HIPAA Compliance for Medical Practices
69.8K views | +10 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Top 5 HIPAA Compliant Cloud Storage and File Sharing Services

Top 5 HIPAA Compliant Cloud Storage and File Sharing Services | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organizations are embracing the many advantages of cloud computing, including its scalability, cost-efficiency, and flexibility. While the cloud makes file storage and sharing easy and convenient, its security risks are numerous enough to have given rise to the CASBcategory. Before implementing a solution, however, it’s important to understand how industry regulations impact cloud adoption — and what to look for when selecting a cloud-storage service provider. For healthcare organizations, HIPAA-HITECH compliance can be a major deciding factor.

 

We’ve compiled the top 5 most popular cloud storage services that are HIPAA compliant. Before we go into those, let’s first take a look at how HIPAA-HITECH applies to cloud storage software.

Why HIPAA applies to cloud storage

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the goal of protecting the privacy of sensitive patient information. Covered entities under the law include healthcare plans, health care clearinghouses and certain types of healthcare providers.

 

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA’s requirements to business associates. A business associate is any service provider who has access to the protected health information (PHI) of a covered entity. This also includes subcontractors who create, receive, maintain or transmit PHI on behalf of a business associate, including cloud providers.

 

In addition to extending the law to cover business associates, the HITECH Act dramatically increased HIPAA penalties. Pre-HITECH penalties were limited to $100 per violation and a maximum of $25,000 for “identical violations of the same provision” in the same calendar year. The new penalties have a tiered structure between $100 and $50,000 per violation based on “increasing levels of culpability” and a maximum of $1.5 million for identical violations per year.

 

The Department of Health and Human Services’ Office of Civil Rights Management (OCR), which is responsible for HIPAA enforcement, has stepped up its efforts once HITECH amplified the consequences of HIPAA non-compliance. Both the number of settlements and the average fines have been growing since 2012.

 

The number of OCR settlements in the first eight months of 2016 are already double those of 2014, even with four months still left in the year. Of the 10 settlements announced through the end of August, six were larger than $1 million, and the average of the 10 was over $2 million. OCR also settled the largest fine to date, $5.5 million, with Advocate Health Care, in 2016. The fine stemmed from three separate breach incidents affecting a total of 4 million people.

 

In addition, in 2016 OCR levied its first fine against a business associate. Catholic Health Care Services, which provides management and information technology services to skilled nursing facilities, paid a $650,000 fine after PHI was compromised when a company-issued iPhone was stolen. The iPhone was not encrypted and did not have a password lock.

HIPAA’s impact on cloud adoption

The HITECH Act added a notification requirement — covered entities and business associates must notify OCR after a breach of unsecured PHI affecting more than 500 individuals. OCR’s breach database shows that a large number of the reported breaches stem from stolen or lost laptops, mobile devices, and portable media such as thumb drives. A properly executed cloud environment can solve the challenge of securing those endpoints.

 

A cloud storage service becomes a business associate if they stores PHI on behalf of a healthcare organization, and thus the service must be HIPAA-compliant. The law protects not only the privacy of the data but also its integrity and accessibility. HIPAA’s Security Rule, which addresses electronic PHI, includes physical and technical safeguards such as audit controls and access controls, as well as administrative safeguards such as data backups and security incident procedures.

 

In addition, cloud-storage services must sign a business associate agreement (BAA) with the healthcare organization that stipulates the vendor’s compliance with HIPAA requirements. Many of OCR’s settlements include lack of properly executed BAAs among the violations.

 

In 2015, OCR settled with St. Elizabeth’s Medical Center for $218,400 after investigating a complaint that the organization’s employees used an internet-based document sharing application to store ePHI without analyzing the risk of that practice. “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” OCR Director Jocelyn Samuels said in announcing the settlement.

5 cloud storage services that are HIPAA-compliant

HIPAA does not prescribe specific methods or tools for how to secure data; however, encryption is encouraged as a best practice. Breached data is not considered unsecured if the PHI “is rendered unusable, unreadable or indecipherable to unauthorized individuals.” According to HIPAA guidance by the Department of Health and Human Services (DHHS), encryption processes that follow NIST (National Institute of Standards and Technology) criteria meet the above requirement.

