treating patient information caution they can and enjoy the peace of mind that comes with being HIPAA compliant.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Why HIPAA Compliance Need Security Risk Analysis?

Why HIPAA Compliance Need Security Risk Analysis? | HIPAA Compliance for Medical Practices | Scoop.it

There are many important elements to implementing an effective HIPAA Program, but none are more important than completing a security risk analysis. Conducting a risk analysis will give your practice an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of your electronic protected health information.

Completing a security risk analysis is a required element. This means that most specifications must be evaluated and if applicable, implemented, in order to achieve compliance with the Security Rule. It is important to remember that certain specifications in the risk analysis are considered addressable, meaning it is up to the covered entity to determine (in writing) if the specification is a “reasonable and appropriate” safeguard for its environment, taking into consideration how it will protect ePHI.

According to the Security Rule, your security risk analysis should be broken down into the implementation of 3 categories of electronic protected health information safeguards: Administrative, Physical and Technical. The following is an overview of each category, including differentiation between those specifications that are required and those that are addressable.

ADMINISTRATIVE SAFEGUARDS

Administrative safeguards are administrative actions and functions to manage the security measures in place that protect electronic protected health information. Administrative safeguards must state how the covered entity will conduct oversight and management of staff members who have access to, and handle ePHI. Administrative safeguards include:

  • Risk Assessment (R)
  • Sanctions Policy (R)
  • Information System Activity Review (R)
  • Security Officer Assignment (R)
  • Security Awareness and Training (A)
  • Security Incident Procedures (R)
  • Disaster Recovery and Data Backup Plan (R)
  • Periodic Security Evaluations (R)
  • Business Associate Contracts (R)

 

PHYSICAL SAFEGUARDS

Physical safeguards are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards and unauthorized intrusion. It includes restricted access to ePHI and retaining off-site computer backups. Applying physical safeguards means establishing:

  • Facility Access Controls (A)
  • Workstation Use and Controls (R)
  • Device and Media Controls (R)

 

           

TECHNICAL SAFEGUARDS

Technical safeguards are the automated processes used to protect and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted. Technical Safeguards are:

  • Unique User Login (R)
  • Emergency Access Procedures (R)
  • Automatic Logoff (A)
  • Encryption and Decryption (A)
  • Audit Controls (R)
  • Authentication of Integrity of ePHI (A)
  • Authentication of Person or Entity (R)
  • Transmission Security (A)

Completing your security risk analysis is not only an essential component of your HIPAA program, but it will enable you to identify and rectify any risks and vulnerabilities to the access and confidentiality of your electronic protected health information. The results of your risk analysis will be used to determine the appropriate security measures to be taken. Be sure and revaluate your risk analysis periodically, especially if there have been any known or suspected threats to your security program.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Bill Altering HIPAA Privacy Rule Advances

Bill Altering HIPAA Privacy Rule Advances | HIPAA Compliance for Medical Practices | Scoop.it

An amended version of the bipartisan 21st Century Cure bill, which aims to advance medical innovation, has passed its first Congressional hurdle without any revisions to controversial provisions that propose to make significant changes to the HIPAA Privacy Rule.


In addition to the privacy provisions, the bill calls for penalizing vendors of electronic health records and other health IT systems that fail to meet standards for interoperable and secure information exchange. Plus, the bill also contains provisions for potential civil monetary penalties against healthcare entities that inappropriately block information sharing.


The House Energy and Commerce's health subcommittee on May 14 approved a 302-page "markup," or amended, version of the 21st Century Cure bill that was first unveiled on April 29 and forwarded it to the full committee for the next round of work on the legislation. The full committee is expected to prepare its markup of the bill next week.


The version of the bill approved by the subcommittee proposes that the Secretary of Health and Human Services would "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.

Under the current HIPAA Privacy Rule, PHI is allowed be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If the proposed provision in the draft legislation is signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if covered entities or business associates, as defined under HIPAA, are involved.


That provision - as well as many others in the bill - aim to help fuel more speedy research development and availability to patients of promising medical treatments and devices, in part, by removing barriers. But some privacy advocates are opposed to the HIPAA-related provisions because of the potential of watering down patient control over how sensitive health information is used or disclosed.

