HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Physicians: Protect Your Data from Hackers in 5 Steps


According to a recent CNBC report, hackers may have stolen personnel data and Social Security numbers for every single federal employee last December. If true, the cyberattack on federal employee data is far worse than the Obama administration has acknowledged.

J. David Cox, president of the American Federation of Government Employees, believes "hackers stole military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; [as well as] age, gender, race data," according to the report. That is everything cybercriminals need to steal the employees' identities, divert funds from one account to another, submit fake healthcare claims, and open fraudulent accounts for everything from credit cards to in-store credit lines.


Although physicians maintain personal and professional data that is especially valuable to thieves, you are not the federal government. Make it hard enough on cybercriminals, and they will move on to lower-hanging fruit. Reader's Digest offers good advice in five simple steps in its article, "Internet Security: How Not to Get Hacked":


1. Be aware of what you share.


On Facebook, Twitter, or social media, avoid posting birth dates, graduation years, or your mother's maiden name — info often used to answer security questions to access your accounts online or over the phone.


2. Pick a strong password.


Hackers guess passwords using a computer. The longer your password and the more nonsensical characters it contains, the longer the computer takes. The idea here is that a longer, more complicated password could take a computer 1,000 years to guess. Give 'em a challenge.


3. Use a two-step password if offered.


Facebook and Gmail have an optional security feature that, once activated, requires you to enter two things to access your account: your normal password plus a code that the company texts to your phone. "The added step is a slight inconvenience that's worth the trouble when the alternative can be getting hacked," CNET tech writer Matt Elliott told Reader's Digest. To set up the verification on Gmail, click on Account, then Security. On Facebook, log in, click on the down icon next to Home, and then click on Account Settings, Security, and finally Login Approvals.


4. Use Wi-Fi hot spots sparingly.


By now, you probably know that Internet cafés and free hotspots are not secure. You shouldn't be doing your online banking from these spots. However, the little button that turns off your laptop's Wi-Fi, so that your laptop cannot be accessed remotely, is also handy. In Windows, right-click the wireless icon in the taskbar to turn it off. On a Mac, click the Wi-Fi icon in the menu bar to turn off Wi-Fi.


5. Back up your data.


Hackers can delete years' worth of e-mails, photos, documents, and music from your computer in minutes. Protect your digital files by using a simple and free backup service such as CrashPlan or Dropbox.


Take this basic instruction and build on it yourself. Google, for example, offers advice expanding on the concept of "strong passwords." The worst thing you can do is use dictionary words, the word "password," or sequential keystrokes such as "1234" or "qwerty," because hackers' computers will try these first. For e-mail, pick a phrase, such as "[m]y friends Tom and Jasmine send me a funny e-mail once a day," and then use numbers and letters to recreate it as a cryptic password: "MfT&Jsmafe1ad."
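The password rules above (length, no dictionary words, no "password", no sequential keystrokes such as "1234" or "qwerty", and a passphrase-derived string like "MfT&Jsmafe1ad." as the goal) can be turned into a checker that a practice could run on staff passwords before they are accepted. The following is an added example, not code from the original article, from Reader's Digest, or from Google; the wordlist, the keyboard sequences, the 12-character minimum and the guessing rate of 10 billion guesses per second are all assumptions made for the example, and the time estimate is a worst-case exhaustive search, not a prediction for any real cracking setup.

```python
import re

# Constructed mini wordlist standing in for the dictionary a cracking tool tries first.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "football",
                "baseball", "iloveyou", "admin", "login", "qwerty"}

# Keyboard rows, digits and the alphabet: the sources of "sequential keystroke" runs.
SEQUENCES = ["0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm",
             "abcdefghijklmnopqrstuvwxyz"]

# Assumed offline guessing rate for the time estimate (an assumption, not a figure
# from the article; real rates depend on the hash function and the hardware).
ASSUMED_GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365 * 24 * 3600


def contains_dictionary_word(pw):
    """True if the password is, or contains, a word from the common wordlist."""
    low = pw.lower()
    return any(word in low for word in COMMON_WORDS)


def contains_sequence(pw, min_run=4):
    """True if the password contains a run of `min_run` keys in keyboard, digit
    or alphabetical order, forwards or backwards (e.g. "1234", "qwer", "dcba")."""
    low = pw.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - min_run + 1):
            run = seq[i:i + min_run]
            if run in low or run[::-1] in low:
                return True
    return False


def charset_size(pw):
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation plus space
    return size


def brute_force_years(pw):
    """Years to exhaust the whole keyspace at the assumed guessing rate."""
    guesses = charset_size(pw) ** len(pw)
    return guesses / ASSUMED_GUESSES_PER_SECOND / SECONDS_PER_YEAR


def evaluate(pw, min_length=12):
    """Apply the article's rules and return the verdict together with the reasons."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word or a well-known password")
    if contains_sequence(pw):
        problems.append("contains a sequential keystroke run")
    return {"password": pw, "ok": not problems, "problems": problems,
            "brute_force_years": brute_force_years(pw)}


if __name__ == "__main__":
    # Constructed candidates: the article's bad examples and its passphrase-derived one.
    for candidate in ["password", "qwerty1234", "Jasmine2015", "MfT&Jsmafe1ad."]:
        verdict = evaluate(candidate)
        print(f"{candidate!r:18} ok={verdict['ok']!s:5} "
              f"years={verdict['brute_force_years']:.3g} {verdict['problems']}")
```

The dictionary and sequence checks matter more than the years figure: "password" fails the wordlist before the keyspace estimate is even relevant, while the passphrase-derived string passes every rule and has a keyspace that no exhaustive search will cover. A production checker would swap the eleven-word list for a real breached-password list and would never store the candidate password it evaluates.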


Key Factors for the HIPAA Privacy Rule in Emergencies


The HIPAA Privacy Rule was designed to help keep protected health information (PHI) from becoming exposed or easily accessible to the public. But what happens in an emergency situation? When does the public’s safety trump the privacy of one individual?

That debate is currently underway in Texas, as a nurse who worked at Texas Health Presbyterian Hospital Dallas is now suing her former employer for allegedly violating her privacy as a patient, as well as for not properly training her for emergency situations. Specifically, Nina Pham told the Dallas Morning News that the hospital “failed her” and her colleagues when a patient diagnosed with the Ebola virus was admitted back in Oct. 2014.

In terms of patient privacy violations, though, did the hospital actually do anything that went against HIPAA guidelines? While the impending court case will make the final decision, HealthITSecurity.com will break down the finer points of the HIPAA Privacy Rule, and discuss exactly what should happen in an emergency situation.

HIPAA privacy and patient consent

According to the HIPAA Privacy Rule, a covered entity is permitted, but not required, to use and disclose PHI without the patient’s consent in certain situations:

  • To the Individual (unless required for access or accounting of disclosures);
  • Treatment, Payment, and Health Care Operations;
  • Opportunity to Agree or Object;
  • Incident to an otherwise permitted use and disclosure;
  • Public Interest and Benefit Activities;
  • Limited Data Set for the purposes of research, public health or health care operations.

Moreover, there are instances where covered entities need to obtain written consent from individuals. This is for what are referred to as “authorized uses and disclosures.” For example, a covered entity must get written consent to disclose psychotherapy notes and for marketing purposes. This includes “any communication about a product or service that encourages recipients to purchase or use the product or service.”

“A covered entity must obtain an authorization to use or disclose protected health information for marketing, except for face-to-face marketing communications between a covered entity and an individual, and for a covered entity’s provision of promotional gifts of nominal value,” according to HHS.

Additionally, it must be revealed immediately if the marketing involves a covered entity’s receipt of direct or indirect remuneration from a third party. Essentially, for certain disclosures of information, a healthcare provider or hospital needs the patient’s written consent to reveal their PHI. However, there are several instances where written consent is not required. This is where emergency situations come into play.

Extra guidance from the OCR

When Ebola was making headlines in the US last fall, partly due to what was happening at the Texas hospital, the Office for Civil Rights (OCR) released its own guidelines. These were meant to further clarify the HIPAA Privacy Rule, and ensure that the public and covered entities understood exactly what was allowed and why it was allowed.

“The HIPAA Privacy Rule protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes,” according to the OCR.

Moreover, it is important for public health authorities and facilities responsible for ensuring public health and safety to have access to PHI that helps them fulfill their mission to keep the public safe. For example, the Centers for Disease Control (CDC) or state health departments could be given that information. Along similar lines, a foreign government agency that is working with a public health authority can be privy to certain information.

Finally, notification can also be given to individuals who are at risk of contracting or spreading a disease. This helps keep dangerous diseases from spreading.

Even so, it is essential that the “minimum necessary” is kept, according to the OCR. Only the minimum amount of information necessary should be disclosed.

“For example, a covered entity may rely on representations from the CDC that the protected health information requested by the CDC about all patients exposed to or suspected or confirmed to have Ebola virus disease is the minimum necessary for the public health purpose. Internally, covered entities should continue to apply their role-based access policies to limit access to protected health information to only those workforce members who need it to carry out their duties.”
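The two controls the OCR guidance names, a “minimum necessary” limit on what leaves the organization for a given purpose and internal role-based access for workforce members, are easy to state in policy but only hold up if something enforces them at disclosure time. The following is an added example, not code from HealthITSecurity.com, HHS or the OCR, showing one way to encode both, together with the article’s rule that psychotherapy notes and marketing disclosures always need written authorization. The patient record is fictional and constructed for the example, and the field names, purposes, roles and allowlists are hypothetical choices, not HHS definitions; a real policy would be set by the covered entity’s privacy officer.

```python
from datetime import datetime, timezone

# Constructed, fictional PHI record; every value here is made up for this example.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "date_of_birth": "1980-01-01",
    "address": "1 Example Street",
    "phone": "555-0100",
    "ssn": "000-00-0000",
    "insurance_id": "INS-00001",
    "diagnosis": "suspected Ebola virus disease",
    "exposure_date": "2014-10-01",
    "location": "isolation unit 3",
    "general_condition": "stable",
    "psychotherapy_notes": "(confidential session notes)",
}

# Disclosures the article says always need the patient's written authorization.
PURPOSES_REQUIRING_AUTHORIZATION = {"marketing"}
FIELDS_REQUIRING_AUTHORIZATION = {"psychotherapy_notes"}

# Hypothetical "minimum necessary" allowlist per disclosure purpose.
PURPOSE_ALLOWLIST = {
    "public_health_reporting": {"patient_id", "date_of_birth", "address", "phone",
                                "diagnosis", "exposure_date"},
    "family_notification": {"name", "location", "general_condition"},
    "treatment": {"patient_id", "name", "date_of_birth", "diagnosis", "exposure_date",
                  "location", "general_condition", "psychotherapy_notes"},
    "marketing": {"name", "address", "phone"},
}

# Hypothetical internal role-based access policy (what each workforce role may read).
ROLE_ALLOWLIST = {
    "attending_physician": {"patient_id", "name", "date_of_birth", "address", "phone",
                            "diagnosis", "exposure_date", "location",
                            "general_condition", "psychotherapy_notes"},
    "infection_control_nurse": {"patient_id", "name", "date_of_birth", "address",
                                "phone", "diagnosis", "exposure_date", "location",
                                "general_condition"},
    "billing_clerk": {"patient_id", "name", "date_of_birth", "insurance_id"},
}


class DisclosureDenied(Exception):
    """Raised when no policy permits the requested disclosure."""


def role_view(record, role):
    """Internal access: the fields a workforce member in `role` may read."""
    if role not in ROLE_ALLOWLIST:
        raise DisclosureDenied(f"unknown role {role!r}")
    return {k: v for k, v in record.items() if k in ROLE_ALLOWLIST[role]}


def disclose(record, purpose, role, written_authorization=False, audit_log=None):
    """Release only the minimum-necessary fields for `purpose` that `role` may
    itself read, and record what was released and withheld for accounting."""
    if purpose not in PURPOSE_ALLOWLIST:
        raise DisclosureDenied(f"no minimum-necessary policy for purpose {purpose!r}")
    if purpose in PURPOSES_REQUIRING_AUTHORIZATION and not written_authorization:
        raise DisclosureDenied(f"{purpose!r} requires the patient's written authorization")
    visible = role_view(record, role)                       # role-based limit
    permitted = PURPOSE_ALLOWLIST[purpose] & set(visible)   # minimum necessary
    if not written_authorization:
        permitted -= FIELDS_REQUIRING_AUTHORIZATION
    released = {k: record[k] for k in sorted(permitted)}
    entry = {
        "when": datetime.now(timezone.utc).isoformat(),
        "patient_id": record.get("patient_id"),
        "purpose": purpose,
        "role": role,
        "released": sorted(released),
        "withheld": sorted(set(record) - permitted),
    }
    if audit_log is not None:
        audit_log.append(entry)
    return released


def is_permitted(record, purpose, role, written_authorization=False):
    """True when policy lets this role release at least one field for this purpose."""
    try:
        return bool(disclose(record, purpose, role, written_authorization))
    except DisclosureDenied:
        return False


if __name__ == "__main__":
    log = []
    for purpose, role in [("public_health_reporting", "infection_control_nurse"),
                          ("family_notification", "attending_physician"),
                          ("public_health_reporting", "billing_clerk")]:
        print(purpose, role, sorted(disclose(SAMPLE_RECORD, purpose, role, audit_log=log)))
    print("withheld from first disclosure:", log[0]["withheld"])
    print("marketing without authorization:",
          is_permitted(SAMPLE_RECORD, "marketing", "attending_physician"))
```

The point of intersecting the two allowlists is that a billing clerk asked to prepare a public-health report can only hand over the fields both policies allow, and the audit entry records the fields that were withheld as well as those released, which is what an accounting of disclosures later needs. Purposes and fields that need written authorization are refused outright rather than silently trimmed, so a missing authorization shows up as an error in the workflow instead of a quiet gap in the data.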

A key point to the HIPAA Privacy Rule discussed by the OCR is that a covered entity can share information about a patient “as necessary to identify, locate, and notify family members, guardians, or anyone else responsible for the patient’s care, of the patient’s location, general condition, or death.” This could even include the police, the press, and the general public.

That being said, the healthcare organization must still try to obtain verbal permission from the patient. If the individual is deemed to be incapacitated, then a covered entity can disclose certain information if it decides that doing so is in the best interest of the patient.

Finding the right balance

HIPAA is meant to protect sensitive data from becoming public knowledge. However, covered entities also need to prevent serious or imminent threats to the health and safety of the public. Striking that perfect balance between patient privacy and public safety is not going to be easy. Having current and comprehensive administrative, physical, and technical safeguards is key, as is having staff members fully educated on HIPAA rules. It is unlikely that a data breach or patient privacy violation will never occur, but covered entities must remain diligent in prevention.