 

Some cloud services, including iCloud, don’t provide BAAs, while others don’t encrypt data both at rest and in transit. Some services, such as Amazon S3, are not HIPAA compliant out-of-the-box but can be configured with some customization.

 

The following cloud storage services offer HIPAA support that include BAAs and encryption of data in transit and at rest:'

 

Dropbox (Business)

The company announced support of HIPAA and HITECH Act compliance in November 2015. It now provides BAAs for Dropbox Business customers. Administrative controls include review and removal of linked devices, user access, user activity reports, and enabling two-step authentication.

 

The business version costs $12.50 per month per user, starting with five users. It includes unlimited storage and file recovery, Office 365 integration, advanced collaboration tools, system alerts and granular permissions.

Box

Having added HIPAA/HITECH support in 2013, Box has been actively marketing to healthcare customers. BAAs are provided for enterprise accounts. Features include access monitoring, reporting and audit trail for users and content, and granular file authorizations.

 

Box integrations include Office 365, DocuSign, Salesforce, and Google, among others. It also allows for securely viewing DICOM files (for X-rays, CT scans and ultrasounds) and for securely sharing data through a direct messaging protocol.

Google Drive

Google offers a BAA for Google Apps for Work customers. Covered apps include Docs, Sheets, Slides, and Forms as well as several other services such as Gmail. (Some core and all non-core apps from the Google App family are excluded.) Administrative controls include account activity and app activity tracking, audits, and file-sharing permissions.

 

Google Apps for Work offers two plans. At $5 per user per month, it includes 30GB of storage space. The $10 per user per month plan has unlimited storage (or 1TB per user if fewer than five users) and several advanced features such as additional administrative controls, audit and reporting for Drive, and Google Vault for eDiscovery.

Microsoft OneDrive

Microsoft supports HIPAA/HITECH by offering BAAs for enterprise cloud services, and it has some of the best security practices in the industry. The security features are the most robust at the Enterprise E5 level, which costs $35 per user per month.

 

Enterprise E5 includes 1TB of file storage and sharing, advanced security management for assessing risk and gaining insights into threats and advance eDiscovery.

Carbonite

BAAs are provided for Carbonite for Office customers. Safeguards include offsite backup for disaster recovery; compliance with the Massachusetts Data Security Regulation, which the company says is widely accepted as the most stringent data protection in the country; and data encryption both in the cloud and on the local endpoint (as well as in transition).

 

Three office plans are offered, ranging from $269.99 to $1,299.99 per year. The first two tiers include 250GB of storage and the ultimate version has 500GB; additional storage packs can be purchased with all plans.

Your vendor’s HIPAA certification is not enough

The fact that a cloud storage provider offers BAAs, specific administrative and security controls, and encryption may not, in and of itself, make a healthcare organization HIPAA compliant by default.

 

This is how Microsoft explains it: “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

 

HIPAA covered entities and business associates must carefully examine the cloud vendor’s specific provisions and policies before using a service for PHI. Ultimately, the covered entity or business associate is the one responsible for making sure all it’s regulatory mandates are being followed.

 

Making sure the PHI is encrypted in the cloud is only the first basic step. OCR also places an emphasis on risk assessment and management. Prior to adopting any new cloud service, organizations should conduct a comprehensive risk assessment and ensure policies, processes, and technology are in place to mitigate risks. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance Checklist and Employee Sanctions 

HIPAA Compliance Checklist and Employee Sanctions  | HIPAA Compliance for Medical Practices | Scoop.it

A HIPAA compliance checklist is the tool to turn to when imposing sanctions on employees for HIPAA privacy breaches.  It may feel like a never-ending and thankless task, but consider the alternatives.  It can be tempting to adopt a “no harm, no foul” approach to employee sanctions.  But this is not the way the Office for Civil Rights, the government agency that investigates HIPAA breaches, looks at things.  To that end, your HIPAA Compliance Checklist must also address employee sanctions.

HIPAA is all about protecting PHI

There are numerous examples of the OCR imposing penalties on organizations for not protecting PHI.  And these penalties are imposed even though there was no evidence of anyone receiving or accessing any PHI in cases where a breach occurred.

