HIPAA Compliance for Medical Practices
62.2K views | +16 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

5 Essential Steps to Ensure an Effective HIPAA Program

5 Essential Steps to Ensure an Effective HIPAA Program | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance is a term that is often thrown around the healthcare industry; however, I commonly ask myself – is the meaning of HIPAA Compliance the same throughout the industry? The answer is NO! Walking into a healthcare organization in the last month, the HIPAA Privacy Officer was excited to tell me that they are fully HIPAA compliant and don’t have any on-going concerns with meeting the regulations. A quick review of the documentation requirements and auditing practices indicated that there were many missing holes in their HIPAA Compliance Program. As I spoke with the HIPAA Privacy Officer, she provided me with the tool she used to get to their current state with HIPAA. Needless to say, the tools were missing core components of documentation requirements and didn’t have specific essentials for on-going maintenance for compliance. This left the organization at risk for a HIPAA data breach or unauthorized use or disclosure of health information!

Trying to achieve a satisfactory level of HIPAA compliance at an organization can be a frustrating and daunting task. Sitting down looking at the rule can be overwhelming. Digging through the pages of information in a HIPAA manual or diving into the Federal Register can be impossible with all the other tasks assigned within a job. In addition, it is easy to want to sit down and solve the HIPAA compliance issue you have in one day or one week; however, this often leads to failure and inability to create a program that protects your patient information.

We don’t wake up one morning, decide to run a marathon and go out and accomplish the overwhelming 26.2 miles (well most of us). Normally if you are going to run a marathon, you find a training program that lasts 16-18 weeks, create a plan for cross training activities within your training program, and ask for support and help along the way. That concept and mindset can transferred to HIPAA compliance as well!

One of the most effective ways to properly implement a solid HIPAA program is creating an action plan for compliance and assigning small regular tasks to get through entire HIPAA regulation. It is very important that HIPAA is an on-going process within the organization. It is not just a ‘one and done’ type of regulation due to the nature of work that we do in healthcare and the vast changes within our technologies used.

To help with HIPAA Compliance – here are 5 Essential Steps that must be taken to achieve a solid HIPAA Compliance Program.

 
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Requirements – Still Posing a Challenge for Healthcare Organizations and Business Associates

HIPAA Requirements – Still Posing a Challenge for Healthcare Organizations and Business Associates | HIPAA Compliance for Medical Practices | Scoop.it

Last fall, during the HIPAA Security Conference in Washington, DC, statistics were released by the HHS Office for Civil Rights detailing the types of security breaches that were reported. The biggest takeaway was that 80% of the reported breaches were caused by human error. That astonishing figure clearly indicates that one of the primary reasons these breaches are occurring is due to the lack of employee training in HIPAA requirements and safeguards.

 

The reported breaches were caused by theft, loss, unauthorized access or disclosure, and improper disposal of protected health information. All, if not most of the causes are preventable. The HIPAA Security Rule mandates that if your organization is a Covered Entity or a Business Associate, you must have a HIPAA Security Awareness Training Program in place.

 

The HIPAA Security Rule specifically states that a Covered Entity or a Business Associate must provide training that meets the requirements of the Code of Federal Regulation, as follows:

 

  • The training for a Covered Entity or Business Associate must cover all policies and procedures with respect to safeguards for electronic protected health information;
  • Each member of the Covered Entity's or Business Associate’s workforce must receive the training;
  • The training must occur within a reasonable period of time after the new staff member joins the Covered Entity's or Business Associate’s workforce;
  • A Covered Entity or Business Associate must document that the training was provided;
  • Training must occur on an annual basis, at minimum.

 

Keeping a workforce educated and aware of how to prevent HIPAA regulation breaches is critical to any compliance program. Training a workforce must be ongoing and comprehensive and not just ticket punching to meet the annual regulatory requirement. The use of periodic security reminders is vital. Discuss best practices to safeguard protected health information on a regular basis, such as during staff meetings or through email reminders.