"This legislation will bring into the public forum the question of whether the road to developing the 21st century advances in healthcare requires removing individual choice and control in how health information is disclosed and whether [individuals] have a say when their treatment information is sold by healthcare providers, insurers or the business associates who have access to this information," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.


If the legislation is signed into law with the existing proposals related to the use and disclosure of PHI for research purposes, healthcare entities and business associates would need to change their policies related to how they handle PHI.


"If the bill is enacted, it will not place additional responsibilities on covered entities and business associates. Rather, it will provide them with greater flexibility to use and disclose protected health information for research," says privacy attorney Adam Greene, partner at law firm Davis Wright Tremaine. "Covered entities and business associates who seek to take advantage of these changes would need to revise their policies and procedures accordingly." For instance, some covered entities also may need to revise their notices of privacy practices if their notices get into great detail on research, Greene notes.

New Burdens?

Legislation that requires significant changes to the HIPAA privacy regulations could result in "significant administrative hurdles and burdens," Holtzman says.


"For example, if there would be significant changes to when healthcare providers and health plans can use or disclose PHI, they would be required under existing regulations to update their notices of privacy practices," he says. "As we saw with the implementation of the Omnibus Rule in 2013, there are significant costs in developing and distributing the notices."


If the legislation is approved, it could take some time for the privacy changes to affect healthcare providers and business associates.

"If the bill is passed into law - always a big if - it provides HHS with a year to implement the law through regulations," Greene notes. "Realistically, though, it may take far longer before HHS is able to publish a final rule."

Info Exchange Blocking Provisions

In addition to proposing less restrictive rules for healthcare entities to use or disclose PHI for research purposes, as part of the aim to remove various barriers to medical innovation, the 21st Century Cures legislation also promotes electronic health record interoperability and secure data transfer and discourages so-called "information blocking" that prevents patient data from being shared.


The bill calls for the Department of Health and Human Services to develop methods to measure whether EHRs and other health information technology are interoperable, and authorizes HHS to penalize EHR vendors with decertification of their products if their software fails to meet interoperability requirements.


Under the HITECH Act financial incentive program for "meaningful use" of EHRs, participating healthcare providers must attest to using software that has been certified as meeting ONC's criteria. Under the proposed bill, HHS would be able to "decertify" software that fails to meet interoperability requirements.


"Health information interoperability is fundamental to advancing healthcare," said Rep. Gene Green, D-Texas, during the May 14 house subcommittee markup hearing for the bill. The legislation provides HHS' Office of the National Coordinator for Health IT "the tools to hold EHR vendors accountable for interoperability," noted Rep. Doris Matsui, D-Calif.


But it's not just vendors that can be penalized under enforcement provisions of the bill. The measure also would allow HHS to impose civil monetary penalties on healthcare providers that engage in inappropriate blocking of information sharing.


ONC last month issued a report to Congress about information blocking by technology vendors and healthcare providers, noting that organizations sometimes intentionally and unreasonably block patient data from being shared. In some cases, the players are inappropriately invoking HIPAA privacy and security concerns, the report said.

A Congressional source tells Information Security Media Group that the bill doesn't specify dollar figures for the potential civil monetary penalties. Rather, the amounts would follow "current parameters" for other enforcement activities at HHS' Centers for Medicare and Medicaid Services and Office of Inspector General.


more...
No comment yet.
Scoop.it!

How Rush Medical Stays HIPAA Compliant, Uses Cybersecurity

How Rush Medical Stays HIPAA Compliant, Uses Cybersecurity | HIPAA Compliance for Medical Practices | Scoop.it

Staying HIPAA compliant is not always an easy task, especially as new technological options develop, such as cloud computing, mobile devices, and EMRs.


Rush University Medical Center has altered its cybersecurity measures over the last few years in order to keep pace with changing technologies. However, Rush VP of IT Operations and Associate CIO Jaime Parent told HealthITSecurity.com that even with new systems, the facility works hard to stay HIPAA compliant and keep all employees educated.


HealthITSecurity.com: Tell me a little about Rush Medical’s approach to cybersecurity. What steps have been taken over the last few years to ensure patient data security?


Jaime Parent: Over the last several years our threat protection has moved from reactive to proactive. Gone are the days where a standard firewall, anti-viral software, and anti-spam software, offer adequate protection. Today’s threats are much more sophisticated and now include ransomware and network exploits. Organizations must be agile, dynamic, flexible and adaptable. With the onset of zero day viruses and latency threats such as Heartbleed, new threats require new ways of thinking in cybersecurity.


