HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Medical Practices Are Struggling With HIPAA Compliance 


We recently conducted a survey of medical practices and billing companies to gauge their knowledge of HIPAA’s Privacy and Security regulations, compliance measures, and communication methods.


With the help of our partners at Porter Research and The Daniel Brown Law Group, we've created an easy-to-consume narrative explaining the various aspects of HIPAA compliance while also presenting the results in a way that's easy to understand.

The survey of more than 1,100 healthcare professionals revealed several areas of concern, including:

  • 66 percent of respondents were unaware of HIPAA audits prior to this survey bringing it to their attention

  • 35 percent of respondents have conducted a HIPAA-required risk analysis

  • 34 percent of owners, managers, and administrators felt “very confident” their electronic devices containing personal health information (PHI) were HIPAA compliant

  • 24 percent of owners, managers, and administrators in small practices have evaluated all of their Business Associate Agreements

  • 56 percent of office staff and non-owner care providers in small practices have received HIPAA training in the last year

While we noticed a trend suggesting billing companies may be doing better with compliance compared to medical practices, what we found most alarming was the consistent information gap between management and staff when handling HIPAA compliance measures.


HIPAA Compliance Resources
Alongside the results, we've also curated a list of resources to help you learn more about the upcoming audits, how to develop a compliance plan, conduct a risk analysis, and how to ensure your electronic devices are HIPAA compliant.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


HIPAA Violation and Hospital Employee viewing PHI 


A HIPAA violation rocks a hospital: an employee at St. Charles Health System accessed more than 2,400 patients’ medical records over a two-year period out of curiosity. Curiosity killed the cat, and it may now have far worse consequences for this employee and for the hospital system.

HIPAA Violation without intent to commit fraud

The employee who viewed protected health information (PHI) without a legitimate reason to do so faces large civil fines, loss of their clinical license and criminal prosecution, not to mention termination from their present position. The hospital system has to repair its damaged reputation while preparing to defend itself against potential civil and criminal actions. There are too many instances where an organization is liable for HIPAA violations even though it “didn’t do it”.

The local District Attorney has taken an interest in the matter and is launching a criminal investigation. The HIPAA statute creates no private right of action for patients; however, since the HITECH Act the Attorney General of the state where the violation took place may bring a civil action on behalf of the affected residents.

The employee signed an affidavit stating that the records they accessed were not used to commit fraud; that did not halt the criminal investigation.

Hospital employee viewing PHI

This real-life incident demonstrates how healthcare providers and their employees can face serious trouble for viewing records inappropriately. Remember it before you look up a patient you are not treating, or open a patient’s record with no business purpose.

When performing your job function, it is not a HIPAA violation to access or release a patient’s PHI for treatment, payment or health care operations (TPO). Before accessing or releasing PHI, ask yourself whether the use falls under TPO. If it does, limit what you use or disclose to the minimum necessary to complete the task (with one exception: the minimum necessary standard does not apply to disclosures to, or requests by, a health care provider for treatment). If it does not, you will usually need an authorization signed by the patient or his/her personal representative. If you are unsure whether you can access or release a patient’s PHI, contact your supervisor or your organization’s Privacy Officer.

Finally, this violation reaffirms the need to conduct a HIPAA risk analysis and to monitor who accesses PHI, as the Privacy and Breach Notification Rules expect. Use your policies and procedures for efficient and effective training, auditing and monitoring. The Security Rule requires audit controls and regular review of information system activity, so an employee opening thousands of charts with no treatment relationship over two years should surface in routine audit-log review long before a District Attorney gets involved.
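The review described above can be automated. The following Go program is an added example written for this page, not code from St. Charles Health System or from the original article. It runs a constructed EHR audit extract (the line format and the sample records are invented for the example) against a map of documented user-to-patient relationships, which a real deployment would build from scheduling, orders or billing data; how that map is produced is an assumption here. Every chart view with no documented relationship is flagged, and a user who opens more distinct unrelated charts than a threshold is escalated, which is the curiosity-browsing pattern in the story. Malformed audit lines are reported rather than dropped, since a monitoring gap is itself a finding.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AccessEvent is one EHR audit record: who opened which chart, and when.
type AccessEvent struct {
	Day, User, Patient, Action string
}

// Finding is one access the privacy officer should review.
type Finding struct {
	User, Patient, Reason string
}

// parseLine reads a "date user patient action" line. The format is
// constructed for this example; a real EHR audit export will differ.
func parseLine(line string) (AccessEvent, error) {
	f := strings.Fields(line)
	if len(f) != 4 {
		return AccessEvent{}, fmt.Errorf("malformed audit line: %q", line)
	}
	return AccessEvent{Day: f[0], User: f[1], Patient: f[2], Action: f[3]}, nil
}

// AuditAccesses flags chart views by users with no documented relationship
// to the patient, then escalates users who open more distinct unrelated
// charts than maxUnrelated. relationships maps user -> patients assigned to
// them (from scheduling, orders or billing); how that map is built is an
// assumption, since every EHR exposes it differently.
func AuditAccesses(lines []string, relationships map[string]map[string]bool, maxUnrelated int) ([]Finding, []error) {
	var findings []Finding
	var errs []error
	unrelated := map[string]map[string]bool{} // user -> unrelated patients seen

	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			errs = append(errs, err) // never drop malformed lines silently
			continue
		}
		if relationships[ev.User][ev.Patient] {
			continue // documented TPO relationship: permitted access
		}
		findings = append(findings, Finding{ev.User, ev.Patient, "no documented treatment relationship"})
		if unrelated[ev.User] == nil {
			unrelated[ev.User] = map[string]bool{}
		}
		unrelated[ev.User][ev.Patient] = true
	}

	// Curiosity browsing looks like many unrelated charts opened by one user.
	users := make([]string, 0, len(unrelated))
	for u := range unrelated {
		users = append(users, u)
	}
	sort.Strings(users) // deterministic report order
	for _, u := range users {
		if n := len(unrelated[u]); n > maxUnrelated {
			findings = append(findings, Finding{u, "*",
				fmt.Sprintf("%d distinct unrelated charts opened (threshold %d)", n, maxUnrelated)})
		}
	}
	return findings, errs
}

// SampleAuditLog and SampleRelationships are constructed test data, not
// records from any real provider.
var SampleAuditLog = []string{
	"2014-03-01 nurse_a P1001 view",
	"2014-03-01 nurse_a P1002 view",
	"2014-03-02 nurse_b P2001 view",
	"2014-03-02 nurse_b P1001 view",
	"2014-03-03 nurse_b P1002 view",
	"2014-03-03 nurse_b P3005 view",
	"garbage line",
}

var SampleRelationships = map[string]map[string]bool{
	"nurse_a": {"P1001": true, "P1002": true},
	"nurse_b": {"P2001": true},
}

func main() {
	findings, errs := AuditAccesses(SampleAuditLog, SampleRelationships, 2)
	for _, f := range findings {
		fmt.Printf("REVIEW user=%s patient=%s: %s\n", f.User, f.Patient, f.Reason)
	}
	for _, e := range errs {
		fmt.Println("PARSE ERROR:", e)
	}
}
```

On the sample data, nurse_b produces three "no documented treatment relationship" findings plus one escalation, and the broken line is reported as a parse error. The threshold and the relationship source are the two knobs a practice would tune; the point is that the signal exists in logs the Security Rule already requires you to keep.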


$150,000 HIPAA Settlement Following Breach of Unsecured PHI Due To Malware | JD Supra

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on December 8, 2014 that a community behavioral health organization agreed to pay $150,000 and adopt a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In March 2012, Anchorage Community Mental Health Services (ACMHS) notified OCR regarding a breach of unsecured electronic protected health information from malware that compromised the security of ACMHS’ information technology resources. The breach affected 2,743 individuals. ACMHS is a five-facility, non-profit organization providing behavioral health care services in Alaska.

As part of its investigation, OCR noted that ACMHS had adopted HIPAA security rule policies and procedures in 2005, but ACMHS did not follow these rules. As part of the Resolution Agreement, OCR stated that for almost seven years, “ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability” of its electronic protected health information. During that same time period, OCR stated that ACMHS did not implement policies and procedures requiring implementation of security measures. During a four-year period, ACMHS did not implement technical security measures to guard against unauthorized access to electronic protected health information that was transmitted over an electronic communications network by “failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

In early December 2014, ACMHS agreed to enter into a Corrective Action Plan (CAP) with HHS. The two-year CAP requires ACMHS to revise its Security Rule policies and procedures and distribute them to all workforce members who use or disclose electronic protected health information; provide general security awareness training materials for all workforce members; and conduct an annual “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of its electronic protected health information. ACMHS is required to provide annual reports to HHS on its compliance with the CAP.

In the press release announcing the resolution with ACMHS, HHS emphasized that successful HIPAA compliance includes “reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

This is the sixth resolution agreement announced by OCR in 2014. Overall, HHS has entered into 21 resolution agreements relating to HIPAA compliance. HIPAA compliance continues to be a focus of OCR activities.


HIPAA Email Compliance: 6 Best Practices for Medical Data Security 


As technology advances and legislation changes, HIPAA email compliance can seem like a constantly moving target. With the challenges facing today’s healthcare landscape, including the proliferation of electronic health records (EHRs) and health information exchanges (HIEs), hackers and “hacktivists” targeting hospitals and the adoption of cloud and mobile technology in healthcare, HIPAA compliance is becoming more challenging — and more important — than ever.

Much has changed since 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. The World Wide Web was still relatively new, mobile phones were relatively rare (and great for your biceps!) and your health data was divided into thick manila folders stuffed with paperwork. Now, all that stands between patients and the entirety of their medical histories is a username and a password, and a startling number of those passwords are “password.”

The Challenge of Protecting Patient Data

When most of us think about HIPAA compliance, we think about its access control aspect — that is, who gets access to protected health information (PHI), and when. A leak of PHI can be as simple as a medical professional forgetting to log out of their portal and leaving patient data open on the desktop for anyone walking by to view (this is why automatic logoff appears among the Security Rule’s technical safeguards, as an addressable implementation specification of the Access Control standard).

When it comes to protecting PHI, the penalties add up fast — and since the passage of the 2009 Recovery Act (which contains HITECH), violating HIPAA has only grown more expensive. Each violation costs anywhere from $100 to $50,000 in the lowest tier, where the entity did not know (and by exercising reasonable diligence would not have known) of the violation. Violations due to willful neglect that are not corrected within 30 days carry a minimum of $50,000 per violation, with an annual cap of $1.5 million for violations of an identical provision. And when you consider how many patients have their data stored on a single server, those penalties stack up fast.

Doctors, hospital administrators, insurance professionals and anyone who deals with PHI need to be aware of the growing threats to patient privacy and be proactive with their information security. Here are six ways to lock down patient data and stay ahead of the threat.

1. Use strong data encryption.

Any PHI you store, whether on a desktop, on a server or in the cloud, should be encrypted. Encryption renders the data unintelligible to anyone who does not hold the key. As the 2014 Community Health Systems (CHS) breach showed, in which attackers reportedly exploiting the Heartbleed vulnerability took records, including Social Security numbers, of 4.5 million patients from one of the largest hospital groups in the United States, cybercriminals have both the desire and the means to break into hospital servers and steal sensitive data. With encryption, stolen data stays protected, provided the attackers could not also take the encryption key; that is why the key must be stored and managed separately from the data it protects.

Encryption is not just an information-security best practice; it also decides whether a lost laptop or a stolen database is a reportable breach. The HIPAA Breach Notification Rule, established in 2009 under HITECH, requires covered entities to notify affected individuals without unreasonable delay, and no later than 60 days after discovery, of a breach of “unsecured protected health information.” PHI counts as secured only when it has been rendered unusable, unreadable or indecipherable to unauthorized persons, in practice by encryption consistent with HHS guidance (or by destruction); for most purposes, “unsecured” means “unencrypted.” Under the Security Rule itself, encryption is an addressable implementation specification: you must either implement it or document why an equivalent alternative is reasonable and appropriate.

HHS goes into detail about its encryption expectations for data at rest and data in motion. For data at rest (data that sits in storage), HHS’s standards are consistent with those of the National Institute of Standards and Technology (NIST) and include centrally managing all storage encryption, using multi-factor authentication for encryption solutions and using the Advanced Encryption Standard (AES) as the encryption algorithm.
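The two properties the paragraph above relies on, that stolen ciphertext is useless without the key and that the key lives apart from the data, are what envelope encryption with AES-GCM provides. The Go program below is an added example for this page, not code from HHS, NIST or the original article. Each record is encrypted under its own random data key (DEK), and the DEK is wrapped under a key encryption key (KEK) that in production would be held in an HSM or key management service, never beside the data; the patient ID is bound as associated data so a ciphertext cannot be quietly moved to another patient’s row. The KEK value, the record layout and the sample PHI are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random 96-bit nonce and
// binds aad (here, the patient ID) so the ciphertext cannot be silently
// re-labelled as another patient's. Output layout: nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on a wrong key, a modified byte or a changed aad.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// StoredRecord is what reaches disk or the database: no plaintext PHI and
// no plaintext data key. (Constructed layout for this example.)
type StoredRecord struct {
	PatientID  string
	WrappedDEK []byte // per-record data key, encrypted under the KEK
	Ciphertext []byte // PHI encrypted under the data key
}

// EncryptRecord does envelope encryption: a random 256-bit data encryption
// key (DEK) protects the PHI, and the key encryption key (KEK), assumed to
// live in an HSM or KMS rather than beside the data, wraps the DEK.
func EncryptRecord(kek []byte, patientID string, phi []byte) (StoredRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return StoredRecord{}, err
	}
	aad := []byte(patientID)
	ct, err := seal(dek, phi, aad)
	if err != nil {
		return StoredRecord{}, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return StoredRecord{}, err
	}
	return StoredRecord{PatientID: patientID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the KEK, then decrypts the PHI.
func DecryptRecord(kek []byte, r StoredRecord) ([]byte, error) {
	aad := []byte(r.PatientID)
	dek, err := open(kek, r.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, r.Ciphertext, aad)
}

// LeaksPlaintext asks the breach-notification question in code: would a copy
// of the stored record, taken without the KEK, expose the PHI bytes?
func LeaksPlaintext(r StoredRecord, phi []byte) bool {
	return bytes.Contains(r.Ciphertext, phi) || bytes.Contains(r.WrappedDEK, phi)
}

func main() {
	kek := bytes.Repeat([]byte{0x42}, 32) // constructed test KEK; a real one is random and kept in a KMS
	phi := []byte("MRN 1001; dx: type 2 diabetes") // constructed sample PHI
	rec, err := EncryptRecord(kek, "P1001", phi)
	if err != nil {
		panic(err)
	}
	fmt.Printf("plaintext visible in stored record: %v\n", LeaksPlaintext(rec, phi))
	back, err := DecryptRecord(kek, rec)
	fmt.Printf("decrypted with KEK: %q (err=%v)\n", back, err)
	rec.PatientID = "P9999" // an attacker re-labels the row
	_, err = DecryptRecord(kek, rec)
	fmt.Println("decrypt after re-labelling the row:", err)
}
```

If a backup of StoredRecord values is lost, the attacker holds only ciphertext and wrapped keys; the KEK is what must never travel with the data, and rotating it means re-wrapping the small DEKs rather than re-encrypting every record.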

2. Encrypt your emails, as well.

A tremendous amount of PHI is exchanged over email, and HIPAA compliant email requires encryption, too. In a post-HITECH (Health Information Technology for Economic and Clinical Health) world, the data shared digitally between doctors and their patients can be extremely useful for enterprising hackers, and email is a particularly vulnerable vector of attack.

The traditional route hospitals and providers take for HIPAA compliant email is a portal solution that uses Transport Layer Security (TLS) to encrypt messages. While these legacy portal solutions do provide for HIPAA email compliance, they are certainly not easy for either the providers or the patients who use them. Webmail portals tend to be inconvenient, requiring separate usernames and passwords for each and every system and creating information silos for medical information.

Newer email encryption solutions bypass the annoyance of email portals by integrating seamlessly with more popular email services, like Gmail. Virtru Pro, for example, works with the service you’re already using to provide client-side encryption for HIPAA compliant email. In this case, encrypted PHI can be delivered safely and securely directly to the inbox, with no need for separate accounts or credentials. This allows for both HIPAA compliant email and convenience. (To learn more, read our FAQ about how Virtru Pro enables HITECH and HIPAA compliance for Gmail, or download our free guide.)

3. Use multi-factor authentication wherever possible.

If a hacker steals your password, can they access your data? If you use multi-factor authentication, you may still be safe. Without it, your password is a single point of failure, the only gatekeeper between you and the data thieves.

To help satisfy the Person or Entity Authentication standard of the Security Rule, HHS recommends that businesses handling PHI require, in addition to a password or PIN, either something the individual possesses (such as a token or smart card) or a biometric (for example, a fingerprint or iris scan) for identity verification. Both are forms of multi-factor authentication, which combines at least two of: something the user knows, something the user has and something the user is.

Anyone who has used a debit card is familiar with the idea. Even if someone gets hold of your card, that person can’t withdraw money at an ATM without your PIN. Requiring two separate factors to verify your identity makes it doubly hard for someone to gain access to your money (or your data) by posing as you.
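The “something the user has” factor most practices can deploy cheaply is a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app. The Go program below is an added example for this page, not code from HHS or from the original article: it implements the RFC 4226/6238 algorithm, then a verifier that tolerates a little clock skew and refuses to accept the same code twice, which is the check a home-grown login often forgets. The secret used in main is the RFC 6238 test-vector secret, kept only so the output can be checked against the RFC; real secrets are random and per user.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	totpStep    = 30      // seconds per time step (RFC 6238 default)
	totpModulus = 1000000 // 6-digit codes
)

// hotp computes the RFC 4226 HMAC-based one-time password for one counter.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%totpModulus)
}

// TOTPAt returns the code valid at the given Unix time (RFC 6238).
func TOTPAt(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/totpStep))
}

// Verifier checks submitted codes with a small clock-skew window and rejects
// replay of a code that has already been accepted: a one-time password must
// be usable once. State here is in memory; a server would persist lastCounter
// per user (assumption for the example).
type Verifier struct {
	secret      []byte
	skewSteps   int
	lastCounter uint64 // highest time-step counter already consumed
	used        bool
}

func NewVerifier(secret []byte, skewSteps int) *Verifier {
	return &Verifier{secret: secret, skewSteps: skewSteps}
}

// Verify reports whether code is valid for time unix within ±skewSteps steps.
// The comparison is constant-time so timing does not reveal which digit failed.
func (v *Verifier) Verify(code string, unix int64) bool {
	base := int64(unix / totpStep)
	for d := -v.skewSteps; d <= v.skewSteps; d++ {
		c := uint64(base + int64(d))
		if v.used && c <= v.lastCounter {
			continue // already consumed (or older than one consumed): replay
		}
		if subtle.ConstantTimeCompare([]byte(hotp(v.secret, c)), []byte(code)) == 1 {
			v.lastCounter, v.used = c, true
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret; real secrets are random
	fmt.Println("RFC 6238 vector, t=59:", TOTPAt(secret, 59)) // 287082
	v := NewVerifier(secret, 1)
	fmt.Println("first use accepted:", v.Verify(TOTPAt(secret, 59), 59))
	fmt.Println("replay accepted:   ", v.Verify(TOTPAt(secret, 59), 59))
	fmt.Println("current code:", TOTPAt(secret, time.Now().Unix()))
}
```

The skew window exists because phones and servers drift; one step either side is the usual compromise. Note that TOTP only proves possession of the seed, so the seed needs the same protection as a password database, and enrolment (who hands out seeds, and how a lost phone is recovered) is where most MFA deployments are actually attacked.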

4. Make all of your employees HIPAA compliance experts.

One of the standards HIPAA lists among its Administrative Safeguards is Security Awareness and Training. Any business is only as secure as its least vigilant employee. All it takes is one tired worker uploading notes to their personal cloud, or leaving handwritten passwords in open spaces, to violate HIPAA. It’s essential to make sure that every employee is thoroughly trained, and regularly refreshed, in HIPAA and HITECH regulations as well as your company’s security policies.

While many of the technical safeguards that support HIPAA compliance are automated, like timed session logoffs and password complexity requirements, nothing can replace thorough training and adequate knowledge sharing when it comes to strengthening your security posture.

5. Review the compliance and security practices of business associates.

When it comes to HIPAA compliance, you can’t just tidy up shop internally. As with its employees, a company is also only as compliant as its least secure partner, vendor or contractor, and every business your hospital, private practice or insurance company partners with is a potential vector for attack or HIPAA violation.

There are a few precautions any HIPAA-covered entity should take when it enters into a business associate agreement, including securing the right to audit the associate for compliance. Lay down ground rules for HIPAA compliance best practices, including a mutual obligation to encrypt any shared PHI, and ensure that your business associate can’t pass your patients’ PHI on to subcontractors without your approval. This includes using only HIPAA compliant email to exchange PHI.

6. Be aware of social engineering and inside threats.

While the leak of PHI is usually an act of user error or negligence, many data leaks are caused by malice, both from outside and from within. While many infosec efforts are directed at the stereotypical hacker, hiding in the shadows in a musty basement cracking into a distant server, 28 percent of security incidents come from within the organization, and 66 percent of malicious hacks are acts of social engineering, a method of intrusion that relies on social manipulation.

Social engineering can be as simple as someone walking into a hospital dressed like a convincing repair person, sneaking in a thumb drive and leaving with sensitive PHI. Make sure your internal security audits address these scenarios, as well as insider data threats.

Between legislation and technological advances, healthcare in the United States has recently undergone a dramatic transformation. It’s vital that healthcare providers and other covered entities keep pace with these changes. While it isn’t necessary to be an infosec expert or a white hat hacker, doctors, nurses and administrators should know the law, know the threats and keep vigilant to protect the privacy of their patients and the HIPAA compliance of their practices.


10 Steps for Ensuring HIPAA Compliance 


1. Development of privacy policies. Healthcare organizations must develop, adopt and implement privacy and security policies and procedures. They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs.

2. Appointment of privacy and security officers. Healthcare organizations should appoint a privacy officer and a security officer. These can be the same person or different people. Whoever holds the role should be conversant in all HIPAA regulations and the organization’s policies.

3. Conducting regular risk assessments. Healthcare organizations should regularly conduct risk assessments to identify vulnerabilities. This will help ensure the confidentiality and integrity of protected health information. It is important to remediate any identified risks and revise policies, if necessary, to minimize risk.

4. Adoption of email policies. Healthcare organizations should adopt policies regarding the use of email; the Office for Civil Rights does not look kindly on organizations that have not established policies on mobile devices and email communication. HIPAA does not prohibit the use of email for transmitting protected health information, and the Security Rule treats encryption as an addressable specification rather than a flat requirement. It is nonetheless best to encrypt email wherever possible, since unencrypted PHI that goes astray is a reportable breach. If your organization cannot encrypt email, make sure that patients who ask for their health information over email are told of the risks, and document that they accepted them.

5. Adoption of mobile device policies. Healthcare organizations should adopt strict policies regarding the storage of protected health information on portable electronic devices, and they should regulate the removal of those electronic devices from the premises. HHS has issued guidance regarding the use of mobile devices, and healthcare organizations should be familiar with it.

6. Training. Training all employees who use or disclose protected health information and documenting that training, is an essential step to ensuring HIPAA compliance. Healthcare organizations should also conduct refresher courses and train the employees in new policies and procedures.

7. Notice of Privacy Practices. A Notice of Privacy Practices should be correctly published and distributed to all patients. It should also be displayed on the organization’s website, and the organization should make a good-faith effort to obtain a written acknowledgement of receipt from every patient. The notice should be updated whenever policies are revised, and it will need to be updated now to reflect the provisions of the Omnibus Final Rule.

8. Entering into valid agreements. Healthcare organizations should ensure that they are entering into valid business associate agreements with all business associates and subcontractors. Any existing business associate agreements will have to be updated to reflect the changes to HIPAA under the final rule, such as the expansion of liability of business associates.

9. Adoption of potential breach protocols. A protocol for investigating potential breaches of protected health information is a must. Under the Omnibus Final Rule the old “risk of harm” standard is gone: an impermissible use or disclosure of PHI is presumed to be a breach unless a documented risk assessment shows a low probability that the PHI has been compromised. If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the affected individuals and the appropriate authorities.

10. Implementation of privacy policies. Privacy and security policies must be properly implemented by healthcare organizations, and they should sanction employees who violate them.


These 10 steps will help healthcare organizations ensure that they remain HIPAA compliant, but organizations are also encouraged to check the resources available on the Office for Civil Rights website, such as sample business associate agreement provisions and the audit protocol.