 

Reinforcing an organization’s HIPAA Sanction Policy can highlight the serious repercussions, including disciplinary actions or termination, if someone in your workforce violates policy and procedures.

 

Protenus, an organization that advocates patient privacy protection, recently released a white paper that examined the cost of data breaches to healthcare companies. The costs reported in the paper are staggering, e.g., “Breach notification costs $560,000 on average;” and “for each data breach, healthcare organizations average $3.7 million in lost revenue.”

 

Among 2016’s HIPAA settlements, there were three substantial fines in the amounts of $5.5, $3.9, and $2.75 million. This year began with another large settlement of $2.2 million in a case involving the theft of an unencrypted USB drive containing the protected health information of 2209 individuals.

 

HIPAA training and education is cost effective and plays a critical role in reducing or even eliminating breaches caused by human error  that can result in substantial fines. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

10 Reasons to be HIPAA Compliant

10 Reasons to be HIPAA Compliant | HIPAA Compliance for Medical Practices | Scoop.it

Here is a reprint of a recent online article submitted by Nick McGregor and posted by CMIT Solutions. # 7 on the list calls for an increase in enforcement of HIPAA compliance by HHS. More of an incentive to make this a priority if your small practice has not done so already.

Rather than asking, “What has changed for your business in the health care realm this year?” the better question might be, “What hasn’t changed?”

The Affordable Care Act, premium increases, existing policy cancellations, enrollment period confusion, continuing IT problems with the HealthCare.gov website… Each of these minor health care earthquakes has shaken the small business community to its core.

Add in constant worries about data security and IT functionality and it can be enough to drive a business owner mad. But there’s one feature of the health care landscape that represents an even more critical decision: new HIPAA rules, regulations, and compliance requirements.

If your business has any contact with electronic health records or medical information, either as a Covered Entity (CE) — health care provider, health plan, or health care clearinghouse — or a Business Associate (BA) — any vendor or subcontractor that helps a CE carry out its activities and functions — HIPAA compliance should be of the utmost importance for you.

Why? The following 10 reasons provide a good start:

  1. The HITECH Act and HIPAA Omnibus Rule have substantially increased civil penalties for non-compliance. The penalty cap for HIPAA violations was increased from $25,000/year to $1,500,000/year per violation. Willfully ignoring or failing to be compliant means mandatory investigations and penalties can be initiated by any complaint, breach, or discovered violation.
  2. New Breach Notification rules will increase the number of HIPAA violations determined to be breaches. The HIPAA Omnibus Rule expands the definition of a breach and the consequences of failure to address it properly. Providing proper notification can trigger federal investigations and eventual fines and penalties.
  3. The mandated deadline for new HIPAA compliance rules has already passed. All Covered Entities and Business Associates were required to update their HIPAA policies, procedures, forms, and Notices of Privacy Practices by September 23, 2013.
  4. All Covered Entities must have documented policies and procedures regarding HIPAA compliance. Recently, a dermatology practice in Concord, MA, learned this lesson the hard way, getting slapped with a $150,000 fine for allowing the health information of just 2,200 individuals to be compromised via a stolen thumb drive. The company also had to incur the cost of implementing a corrective action plan to address Privacy, Security, and Breach Notification rules.
  5. Business Associates are now required to be compliant with HIPAA Privacy and Security Rules. Business Associates will be held to that standard by Covered Entities, who are now responsible for ensuring their BAs are compliant.
  6. While Meaningful Use incentives for Electronic Health Records (EHR) are optional, HIPAA compliance is not. If you manage Protected Health Information (PHI), you must comply with federal regulations or face substantial civil and criminal penalties. If a Covered Entity accepts Meaningful Use funding, a Security Risk Analysis is required — and any funding may have to be returned if adequate documentation is not provided upon request.
  7. The Department of Human & Health Services’ (HHS) Office of Civil Rights (OCR) is expanding its Division of Health Information Privacy enforcement team. The federal bureau is stepping up hiring for HIPAA compliance activities calling for professionals with experience in privacy and security compliance and enforcement.
  8. State Attorney Generals are getting involved in HIPAA enforcement. HHS has even posted HIPAA Enforcement Training for State Attorneys General agendas on its www.HHSHIPAASAGTraining.com website.
  9. HIPAA compliance requires staff privacy and security training on a regular basis. All clinicians and medical staff that access PHI must be trained and re-trained on proper HIPAA procedures. Documentation of provided training is required to be kept for six years.
  10. Protecting your practice means avoiding the HIPAA “Wall of Shame.” The list of health care organizations reporting major breaches and receiving substantial penalties is growing at an alarming rate. The details of these breaches are widely available to the general public — and widely reported in the media.
Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