I would say the only thing that’s consistent with protection strategies used five years ago would be the continuing need for end user education. Social engineering is still the largest vulnerability for any organization.


HITS.com: That ties into employee education as well, right?


JP: Employee education and awareness is a vital part of any comprehensive cybersecurity plan.  At Rush, we have patients, staff, faculty, students and visitors – a very difficult environment to manage and protect. We have to be cognizant of the security parameters that need to be in place to protect the network, even though we may have non-Rush assets on our public network. Our awareness campaign is called “ICARE/IProtect,” and it is both comprehensive and easy to understand. Making everyone vigilant goes a long way.


HITS.com: Have mobile devices been one of the greater challenges in staying HIPAA compliant?


JP: In addressing mobile device security, we take into account the user experience. Rush’s systems are configured in a way that promotes centralize storage and discourages local data storage. We also moved to encrypted USB drives and laptops.


Nobody wants to be the victim of a breach, but with the proper tools and awareness, users know how to protect their data and they learn to avoid phishing scheme. Preventing that click is extremely important.

HITS.com: How do large-scale data breaches, like Anthem and Premera, affect your privacy and security measures, if at all?


JP: We try to learn from these experiences. After these events, the question I get asked most often is – could this thing happen to us? And the short answer is that there really is no 100 percent ironclad way to keep all threats out. But, if you remember to address the basics, the latest anti-viral updates, patch management, user education, etc., you have the best combination in place to avoid being a victim.


HITS.com: What are some of the key privacy and security focal points for providers in 2015?


JP: Be proactive rather than reactive. Invest in smart technologies that work best for your organization. Patch aggressively. Deploy the latest updates. Finally, educate your users who continue to be vulnerable in this dynamic environment.


HITS.com: In terms of privacy and security, what do you think the current outlook is for the healthcare industry?


JP: In my personal opinion, the bad guys are winning right now. The digital age is here and not everyone thinks about security. Breaches are on the rise. It wasn’t too long ago that medical records were locked in the basement somewhere relatively inaccessible. Now, this information is at your fingertips on devices where some users may not even use a password. The genie is out of the bottle and it’s going to stay out of the bottle for a long time. Healthcare will continue to be a target.


HITS.com: After the Anthem data breach in particular, many people were upset over the notification process. In your opinion, how important is the aftermath of a data breach?


JP: Our first thoughts are always with the patient. That’s just our approach. Organizations should always take the appropriate steps to notify patients as soon as possible. At Rush, we cherish our patients and the relationships we have throughout the city of Chicago. Patient care and safety are at the core of what we do – our patients deserve nothing less.


more...
Quensetta Adams's curator insight, April 28, 2015 9:55 PM

Hipaa needs loud computing, mobile devices, and EMRs; let's add IoT!

Scoop.it!

Stage 3 Meaningful Use: Breaking Down HIPAA Rules

Stage 3 Meaningful Use: Breaking Down HIPAA Rules | HIPAA Compliance for Medical Practices | Scoop.it

CMS released its Stage 3 Meaningful Use proposal last month, with numerous aspects that covered entities (CEs) need to be aware of and pay attention to. While the proposal has a large focus on EHR interoperability, it continues to build on the previously established frameworks in Stage 1 and Stage 2 – including keeping patient information secure.


HIPAA rules and regulations cannot be thrown out the window as CEs work toward meeting meaningful use requirements. We’ll break down the finer points of Stage 3 Meaningful Use as it relates to data security, and how organizations can remain HIPAA compliant while also make progress in the Meaningful Use program.


Stage 3 further protects patient information


One of the top objectives for Stage 3 Meaningful Use is to protect patient information. New technical, physical, and administrative safeguards are recommended that provide more strict and narrow requirements for keeping patient data secure.


The new proposal addresses how the encryption of patient electronic health information continues to be essential for the EHR Incentive Programs. Moreover, it explains that relevant entities will need to conduct risk analysis and risk management processes, as well as develop contingency plans and training programs.


In order to receive EHR incentive payments, covered entities must perform a security risk analysis. However, these analyses must go beyond just reviewing the data that is stored in an organization’s EHR. CEs need to address all electronic protected health information they maintain.