  • The OCR considers encryption of ePHI by malicious software (e.g., ransomware) to be an unauthorized disclosure not permitted under the Privacy Rule.  Even in a ransomware attack, an organization could reasonably conclude there is a low probability that the PHI has been compromised.  But if it cannot reach that conclusion,  it is required to comply with the applicable breach notification provisions.  And this is the case even if there is no evidence that the PHI was viewed by anyone else.
  • An employee of Cancer Care Group of Indianapolis left unencrypted back-up media in a bag in a car; the car was broken into and the bag stolen.  There was no evidence that any information was ever disseminated, but the OCR imposed a penalty of $750,000 on the group.
  • In 2014, the OCR imposed a fine of $400,000 on Idaho State University for a breach of unsecured ePHI.  This was because the school had left its firewalls disabled for over 10 months!   Again, there was no indication PHI was accessed by any unauthorized persons; it was simply not protecting its PHI.

These are just a few examples of settlements, some involving employees failing to follow procedures, or where there were no procedures at all.  In these case, penalties were imposed but no information was shown to have been accessed by unauthorized parties.

HIPAA compliance requirements do not explicitly link employee sanctions to reportable HIPAA breaches

It is certainly possible to have an unauthorized disclosure that is not a reportable breach.  The definition of a breach is the acquisition, access, use or disclosure of protected health information.  This is done in a manner not permitted under the regulations.  And the disclosure compromises the security or privacy of the protected health information.

These days, employees are often the source of breaches.  They include events from lost laptops to including PHI in social media posts occurring almost daily.  It is very important to include a policy on employee sanctions in your HIPAA Compliance Checklist.  An employee sanctions policy can and should take into account the potential harm from the unauthorized disclosure.  But a “no harm, no foul” approach may leave the organization open to penalties by the OCR.

A HIPAA compliance checklist for employee sanctions policies should address several issues

  1. The policy should reference Section 164.530 of the Administrative Requirements, which requires covered entities to have and apply appropriate sanctions against members of their workforce.
  2. Section 6102(b)(4)(F) of the Affordable Care Act also requires that the standards be consistently enforced through disciplinary mechanisms.
  3. Most policies utilize a Level system, tying the action of the employee and the effect on unauthorized disclosure of PHI to the sanction recommended.  Levels could start from situations where an employee did not follow procedures, but there was no unauthorized disclosure of PHI.  Levels usually top out at situations where the actions were malicious and willful, causing harm or intending to cause harm to the patient.
  4. Mitigating factors may be enumerated, and repeated patterns of violation may result in a higher level of discipline.

Employee Sanctions should be standardized

Organizations usually strive to administer most disciplinary policies in a consistent, standardized way.  Employee sanctions for HIPAA violations are no different.  Inconsistent application can carry consequences ranging from confusing messages to erosion of public trust to vulnerability to penalties and fines.

One way to increase standardization of disciplinary actions is to develop a grid, matching the riskiness of the actions to the level of sanction.

The HIPAA regulations explicitly require organizations to have and apply appropriate sanctions against workforce members who fail to comply with the privacy policies and procedures of the organization.  While sanctions can be related to the incident and the potential harm, they also need to demonstrate that the organization is taking seriously its responsibility to protect the privacy of patient information – even when there is no evidence of unauthorized disclosure or when the breach is not reportable.

Regardless of the method you choose to develop employee sanctions, make sure your HIPAA compliance checklist addresses appropriate sanctions, and implement your policies consistently!   Healthcare Compliance requirements must be truly effective.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Is Your Practice HIPAA Compliant?

Is Your Practice HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

Is Your Practice HIPAA Compliant?

With considerations and requirements that can be somewhat overwhelming, achieving HIPAA compliance can be quite challenging for medical practices. Even for those well acquainted with HIPAA provisions, there’s always the possibility of gaps and weaknesses. According to the Department of Health & Human Services (HHS), an average of 1,445 complaints has been submitted each day during the calendar year 2018. This staggering statistic means there is much cause for concern.