5 Common HIPAA Mistakes

5 Common HIPAA Mistakes | HIPAA Compliance for Medical Practices | Scoop.it

Now more than ever, HIPAA compliance is a must. It’s hard to believe, but HIPAA violations can soar to over several million dollars and can even include jail time! We know HIPAA can be confusing. The devil’s in the details – there are a lot of rules to follow, which means a lot of mistakes you can make! While we can’t cover them all, this list of 5 common HIPAA mistakes and ways you can prevent them is a smart place to begin.

1. Lost or Stolen Devices

In January 2012, Pennsylvania –based CardioNet reported to HHS’ Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. The outcome? A crippling 2.5 million dollar settlement.¹

Mobile devices like mobile phones and laptops or tablets are particularly vulnerable to theft and loss due to their size and – well – their ease of mobility! When covered entities and business associates don’t implement mobile device security, people’s sensitive health information is put at risk. Ignoring security can result in a serious breach, which affects each individual whose information is left unprotected.

What can you do today to safeguard your devices? Here’s what the U.S. Department of Health and Human Services recommends:

  • Use a password or other user authentication
  • Install and enable encryption
  • Install and activate remote wiping and/or remote disabling
  • Disable and do not install or use file sharing applications
  • Install and enable a firewall
  • Install and enable security software
  • Keep your security software up to date
  • Research mobile applications (apps) before downloading
  • Maintain physical control
  • Use adequate security to send or receive health information over public Wi-Fi networks

2. Hacking

Getting hacked is something we all fear, and for good reason. It seems like a new hacking technique is born every day. You’ve heard of some – phishing, viruses, ransomware – and maybe not of others – Fake WAP, Waterhole attacks. Hacking can happen to anyone, any time, any place, any… Let’s just say it’s serious business.

Check out this statistic on ransomware, specifically: A recent report from a U.S. Government interagency shows that, on average, there have been 4,000 daily ransomware attacks since early 2016. That’s a whopping 300% increase over the 1,000 daily ransomware attacks reported in 2015.²

What to do? Use these high-level tips as first steps:

  • Conduct a full risk assessment to discover all security vulnerabilities
  • Use strong passwords and two-factor authentication.
    • Read our “Creating and Managing Passwords” blog article for more info
  • Install all software patches promptly and ensure databases are up-to-date
  • Keep anti-virus definitions updated
  • Scan for viruses regularly
  • Check out this article for more info on ransomware: “WannaCry Ransomware Protection with HIPAA“

3. Employee Dishonesty

In 2012, the owner of a Long Island Medical Supply company was found guilty of $10.7 million dollars of Medicare fraud and HIPAA Violations. She was sentenced to 12 years in prison and fined $1.3 million dollars.

Employees accessing patient information when they are not authorized is a common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for another person, unauthorized access is illegal and can cost an organization substantial amounts. Also, people that use or sell PHI for personal gain can be subject to fines and even prison time. Staff members that gossip about patients to friends or coworkers is also a HIPAA violation that can result in a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients/clients to private places, and avoid sharing any patient information with anyone else.

Take a look at these ideas for keeping staff compliant:

  • Establish and enforce sanction policies
  • Train and retrain staff on HIPAA
  • Monitor employee compliance:
    • Check work areas for obvious violations
    • Listen for any discussion in the workplace that includes PHI

4. Improper Disposal

In 2009, CVS paid $2.25 million to settle a violation of throwing pill bottles containing patient names, addresses, medications and personal information into open dumpsters.