It is also important to remember that installing a certified EHR does not fulfill the Meaningful Use security analysis requirement. This security aspect ensures that all ePHI maintained by an organization is reviewed.  For example, any electronic device – tablets, laptops, mobile phones – that store, capture or modify ePHI need to be examined for security.

“Review all electronic devices that store, capture, or modify electronic protected health information,” states the ONC website. “Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.”


It is also important to regularly review the existing security infrastructure, identify potential threats, and then prioritize the discovered risks. For example, a risk analysis could reveal that an organization needs to update its system software, change the workflow processes or storage methods, review and modify policies and procedures, schedule additional training for your staff, or take other necessary corrective action to eliminate identified security deficiency.

A security risk analysis does not necessarily need to be done every year. CEs only need to conduct one when they adopt an EHR. When a facility changes its setup or makes alterations to its electronic systems, for example, then it is time to review and make updates for any subsequent changes in risk.


Stage 3 works with HIPAA regulations


In terms of patient data security, it is important to understand that the Stage 3 Meaningful Use rule works with HIPAA – the two are able to compliment one another.


“Consistent with HIPAA and its implementing regulations, and as we stated under both the Stage 1 and Stage 2 final rules (75 FR 44368 through 44369 and 77 FR 54002 through 54003), protecting ePHI remains essential to all aspects of meaningful use under the EHR Incentive Programs,” CMS wrote in its proposal. “We remain cognizant that unintended or unlawful disclosures of ePHI could diminish consumer confidence in EHRs and the overall exchange of ePHI.”

As EHRs become more common, CMS explained that protecting ePHI becomes more instrumental in the EHR Incentive Program succeeding. However, CMS acknowledged that there had been some confusion in the previous rules when it came to HIPAA requirements and requirements for the meaningful use core objective:


For the proposed Stage 3 objective, we have added language to the security requirements for the implementation of appropriate technical, administrative, and physical safeguards. We propose to include administrative and physical safeguards because an entity would require technical, administrative, and physical safeguards to enable it to implement risk management security measures to reduce the risks and vulnerabilities identified.


CMS added that even as it worked to clarify security requirements under Stage 3, their proposal was not designed “to supersede or satisfy the broader, separate requirements under the HIPAA Security Rule and other rulemaking.”


For example, the CMS proposal narrows the requirements for a security risk analysis in terms of meaningful use requirements. Stage 3 states that the analysis must be done when CEHRT is installed or when a facility upgrades to a new certified EHR technology edition. From there, providers need to review the CEHRT security risk analysis, as well as the implemented safeguards, “as necessary, but at least once per EHR reporting period.”


However, CMS points out that HIPAA requirements “must assess the potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization creates, receives, maintains, or transmits” in all electronic forms.


Working toward exchange securely


The Stage 3 Meaningful Use proposal encourages CEs to work toward health information exchange and to focus on better health outcomes for patients. As healthcare facilities work toward both of these goals, it is essential that health data security still remains a priority and that PHI stays safe.


While HIPAA compliance ensures that CEs avoid any federal fines, it also ensures that those facilities are keeping patient information out of the wrong hands. The right balance needs to be found between health information security and health information exchange.


more...
No comment yet.
Scoop.it!

ONC Updates its Privacy and Security Guide

ONC Updates its Privacy and Security Guide | HIPAA Compliance for Medical Practices | Scoop.it

Last week during the annual Healthcare Information and Management Systems Society (HIMSS) conference, the Office of the National Coordinator for Health IT (ONC) published a revised version of its “Guide to Privacy and Security of Electronic Health Information.”

In the foreword of the guide, ONC says that its intent is to help healthcare providers ―especially Health Insurance Portability and Accountability Act (HIPAA) covered entities (CEs) and Medicare eligible professionals (EPs) from smaller organizations―better understand how to integrate federal health information privacy and security requirements into their practices. The new version of the guide provides updated information about compliance with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements as well as the HIPAA Privacy, security, and breach notification rules, says ONC.


In a blog post from Lucia Savage, chief privacy officer, ONC, she says that this is the first step towards fulfilling the commitment the federal agency made in its Interoperability Roadmap— helping individuals, providers, and the health and health IT community better understand how existing federal law, HIPAA, supports interoperable exchange of information for health.