 

Often, the missteps in HIPAA compliance aren’t deliberate or due to lackadaisical procedures, but rather the result of insufficient documentation and/or inefficient tools. The first step in determining where your vulnerabilities lie is through a Security Risk Analysis. However, a Risk Analysis is often considered the Achilles heel for practices, requiring substantial documentation on multiple processes and contingencies. While the many complex layers of a Risk Analysis present multiple opportunities for errors to occur, its importance in passing audits and being prepared is invaluable.

 

Security Risk Analysis

The Office of Civil Rights (OCR) has determined that the Risk Analysis, which is derived from the Security Rule, to be the foundation of a HIPAA-compliant program. The Risk Analysis and its significance in HIPAA compliance impacts every part of the healthcare ecosystem. There are no opt-outs of HIPAA compliance, no matter the size of an organization or any other influencing factors. Every organization that transmits any Personal Health Information (PHI) in an electronic format or in data content in connection with a transaction for which HHS has adopted a standard, must be HIPAA-compliant. This includes providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, HMOs, company health plans, government and military/veteran health care programs, health care clearinghouses, and/or MACRA/MIPS participants.

 

In straightforward terms, per the HHS site, the purpose of the Risk Analysis is to “conduct an accurate and thorough assessment of the potential risk and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].” To ensure that information is protected and safeguarded by HIPAA standards, the Risk Assessment takes into account three separate organizational areas: physical, technical, and administrative. Each division must have its own plan for compliance, detailing both strengths and possible weaknesses. It’s also not a one and done type of exercise–plans must evolve throughout a healthcare organization’s lifespan.

 

Risk Analysis and Meaningful Use

In today’s medical profession, failing a Meaningful Use (MU) audit isn’t as uncommon as one would hope. In fact, the Morning eHealth section of Politico magazine reported that according to Centers for Medicare & Medicaid Services (CMS) data, 209,000 doctors and providers were penalized for failure to meet MU standards in 2014, which is approximately two in five physicians practicing in the U.S. Failing a Meaningful Use audit often comes down to the same weak link—either the lack of, or the insufficiency of, a practice’s Risk Analysis. And further reports on 2016 HIPAA audits by HHS.gov have found that organizations did not have an adequate Risk Analysis 83% of the time. As the foundation for HIPAA compliance, it’s simple to see that Risk Analysis deficiencies can impact many other components of the compliance network as well.

Risk Analysis: The Center Piece of a Much Bigger Compliance Puzzle

Risk Analysis sets the tone for HIPAA compliance and having a sound plan that details strategies in all three areas are essential. However, many other pieces must fit together to complete the puzzle. Remaining compliant is an ongoing act of vigilance. Policies and procedures must be drafted that define processes to safeguard PHI, and should include Disaster Recovery and Business Continuity Plans—compliance must continue even when the worst scenario occurs. In addition, everyday operating initiatives must be supported, such as password protocols and staff training. In fact, staff should be trained in PHI security within 90 days of hire, with continued education scheduled on an annual basis.

 

Furthermore, organizations should set in place routine procedures to ensure patients sign required HIPAA-related notices and forms, during both new patient onboarding, and on an annual basis going forward. It is also essential to regularly verify that vendors and other providers that interact with a patient’s PHI are not only HIPAA-compliant but have executed Business Associate Agreements to offset any liability in the case of a breach. Lastly, retaining HIPAA documentation in both hard copy and digital means practices have information readily accessible to confirm compliance.

Ensure Compliance: Join ChartLogic’s Webinar “Are You HIPAA-Compliant?”

In today’s modern electronic healthcare world, HIPAA compliance is mandatory, crossing all sectors of the healthcare industry. To avoid costly penalties, data violations, and breaches in doctor-patient trust, small practices, and large organizations alike must keep current with the HIPAA landscape and ensure that weaknesses in their systems are turned to strengths.

Join a free webinar hosted by Abyde & ChartLogic to learn more about Security Risk Analysis and other related HIPAA requirements. In this complimentary educational HIPAA compliance webinar, other topics covered will include:

  •  HIPAA Privacy & Security Rules simplified
  •  MACRA/MIPS & Meaningful Use HIPAA Compliance requirements explained
  •  Statistics from the most recent HIPAA audits
  •  Passing an audit
  •  Software solutions for HIPAA compliance

 

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.