HIPAA requires that you protect the privacy of PHI in any form when disposing of information (45 CFR 164.530(c)). This not only includes tangible documents like x-ray films or patient charts, but also electronic media like old laptops or external drives.

The U.S. Department of Health and Human Services has defined these proper disposal methods:

  • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor who is a business associate to pick up and shred or otherwise destroy the PHI.
  • For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
  • Further, covered entities, business associates and subcontractor BAs must ensure that their workforce members receive training on and follow the disposal policies and procedures of the organization, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).⁴

5. Third-Party Disclosure

North Memorial Health Care of Minnesota paid a fine of $1.5 million to settle HIPAA violation charges in 2011 after a business associate was given access to ePHI before a signed copy of a HIPAA-compliant Business Associate Agreement (BAA) was obtained.⁵

Under HIPAA law, covered entities must have a signed BAA from any vendor that provides functions, activities or services for or on behalf of a covered entity that has access to patient ePHI. A signed copy of the BAA must be obtained before access to patient health data is provided. The BAA must outline the responsibilities the business associate has to ensure PHI is protected and is not disclosed to any unauthorized parties.

Remember, your business associates’ HIPAA shortcomings impact you! Period.

Be sure to:

  • Establish who your Business Associates are, considering their subcontractors and your own contractors. (Read our own “Preparing Contractors for HIPAA Compliance” blog)
  • Obtain a Business Associate Agreement before your BA has access to any client/ patient health data
  • Ask for verification of HIPAA compliance for each and every BA, including their subcontractors
  • Read some of the previous articles we’ve written about Business Associates for smart ways on working with them:
    • “Auditing Business Associates”
    • “Business Associates Must Take HIPAA Compliance Seriously“
Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA and Social Media: Avoiding Costly Mistakes | Eyemaginations

HIPAA and Social Media: Avoiding Costly Mistakes | Eyemaginations | HIPAA Compliance for Medical Practices | Scoop.it

A nurse inspired by a young chemotherapy patient’s courage posts a photo on her personal Facebook page, being careful not to use the patient’s name. A practice manager posts a photo of an office party on Instagram; a stack of patient files is in the background. A nurse writes an angry blog post about an alleged cop-killer who is being treated at the hospital where she works, but does not name the patient, victim, or her employer. What do all of these scenarios have in common? They are all examples of HIPAA violations that led to a healthcare professional being reprimanded, fined, or fired.

You may think your practice is up to date on patient privacy, but changes in HIPAA policies, healthcare information technology, and the explosion of social media have changed the game. “Despite widespread awareness of the need to store and send sensitive patient data securely, physicians and practices run afoul of HIPAA rules on a regular basis, which opens the door to both civil and criminal penalties,” reports Medical Economics. The maximum HIPAA fines have increased to a whopping $50,000 per violation.

Here’s what you need to know about HIPAA and protecting your patients and your practice in this age of social media and oversharing.

Decoding ‘patient identifiers’

Because there are new social media platforms emerging all the time, it can be daunting to figure out what’s OK to post and what’s not. First, you and your employees need to understand what is considered a HIPAA violation on social networks. Most healthcare professionals know to avoid impermissible use or disclosure that compromises the security or privacy of a patient’s protected health information (PHI). The confusion arises in defining what PHI is and is not.

HIPAA specifies 18 identifiers beyond a patient’s name that must be kept private. One of those is “full face photographic images and any comparable images,” which is where the nurse mentioned in the Facebook example above ran afoul of HIPAA. This even includes recognizable patient photos or files in the background of photos, such as in the office party example above. You’re not even in the clear if you’re simply reposting or “regramming” photos of a patient sharing all the details of their medical issues on their own social media accounts. If the patient can be identified, don’t do it.