According to Savage’s post, “the guide includes practical information on issues like cybersecurity, patient access through certified electronic health record technology (CEHRT), and other EHR technology features available under the 2014 Edition Certification rule. The guide also includes new, practical examples of the HIPAA privacy and security rules in action, to help everyone understand how those rules may impact their businesses and the people they serve.”


The guide additionally offers: many scenarios for anyone who has struggled to understand when someone is or is not a business associate; provides information about when a provider (or any HIPAA-covered entity) is permitted to exchange information about an individual for treatment, payment, or healthcare operations without being required to have the individual sign a piece of paper before the exchange occurs; and provides practical tips and information about security, Savage said.


more...
No comment yet.
Scoop.it!

Is the HIPAA Security Rule Doing Enough for Healthcare?

Is the HIPAA Security Rule Doing Enough for Healthcare? | HIPAA Compliance for Medical Practices | Scoop.it
The HIPAA Security Rule created a national set of security standards designed to protect certain health information, either held or transferred in electronic form. However, technology has continued to evolve, and one healthcare security expert claims that a complete reboot of the Security Rule might be necessary to ensure the protection of sensitive healthcare data.

CynergisTek, Inc. co-founder and CEO Mac McMillan spoke with HealthITSecurity.com at HIMSS last week about the Security Rule, recent data breaches, and what healthcare organizations need to be prepared for in 2015.mac-mcmillan-photo

McMillan, who is also the Chair of the HIMSS Privacy & Security Policy Task Force, said that one of the big issues currently is vendor security management, and firms ensuring they have a strong grip on their vendors. It is also important for facilities to ensure that they have a handle on mobile devices, as well as the proliferation of devices between mobile, wearables, and other new technologies.

“If you’re a CIO today, you’ve got stuff coming to you from every direction,” McMillan said. “Everybody’s got a gadget, everybody has something they want to put on the network, and literally everything they have goes on the network or communicates with the network. And security and privacy are not always first and foremost in the developer’s mind when they’re developing the next greatest thing for some clinical purpose.”

Because of that, CIOs need to ensure that they implement things in a smart way, and stay ahead of the latest trends or they will be playing catch up instead.

Healthcare security, data breach prevention measures

Encrypting mobile media and mobile devices is also becoming more common, which McMillan says is definitely progress.

“More people are figuring out that if they’re going to let data go out there, they need to do a better job protecting that information,” he said.

More covered entities are also conducting risk assessments and takin the time to understand where their risk actually lies, McMillan added, which is a positive thing because “knowledge goes a long way.”

“We’re seeing more and more people begin to test their environments, which is also good,” McMillan said. “That means actually performing technical testing of their controls in the environment.”

Moreover, outsourcing security is also becoming more common. Facilities are becoming more aware of what privacy and security measures they’re capable of doing well, and also which measures they’re not capable of doing well, he said. Healthcare organization leaders realize that potentially solving certain security problems is not something they can always do on their own.

The push toward interoperability

There has been a large push recently toward interoperability, and the Office of the National Coordinator (ONC) also released an updated privacy and security guide on how covered entities can properly integrate the right privacy and security measures.

In general, McMillan said that he does not believe that security is an impediment for covered entities when it comes to information sharing. However, he added that it could be an issue in certain cases. For example, if a facility does not feel that another organization has security at a level that is equal to its own, then it might be reticent about sharing the data.

“In most cases, they have no clue what the other guy has with respect to security,” McMillan said. “Part of the reason for that is that we don’t have a common standard for what security means.”

Calling back to when he worked in various defense agencies, McMillan explained that the Department of Defense found itself in a similar situation in terms of sharing information. Different agencies were starting to connect together, and it was difficult to pinpoint what the security was like at another agency.

One of the things that had to happen was create “the definition of a trusted environment,” he said, meaning there was a certain level of security that everyone had to be able to demonstrate. That way, organizations knew that there were certain things other agencies had to do because it was the same things they had to undertake.

“In healthcare today, we don’t have that,” McMillan said. “There’s nothing in healthcare that says you have to maintain your environment at the same level of security controls respect that another facility uses to maintain theirs.”

Part of the interoperability program that the ONC should be promoting is addressing the fundamental baseline for security. That baseline then says that in order for an organization to have a truly interoperable system and connect to others in a trusted relationship, certain security features must be part of its architecture. However, McMillan said that trust is key before a facility feels good about sharing its information.

