HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Compliance Keeping Medical Records Private 

HIPAA (the Health Insurance Portability and Accountability Act) became law in 1996 and reshaped the requirements and practices that protect patient rights, privacy, and security. Where earlier rules were unclear or, in some cases, insufficient, HIPAA and the Privacy and Security Rules issued under it are federally mandated and enforced. The healthcare businesses that must comply, however, have to navigate complex rules and make sure those rules are actually being followed.

Who needs to follow HIPAA?

The first question is whether you need to comply with HIPAA at all. A “Covered Entity” under HIPAA is a health plan, a health care clearinghouse, or a health care provider (medical, dental, or other) that transmits protected health information (PHI) electronically in connection with a standard transaction, such as sending claims or eligibility checks to a health plan. The rules also reach any vendor that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. These vendors are known as “Business Associates” and include EMR/EHR vendors, information technology support, data analytics and billing firms, health app developers, and, where the host can access the data, website and cloud hosting companies. If your organization handles PHI in electronic form in any of these roles, you must comply with HIPAA.

What steps do I need to take?

If you or your company is a covered entity or a business associate under HIPAA, it is your responsibility to keep protected health information secure following the HIPAA Security Standards and Implementation Specifications.  These include:

  • Developing written privacy and security policies – and, before that, becoming familiar with the rules so that the policies you write are comprehensive.

  • Designating a privacy officer and a security officer – no matter how small the organization, these roles must be assigned, and the people holding them are responsible for HIPAA compliance.

  • Risk assessments – conduct a risk assessment at least annually and whenever your systems or operations change materially, and record the findings. The Security Rule requires the analysis to be reviewed and updated periodically, so a one-off assessment does not satisfy it. Assessments must be documented, accurate, and comprehensive in identifying vulnerabilities and threats to PHI.

  • Developing information assurance policies for electronic communications, including email and any mobile device that can access PHI.

  • If you are a covered health care provider, distributing a notice of privacy practices to all new patients.

  • Signing Business Associate Agreements with any outside company that will have access to PHI.

  • Developing and implementing breach response procedures, including how to determine when a breach occurred, what was affected, and the notification deadlines that follow.

Demonstrating HIPAA compliance

Your organization must be able to prove that you and your employees are following the rules outlined by HIPAA. If there is a security breach and PHI is improperly handled or disclosed, the investigation may end in a civil penalty or in a settlement agreement that includes a required corrective action plan. It is important to understand that the burden of demonstrating compliance rests on the organization: you must be able to prove it, not merely assert it.

You will have to show that your organization has conducted a HIPAA risk assessment, provided annual training for the whole workforce, and has written policies and procedures for protecting PHI.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


5 Steps for Implementing a Successful HIPAA Compliance Plan 

HIPAA Compliance is key to thwarting cyber attacks, but more importantly, this Plan will tell your employees, Business Associates and patients (and HHS, if they should come calling) how you secure Protected Health Information (PHI). Just as important is effectively communicating the plan to your staff.  

So, where do you begin? The purpose of this blog is to highlight what goes into making your plan. 

Five Key Steps

Step 1 – Choose a Privacy and Security Officer

We will be talking in later blogs about what to consider when selecting these HIPAA leaders.

For a smaller practice, your Privacy and Security Officer may be the same person. For larger practices, these duties will probably be split between two people. These are the folks who are going to be spearheading your Compliance Plan.  If you don’t have someone designated to fill this role, you are not compliant.

Step 2 – Risk Assessment

This step requires you to review your workplace and electronic devices to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) held by the Covered Entity or Business Associate. According to Atlanta healthcare attorney Daniel Brown, “a Risk Assessment extends not only to the accessibility of ePHI -- such as passwords -- but also to threats to your access of ePHI caused by natural risks, such as hurricanes and tornadoes, and even human risks, such as malicious hacking.”

You can perform the Assessment yourself or hire an outside contractor to come in and complete the process for you. If you're thinking about performing the assessment yourself, HHS has developed a Risk Assessment tool to help you get started.

The first option is obviously the cheapest and the second can be costly, or you can use a combination of the two. The key is to be very detailed and identify where all your potential Privacy and Security issues may lie. This will include listing all computing and mobile devices, where paper files are stored, how you will secure your offices when you are closed, etc. This is not a one-time event; it will change over time as technology and risks change. You will want to revisit your Risk Assessment any time you have a breach, theft, or major change in hardware or software, and at a minimum every 2-3 years (annual is the more common and safer target).

Step 3 – Privacy and Security Policies and Procedures

After completing your Risk Assessment, it’s time to create your blueprint for achieving HIPAA Compliance. The Compliance Plan should include Policies and Procedures - ensuring the Privacy of Protected Health Information and the Security of such information. The Security Policies and Procedures deal with ePHI (electronic PHI) and how you will protect that information.

Policies and Procedures need to be updated regularly and any changes need to be clearly documented and communicated to your staff. As you saw in the Penalties Section of our last blog, “I didn’t know” isn’t an acceptable defense!

Step 4 – Business Associate Agreements

Most of you use vendors or contractors to help run your practice or business. Under HIPAA, persons or entities outside your workforce who use or have access to your patients’ PHI or ePHI while performing a service on your behalf are “Business Associates” and hold a special status in the Privacy equation. Some examples of Business Associates include third-party billing agents, attorneys, laboratories, cloud storage companies, IT vendors, email encryption companies, web hosts, etc. This list can get pretty long, and it should be documented in your Risk Assessment.

Make sure you do an audit of your Business Associates before you accept a signed Agreement from them. We’ve seen a lot of folks sign these Agreements, and have no clue what they’ve agreed to. Auditing means looking at their Compliance Plan. They have to have one, or you can’t do business with them. Your legal counsel should have an Agreement you can use, or you can use a third party Agreement from a HIPAA compliance company.

Step 5 – Training Employees

You’ve got your Risk Assessment, Privacy and Security Policies and Procedures, and Business Associate Agreements in hand. You’re all good, right? NO! Employees are often your weakest link.

You need to annually train your employees on the HIPAA Rule and communicate information about your Privacy and Security Policies and Procedures that you’ve worked so hard to create. What good is all the work you’ve done on a Compliance Plan when no one knows about it, or how to use it? Train employees both on the HIPAA Law and your specific plan. In addition, you must keep records that they have been trained.


Is Your Digital Ad Campaign HIPAA Compliant? 

As the importance of digital advertising continues to grow within the medical industry, marketers must ensure that their campaigns remain in compliance with HIPAA regulations.

In light of the evolving patient path to treatment, digital advertising is fast becoming the marketing tactic of choice for medical professionals across the industry. But as hospitals and medical practices scramble to keep pace with their competitors and roll out digital campaigns, there are a number of important considerations that must be taken into account — namely, marketers must ensure that their ads are in compliance with HIPAA regulations.

Staying in the Clear

HIPAA’s provisions for digital marketing exist to protect patient confidentiality and satisfy the Privacy Rule, according to HHS. As the CEO of Futures of Palm Beach told Forbes, “Complete patient anonymity is key. Once marketers understand that, they can plan their campaigns accordingly.” Marketers must either avoid using information that could identify a patient, known as protected health information (PHI); obtain written authorization for its use from the patient; or de-identify the data using the Privacy Rule’s Safe Harbor method, which removes identifiers from 18 categories, as UC Berkeley describes, including:

  • Names
  • Geographic identifiers smaller than a state (county, city, street address, ZIP code, etc.; the first three digits of a ZIP code may be kept if the area they cover has more than 20,000 people)
  • Dates other than year that relate directly to the individual (birth date, admission and discharge dates, date of death, etc.); ages over 89, and any date element that would reveal such an age, must be aggregated into a single “90 or older” category
  • Administrative and account details (health plan numbers, medical record numbers, driver’s license numbers, device serial numbers, etc.)
  • Biometric identifiers and full-face photographs (fingerprints, voice prints, etc.)

Naturally, there are a multitude of ways that patients can be identified online (which may not be covered by these 18 categories), so marketers must exercise caution when developing patient-generated marketing initiatives, such as a real-life success story or endorsement, for example.
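
The Safe Harbor de-identification described above can be applied mechanically to structured fields; free text is the part that needs care. The following is an added example, not code from the article or from any source it cites. The record layout and field names are assumptions, the sample record is constructed, and the restricted ZIP prefix set is a placeholder for the list that has to be derived from current Census data. It goes a little beyond the five categories listed above: it implements the year-only date rule, the 90-or-older age aggregation and the three-digit ZIP rule of 45 CFR 164.514(b)(2), plus a regex pass over free text for identifiers that tend to leak into notes.

```python
"""Safe Harbor de-identification of a flat patient record.

Added example: implements the identifier-removal rules of the HIPAA
Privacy Rule's Safe Harbor method (45 CFR 164.514(b)(2)). The record
layout and field names are assumptions for this example.
"""
import re
from datetime import date

# Direct identifiers that are dropped outright (field names assumed).
DROP_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_serial", "url", "ip_address", "photo",
    "fingerprint", "voice_print",
}

# Dates that may only survive as a year.
DATE_FIELDS = {"admission_date", "discharge_date", "date_of_death"}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer
# must be replaced by "000". Placeholder set: the authoritative list is
# derived from current Census data and must be maintained separately.
RESTRICTED_ZIP3 = {"036", "059", "102"}

# Heuristic patterns for identifiers that leak into free-text fields.
# These catch the obvious cases only; free text still needs human review.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"), "[DATE]"),
]


def generalize_zip(zip_code):
    """Keep the first three digits, or '000' for sparsely populated areas."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return None
    prefix = digits[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def age_on(birth, today):
    """Whole years between birth and today."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def scrub_text(text):
    """Replace recognizable identifiers in free text with placeholders."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, today=None):
    """Return a new dict with Safe Harbor identifiers removed or generalized."""
    today = today or date.today()
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key == "zip":
            zip3 = generalize_zip(value)
            if zip3:
                out["zip3"] = zip3
        elif key == "birth_date":
            age = age_on(value, today)
            if age > 89:
                # Over 89: no year of birth at all, only the aggregate bucket.
                out["age"] = "90+"
            else:
                out["age"] = age
                out["birth_year"] = value.year
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = value.year
        elif key == "notes":
            out["notes"] = scrub_text(value)
        else:
            out[key] = value  # e.g. state, diagnosis codes, lab values
    return out


# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "name": "Jane Q. Patient",
    "state": "NY",
    "city": "Albany",
    "zip": "12203",
    "birth_date": date(1931, 6, 15),
    "admission_date": date(2018, 3, 2),
    "diagnosis": "E11.9",
    "notes": "Call 518-555-0142 or jane@example.com; SSN 123-45-6789.",
}

if __name__ == "__main__":
    for key, value in deidentify(SAMPLE_RECORD, today=date(2018, 3, 2)).items():
        print(f"{key}: {value}")
```

Note that the result is Safe Harbor de-identified only if the record holder also has no actual knowledge that the remaining fields could identify the patient; a rare diagnosis in a small town can still do that, which is why the caveat in the paragraph above applies even after this pass.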

Of course, privacy violations are not the only opportunity for medical marketers to run afoul of HIPAA regulations. As Digital Guardian notes, providers and marketers must also comply with the Security Rule, which mandates that electronically stored or sent PHI is protected from data breaches, leaks, and unwanted disclosures. While this provision is primarily aimed at providers, marketers must also ensure that any protected information stored in their systems is secured at all times.

Cover Your Bases

While some hospitals, physicians, and medical marketers try to tiptoe around the PHI rules, it is often easiest to avoid the issue altogether by drafting content that attracts patients without introducing patient data at all. For instance, marketers can provide generic health advice or tips, comment on the state of the industry, or provide educational resources, none of which requires patient-specific information. Taking this safer route is certainly preferable to the penalty for violating HIPAA, which can reach $50,000 per violation, as WebPT notes.

Equally important is that every member of your marketing team be thoroughly trained in HIPAA regulations, with specific guidelines in place for your individual medical organization. Likewise, if you’re interested in enlisting the services of a third-party marketing vendor, remember that there is no government-recognized “HIPAA certification”: ask for evidence of their compliance program (risk assessment, policies, workforce training) and sign a Business Associate Agreement before they touch any PHI. Most commonly, violations stem from a lack of experience or confusion surrounding the nuanced rules and regulations. So while HIPAA may seem daunting, a well-informed approach is the key to avoiding compliance issues.


HIPAA & Texting

In recent years, a great number of medical practices have embraced text messaging as a popular means for communicating to both patients and their internal staff members. Despite the convenience and time saving benefits, healthcare providers and staff must be aware of potential consequences when texting Electronic Protected Health Information (ePHI). Text messaging includes any communication service or application that enables the transmission of electronic written messages between two or more mobile devices. This includes both Short Message Service (“SMS”) text messaging and other service providers like iMessage, WhatsApp, etc.

The Challenges

Under HIPAA, healthcare providers must maintain the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted by a covered entity. Unfortunately, text messaging makes several of those requirements hard to meet:

  • Standard SMS messages are not encrypted end to end; the carrier’s systems see them, and may store them, in the clear
  • The sender has no ability to control if or when the message is discarded after it has been viewed
  • There is no reliable way to verify the reader’s identity, which opens the door to unintended recipients and therefore to a reportable breach

Even well intended providers who find ways to implement and oversee texting security measures must also think about documentation. Any exchange between providers regarding a patient’s condition, must also make its way onto the patient’s medical record. Unless the provider integrates text messaging with their EMR, it can be difficult to ensure appropriate documentation.

What Does HIPAA Say?

Unfortunately the HIPAA laws and Office for Civil Rights (OCR) do not have anything specific outlined regarding texting requirements. Any and all forms of communication present some level of risk and it is the healthcare providers’ responsibility to ensure privacy and security while data is being exchanged.

Despite the lack of HIPAA specifications regarding texting, providers should keep in mind a general adherence to the HIPAA Privacy and Security Rules. Both have different objectives and controls for navigating the secure sending of ePHI:

  • HIPAA Privacy Rule – Limits a provider’s use and disclosure of PHI, in any form, to what the rule permits and to authorized individuals or entities.
  • HIPAA Security Rule – Requires providers to protect ePHI against threats to its confidentiality, integrity, and availability, including access or disclosure by unauthorized individuals or entities, and, together with the Breach Notification Rule, to have a plan for responding should a breach or unauthorized disclosure occur.

Best Practices

Despite the risks, a provider can take steps to reduce the likelihood of a breach or HIPAA violation while using text messaging. Because texts containing ePHI are stored locally on the device, the device itself should be encrypted and protected with a passcode so that loss, theft, or careless disposal does not expose the messages. Remember, too, that the carrier may retain a copy of each message on its own servers.

The following safeguards can help protect PHI along with establishing compliant communication:

Security Risk Analysis (SRA) – While conducting an SRA, a healthcare provider will identify where ePHI is created, received, maintained, and transmitted. For texts, ePHI will primarily be created, received, and maintained on mobile phones.

Limit PHI – Whenever possible it is best to text with limited or no PHI included in the message, examples: appointment confirmations, instructions to call the office to receive test results, etc.

Policies and Procedures – Ensure texting is included in the policies and procedures, specifically Administrative and Technical policies. It is important to outline what is acceptable to text along with an outline of steps should a text be sent to the wrong patient/incorrect recipient.

Workforce Training – A well-trained workforce is any healthcare provider’s best defense against unauthorized PHI exposure. Workforce training should cover what may be shared and with whom, how to secure authorized devices, and how to use approved third-party apps that permit sharing information securely.

Waivers and Intake Forms – Ensure all patient forms are up-to-date with all the current HIPAA requirements. The forms should plainly state which methods the patient allows the provider to contact him/her. Additionally, forms should include who outside the patient can receive their information and what can be sent.

Notice of Privacy Practices – A Notice of Privacy Practices should be standard operating procedure for providers and distributed to all patients. If the provider has included text messaging as part of their communication model, ensure the Notice of Privacy Practices covers texting.


HIPAA Trends to Watch in 2018 

Although the Trump Administration has a $6.194 million budget cut slated for the Office for Civil Rights (OCR), the office which administers HIPAA, compliance will still be enthusiastically enforced, according to OCR director Roger Severino. The Congressional Justification for FY2018 predicts a shift from routine HIPAA investigations to larger actions with sizable fines.

Here’s more on what to expect for HIPAA in 2018:

Fewer, but larger enforcement actions
Director Severino’s goal is to find a “big, juicy, egregious” breach case which could mean they will seek out more complex issues with a broad impact for enforcement. At a conference in 2017, Severino said he hasn’t decided yet on a particular area for increased investigations, but he did mention cybersecurity, ransomware and physical security as possibilities.

OCR plans to mitigate their budget decrease with increased enforcement settlement fines. So, while the department is leaner, it also may be meaner.

Possible new guidelines for medical records fees
Current OCR guidance regarding patients’ access to and fees for medical records has drawn concern from businesses. The current method gives HIPAA-covered entities the ability to charge “reasonable, cost-based fees” for records, which has been interpreted as restrictive and as adding to the cost of HIPAA compliance. On top of the federal regulations, HIPAA entities also contend with a patchwork of state laws regarding medical record fees. The business-sympathetic Congress may require OCR to provide additional clarification on medical records fees to allay those concerns.

States may become more involved
With OCR reducing its number of HIPAA enforcement actions, state attorneys general (who have had authority to bring HIPAA civil actions since the HITECH Act of 2009) have begun to step up their own enforcement to protect their constituents’ privacy. Privacy issues in the medical sector and other areas involving personal information are increasingly important to the public, and state AGs may lead the way in protecting citizens.

CompuTech City remains poised to facilitate medical practices’ efforts to be HIPAA compliant. We take a proactive approach to keeping your data secure and are experts in ensuring your network meets stringent HIPAA standards with device encryption, network security, intrusion prevention, gateway anti-virus, anti-spyware, content/URL filtering.

Let us know if you are interested in learning more about 2018 HIPAA compliance.


HIPAA Compliance for Email

Are Emails HIPAA Compliant?

HIPAA compliance for email has been a hotly debated topic since changes were enacted in the Health Insurance Portability and Accountability Act (HIPAA) in 2013. Of particular relevance is the language of the HIPAA Security Rule; which, although not expressly prohibiting the use of email to communicate PHI, introduces a number of requirements before email communications can be considered to be HIPAA compliant(*).

The HIPAA email rules require covered entities to implement access controls, audit controls, integrity controls, person or entity authentication, and transmission security in order to:

  • Restrict access to PHI
  • Monitor how PHI is communicated
  • Ensure the integrity of PHI at rest
  • Ensure 100% message accountability, and
  • Protect PHI from unauthorized access during transit

Some HIPAA covered entities have put forward the argument that encryption is sufficient to ensure HIPAA compliance for email. However, HIPAA email rules do not just cover encryption. Encryption alone does not fulfill the audit control requirement of monitoring how PHI is communicated or the ID authentication requirement to ensure message accountability.

Furthermore, some required functions – such as the creation of an audit trail and preventing the improper modification of PHI – are complex to resolve. So, although emails can be HIPAA compliant, it requires significant IT resources and a continuing monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email.

(*) Transmission encryption is less of a concern for messages that never leave an internal email network protected by an appropriate firewall, but the Security Rule’s other safeguards (access, audit and integrity controls, and authentication) still apply to ePHI in internal email.

HIPAA Email Encryption Requirements

HIPAA email rules require messages to be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.

As previously mentioned, encryption is only one element of HIPAA compliance for email, but it will ensure that in the event of a message being intercepted, the contents of that message cannot be read, thus preventing an impermissible disclosure of ePHI.

It should be noted that encryption is an addressable standard in the HIPAA Security Rule, both for data at rest and for email. That means encryption is not ‘required,’ but it does not mean encryption can be ignored. Covered entities must consider encryption and implement an alternative, equivalent safeguard if the decision is taken not to use it. That applies to data at rest and to data in transit.

A covered entity must decide on whether encryption is appropriate based on the level of risk involved. It is therefore necessary to conduct a risk analysis to determine the threat to the confidentiality, integrity, and availability of ePHI sent via email. A risk management plan must then be developed, and encryption or an alternative measure implemented to reduce that risk to an appropriate and acceptable level. The decision must also be documented. OCR will want to see that encryption has been considered, why it has not been used, and that the alternative safeguard that has been implemented in its place offers an equivalent level of protection.

Encryption is an important element of HIPAA compliance for email, but not all forms of encryption offer the same level of security. Just as HIPAA does not specify a method of encryption, so that advances in technology can be taken into account, it would not be appropriate to recommend a particular form of encryption on this page for the same reason. For example, a covered entity could once have used the Data Encryption Standard (DES) algorithm to secure email, but that algorithm is now known to be highly insecure.

HIPAA-covered entities can obtain up-to-date guidance on encryption from the National Institute of Standards and Technology (NIST), which at the time of writing recommends the Advanced Encryption Standard (AES) with 128, 192 or 256-bit keys. That could naturally change, so it is important to check NIST’s latest guidance before implementing encryption for email. NIST has published SP 800-45 Version 2, Guidelines on Electronic Mail Security, which covers both transport protection (TLS between mail servers) and end-to-end message protection (S/MIME or OpenPGP). The distinction matters: TLS between servers protects a message only hop by hop and, when it is negotiated opportunistically, silently falls back to plaintext if the other server does not offer it, whereas end-to-end encryption protects the message body regardless of the route. NIST SP 800-52 gives the current minimum TLS version and cipher suite requirements.
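
One check a practitioner can actually run against the transmission security and audit control requirements above is to verify, from the Received: headers of an archived message, whether each hop that crossed the network boundary was carried over TLS, and whether the TLS version was one that is still acceptable. The block below is an added example, not code from the page or from any vendor it mentions; the message, the hostnames and the internal domain clinic.example are constructed for the example, and the “with ESMTPS” keyword convention it relies on comes from RFC 3848. The same check applies to the low-PHI texting guidance earlier on the page only by analogy: for SMS there is no transport header to audit, which is itself the point.

```python
"""Audit whether an archived email crossed the network boundary over TLS.

Added example: parses the Received: headers the receiving mail servers
wrote and reports, hop by hop, whether the SMTP session used TLS. The
message, hostnames and the internal domain are constructed for the example.
"""
import re
from email import message_from_string

# "with" keywords that denote a TLS-protected SMTP session (RFC 3848 / RFC 6531).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}
# Versions deprecated by RFC 8996; flag them even though the hop was encrypted.
WEAK_TLS_VERSIONS = {"TLSv1", "TLSv1.0", "TLSv1.1", "TLS1", "TLS1_0", "TLS1_1"}

SRC_RE = re.compile(r"\bfrom\s+([^\s(;]+)")
DST_RE = re.compile(r"\bby\s+([^\s(;]+)")
# Anchored on SMTP so Postfix's "(using TLSv1.2 with cipher ...)" is not mistaken
# for the protocol keyword.
PROTO_RE = re.compile(r"\bwith\s+((?:UTF8)?E?SMTP\w*)", re.I)
TLS_RE = re.compile(r"(?:version=|using\s+)(TLS[vV]?[\d._]+)")


def _first(regex, text):
    match = regex.search(text)
    return match.group(1) if match else None


def parse_hops(raw_message):
    """Return one dict per Received: header, newest hop first."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold the header
        proto = (_first(PROTO_RE, text) or "").upper() or None
        tls = _first(TLS_RE, text)
        hops.append({
            "src": _first(SRC_RE, text),
            "dst": _first(DST_RE, text),
            "proto": proto,
            "tls": tls,
            "encrypted": proto in TLS_PROTOCOLS,
            "weak": tls in WEAK_TLS_VERSIONS,
        })
    return hops


def _internal(host, suffix):
    host = (host or "").lower()
    return host == suffix or host.endswith("." + suffix)


def transit_verdict(hops, internal_suffix):
    """'ok', 'weak_tls' or 'plaintext_external_hop' for the hops given.

    Hops between two internal hosts are exempt (the internal-network case
    in the footnote above); a hop with an unknown source is treated as
    external, because the safe assumption is that it crossed the boundary.
    """
    suffix = internal_suffix.lower()
    verdict = "ok"
    for hop in hops:
        if _internal(hop["src"], suffix) and _internal(hop["dst"], suffix):
            continue
        if not hop["encrypted"]:
            return "plaintext_external_hop"
        if hop["weak"]:
            verdict = "weak_tls"
    return verdict


# Constructed message: an outside lab delivers results to the practice's MX
# over TLS 1.2, which then relays internally without TLS.
SAMPLE_MESSAGE = """\
Received: from mx.clinic.example (mx.clinic.example [192.0.2.10])
    by mail.clinic.example (Postfix) with ESMTP id 4C7F2
    for <dr.smith@clinic.example>; Tue, 6 Mar 2018 10:02:11 -0500
Received: from mail.lab.example (mail.lab.example [203.0.113.5])
    by mx.clinic.example (Postfix) with ESMTPS id 3B9A1
    (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256);
    Tue, 6 Mar 2018 10:02:09 -0500
From: results@lab.example
To: dr.smith@clinic.example
Subject: Lab results

See attachment.
"""

if __name__ == "__main__":
    hops = parse_hops(SAMPLE_MESSAGE)
    for hop in hops:
        print(f"{hop['src']} -> {hop['dst']}: {hop['proto']} {hop['tls'] or ''}")
    print("verdict:", transit_verdict(hops, "clinic.example"))
```

Two caveats when using this as evidence. Received: headers are written by whichever server received the message, so only the lines added by your own servers are trustworthy; an upstream relay can write anything it likes into earlier lines. And a TLS hop proves only that the link was encrypted, not that the peer was who it claimed to be, since most server-to-server SMTP does not verify certificates; if that matters for your risk analysis, end-to-end encryption (S/MIME or OpenPGP) is the control to reach for.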

How Secure Messaging Resolves Issues with HIPAA Compliance for Email

Secure messaging is an appropriate substitute for emails as it fulfills all the requirements of the HIPAA Security Rule without sacrificing the speed and convenience of mobile technology. The solution to HIPAA compliance for email uses secure messaging apps that can be downloaded onto any desktop computer or mobile device.

Authorized users have to log into the apps using a unique, centrally-issued username and PIN, which allows their activity to be monitored and audit trails to be created. All messages containing PHI are encrypted, and security mechanisms ensure that PHI cannot be sent outside of an organization’s network of authorized users.

Administrative controls prevent unauthorized access to PHI by assigning messages with “message lifespans”, forcing automatic logoffs when an app has not been used for a predetermined period of time, and allowing the remote deletion of messages from a user´s device if the device is lost, stolen or otherwise disposed of.

The Benefits of Secure Messaging

The primary benefit of secure messaging when compared to email is the speed at which people respond to text messages. Studies have determined that 90% of people read a text message within three minutes of receiving it, whereas almost a quarter of emails remain unopened for forty-eight hours.

The communications cycle is further accelerated by the mechanisms to enforce message accountability. These significantly reduce phone tag, allowing employees more time to attend to their duties. In a healthcare environment, this means less time waiting by a phone and more time providing healthcare for patients.

This acceleration of the communications cycle also reduces the time it takes to admit or discharge a patient, how long it takes for prescription errors to be resolved, and the length of time it may take for invoices to get paid. Ultimately, secure messaging is a lot more effective than email, and less trouble to implement than resolving HIPAA compliance for email.

Encrypted Email Archiving for PHI

Even where a secure messaging solution replaces email, retention does not go away. HIPAA requires covered entities to keep the documentation the rules call for (policies, risk analyses, authorizations, accountings of disclosures and the like) for six years from its creation or last effective date, and state law sets how long medical records themselves must be kept; emails that form part of either must be retained and remain retrievable. Depending on the size of the covered entity and the volume of email sent and received over that period, this can create a storage problem. The solution is encrypted email archiving for PHI.

Vendors providing an email archiving service are regarded as Business Associates, and have to adhere to the same requirements of the HIPAA Security Rule as covered entities. Therefore, their service has to have access controls, audit controls, integrity controls, and ID authentication in order to ensure the integrity of PHI. In order to comply with HIPAA email rules on transmission security, all emails should be encrypted at source before being sent to the service provider’s secure storage facility for archiving.

The biggest advantage of encrypted email archiving for PHI is that the content of each email is indexed as the emails and their attachments are encrypted. This makes for easy retrieval should a covered entity need to find an email quickly to satisfy an audit request or a discovery request in litigation. Other advantages include freeing storage space on the covered entity’s own servers, and the fact that encrypted email archiving for PHI can serve as part of a disaster recovery plan.


HIPAA compliance patient engagement strategy

HIPAA compliance as a patient engagement strategy is becoming more and more appealing to health care professionals of all kinds. Behavioral health professionals in particular can capitalize on an effective HIPAA compliance program as another means of developing a patient engagement strategy: attracting new patients who care about the integrity of their health care data.

Developing a patient engagement strategy is an essential way to attract new patients to your practice. Common methods that you can capitalize on include developing a social media presence or creating a newsletter to highlight industry updates or services you offer.

But HIPAA compliance gives you a unique way to address patients’ needs for data privacy, all while satisfying the regulatory requirements put forth by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

HIPAA Compliance as a Differentiator

By implementing an effective HIPAA compliance program in your practice, you can be directly involved in ongoing national conversations about data privacy and security. With ransomware incidents in the news week after week, and new concerns about data breaches reaching unprecedented levels, HIPAA compliance is the perfect way to address these concerns for your prospective patients.

Think of it this way: in the same way that concerned buyers will shop around for the perfect laptop to meet their needs, a discerning patient will shop around for a behavioral health practice that works for them. Data security-minded individuals are a growing demographic of health care consumers, especially among millennials in today’s market.

Adopting a HIPAA compliance program can allow you to address these concerns, and give you a new way to market your business. You can make your practice stand out from others in your area, all while protecting the sensitive health data that you come into contact with daily.


Medical Identity Thefts Account for 43% of all Reported Identity Theft Cases in U.S.   

You may want to ask your medical or dental provider what measures they are taking to protect your electronic health records. In some cases, the answer may surprise you. Here is a recent article from USA Today that will get your attention.

Nearly half of identity thefts in U.S. are medical info.

Story Highlights

  • Medical records of between 27.8 million and 67.7 million people have been breached since 2009
  • Thieves have used stolen medical information for all sorts of nefarious reasons
  • Perpetrators use different methods to obtain information, from stealing laptops to hacking into computer networks

If modern technology has ushered in a plague of identity theft, one particular strain of the disease has emerged as most virulent: medical identity theft.

Last month, the Identity Theft Resource Center produced a survey showing that medical-related identity theft accounted for 43% of all identity thefts reported in the United States in 2013. That is a far greater chunk than identity thefts involving banking and finance, the government and the military, or education. The U.S. Department of Health and Human Services says that since it started keeping records in 2009, the medical records of between 27.8 million and 67.7 million people have been breached.

The definition of medical identity theft is the fraudulent acquisition of someone's personal information – name, Social Security number, health insurance number – for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs.

"Medical identity theft is a growing and dangerous crime that leaves its victims with little to no recourse for recovery," said Pam Dixon, the founder and executive director of World Privacy Forum. "Victims often experience financial repercussions and worse yet, they frequently discover erroneous information has been added to their personal medical files due to the thief's activities."

The Affordable Care Act has raised the stakes. One of the main concerns swirling around the disastrous rollout of federal and state health insurance exchanges last fall was whether the malfunctioning online marketplaces were compromising the confidentiality of Americans' medical information. Meanwhile, the law's emphasis on digitizing medical records, touted as a way to boost efficiency and cut costs, comes amid intensifying concerns over the security of computer networks.

Edward Snowden, the former National Security Agency contractor who has disclosed the agency's activities to the media, says the NSA has cracked the encryption used to protect the medical records of millions of Americans.


MULTIPLE MOTIVES

Thieves have used stolen medical information for all sorts of nefarious reasons, according to information collected by World Privacy Forum, a research group that seeks to educate consumers about privacy risks. For example:

  • A Massachusetts psychiatrist created false diagnoses of drug addiction and severe depression for people who were not his patients in order to submit medical insurance claims for psychiatric sessions that never occurred. One man discovered the false diagnoses when he applied for a job. He hadn't even been a patient.
  • An identity thief in Missouri used the information of actual people to create false driver's licenses in their names. Using one of them, she was able to enter a regional health center, obtain the health records of a woman she was impersonating, and leave with a prescription in the woman's name.
  • An Ohio woman working in a dental office gained access to protected information of Medicaid patients in order to illegally obtain prescription drugs.
  • A Pennsylvania man found that an imposter had used his identity at five different hospitals in order to receive more than $100,000 in treatment. At each spot, the imposter left behind a medical history in his victim's name.
  • A Colorado man whose Social Security number, name and address had been stolen received a bill for $44,000 for a surgery he had not undergone.

Perpetrators use different methods to obtain the information, ranging from stealing laptops to hacking into computer networks, according to Sam Imandoust of the Identity Theft Resource Center. "With a click of a few buttons, you might have access to the records of 10,000 patients. Each bit of information can be sold for $10 to $20," he said.

According to HHS, the theft of a computer or other electronic device is involved in more than half of medical-related security breaches. Twenty percent of medical identity thefts result from someone gaining unauthorized access to information or passing it on without permission. Fourteen percent of breaches can be attributed to hacking.

"We say encrypt, encrypt, encrypt," said Rachel Seeger, a spokesman for HHS's Office For Civil Rights, which is charged with investigating breaches of medical records in health plans, medical practices, hospitals and related institutions.


RELYING ON THE HONOR SYSTEM

The records in a laptop that a fired employee lifted from the North County Hospital in Newport, Vt., last year had not been encrypted. The laptop contained the records of as many as 550 patients. Around the time that breach was uncovered, HHS cited the hospital for a second breach involving two employees gaining access to records without authorization. Those cases are ongoing.

Wendy Franklin, director of development and community relations at North County, said the hospital generally does encrypt its records. Franklin also noted that North County requires all of its employees to sign agreements not to disclose medical records and to undergo training in confidentiality laws and procedures. She also said the hospital has instituted an audit to track access to private health records. But, in the end, Franklin said, the hospital largely has to rely on the honor system.

Two federal laws govern the confidentiality of medical records: the Health Insurance Portability and Accountability Act (HIPAA), originally passed in 1996, and the Health Information Technology (HITECH) Act of 2009. Together they lay out what health care providers and affiliated businesses are required to do to protect confidentiality of patients.

According to James Pyles, a Washington, D.C., lawyer who has dealt with health issues for more than 40 years, all 50 states have their own privacy laws and 46 of them require consumer notification when there is a security breach of private records.

HHS can impose a civil fine of between $100 and $50,000 for each failure of a business, institution or provider to meet privacy standards, up to a maximum of $1.5 million per year. A person who knowingly violates HIPAA faces a criminal fine of $50,000 and up to a year in prison. If the perpetrator tried to sell the information for "commercial advantage, personal gain or malicious harm," he or she could face a $250,000 fine and up to 10 years in prison.

The HIPAA law includes exceptions that allow a provider to share medical information without a patient's permission. A common example is when hospital business offices share information for the purpose of seeking payment. But there are also exceptions for "public health activities," "health oversight activities," "law enforcement purposes," and other purposes. No wonder, Pyles said, some patients are reluctant to disclose to a medical provider that they have a sexually transmitted disease or a mental illness unless they have to.

Under the HITECH law, a medical provider, health plan or medical institution must notify patients when a breach of their medical records is discovered. HHS must also be contacted. HHS discloses breaches involving 500 or more patients.

Discovery of the breach is useful but doesn't correct the mischief that may have happened. Although patients can have corrected information put in their files, it's difficult to get fraudulent information removed because of the fear of medical liability.

"It's almost impossible to clear up a medical record once medical identity theft has occurred," said Pyles. "If someone is getting false information into your file, theirs gets laced with yours and it's impossible to segregate what information is about you and what is about them."

Pyles describes the status quo as "the worst of two worlds." The U.S. has "a regulated industry that is saddled with laws with so many loopholes that they don't know what they are responsible for, and a public that doesn't believe their health information is being protected."


Medical Identity Theft: A Troubling Trend


The Ponemon Institute, a nationally recognized privacy research firm, recently released its Fourth Annual Patient Privacy and Data Security Study. For healthcare providers, it is probably not much of a new revelation that the study found more criminals are stealing patient records to commit medical identity theft. This type of crime is a low-risk and highly profitable industry.

What is attention grabbing is that these criminal attacks on healthcare providers increased dramatically and are up 100% since 2010. According to the study, these breaches cost the industry about $5.6 billion a year.

If your medical or dental practice has electronic medical records (EMR) and is following all the proper HIPAA Security Rule safeguards, this can help to identify possible unauthorized access or fraud. If your practice has paper charts, unauthorized access to patient records could be virtually untraceable until an identity theft case occurs. For EMR, training staff to be alert to fraud trends can help, along with a systematic way to continuously review audit logs to see who is accessing patient records.

Here are three tips to help your practice be more proactive in fighting medical identity theft:

  1. Conduct background checks on ALL staff, regardless of whether access to patient records is required for their particular positions.
  2. Set up a robust education campaign to make patients aware of medical identity theft and teach them how to report any errors discovered on their Explanation of Benefits.
  3. Implement a response program for possible medical identity theft cases. The program needs to have comprehensive but understandable written policies and procedures for immediate action for a flagged record.

As the risk will only continue to grow, the reputation and credibility of your practice in addressing patient record breaches is at stake here. Having a proactive plan in place will help your practice quickly recognize possible medical identity theft cases and initiate an immediate and required action.


Top Ten Total HIPAA Blogs


The countdown of Total HIPAA’s most popular blogs of 2016 continues this week with #5 through #1. Not surprisingly, the top three are technical topics. If you have any topics you would like us to consider in 2017, please fill out the suggestion form at the end of this summary.

Top Ten Countdown Continued

    5. Does HIPAA Restrict Healthcare Professionals from Communicating with Family and Friends?

Buddy Dyer, the mayor of Orlando, requested a waiver of the HIPAA rules following the June 12 shooting at Pulse Nightclub. A statement from HHS Assistant Secretary for Public Affairs, Kevin Griffis, explained the reason why the waiver was not needed in Orlando: “HIPAA allows health care professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances. These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition. Disclosures are permissible to same sex, as well as opposite sex, partners.” In order to understand under what circumstances Mayor Dyer and healthcare providers should be concerned about HIPAA restrictions, we look at the Law in this blog.

    4. Covered Entities Must Share PHI with Patients Even if it is Requested in an Unencrypted Format

HHS stated that patients have the right to access their ePHI and that Covered Entities must provide this access in the manner requested by the individual. While the Privacy Rule does allow the use of unencrypted email when communicating ePHI between the healthcare provider and the patient, we suggest you take the steps outlined in this blog to protect your patients’ ePHI while still giving them access to their information.

    3. HIPAA Compliant Email Encryption Review 2016

Covered Entities, Business Associates and Business Associate Subcontractors are required to protect the PHI they hold at rest, in storage and in transit. In this blog, we reviewed six HIPAA-compliant and affordable email encryption solutions with a focus on solutions for small businesses.

    2. It’s Time to Upgrade Your Internet Explorer NOW and Forever

When it comes to your software, we know how you feel – if it’s not broken, why fix it? Upgrading is a pain! Upgrade one thing and your computer programs can collapse like a house of cards. In this instance, it is VERY important for your business security that you upgrade to the latest version of Internet Explorer—NOW! As of January 12, 2016, Microsoft announced it was only supporting technical and security updates for Internet Explorer 11. What did this change mean to you?

    1. HIPAA Compliant Text Messaging Application Review

Today everyone uses text messaging (“texting”) for easy and quick communication. It is a great tool for convenience and efficiency, but most users don’t realize that texting is an unencrypted form of communication that can be intercepted at any point in transmission. In this blog we reviewed four companies that offer secure messaging solutions for small to medium organizations using encryption to allow organizations to send PHI through text.

Thank you for your support on Social Media this year! As HHS continues to crack down with additional audits on both covered entities and business associates, our goal is to provide you with all the materials you need. Many of our blog topics come directly from questions sent by our clients and followers.


The Status Of HIPAA Compliance


The Office for Civil Rights (OCR), the agency within the U.S. Department of Health and Human Services tasked with HIPAA compliance enforcement, is about to start formally notifying various healthcare providers and plans that they have been selected for an audit. Those covered entities selected will be required to submit specific documentation to OCR that demonstrates how their respective organizations are complying with HIPAA compliance requirements.

The goal with the Phase 2 Audit program is to determine how well covered entities are implementing the correct policies and procedures for HIPAA compliance. If the results of the Phase 2 audits are anything like the first audit, OCR is probably going to see disappointing data indicating most organizations are not fully complying with all the requirements.

There is an easier, and less costly, way to find out the current compliance status of covered entities, one that saves taxpayers the expense of paying a contractor to gather the needed results. Published reports showed that OCR paid about 9 million dollars to the global audit firm KPMG in 2012 to conduct the Phase 1 audits.

NueMD released the results of their follow-up survey to the original survey conducted in 2014, which looked at the status of HIPAA compliance. In the updated survey, 927 respondents, which included practices and billing companies, answered a number of revealing questions about the current status of HIPAA knowledge and compliance. For comparison purposes, OCR is looking to identify about 200 covered entities for the Phase 2 audit.

So what did NueMD find out in their updated survey? Overall HIPAA compliance is still not close to where it needs to be with most organizations. With so many HIPAA data breaches occurring on what seems like a daily basis, the survey clearly shows why this is occurring.

Here are some significant findings of the survey:

  • Regarding the annual requirement for HIPAA Security Awareness Training, the 2014 survey indicated 62% of owners, managers and administrators claimed they provided training for their staff annually; now that number has dropped to 58%.
  • Appointing HIPAA Security and Privacy Officers is another requirement for compliance. The survey found an actual decrease in these appointments. Although appointments were only a few percentage points down, the study said, “These may not be extraordinary changes, but the numbers are moving in the wrong direction!” Agreed.
  • On the positive side, the survey showed, “A region that suggests a correlation between increased awareness and improved compliance is that of Business Associate Agreements” (BAAs). In 2014, 60% of the respondents were aware of the use of BAAs, whereas in 2016, 68% now claim to know more about these rules.
  • Another positive finding was in the awareness of the HIPAA Omnibus updates. In 2014, respondents indicated 64% were aware of the updates in law. That percent increased to 69% this time around. There are many additional patient rights afforded by the Omnibus Rule that healthcare providers must be aware of. Although there was an increase, providers must do a better job in understanding their responsibilities under Omnibus.

The NueMD updated survey is a great barometer to gauge overall HIPAA compliance efforts, but as the survey shows, covered entities still have a long way to go to make sure they fully understand all the requirements and not just some.


How HIPAA applies to the burgeoning world of mobile health


The federal regulatory environment has not kept pace with the progress of mobile health. Mobile health is driven by consumers who expect to have all sorts of information, including health data, on their phones, said Jeffrey Dunifon, an associate attorney at Baker & McKenzie who previously was an investigator at the Department of Health and Human Services Office for Civil Rights.
To help healthcare provider organizations and mobile developers navigate the HIPAA waters, Dunifon points to the HIPAA Questions Portal at hipaaqsportal.hhs.gov, which was launched by HHS. Providers and developers ask questions, HHS provides answers, said Dunifon, who spoke today at the HIMSS and Healthcare IT News Privacy & Security Forum in Los Angeles during a session entitled "HIPAA and mHealth: Key Challenges and Solutions."
"Key issues covered on the site include businesses regulated by HIPAA, information covered by HIPAA, and HIPAA compliance measures," Dunifon said.

When it comes to mobile health, or mHealth, it's important to fully understand the entities covered by HIPAA. These include healthcare providers, health plans and clearinghouses.

"Less clear, though, is when a company becomes a business associate under HIPAA," Dunifon explained. "A business associate is any entity that accesses or discloses protected health information for or on behalf of a covered entity or another business associate. This is very relevant in the developer environment."
Examples of businesses and tools that could require a business associate agreement, according to Dunifon, include:

  • A cloud services vendor that hosts PHI. "OCR has said in no uncertain terms that if an organization is using a cloud services vendor to host PHI, it needs a business associate agreement," Dunifon said.
  • An electronic health record developer that accesses PHI to help troubleshoot technical issues. "This is more on the routine side of the business associate definition, a company that has routine, ongoing access," he said.
  • A live translation mobile app used between healthcare providers and patients. "If an organization is using an iPhone or iPad on a live basis to have conversations between patients and providers discussing PHI, that needs to be covered by a business associate agreement," Dunifon said.
  • A patient appointment scheduling and payment mobile app. "If a provider offers to let patients schedule an appointment or pay for an appointment, that app developer needs to be covered by a business associate agreement," he said. "That can be a little confusing sometimes because there's not a clear health element to it."
  • Remote medical devices or apps sharing health indicators. "If you have a medical device someone is wearing that's sending information to an app, which is sharing that with the healthcare provider, and the app company is playing a role in transmitting or maintaining that information, that may be PHI covered by HIPAA," Dunifon said.
"In mobile health, if a consumer is paying for a product, it might not be PHI," he added. "But if it is being tracked by a covered entity, then it may be PHI."
Dunifon pointed conference attendees to a variety of resources to help with HIPAA compliance and mHealth, including the National Institute of Standards and Technology's Special Publications, the HHS Office for Civil Rights, HIMSS and Baker & McKenzie.


Prison Term for ID Theft at Hospital


A former Alabama hospital worker has been sentenced to serve two years in prison for his role in an identity theft case that led to federal tax refund fraud. The case also has resulted in a class action lawsuit.

The breach at 235-bed Flowers Hospital in Dothan, Ala., spotlights that "insider threats are a large challenge," says privacy attorney Adam Greene, of law firm Davis Wright Tremaine, who is not involved in the case. "Policies, procedures and training can influence good employees, but may have little impact on employees who are considering using information for criminal purposes," he says.


"Some good ways to reduce the risk include thorough background checks of employees, reducing the use of Social Security numbers and other risky information within the organization where possible, minimizing the types of employees who have access to such information, reviewing system activity to identify patterns that may demonstrate abuse of access, and considering technologies such as data loss prevention to reduce the risk of information leaving the network," the attorney adds.

But Greene notes that even with all the right controls in place, "it is virtually impossible to completely eliminate the threat of insiders abusing their access to information systems."
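The earlier post on medical identity theft recommends "a systematic way to continuously review audit logs to see who is accessing patient records," and Greene's advice above includes "reviewing system activity to identify patterns that may demonstrate abuse of access." Both come down to the same kind of detection logic. The following is an added example, not code from any article, vendor or law firm on this page: it runs two simple checks over constructed sample EHR access-log lines, flagging accesses to patients the user has no documented care-team relationship with, and users who open an unusually large number of distinct records within a one-hour window. The log format, the care-team roster, the user names and the thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample EHR access-log lines (hypothetical; not from any real
# system). Fields: ISO timestamp, user id, role, patient id, action.
SAMPLE_LOG = """\
2016-03-01T09:02:11 nurse01 nurse P1001 view
2016-03-01T09:05:40 nurse01 nurse P1002 view
2016-03-01T09:30:12 dr_lee physician P1001 view
2016-03-01T10:15:03 lab_tech7 lab P1001 view
2016-03-01T10:16:45 lab_tech7 lab P1003 view
2016-03-01T10:17:02 lab_tech7 lab P1004 view
2016-03-01T10:17:30 lab_tech7 lab P1005 view
2016-03-01T10:18:01 lab_tech7 lab P1006 view
2016-03-01T10:18:20 lab_tech7 lab P1007 view
2016-03-01T11:00:00 billing02 billing P1002 view
2016-03-01T11:05:00 billing02 billing P1009 view
"""

# Assumed care-team roster (hypothetical): the patients each user has a
# documented treatment, payment or operations reason to access.
CARE_TEAM = {
    "nurse01": {"P1001", "P1002"},
    "dr_lee": {"P1001"},
    "lab_tech7": {"P1001"},
    "billing02": {"P1002", "P1009"},
}

# Assumed thresholds: flag a user who opens this many distinct patient
# records inside the sliding window.
VOLUME_THRESHOLD = 5
VOLUME_WINDOW = timedelta(hours=1)


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return sorted(events, key=lambda e: e["ts"])


def find_unassigned_access(events, care_team):
    """Return (user, patient, timestamp) for every access to a patient the
    user has no documented relationship with. Unknown users match nothing,
    so every access by an unrostered account is flagged."""
    return [(e["user"], e["patient"], e["ts"].isoformat())
            for e in events
            if e["patient"] not in care_team.get(e["user"], set())]


def find_high_volume_users(events, threshold, window):
    """Return {user: max distinct patients seen inside any window} for users
    who reach the threshold. Each of a user's events starts a candidate
    window, so a burst is caught wherever it begins."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            patients = {x["patient"] for x in evs[i:]
                        if x["ts"] - start["ts"] <= window}
            if len(patients) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(patients))
    return flagged


def review(text, care_team, threshold=VOLUME_THRESHOLD, window=VOLUME_WINDOW):
    """Run both checks and return the findings for a reviewer to triage."""
    events = parse_log(text)
    return {"unassigned": find_unassigned_access(events, care_team),
            "high_volume": find_high_volume_users(events, threshold, window)}


if __name__ == "__main__":
    result = review(SAMPLE_LOG, CARE_TEAM)
    for user, patient, ts in result["unassigned"]:
        print(f"{ts} {user} opened {patient} with no documented relationship")
    for user, count in result["high_volume"].items():
        print(f"{user} opened {count} distinct records within {VOLUME_WINDOW}")
```

On the constructed input, both checks point at the same account: the lab technician opens five records outside the roster in under four minutes, which is the pattern a weekly or daily review of audit logs is meant to surface before the data leaves the building. The roster check depends on the practice keeping an accurate mapping of staff to patients, which is the hard part in a real deployment; the volume check needs no roster and is the cheaper first control.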

Restitution Required

The U.S. Department of Justice, in a Dec. 12 statement, said that in addition to his prison sentence, former hospital lab technician Kamarian D. Millender was also ordered to pay about $19,000 in restitution after pleading guilty in July to one count of aggravated identity theft.

Flowers Hospital, where Millender formerly worked, is part of the Community Health Systems chain. But the breach involving Millender was unrelated to a larger hacker attack on Community Health Systems earlier this year that affected 4.5 million patients.

The Alabama hospital incident is listed on the Department of Health and Human Services' "wall of shame" list of major breaches as a theft of paper records occurring from June 2013 to February 2014 and affecting 629 individuals.

Fraud Scheme

In the criminal case against Millender, federal prosecutors say he and others stole patient medical records that contained personal identification information, which was then used to file more than 100 false tax returns, victimizing approximately 73 individuals. Prosecutors say the false tax returns attempted to defraud an estimated $536,000 from the IRS. However, "the IRS was able to stop the vast majority of the falsely claimed refunds, but approximately $18,915 in refunds were issued," according to the prosecutors' statement.

Meanwhile, the class action lawsuit filed against Flowers Hospital in May alleges that the breach affected "thousands" of plaintiffs.

"Flowers [Hospital] flagrantly disregarded plaintiffs' ... privacy rights by intentionally, willfully, recklessly and/or negligently failing to take the necessary precautions required to safeguard and protect their PII/PHI from unauthorized disclosure," the suit alleges. The suit claims the plaintiffs' personal information "was improperly handled and stored, and was otherwise not kept in accordance with applicable and appropriate security protocols, policies and procedures," which led to the theft.


The class action suit alleges that patient information affected by the breach includes names, addresses, dates of birth, Social Security numbers, treating physician and/or departments for each individual, medical diagnoses, medical record numbers, medical service codes, and health insurance information.

"There is a high likelihood that significant identity theft and/or identity fraud has not yet been discovered or reported and a high probability that criminals who may now possess plaintiffs' PII and PHI, but will do so later, or re-sell it," the lawsuit states. It alleges the hospital violated the Fair Credit Reporting Act and contains allegations of negligence and invasion of privacy by public disclosure of private facts. It seeks unspecified damages as well as reimbursement for legal expenses.

A Flowers Hospital spokeswoman declined to comment on the criminal case involving the former lab worker or the class action lawsuit.

An attorney representing the plaintiffs in the class action suit against Flowers did not reply to Information Security Media Group's request for comment. Federal prosecutors involved with the Millender criminal case also did not respond to ISMG's request for comment.

Preventing ID Theft

Privacy and information security expert Rebecca Herold points out that a big hurdle with preventing insider breaches is that, "many organizations don't want to accept that their employees would ever take information from patients or insureds and commit a crime with them, especially within healthcare provider settings, where the focus is on patient health and well-being."

Because of that trust, "organizations often do not have the policies, processes, training, awareness reminders, oversight and auditing in place to verify that employees truly are doing the right things and have not wandered off the path of compliance onto the criminal highway," says Herold, a co-owner of the consulting firm HIPAA Compliance Tools and CEO of The Privacy Professor.

While potential insider breaches will always pose a challenge for many healthcare related organizations, there is one key piece of advice that can go a long way in preventing these incidents, Herold says.

"It always starts from the top: there must be strong support for information security and privacy initiatives from the organization's top leader," she says. "Make sure all employees know that top management expects them to work in a legal and ethical manner, and that those violating the corporate policies, and applicable laws, will face appropriate sanctions, including the potential for termination and for legal actions and jail time."


Why Small Medical Practices Struggle with HIPAA Compliance 


Over the past couple of years, cybercriminals have increasingly targeted healthcare organizations for the volume of sensitive data they have on file. When stolen, medical records containing personally identifiable information (PII) can be used to create and sell false identities, contributing to high breach costs per record that can shut your clients’ practices down. To prevent this, it’s critical that all impacted organizations maintain HIPAA compliance, have safeguards in place and establish a disaster recovery (DR) plan.

Compliance starts with awareness, but many small practices aren’t aware that they’re falling short in this area. That’s where you come in. You’re in the unique position to help clients take the proper steps towards HIPAA compliance and ensure that all guidelines are being followed. So how can you relay that message in your next MSP sales presentation? To help you get started, we’ve pulled data from NueMD’s 2016 HIPAA Survey. Leverage this chart to show clients and prospects that you are the data security solution they need to stay HIPAA compliant!

When presenting this chart in your proposal, use these talking points to illustrate how you can help clients maintain HIPAA compliance:

  1. A surprising 60 percent of respondents aren’t even aware of the new HIPAA audits that were launched in phase two. This is a huge problem, especially if you’re part of that 60 percent because you could be fined up to $50,000 per violation for not even knowing you violated HIPAA regulations. To avoid this, rely on us to be your trusted resource. We’re always up-to-date on the current compliance standards, and we can even perform a HIPAA audit that not only assesses whether your practice is compliant, but provides corrective action and possibly uncovers security issues to help you avoid potential data breaches. (Continuum offers a HIPAA Assessment Tool, which allows you to expand your service portfolio, generate additional revenue and most importantly, helps your clients survive an OCR audit.)

  2. While we help you remain HIPAA compliant through proactive and preventative IT management services and support, you also have to be prepared when disaster strikes. Sometimes cyber attacks are successful or data is compromised internally by accident. To mitigate the damage (both to your finances and reputation) and remain HIPAA compliant, you need a comprehensive DR plan. However, as this chart shows, 30 percent of respondents have yet to create such a plan, meaning they could be found in violation of HIPAA law. Rather than assume the same risk, rely on our backup and disaster recovery (BDR) solution and services; we’ll ensure patient data is securely backed up and easily restorable.

  3. HIPAA compliance is an organization-wide responsibility. You need to ensure that your staff knows how to handle sensitive data and understand the need to secure it. Partner with us to prevent yourself from becoming like the other 42 percent of respondents who do not provide annual compliance training for their employees. We regularly help conduct training courses and seminars with your employees so they can better understand how their behavior impacts data security. With our ongoing education, we help your employees do their part in maintaining HIPAA compliance, explaining best practices when creating login credentials, sending emails, receiving unknown links or seemingly harmless attachments and more. 

  4. With 80 percent of respondents being unconfident that their mobile devices are HIPAA compliant, there’s a clear need to protect those endpoints that have access to patient data. With a service such as mobile device management (MDM), you'll be able to remotely lock down and wipe the device, should it be compromised. MDM is an added security measure that ensures you’re doing all you can to keep sensitive data protected.


Is Your Medical HIPAA Compliant Website Protected? 


Every physician and medical administrator that we know is intimately—often, intensely—aware of HIPAA’s privacy and security rules. There isn’t a policy, procedure or process that isn’t carefully scrutinized as HIPAA compliant.

This isn’t legal advice, but healthcare professionals know that protected health information (PHI) and electronic protected health information (ePHI) need to be on the safe side of the Health Insurance Portability and Accountability Act and the Department of Health and Human Services.

But, physicians and medical administrators also realize that, in an Internet-driven world, confidentiality, privacy, and data security are vastly larger, dangerous and more complex issues. What’s more, hospital data and medical records are attractive targets for cyber theft and ransomware attacks.

If regulations, compliance and digital security issues aren’t compelling enough to keep you awake at night, consider this: What if your website and digital presence are not HIPAA compliant? Many ordinary, and innocent appearing, healthcare websites are not secure, or inadvertently fail to safeguard all “individually identifiable health information.”

Being HIPAA compliant is vital to every medical website…

Check with your own legal advisor, but here are some of the ways that medical websites, and HIPAA compliance, can be at risk:

Are files, storage, and transmissions secure? Data that is “in the open” (without encryption or SSL/Secure Socket Layer) is at risk. An important compliance checkpoint is having all sensitive material encrypted and secure, particularly when transmitted over the Internet.

 

Some forms can put you at risk. Generally, when a patient or prospective patient completes an online form—even elementary info such as name, phone number, email—it may be advisable to provide the data with the same level of protection as ePHI. More specifically, “individually identifiable” and “protected health information” is likely to meet the definition of electronic protected health information.

 

Social media can be a danger zone. Social media is a useful tool to talk about many things under the broad medical umbrella. That said, anything that is specific to an individual patient or identifiable info—even photographs—can violate personal privacy.

 

Use caution responding to online comments and review sites. It can be tempting to use specific, “he-said-she-said” replies to Internet-posted comments—especially negative mentions. It’s OK to be responsive, but a provider’s reply must avoid reference to a specific, identifiable or individual patient. Even acknowledging that someone is a patient would be inappropriate.

 

Your favorite iPhone or Blackberry is a target for theft. Mobile devices—a favorite among doctors—are compact and easily “snatch-able,” and that opens the door to cyber theft of stored or access information. What’s more, mobile devices themselves that are used to exchange doctor-patient communications may not be secure or HIPAA compliant.

Look for additional articles in this series…

There’s no question that compliance is vitally important for hospitals, group practices, and healthcare providers. In addition, medical websites are an important connection between the professional and the public. HIPAA’s privacy and security rules are a critical consideration. Check with your legal advisor and avoid compliance issues online.

 


HIPAA & Email

Is it possible to email patients in a HIPAA compliant manner? What can and cannot be included in an email to patients? What does HIPAA have to say about it? These questions have long been on the minds of providers as they attempt to navigate towards greater messaging options without opening themselves up to breaches, penalties or fines. Before determining if HIPAA and email can effectively coexist, let’s take a step back and understand what the HIPAA Privacy and Security rules allow.

HIPAA Privacy Rule

Per the Office for Civil Rights (OCR) of the Department of Health and Human Services webpage, “The HIPAA Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

OCR goes on to state that if the patient reaches out to a healthcare provider using email, the provider can assume that email communication is acceptable. If the provider feels the patient does not understand the possible risks of using unencrypted email, the provider should alert the patient and confirm that they want to continue with email communications.

Additionally, the Privacy Rule states that patients have the right to request a provider communicate with them by alternative means if reasonable; “For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.” See 45 C.F.R. § 164.522(b).

HIPAA Security Rule

The HIPAA Security Rule does not prohibit the use of e-mail to send ePHI; however, it does set standards to protect the integrity of ePHI and to guard against unauthorized access to it. Cited from the OCR website: “However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

Recap of the Privacy and Security Standards:

Providers may e-mail patients but they must take precautions.

Should the patient request that his/her provider use e-mail, the provider must take the necessary steps to ensure the ePHI is protected.

As a standard practice, providers should warn patients about the risks of e-mail communications.

Information shared over an open network increases the likelihood of unauthorized access. 

Best Practices for HIPAA Compliant Email

Below is a list of some best practices to ensure compliant e-mail along with adhering to the Privacy and Security Rules:

  • Encrypt e-mail messages – If the provider is not using a patient portal or e-mail application, encrypt any/all sent e-mail messages and avoid sending any PHI. Additionally, any attachments (specifically those including PHI) should be encrypted as well.
  • Capture each patient’s consent to receive communication by email – Include a communication consent form within the patient on-boarding forms to verify communication preferences and allow patients to opt in or out of e-mail correspondence.
  • Utilize a secure, HIPAA compliant email application – There are many email applications and servers designed to offer providers a HIPAA compliant e-mail offering.
  • Message patients through an EMR portal – A secure EMR portal is the perfect place to send HIPAA compliant messages to patients. Patients may log in to view appointment reminders, test results and physician/nurse messages without the threat of unsecured e-mail.

What Happens If a HIPAA Breach Affects Fewer than 500 Individuals at a Healthcare Facility? 

If your healthcare practice must comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations, a breach of protected health information may require patient and government notifications.  

HIPAA provides data privacy and security provisions for safeguarding medical information, and if that information is compromised either through a breach of your information system or sheer carelessness on the part of an employee, you may be subject to heavy monetary penalties.

But what qualifies as a HIPAA breach, what happens if it affects a limited number of your patients, and what are you required to do?

Rules That Apply

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. Such an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least these factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

2. The unauthorized person who used the protected health information or to whom the disclosure was made;

3. Whether the protected health information was actually acquired or viewed; and

4. The extent to which the risk to the protected health information has been mitigated.

Those affected by this rule have discretion to provide the required breach notifications without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.” The first applies to “the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”

The second exception involves “the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.”

In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

The final exception applies “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.”

In addition to notifying affected individuals and the media (when appropriate), you must notify the Office for Civil Rights (OCR) of breaches of unsecured protected health information by visiting the Health and Human Services (HHS) web site and filling out and electronically submitting a breach report form. If the breach affects 500 or more individuals, covered entities must notify the OCR without unreasonable delay and no later than 60 days following the breach.

Deadline Approaching

If the breach affects fewer than 500 individuals, your practice has until 60 days after the end of the calendar year in which the breach is discovered. This means that if your practice has experienced a breach affecting fewer than 500 individuals and it has not been reported yet, you have until March 1, only a few days away, to file the notification.

If you experience a breach affecting more than 500 residents of your State or jurisdiction, you must provide notice to media outlets serving the State or jurisdiction, as well as notify the affected individuals. This notification will likely take the form of a press release to the appropriate media outlets; it must be provided no later than 60 days following the discovery of the breach and must include the same information required for the individual notice.
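The two thresholds and two clocks described above, worked through as a small deadline calculator. This is an added example, not a tool from the article or from Colington Consulting; it assumes the 60-day clock for a breach of 500 or more starts at the discovery date (the article says "following the breach" in one place and "following the discovery" in another), and it takes the per-State headcounts as caller-supplied input.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# Figures from the HIPAA Breach Notification Rule as summarised in the article above.
NOTIFICATION_WINDOW = timedelta(days=60)
LARGE_BREACH = 500  # "500 or more individuals" -> OCR report within 60 days of discovery


@dataclass
class BreachRecord:
    """One breach of unsecured PHI: when it was discovered and how many
    individuals are affected, broken down by State or jurisdiction."""
    discovered: date
    affected_by_state: dict[str, int] = field(default_factory=dict)

    @property
    def total_affected(self) -> int:
        return sum(self.affected_by_state.values())


def ocr_deadline(record: BreachRecord) -> date:
    """Latest date for the HHS/OCR breach report.

    500 or more individuals: no later than 60 days after discovery.
    Fewer than 500: no later than 60 days after the end of the calendar year
    in which the breach was discovered.  That is the article's "March 1";
    when the following year is a leap year the 60th day is February 29.
    """
    if record.total_affected >= LARGE_BREACH:
        return record.discovered + NOTIFICATION_WINDOW
    year_end = date(record.discovered.year, 12, 31)
    return year_end + NOTIFICATION_WINDOW


def media_notice_states(record: BreachRecord) -> list[str]:
    """States/jurisdictions with MORE THAN 500 affected residents, each of
    which needs a media notice (typically a press release) within 60 days of
    discovery.  Note the different comparison: exactly 500 residents in one
    State meets the OCR threshold but not the media-notice threshold."""
    return sorted(s for s, n in record.affected_by_state.items() if n > LARGE_BREACH)


def notification_plan(record: BreachRecord) -> dict[str, object]:
    """Assemble the notices the practice owes and their due dates.

    The individual-notice clock (60 days from discovery) is taken from the
    Breach Notification Rule itself, 45 CFR 164.404; the article does not
    quote that figure.
    """
    discovery_plus_60 = record.discovered + NOTIFICATION_WINDOW
    states = media_notice_states(record)
    return {
        "total_affected": record.total_affected,
        "individual_notice_due": discovery_plus_60,
        "ocr_report_due": ocr_deadline(record),
        "media_notice_due": discovery_plus_60 if states else None,
        "media_notice_states": states,
    }


if __name__ == "__main__":
    # Constructed sample breaches, not real incidents.
    large = BreachRecord(date(2017, 10, 15), {"VA": 700, "MD": 500})
    small = BreachRecord(date(2017, 6, 1), {"NC": 120})
    for rec in (large, small):
        print(notification_plan(rec))
```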

Don’t Leave Anything to Chance

As you can see, HIPAA breach notification requirements are quite stringent and can be complex. If your practice has experienced a breach, the HIPAA compliance experts and former criminal investigators at Colington Consulting can rapidly respond on-site to assist your practice in conducting a HIPAA breach investigation. Their investigative process uses a systematic approach to quickly determine how the breach was caused.


ARE YOU SURE YOUR MEDICAL BUSINESS IS HIPAA COMPLIANT? 

What Exactly Is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that took effect in 2003 to ensure that patients’ medical records and other health information provided to health plans, hospitals, doctors and other health care providers are protected. HIPAA is enforced by the U.S. Department of Health and Human Services to provide nation-wide privacy and security standards for patient information, while allowing patients greater access to their medical records and more control over how their personal health information is used and disclosed. HIPAA established national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity (medical provider).

The HIPAA Security Risk Assessment

There are over 50 HIPAA Security Standards and Implementation Specifications that must be addressed with policy and procedures. They are all applicable to Covered Entities and Business Associates. The HIPAA rule is very detailed, and it is important that you not miss any compliance requirements.

One of the best ways to ensure HIPAA compliance is to implement a HIPAA security risk assessment. This will tell you what areas of your practice are in compliance, and which areas need corrections to be made in order to become compliant. No matter what, you want to make certain you are following all the requirements of the HIPAA Security Rule, as there are steep fines resulting from non-compliance.

The Three Parts of the HIPAA Security Rule

The HIPAA Security Rule requires a healthcare facility and its staff to implement specific safeguards in these three areas:

• Administrative Safeguards

• Physical Safeguards

• Technical Safeguards

These safeguards ensure the confidentiality, integrity, and security of protected health information (PHI). While “required implementation specifications” must be implemented, “addressable implementation specifications” must be implemented if it is appropriate and reasonable to do so. Your choice must be documented. Do not make the mistake of automatically thinking that “addressable implementation specifications” are optional. If you are unsure if any “addressable implementation specifications” apply to you, it is best to implement them, as most are considered to be standard “best practices” for a medical business.

The results of your HIPAA security risk assessment should provide you with a list of areas where you need improvement. This is where you will begin to work on policies and procedures to address the deficiencies by documenting and outlining all “required implementation specifications”, and all applicable “addressable implementation specifications” needed to become HIPAA compliant.

Just A Few Examples of HIPAA Policy Requirements

Here are a few examples of the types of HIPAA “required” controls you will need to implement.

One of the main requirements is controlling your staff members’ access to patients’ records. This requires a unique user identification, with login and logout, for identifying and tracking each user, as well as comprehensive HIPAA training for your staff. Often, staff will find HIPAA compliance inconvenient, but they must recognize it is for their own protection.

You must have a secure procedure for accessing PHI during an emergency. Should the power go off, do you have a back-up power source? Are your records securely backed up in compliance with HIPAA? Healthcare organizations should have a contingency plan in place for emergency operations and disaster recovery.

It is advisable to implement encryption (and decryption) for all patient data. After a risk assessment, all laptops, computers, and mobile devices may need to be encrypted. Do you have firewall protection? Is your network accessible from outside your business? Do you have intrusion protection? Is your wireless network secured? Any company that handles sensitive patient data protected by HIPAA should run a cybersecurity assessment to thoroughly check its network, determine how secure it is, and identify the measures that must be taken to close any holes in that system.

Audit controls, via hardware or software, must record and examine activity in information systems containing or using ePHI.

Transmission of all ePHI must be secure.

There are many other required and addressable specifications that need to be implemented. This is only a handful, to give you an idea of the types of issues you will need to address.

Once You Are HIPAA Compliant, Then What?

Once you have achieved HIPAA compliance, it is then important that procedures and policies be put into place to maintain compliance. Employers must keep a record that all employees have received proper HIPAA training. They need to understand how HIPAA is implemented in your office. If you switch IT companies, you will need to make certain that the new company is HIPAA compliant, and they will need to provide you with a Business Associate Agreement. Yes, HIPAA compliance is a never ending task for businesses that handle patient health information.

If you are concerned about understanding and meeting all of the “required” and “addressable” security standards and implementation specifications your business must have in order to be HIPAA compliant, consider bringing in Colington Consulting to review the status of your HIPAA compliance program. Colington Consulting’s experts know the HIPAA rules inside and out. They will help you avoid problems and steep fines by ensuring your business is meeting HIPAA compliance requirements, relieving you of any doubt about the status of your business’s HIPAA compliance.


HIPAA and Ransomware: What You Need to Know

When it comes to HIPAA and ransomware, there are some key responsibilities that health care professionals have when handling an incident. Following the regulation is essential to keeping your behavioral health practice out of the headlines and mitigating the risk to patients’ sensitive health data.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has yet to release new regulation specifically regarding HIPAA and ransomware. However, in 2016, after a string of ransomware attacks impacted hospitals and health services across North America, guidance was released on how to handle a ransomware incident should one impact your practice.

What is Ransomware?

Ransomware is a type of malware that infects your computer or network. The malicious software automatically encrypts your data, and then the hackers responsible demand a ransom in exchange for access.

Sometimes, the ransomware will even give health care providers a countdown: pay the ransom within the time allotted, or face permanently losing access to this electronic protected health information (ePHI). ePHI is any health care data that can be used to identify a patient that is stored in electronic format, such as electronic health records systems (EHRs).

How to Handle HIPAA and Ransomware

In the event of a ransomware incident, the first thing you should do is report the incident to local law enforcement. HHS guidance on the matter even goes so far as to include contacting the FBI, though this is only fully necessary for larger organizations such as hospital systems.

If you have reason to believe that ePHI has been accessed by the hackers, then you must also report the breach to OCR. If your organization already has an effective HIPAA compliance solution in place, then you should have full documentation in place that can prove to OCR investigators that you’ve done everything possible to prevent breaches.

Having a HIPAA compliance program in place can’t prevent a ransomware attack from occurring, but it’s your best defense against heavy federal fines in the event that a breach does occur. HIPAA fines have already reached $17.1 million in 2017 alone, which is set to outpace 2016’s record breaking $23.5 million.


HIPAA Requirements – Time for a Major Regulatory Change

It is only fitting that legislation that was created in the mid 1990’s be considered, as most HIPAA experts would agree, outdated. Even with changes brought about by HITECH and the Omnibus Act, the implementation specifications remain relatively unchanged. It is still one-size-fits-all when it comes to meeting the requirements.

Sure, you could argue what is reasonable and appropriate for one healthcare provider is not for another. Therefore, it comes down to how each implementation specification is interpreted, how you decipher what the Code of Federal Regulations (CFR) is asking for.

After spending 27 years working for the Federal government and being involved in policy and regulatory oversight, even I sometimes struggle with how to make sense of a particular CFR.

For larger healthcare providers that have regulatory and compliance staff, HIPAA compliance might be a bit easier. But for the smaller providers who are required to follow all of the same requirements, albeit what is “reasonable and appropriate,” this is a colossal struggle. I can see why some small providers just throw their hands up and say, “This is way too complex for us to figure out.”

When the HIPAA legislation was created, the healthcare system in this country was really starting to transform. Today, with more and more specialty practices and other types of healthcare service providers tapping into this growing market, updating regulation requirements must be a priority. It cannot be a one-size-fits-all requirement anymore. The U.S. Congress needs to take into consideration how the healthcare industry has changed, in particular with the emergence of new health related mobile apps hitting the techno-sphere. HIPAA regulatory requirements must be adaptable to meet this changing environment.

When I conduct a HIPAA risk assessment for a smaller healthcare provider and I ask a question in an attempt to adhere to the implementation specification, often I get a non-applicable response. The hard work for me is how to get that provider covered in meeting a required implementation specification if it is non-applicable. If a provider is truly making the effort with due diligence to follow the HIPAA regulations, then that should be factored into the equation. The process must allow for more discretion when it comes to some of the implementation specifications.

All of this will require legislative fixes. The U.S. Congress can rattle a few cages and give the impression there is real concern with making sure healthcare providers are doing everything they can to safeguard patient records, but until there is movement towards making necessary legislative changes, HIPAA requirements will remain as confusing to some as the U.S. tax code.

Back in the mid 1990’s, Senators Kassebaum and Kennedy, the sponsors of the insurance reform legislation that became known as HIPAA, clearly had a vision about the changing landscape of healthcare security in this country. Which current day senators will have that vision and want to undertake this monumental task in reforming HIPAA for the next decade remains to be seen. The time is now to start down this road.


Top 10 Myths of HIPAA Risk Analysis

The following is a top 10 list distinguishing fact from fiction when it comes to conducting a HIPAA Security Risk Analysis.

  1. The security risk analysis is optional for small providers. False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
  2. Simply installing a certified EHR fulfills the security risk analysis Meaningful Use requirement. False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
  3. My EHR vendor took care of everything I need to do about privacy and security. False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
  4. I have to outsource the security risk analysis. False. It is possible for small practices to do a risk analysis themselves, but it can be time consuming. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional.
  5. A checklist will suffice for the risk analysis requirement. False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
  6. There is a specific risk analysis method that I must follow. False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
  7. My security risk analysis only needs to look at my EHR. False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.
  8. I only need to do a risk analysis once. False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.
  9. Before I attest for an EHR incentive program, I must fully mitigate all risks. False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.
  10. Each year, I’ll have to completely redo my security risk analysis. False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period.

Covered Entities Must Share PHI with Patients Even if it is Requested in an Unencrypted Format

This month, Atlantic Information Services reported that covered entities must provide patients with their ePHI when they request it, in a format that the patient can open on their computer. Does this mean Covered Entities may have to send unencrypted emails containing electronic Protected Health Information (ePHI) to their patients? It depends on what the patient requests.

The HHS statement that patients have the right to access their ePHI and that covered entities “must provide this access in the manner requested by the individual” has created confusion. Covered entities are now left trying to find ways to provide patients access to their ePHI without violating HIPAA requirements.

The Privacy Rule “allows the use of unencrypted email when communicating ePHI between the healthcare provider and the patient…provided they apply reasonable safeguards when doing so”.[1]

Examples of safeguards include:

  1. Check the email address for accuracy.
  2. Send email to confirm the recipient before sending the ePHI.
  3. Limit the amount of information disclosed.
  4. Encrypt emails.

Many covered entities have policies in place requiring all email containing ePHI be encrypted, and we at Total HIPAA Compliance fully support these policies. Patients may complain about opening an encrypted email, but the alternative is that you are potentially exposing their unencrypted Protected Health Information to all kinds of unknown risks. An unencrypted email can go through multiple servers before it reaches its final destination, and every server it stops in on its way to its final destination is another potential failure point.

How do you protect your patients while giving them access to their information in the format requested?

  1. Don’t explicitly offer unencrypted communication – I know this sounds disingenuous, but if you have a communication request from a patient, it’s always best to default to sending those communications encrypted.
  2. Explain the risks of sending unencrypted communications – Most non-technical people don’t understand the risks they are taking by sending communications unencrypted. You can compare the privacy level to sending an electronic postcard listing all their requested information. It is estimated that medical identity theft costs an individual $13,500.[2] This is a major reason to insist that all communications with patients be encrypted.
  3. Make the barrier for unencrypted communication high – HHS states that if the healthcare provider feels the patient is not aware of the risks of using unencrypted email for ePHI, or has concerns about liability, they can inform the patient of those risks and allow the patient to make the decision. If the patient then decides to request receipt of the ePHI by unencrypted email, the covered entity will be exempt from possible liability because the patient has given explicit permission to receive the ePHI in unencrypted form. Make sure the client signs off each time an unencrypted communication is requested. This burden may push a client to receive information encrypted.
  4. Here is a form you can use if a client insists on having communications sent unencrypted.

Ways to Make Patient Communication Easier While Using Encryption:

Patient Portals
A patient portal is a secure website that patients can access with a username and password. Portals allow patients to access their ePHI through an internet connection. This is an elegant way to provide the patient with their PHI and not expose the information to hackers.

Use a different encrypted email provider
There are many HIPAA compliant email encryption services you can use. Some are easier for patients to use than others. If your patients are consistently complaining, maybe it’s time to look into a new provider. There are many great options out there that will integrate with your EHR.

Two of our favorite encrypted email platforms for ease of use and cost are:

  1. Virtru: This application integrates with almost any email provider. Virtru Pro is HIPAA compliant, and the company will sign a Business Associate Agreement. Virtru offers end-to-end encryption with the ability to revoke a message at any time. Virtru makes it easy for the sender to encrypt messages and for the receiver to respond encrypted.
  2. Protected Trust: This is another great product. The email recipient has to be registered with Protected Trust, but registration is free for your patients. Protected Trust offers many verification options for the recipient, including a phone call or text message to verify their identity. It is easy to use for the receiver, since they do not have to install any software or create a new email address.

The HIPAA Omnibus update strives to make communication between providers and patients easier as well as protect the privacy of your patients. This can be tricky for the health care provider, but patients always have the right to access their own PHI, and it is up to healthcare providers to grant them that access. As patients begin to demand more communication, covered entities will have to figure out the best way to do this, while remaining HIPAA compliant.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Bring Your Own Device (BYOD) Guidance 

Bring Your Own Device, or BYOD, is when employers allow their employees to use their own electronic devices (phones, computers, tablets, etc.) on the organisation's network.

BYOD has progressed from infrequent implementation to the norm. In 2015, Tech Pro Research released a study which reported that about 74% of respondents were already using or planning to use BYOD in their organization.¹

Despite its growth, not many organisations are completely confident in BYOD. In 2016, NueMD conducted a HIPAA survey. In this survey, they asked participants how confident they are that the devices they use in their business are HIPAA compliant, and found that only 20% of respondents were at all confident.

BYOD can open organisations up to serious security issues if not handled correctly. Since employees are using their own devices, they will take these devices home (and everywhere else); thus, there is more of a chance for these devices to be lost or stolen. Electronics were much more secure when it was the norm to leave them in the office, and it was up to the company to protect those devices. Now, with BYOD, employees will have to use extra caution in order to keep their devices safe.

BYOD also opens up organisations to malware. With an employee using the device for personal use as well, it is easier for a phishing email to reach the employee if the proper security software is not loaded. In addition, malware may be part of a download when unapproved applications are added by the employee. That malware would then affect everything on the device, including work related information. This puts the PHI on your network at risk.

Obviously, there must be some positives to BYOD, or it would not be as popular as it is. The main advantage is that it cuts costs for the organization. If employees can bring their own devices, organisations save money because they do not have to pay to provide devices for employees. BYOD also results in better productivity because employees are using a device they already understand. No time is wasted on training employees how to use the device.

The implementation of BYOD has grown every year. Eventually you will need to consider BYOD and establish guidelines for implementing it on your network that respect the privacy of the user’s device. Access should only be requested for security reasons outlined in your policy. If you do choose to implement BYOD, it’s important to clearly define this decision in your policies and procedures.

First, you should have policies and procedures in place outlining the use of devices on your network. The policies and procedures should include:

  1. Acceptable uses:
    1. What apps are employees allowed to run?
    2. What websites should and shouldn’t be accessed?
    3. Can they be used for personal use during work?
  2. Acceptable devices:
    1. Will you allow laptops, phones, and tablets?
    2. What type of devices will you allow (Apple, Android, Windows, Blackberry, PC, etc.)?
    3. How are you encrypting devices?
  3. Policies:
    1. Is the device configuration set up by the organisation's IT department?
    2. Is connectivity supported by IT?
    3. How often will you require a password change?
    4. Do you have a remote wipe policy?

Second, decide whether or not to implement Mobile Device Management (MDM).  MDM creates a single unified console through which IT can administer different mobile devices and operating systems. MDM allows an organisation's IT department to do things like remotely wipe devices, encrypt devices, secure VPN, and locate devices.

MDM allows you to selectively wipe information from lost or stolen devices. Some devices, such as iPhones, have a built-in application (i.e. Find My iPhone). Android phones can be tracked and wiped using Android Device Manager. Both applications are great for individuals, but not necessarily the best option for an enterprise situation where you will need to track more than one device. Wiping a device is a heavy-handed approach that may make employees hesitant to use their device on your network, as all of their personal information could be wiped along with work-related data. With a BYOD policy in place, employees know what’s expected of them when they use their personal devices at work, including the possibility that the company will use MDM to remotely wipe information as needed.

Alternatives to consider are Mobile Application Management (MAM) and agentless BYOD. MAM is software that controls access to mobile apps on BYOD devices. A report by Bitglass found that only 14% of participants had adopted MAM. Accordingly, MAM never really took off, and MDM has now stagnated due to privacy concerns.³ Their solution is Bitglass Agentless BYOD, which protects corporate data on any device without an application. It also has an automated deployment process that does not require IT intervention. Agentless BYOD is meant to be more secure and less strict on the employee because of its selective wiping capabilities.⁴

Finally, a BYOD policy agreement should confirm that the BYOD user understands and agrees to the policies and procedures. The user should also understand that the organization owns the work-related information on their device. Therefore, the organization has the right to take away access to the company network at any time. The BYOD agreement should be signed by the user, a department manager, and IT.


HIPAA and Social Media: Avoiding Costly Mistakes | Eyemaginations

A nurse inspired by a young chemotherapy patient’s courage posts a photo on her personal Facebook page, being careful not to use the patient’s name. A practice manager posts a photo of an office party on Instagram; a stack of patient files is in the background. A nurse writes an angry blog post about an alleged cop-killer who is being treated at the hospital where she works, but does not name the patient, victim, or her employer. What do all of these scenarios have in common? They are all examples of HIPAA violations that led to a healthcare professional being reprimanded, fined, or fired.

You may think your practice is up to date on patient privacy, but changes in HIPAA policies, healthcare information technology, and the explosion of social media have changed the game. “Despite widespread awareness of the need to store and send sensitive patient data securely, physicians and practices run afoul of HIPAA rules on a regular basis, which opens the door to both civil and criminal penalties,” reports Medical Economics. The maximum HIPAA fines have increased to a whopping $50,000 per violation.

Here’s what you need to know about HIPAA and protecting your patients and your practice in this age of social media and oversharing.

Decoding ‘patient identifiers’

Because there are new social media platforms emerging all the time, it can be daunting to figure out what’s OK to post and what’s not. First, you and your employees need to understand what is considered a HIPAA violation on social networks. Most healthcare professionals know to avoid impermissible use or disclosure that compromises the security or privacy of a patient’s protected health information (PHI). The confusion arises in defining what PHI is and is not.

HIPAA specifies 18 identifiers beyond a patient’s name that must be kept private. One of those is “full face photographic images and any comparable images,” which is where the nurse mentioned in the Facebook example above ran afoul of HIPAA. This even includes recognizable patient photos or files in the background of photos, such as in the office party example above. You’re not even in the clear if you’re simply reposting or “regramming” photos of a patient sharing all the details of their medical issues on their own social media accounts. If the patient can be identified, don’t do it.

It’s also important to consider things that might be “patient identifiers” besides a person’s name or face. In one case, a nurse posted a comment on a small-town newspaper’s blog that mentioned a patient’s age and mobility aids, which were enough to figure out whom she was discussing. “In small communities especially, people can quickly determine who is in the hospital and for what with just a few details. Innocent comments about a patient lead to identification,” notes Kyna Veatch on the legal website Law360.com.

This also goes for celebrities and high-profile people. In the case of the nurse mentioned above who angrily shared her views about a patient online, news coverage about the murder case made it clear whom she was talking about. Another common example of HIPAA violations is when staffers cannot contain their excitement about treating a pro athlete or well-known TV personality and “overshare” on social media. “Posting verbal ‘gossip’ about a patient to unauthorized individuals, even if the name is not disclosed” can get medical practices into hot water with HIPAA, warns the company Healthcare Compliance Pros (HCP).

HIPAA do’s and don’ts

Let’s look at some best practices related to HIPAA and social media:

Do keep your and your employees’ personal social media accounts separate from the practice accounts. “Some ophthalmologists choose to create personal pages with pseudonyms that only their friends and family know,” notes Veatch. “This keeps patients from searching for them and sending friend requests.” Avoid “friending” patients on personal or practice accounts, and advise your employees to do the same.

Don’t make the mistake of thinking that posts are private or disappear once they have been deleted. Search engines and screenshots can make even deleted posts permanent. As a general rule, don’t post anything you wouldn’t be comfortable sharing in public. “If there is any doubt at all about a certain post, picture, or comment then check with your compliance officer or even a colleague before publishing,” advises HCP.

Do speak up when patients are asking for medical advice online. Crowdsourcing your medical care on social media is never a good idea, but people do it all the time. Doctors can offer advice as long as it’s general and not specific to one patient. Sharing a patient education video on a particular health topic or condition can be one way to do it. “Speaking to patients as a collective on social media should steer providers away from any privacy risks,” per physician and social media expert Kevin Pho of KevinMD.com. If an unknown patient reaches out and asks a personal health question on social media, “take that conversation offline with a standard response that asks the patient to call the office and make an appointment, or if an emergency, to call 911 or go to the emergency department,” he advises.

Don’t overlook staff training. Educating your staff and having a solid social media policy in place is imperative to HIPAA compliance, according to Healthcare IT News. Your policy should define social media, mention specific sites, and describe what information employees are allowed to post online and what is off-limits, on both the practice pages and their personal pages. As Healthcare IT News states, “When employees post on social media, not only do they represent themselves, they represent the employer, the office, and all healthcare professionals.”


Why 'Adaptive Defense' Is Critical

As hacker attacks, such as the breach of Anthem Inc., become more common, it's more critical than ever for organizations to carry out a comprehensive "adaptive defense model" to protect sensitive information, says Dave Merkel, chief technology officer at FireEye.

Although the model should incorporate several technologies, including multi-factor authentication, encryption and intrusion detection systems, it must go beyond that, Merkel says in an interview with Information Security Media Group.

"You also have to have intelligence," he notes. "The bad guy has [intelligence] about you, why don't you have it about the bad guy?"

Organizations also have to ensure they have expertise to protect data, detect breaches and respond appropriately, he stresses. "The bad guys are always innovating, so you have to also."

Going beyond a focus on breach prevention is essential, Merkel says, because breaches are inevitable. "You need to be analyzing, hunting in your environment, looking for attackers constantly with your human expertise, and then when you identify something that might be an incident, you have to respond, and you have to do it quickly ... so if you do have an event, you go from identifying the event to resolving it in minutes, as opposed to what we unfortunately frequently see, which is resolving it in weeks or months or potentially years."

Mandiant, a FireEye company, is working with health insurer Anthem in the digital forensic investigation of a hacking attack that may have exposed up to 80 million individuals' unencrypted information, but Merkel says he cannot yet reveal any details. The breach is believed by Anthem to have begun with phishing e-mails sent to a handful of its employees.

In the interview, Merkel also discusses:

  • How spear phishing and social engineering schemes are becoming more sophisticated, and why organizations need to put effort into learning more about potential bad actors and their motivation for attacks;
  • Why neither encryption nor multifactor authentication are silver bullets to protect data;
  • Why the healthcare sector is a growing target for hacker attacks.

Merkel has more than 15 years of experience in the information security and incident response fields. Before joining FireEye, he was CTO and vice president of products at cybersecurity firm Mandiant, which was acquired by FireEye, where he focused on shaping the strategy and direction of the company's technology and engineering solutions. Earlier, Merkel spent more than seven years leading a team of technologists at America Online to protect corporate systems and network infrastructure. He was also a special agent with the United States Air Force Office of Special Investigations.