It’s also important to consider things that might be “patient identifiers” besides a person’s name or face. In one case, a nurse posted a comment on a small-town newspaper’s blog that mentioned a patient’s age and mobility aids, which were enough to figure out whom she was discussing.  “In small communities especially, people can quickly determine who is in the hospital and for what with just a few details. Innocent comments about a patient lead to identification,” notes Kyna Veatch on the legal website Law360.com.  

This also goes for celebrities and high-profile people. In the case of the nurse mentioned above who angrily shared her views about a patient online, news coverage about the murder case made it clear whom she was talking about. Another common example of HIPAA violations is when staffers cannot contain their excitement about treating a pro athlete or well-known TV personality and “overshare” on social media. “Posting verbal ‘gossip’ about a patient to unauthorized individuals, even if the name is not disclosed” can get medical practices into hot water with HIPAA, warns the company Healthcare Compliance Pros (HCP).

HIPAA do’s and don’ts

Let’s look at some best practices related to HIPAA and social media:

Do keep your and your employees’ personal social media accounts separate from the practice accounts. “Some ophthalmologists choose to create personal pages with pseudonyms that only their friends and family know,” notes Veatch. “This keeps patients from searching for them and sending friend requests.” Avoid “friending” patients on personal or practice accounts, and advise your employees to do the same.

Don’t make the mistake of thinking that posts are private or disappear once they have been deleted.Search engines and screenshots can make even deleted posts permanent. As a general rule, don’t post anything you wouldn’t be comfortable sharing in public. “If there is any doubt at all about a certain post, picture, or comment then check with your compliance officer or even a colleague before publishing,” advises HCP.

Do speak up when patients are asking for medical advice online. Crowdsourcing your medical care on social media is never a good idea, but people do it all the time. Doctors can offer advice as long as it’s general and not specific to one patient. Sharing a patient education video on a particular health topic or condition can be one way to do it. “Speaking to patients as a collective on social media should steer providers away from any privacy risks,” per physician and social media expert Kevin Pho of KevinMD.com. If an unknown patient reaches out and asks a personal health question on social media, “take that conversation offline with a standard response that asks the patient to call the office and make an appointment, or if an emergency, to call 911 or go to the emergency department,” he advises.

Don’t overlook staff training. Educating your staff and having a solid social media policy in place is imperative to HIPAA compliance, according to Healthcare IT News. Your policy should define social media, mention specific sites, and describe what information employees are allowed to post online and what is off-limits, on both the practice pages and their personal pages. As Healthcare IT News states, “When employees post on social media, not only do they represent themselves, they represent the employer, the office, and all healthcare professionals.”

 

 

 

 

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Use the Right Tools to Protect Patient Data and HIPAA Compliance

Use the Right Tools to Protect Patient Data and HIPAA Compliance | HIPAA Compliance for Medical Practices | Scoop.it

The focus on securely storing and protecting your patients' information mandate that you use the right tools and systems to fulfill this requirement. This necessity should generate at least two questions.

  • Are you using the right tools now to protect your patient data?
  • How can you ensure that you use the best systems to securely store and protect your patient information?

Consider these suggestions to create a checklist of features your system should include to meet privacy, storage and protection guidelines. These tips will help you identify the right tools to safely protect patient data and satisfy security mandates.

 

How to Identify the Right Tools for Patient Data Security

A. Examine current administrative safeguards:

  • Perform a risk assessment.
  • Design a risk management procedure.
  • Create practice policies for safe and secure storage of patient data.

B. Evaluate Your Physical Security Measures:

  • Limit physical access to your systems that store patient information.
  • Password protect workstations that have access to patient health information (PHI).
  • Prohibit removal of electronic media with PHI from the workplace.

C. Analyze Your Technical Security Procedures:

  • Give access to PHI only to those that need it, on a "need to know" basis.
  • Create an internal audit procedure to examine your IT tools that contain PHI.
  • Ensure your electronic systems have high-level integrity to prevent others from altering, destroying or changing PHI.
  • Evaluate the security of your transmission of PHI over electronic networks.