Key takeaways from large scale health data breaches

After the Anthem data breach and Premera data breach, healthcare privacy measures and the data breach notification process have been pushed into the public’s eye. McMillan was quick to say that neither organization is a “poster child for what somebody did wrong,” and that the issue wasn’t that they didn’t necessarily have adequate security. Rather, what happened to Anthem and Premera could have happened to anybody, especially in the healthcare industry.

“We need to do a better job of being able to detect and react to incidents,” McMillan said. “People should take away that even with all the money in the world, even large organizations that probably have large security budgets or spend a lot of money on security and are trying to do it right [can have problems].”

Moreover, the right cyber attacker who has the necessary knowledge, motivation, and right amount of time will succeed nine out of 10 times, he said, adding that that’s what happened to Anthem and Premera. Healthcare needs to do a better job of detecting what’s going on in the environment, and do a better job of monitoring what’s going on, he said.

“The bottom line that those incidents taught us is that we need to step our game up with respect to how we address security,” McMillan said. “Just approaching security from a HIPAA compliance perspective is no longer effective. It never was to begin with, but it’s even less today.”

McMillan added that the HIPAA Security Rule has not changed since its final version was produced in 2003. However, security frameworks, such as the one at the National Institute of Standards and Technology (NIST), continue to go through revisions.

“We’re behind,” McMillan said. “Basically what we really need to do is scrap the HIPAA Security Rule and just let organizations select the framework that they want to work with, whether it’s NIST, whether it’s ISO, but a legitimate framework. From there, they build their program and we hold them accountable for protecting the data.”

McMillan added that NIST has come out with guidelines for mobile devices and cloud security, among others. Neither of those topics were addressed in the HIPAA Security Rule, he said.

“The problem is HIPAA is antiquated,” McMillan said. “It’s behind the times and we need to take a new approach.”
more...
No comment yet.
Scoop.it!

HIPAA Privacy and Security and Workplace Wellness Programs

HIPAA Privacy and Security and Workplace Wellness Programs | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules (the HIPAA Rules) protect individuals’ identifiable health information held by covered entities and their business associates (called “protected health information” or “PHI”).  Covered entities under HIPAA are health care clearinghouses, health plans, and most health care providers.  Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve access to PHI.

The Privacy Rule, among other things, regulates the uses and disclosures that a covered entity or business associate may make of PHI.  The Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to secure electronic PHI.  The Breach Notification Rule requires covered entities to notify affected individuals, the Department of Health and Human Services (HHS), and, in some cases, the media (and business associates to notify covered entities), of breaches of unsecured PHI.


Q1: Do the HIPAA Rules apply to workplace wellness programs?

A1: Since the HIPAA Rules apply only to covered entities and business associates – and not to employers in their capacity as employers -- the application of the HIPAA Rules to workplace wellness programs depends on the way in which those programs are structured.  Some employers may offer a workplace wellness program as part of a group health plan for employees.  For example, some employers may offer certain incentives or rewards related to group health plan benefits, such as reductions in premiums or cost-sharing amounts, in exchange for participation in a wellness program.  Other employers may offer workplace wellness programs directly and not in connection with a group health plan.

Where a workplace wellness program is offered as part of a group health plan, the individually identifiable health information collected from or created about participants in the wellness program is PHI and protected by the HIPAA Rules.  While the HIPAA Rules do not directly apply to the employer, a group health plan sponsored by the employer is a covered entity under HIPAA,[1] and HIPAA protects the individually identifiable health information held by the group health plan (or its business associates).  HIPAA also protects PHI that is held by the employer as plan sponsor on the plan’s behalf when the plan sponsor is administering aspects of the plan, including wellness program benefits offered through the plan.[2]

Where a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is not protected by the HIPAA Rules.  However, other Federal or state laws may apply and regulate the collection and/or use of the information.


Q2: Where a workplace wellness program is offered through a group health plan, what protections are in place under HIPAA with respect to access by the employer as plan sponsor to individually identifiable health information about participants in the program?

A2. The HIPAA Privacy and Security Rules place restrictions on the circumstances under which a group health plan may allow an employer as plan sponsor access to PHI, including PHI about participants in a wellness program offered through the plan, without the written authorization of the individual.  Often, the employer as plan sponsor will be involved in administering certain aspects of the group health plan, which may include administering wellness program benefits offered through the plan.  Where this is the case, and absent written authorization from the individual to disclose the information, the group health plan may provide the employer as plan sponsor with access to the PHI necessary to perform its plan administration functions, but only if the employer as plan sponsor amends the plan documents and certifies to the group health plan that it agrees to, among other things:

    Establish adequate separation between employees who perform plan administration functions and those who do not;
    Not use or disclose PHI for employment-related actions or other purposes not permitted by the Privacy Rule;
    Where electronic PHI is involved, implement reasonable and appropriate administrative, technical, and physical safeguards to protect the information, including by ensuring that there are firewalls or other security measures in place to support the required separation between plan administration and employment functions; and Report to the group health plan any unauthorized use or disclosure, or other security incident, of which it becomes aware.

Further, where a group health plan has knowledge of a breach of unsecured PHI at the plan sponsor (i.e., an unauthorized use or disclosure that compromises the privacy or security of the PHI), the group health plan, as a covered entity under the HIPAA Rules, must notify the affected individuals, HHS, and if applicable, the media, of the breach, in accordance with the requirements of the Breach Notification Rule.

Where the employer as plan sponsor does not perform plan administration functions on behalf of the group health plan, access to PHI by the plan sponsor without the written authorization of the individual is much more circumscribed.  In these cases, the Privacy Rule generally would permit the group health plan to disclose to the plan sponsor only: (1) information on which individuals are participating in the group health plan or enrolled in the health insurance issuer or HMO offered by the plan; and/or (2) summary health information if requested for purposes of modifying the plan or obtaining premium bids for coverage under the plan.


more...
No comment yet.
Scoop.it!

HIPAA Crackdown on Security Hacks

HIPAA Crackdown on Security Hacks | HIPAA Compliance for Medical Practices | Scoop.it

Health care security breaches are on the rise with headline-making hacks at insurer Anthem Inc. and NewYork-Presbyterian Hospital, giving employers reason to be concerned.


This year, the Department of Health & Human Services’ Office for Civil Rights is conducting Health Insurance Portability and Accountability Act, or HIPAA, compliance audits, and HR departments need to prepare, according to Gordon Rapkin, CEO of Archive Systems Inc., an HR document manager based in Fairfield, New Jersey. The office hasn’t announced when audits will commence. 


“Employers need to know that they are obligated to protect this information, they must show that they are capable of protecting this information and prove that their employees have been trained to do so,” Rapkin said. “You must be able to prove all that in a very short window of time if you’re unfortunate enough to be selected for an audit.”


In 2011 and 2012, the HHS conducted a pilot phase of the audits selecting 150 “covered entities,” which include providers and health plans, including employers that sponsor them, according to the HHS. Those chosen have 10 business days to provide supporting documents, Rapkin said.


“You don’t want to be in a situation where you are tagged for an audit and can’t respond in a timely fashion,” he said. “That triggers fines, and the fines have been hefty. It’s like a disaster plan. It’s incumbent on organizations to have one in place.”


In 2014, Columbia University and NewYork-Presbyterian Hospital were fined a combined $4.8 million for failing to secure the health records of more than 6,000 patients. In 2013, Anthem Inc. (then known as WellPoint Inc.) was fined $1.7 million when the health records of more than 600,000 patients were made available to unauthorized users.

Rapkin urged employers that have not yet conducted a HIPAA risk assessment to do so as soon as possible.


He said employers should focus on training employees to understand HIPAA policies and procedures and take an inventory of safeguards to protect physical and electronic information. If a breach occurs, employers must be vigilant about notifying individuals whose information was compromised.


“In the past it was easier to sweep things under the rug,” he said. “You can’t hide by saying, ‘Well someone left a laptop at Dunkin’ Donuts, but we don’t know if it’s been breached.’ You must notify any individual affected even if you only have reason to believe that you’ve been breached.”


Initially HIPAA was about health information portability — the ability to take records from one vendor or provider to another, he said. “It advanced to be much more about security as requirements like the HITECH Act came into play.”


The HITECH, or Health Information Technology for Economic and Clinical Health Act of 2009, required that organizations publicly report breaches that involve more than 500 patients, increased fines for violations, mandated that the HHS conduct audits, and extended the rules to third parties that work with health care organizations.


more...
No comment yet.