 

Suggesttions to Have the Right Tools to Meet Meaningful Use and PHI Security Requirements

  • Display leadership by emphasizing the importance of protecting patient information to ensure privacy and security.
  • Document all policies, procedures and efforts to ensure security.
  • Evaluate your security analysis results to identify risks to PHI.
  • After analysis and evaluation, create a new action plan, if necessary.
  • Be sure your action plan and tools mitigate risks, which can be lowered to manageable levels.
  • Ensure your electronic health records (EHRs) are protected by having locked server rooms, using strong passwords, performing regular backups and having disaster plans for data recovery after server crashes.
  • Give your staff thorough education and training on protecting PHI.
  • Advise your patients their information is confidential and protected to minimize patient privacy fconcerns.
  • Ensure your "business associate agreements" contain language that mandates they remain in HIPAA privacy and security compliance.
  • Register for EHR Incentive Programs only after you can attest (with confidence) that your practice meets or exceeds meaningful use requirements, including documentation that you've performed a security risk analysis and identified potential problems with PHI security.
  • Consider using a top third-party medical documentation and billing firm, such as M-Scribe Technologies, to minimize the staff burden of compliance with regulations and better ensure practice compliance.

Hopefully, you have not made a major investment in IT systems that fall short of ensuring security and protection of patient information and EHRs. However, going through this checklist will determine if your systems and procedures are sufficient to be considered the right tools and policies to securely protect your patient data.

Understand that your objectivity in evaluating your current tools is critical to installing the best systems to ensure patient privacy and information protection. Spending time analyzing the tools now in use is more efficient than needing to fix leaked or unlawfully changed patient data. Solutions are more like putting toothpaste back into its tube or unringing a bell, than finding answers to problems: Serious damage may already been done.

Identifying the right tools to protect patient data--and yourself--will eliminate (or minimize) the need for costly solutions after a problem occurs. Once you take action to maintain security, if appropriate, or improve EHR safety, if necessary, be sure to document your efforts. Should HIPAA or other regulators ask for evidence, you'll have it, further protecting yourself from challenges.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Protecting PHI: Managing HIPAA Risk with Outside Consultants

Protecting PHI: Managing HIPAA Risk with Outside Consultants | HIPAA Compliance for Medical Practices | Scoop.it

The rising complexity of healthcare, particularly as it relates to providers’ growing technical needs, is increasingly prompting healthcare organizations to seek the help of outside consultants. In engagements with healthcare entities, thought IT consultants try to minimize interaction with patient data, they often have access to protected health information (PHI). When working with HIPAA Covered Entities, consultants are treated as “business associates” and are required to comply with Privacy Rules designed to protect PHI.

Managing HIPAA compliance when engaging outside consultants requires that consultants enter into a Business Associate Agreement (BAA). The BAA must:

  • Describe the permitted and required uses of PHI by the business associate in the context of their role
  • Provide that the business associate will not use or further disclose the PHI, other than as permitted or required by the contract or by law
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI, other than as provided for by the contract

Here are several best practices to follow to ensure the protection of PHI in consulting arrangements.

 

FTE Mentality

During the contract period, the expectation is that consultants act as if they were an employee of the hospital or provider organization and therefore treat PHI in this manner. It is important to know that consultant business associates could be held liable or equally responsible for a PHI data breach in the same way a full-time employee could be.

 

Role-Based Access Rules

Limit access to PHI based on role to ensure that only the parties that need PHI have access to it. An IT strategist, for example, does not need to see live patient data. Associates leading implementation projects, on the other hand, may need access to live PHI. Typically, this occurs late in the implementation process, when the time comes to test a system with live, identifiable patient data.

 

Safeguard Access Points

If a hospital wants a consultant to have regular access to PHI, it would be preferable that the hospital provides the consultant with a computer or device with appropriate access authorizations and restrictions in place. Avoid the use of personal devices whenever possible. Make sure that only approved and authorized devices can be used inside the firewall and require multi-factor authentication during log-in. Avoid inappropriate access to PHI by way of shared or public data access points. Don’t allow private access to PHI where others could intervene.

 

Keep it Local

Don’t take PHI away from the source of use. Consultants should avoid storing PHI on personal devices, including smart phones, which are particularly susceptible to theft and loss. Devices used to store or access PHI must be registered. Best practices often include controls giving IT staff advance permission to remotely wipe or lock a stolen registered device. Avoid leaving registered devices in cars or unprotected areas.

 

Paper-based reports also pose threat of PHI leak. Documents you take home over the weekend, for example, could be accessed by family members, lost, or stolen. Electronic, paper, verbal and image-based PHI should all be confidently secured. Of course the regulations also relate to visual and verbal protections. When accessing PHI avoid allowing others to view your screen over your shoulder. When discussing PHI make sure only those who need to know and have appropriate authority can hear the conversation.

 

The healthcare industry is making great strides in establishing digital infrastructure, much of which is cloud-based, putting new onus on providers and their business partners to ensure the security of that information. No one wants to make headlines for the latest data breach, least of all the IT consultants hired by providers to help guide their data management efforts. Rigorous attention to HIPAA Privacy Rule guidelines is not only required – it’s imperative to maintaining trust in the healthcare ecosystem.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Covered Entities Must Share PHI with Patients Even if it is Requested in an Unencrypted Format

Covered Entities Must Share PHI with Patients Even if it is Requested in an Unencrypted Format | HIPAA Compliance for Medical Practices | Scoop.it

This month, Atlantic Information Services reported that covered entities must provide patients with their ePHI when they request it, in a format that the patient can open on their computer. Does this mean Covered Entities may have to send unencrypted emails containing electronic Personal Health Information (ePHI) to their patients? It depends on what the patient requests.

The HHS statement that patients have the right to access their ePHI and that covered entities “must provide this access in the manner requested by the individual” has created confusion. Covered entities are now left trying to find ways to provide patients access to their ePHI without violating HIPAA requirements.

The Privacy Rule “allows the use of unencrypted email when communicating ePHI between the healthcare provider and the patient…provided they apply reasonable safeguards when doing so”. 1

Examples of safeguards include:

  1. Check the email address for accuracy.
  2. Send email to confirm the recipient before sending the ePHI.
  3. Limit the amount of information disclosed.
  4. Encrypt emails.

Many covered entities have policies in place requiring all email containing ePHI be encrypted, and we at Total HIPAA Compliance fully support these policies. Patients may complain about opening an encrypted email, but the alternative is that you are potentially exposing their unencrypted Protected Health Information to all kinds of unknown risks. An unencrypted email can go through multiple servers before it reaches its final destination, and every server it stops in on its way to its final destination is another potential failure point.

How do you protect your patients while giving them access to their information in the format requested?

  1. Don’t explicitly offer unencrypted communication– I know this sounds disingenuous, but if you have a communication request from a patient, it’s always best to default by sending those communications encrypted.
  2. Explain the risks of sending unencrypted communications– Most non-technical people don’t understand the risks they are taking by sending communications unencrypted. You can relate the privacy level to sending an electronic postcard listing all their requested information. It is estimated that medical identity theft costs an individual $13,500.2 This is a major reason to insist that all communications with patients be encrypted.
  3. Make the barrier for unencrypted communication high. HHS states, if the healthcare provider feels the patient is not aware of the risks of using unencrypted emails for ePHI, or has concerns about liability, they can inform the patients of those risks and allow the patient to make the decision. If the patient then decides to request the receipt of the ePHI using unencrypted email, the covered entity will be exempt of possible liability because the patient has given their explicit permission to receive the ePHI in an unencrypted form. Make sure the client signs off each time there is a requested unencrypted communication. This burden may push a client to receive information encrypted.
  4. Here is a form you can use if a client insists on having communications sent unencrypted.

Ways to Make Patient Communication Easier While Using Encryption:

Patient Portals
A patient portal is a secure website that patients can access with a username and password. Portals allow patients to access their ePHI through an internet connection. This is an elegant way to provide the patient with their PHI and not expose the information to hackers.

Use a different encrypted email provider
There are many HIPAA compliant email encryption services you can use. Some are easier for patients to use than others. If your patients are consistently complaining, maybe it’s time to look into a new provider. There are many great options out there that will integrate with your EHR.

Two of our favorite encrypted email platforms for ease of use and cost are:

  1. Virtru This application allows users to integrate with almost any email provider. Vitru Pro is HIPAA compliant and will sign a Business Associate Agreement. Virtru offers end-to-end encryption with the ability to revoke a message at any time. Vitru makes it easy for the sender to encrypt messages and the receiver to respond encrypted.
  2. Protected Trust is also another great product. The email recipient has to be registered with Protected Trust, but this is free for your patients. Protected Trust offers many different verification options for the recipient, including sending recipients a phone call or text message to verify their identity. This application is easy to use for the receiver since they do not have to install any software or create a new email address.

The HIPAA Omnibus update strives to make communication between providers and patients easier as well as protect the privacy of your patients. This can be tricky for the health care provider, but patients always have the right to access their own PHI, and it is up to healthcare providers to grant them that access. As patients begin to demand more communication, covered entities will have to figure out the best way to do this, while remaining HIPAA compliant.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Status Of HIPAA Compliance

The Status Of HIPAA Compliance | HIPAA Compliance for Medical Practices | Scoop.it

The Office for Civil Rights (OCR), the agency within the U.S. Department of Health and Human Services tasked with HIPAA compliance enforcement, is about to start formally notifying various healthcare providers and plans that they have been selected for an audit. Those covered entities selected will be required to submit specific documentation to OCR that demonstrates how their respective organizations are complying with HIPAA compliance requirements. 

 

The goal with the Phase 2 Audit program is to determine how well covered entities are implementing the correct policies and procedures for HIPAA compliance. If the results of the Phase 2 audits are anything like the first audit, OCR is probably going to see disappointing data indicating most organizations are not fully complying with all the requirements. 

 

There is an easier way to find out the status of current compliance with covered entities, not to mention a less costly way, in saving the taxpayers money in paying a contractor to gather the needed results.  Published reports showed that OCR paid about 9 million dollars to the global audit firm KPMG in 2012 to conduct the Phase 1 audits.

 

NueMD released the results of their follow-up survey to the original survey conducted in 2014, which looked at the status of HIPAA compliance. In the updated survey, 927 respondents, which included practices and billing companies, answered a number of revealing questions about the current status of HIPAA knowledge and compliance. For comparison purposes, OCR is looking to identify about 200 covered entities for the Phase 2 audit.

 

So what did NueMD find out in their updated survey? Overall HIPAA compliance is still not close to where it needs to be with most organizations. With so many HIPAA data breaches occurring on what seems like a daily basis, the survey clearly shows why this is occurring.

 

Here are some significant findings of the survey:

 

  • Regarding the annual requirement for HIPAA Security Awareness Training, the 2014 survey indicated 62% of owners, managers and administrators claimed they provided training for their staff annually — now that number has dropped to 58%.

 

  • Appointing HIPAA Security and Privacy Officers is another requirement for compliance. The survey found an actual decrease in these appointments. Although appointments were only a few percentages down, the study said, “These may not be extraordinary changes, but the numbers are moving in the wrong direction!”  Agreed.

 

  • On the positive side, the survey showed, “A region that suggests a correlation between increased awareness and improved compliance is that of Business Associate Agreements,” (BAA).  In 2014, 60% of the respondents were aware of the use of BAAs, where in 2016, 68% now claim to know more about these rules.  

 

  • Another positive finding was in the awareness of the HIPAA Omnibus updates. In 2014, respondents indicated 64% were aware of the updates in law. That percent increased to 69% this time around. There are many additional patient rights afforded by the Omnibus Rule that healthcare providers must be aware of. Although there was an increase, providers must do a better job in understanding their responsibilities under Omnibus. 

 

The NueMD updated survey is a great barometer to gauge overall HIPAA compliance efforts, but as the survey shows, covered entities still have a long way to go to make sure they fully understand all the requirements and just not some.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.