HIPAA Compliance for Medical Practices
68.5K views | +0 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

The Impact of HIPAA on Email Communications — What You Need to Know Before You Click ‘Send’ 

The Impact of HIPAA on Email Communications — What You Need to Know Before You Click ‘Send’  | HIPAA Compliance for Medical Practices | Scoop.it

The recent Sony Pictures hack exposed embarrassing emails, unreleased intellectual property and plenty of passwords, social security numbers and financial data — but it was also a giant HIPAA violation. In addition to unencrypted spreadsheets full of sensitive medical data, the hackers leaked an HR exec’s memo about the special needs and diagnosis of an employee’s child.

While we don’t yet know the cost of Sony’s myriad of security failures, the medical details of many Sony employees and their families now exist on the Internet, where it will likely stay available for the foreseeable future.

 

The Sony hack has taught us plenty of information security lessons, but one of the stickiest is the importance of protecting protected health information (PHI). We’ve already written about the reasons Sony should have used client-side email encryption, but HIPAA compliance is yet another compelling reason to encrypt your email messages.

The Need for HIPAA Compliant Email

If you’re new to the world of HIPAA compliant email, the idea of safely sending messages and files to your patients, other health providers and business associates can seem overwhelming at first. While any professional email should be approached with mindfulness of data security and awareness of the threats to your email privacy, from hacking to phishing, businesses that deal with PHI must be extra vigilant to make sure their communications are compliant with HIPAA and HITECH. After all, a HIPAA violation is as easy as accidentally sending an email to the wrong recipient, and can lead to fines of hundreds of thousands of dollars.

While HIPAA compliant email doesn’t need to be rocket science, the stakes facing the medical community are pretty high. Consumers want more and easier access to their personal health data, but have greater demands when it comes to privacy.

Protecting Patient Privacy In the Digital Age

Any organization that handles PHI (known as a “covered entity”), from health providers such as doctors, nurses, chiropractors, pharmacies and nursing homes to businesses that provide health plans like HMOs, company health benefits and government programs like Medicare — as well as all of their business associates — needs to ensure that their email solutions are HIPAA compliant. And it’s not just corporate organizations – state and local governments, universities, and non-profits also fall under HIPAA and must protect PHI.

 

Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, it seems that the demand for greater digital access to health data is at odds with the HIPAA Privacy Rule, which demands that a patient’s past, present and future PHI be accessible only to authorized recipients. One of the goals of HITECH was to spur adoption electronic health records (EHRs) for patients and health information exchanges (HIEs) to help doctors share patient data. If your ophthalmologist recently asked you to sign up for an online patient portal, that’s HITECH in action.

 

But another HITECH provision put many covered entities on notice: where prior to HITECH, $250,000 was the maximum annual penalty for a HIPAA violation, that threshold has moved up to $1.5 million. This presents the medical community with the puzzle of how to increase digital access to data without compromising patient privacy.

The Importance of Encryption in HIPAA Compliant Email

The challenges facing healthcare data security, from data thieves and “hacktivists” targeting hospitals to user error and technology adoption, make HIPAA compliant email more important than ever. But what makes an email HIPAA compliant?

 

One of the most important steps any business handling PHI should take is enabling email encryption. Encryption uses a complex cipher algorithm to render your data unreadable to anyone without the necessary credentials (or the encryption key). In short, if a cybercriminal cracks into an email you send to a patient or insurance company, they won’t be able to use that data unless they also get ahold of your encryption key.

 

There are a few options when it comes to email encryption. Many hospitals, healthcare providers and insurance companies deploy portal solutions that use Transport Layer Security (TLS) to encrypt messages. In these scenarios, patients and other providers establish and maintain a separate account for a portal where they can exchange sensitive information. While these solutions do provide for HIPAA compliance, their user experience tends to be clunky and frustrating. At one time or another we’ve all forgotten our username or password and been locked out of our health or financial data.

 

At the end of the day, employees prefer to use the applications they’re used to — including their email service providers. Newer email encryption solutions are able to integrate with the email service you’re already using to provide a seamless, easy-to-use user experience with powerful client-side encryption.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Juan Carlos Moreno Angulo's curator insight, May 20, 3:57 PM
Before clicking send, do even think twice about it? What happens when hackers leak sensitive information under the name of famous companies/corporations such as the case of SONY is something common? In recent times, the Sony hack showed and taught us plenty of information security lessons, but one of the stickiest is the importance of protecting protected health information (PHI). What this article expose us to a violation that is as easy as accidentally sending an email to the wrong recipient, and can lead to fines of a lot money. While we do not know about the security measures taken by the institution we put out trust in, there are medical details of many employees and their families on the Internet before you even know, a giant violation to your life. Protecting patient privacy in the digital age can be a really hard to do, especially when the world is just a click far from you. However, a positive thing to highlight such organization handles PHI which is known as a “covered entity” that allow companies to keep track of the user info. Opposite to that, the introduction of what happened with hacking patients; it seems that organizations demand for greater level of security when accessing health data and more. Moreover, just remember that every message, image, and video you send everything you do will be recorded and stored in a data collection base.
Scoop.it!

HIPAA Email Compliance: 6 Best Practices for Medical Data Security 

HIPAA Email Compliance: 6 Best Practices for Medical Data Security  | HIPAA Compliance for Medical Practices | Scoop.it

As technology advances and legislation changes, HIPAA email compliance can seem like a constantly moving target. With the challenges facing today’s healthcare landscape, including the proliferation of electronic health records (EHRs) and health information exchanges (HIEs), hackers and “hacktivists” targeting hospitals and the adoption of cloud and mobile technology in healthcare, HIPAA compliance is becoming more challenging — and more important — than ever.

Much has changed since 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. The World Wide Web was still relatively new, mobile phones were relatively rare (and great for your biceps!) and your health data was divided into thick manila folders stuffed with paperwork. Now, all that stands between patients and the entirety of their medical histories is a username and a password, and a startling number of those passwords is “password.”

The Challenge of Protecting Patient Data

When most of us think about HIPAA compliance, we think about its access control aspect — that is, who gets access to protected health information (PHI), and when. A leak of PHI can be as simple as a medical professional forgetting to log out of their portal, and leaving patient data open on the desktop to be viewed by anyone walking by (this is why automatic logout is one of the “technical safeguards” required to maintain HIPAA compliance).

When it comes to protecting PHI, the penalties add up fast — and since the passing of the 2009 Recovery Act, violating HIPAA has only grown more expensive. Each individual violation will run your business anywhere from $100 to $50,000, if it’s a first offense (and a lack of due diligence, as opposed to willful neglect). Violations due to willful neglect, however, cost a covered entity a minimum of $50,000 per violation. And when you consider how many patients have their data stored on a single server, those $50,000 violations stack up fast.

Doctors, hospital administrators, insurance professionals and anyone who deals with PHI need to be aware of the growing threats to patient privacy and be proactive with their information security. Here are six ways to lock down patient data and stay ahead of the threat.

1. Use strong data encryption.

Any PHI data you’re storing, whether it be on your desktop, on a server or in the cloud, should be encrypted. Encryption obscures your data, making it unintelligible to anyone who doesn’t have the key to decrypt it. As proven by the 2014 CHS Heartbleed attack, which resulted in the theft of 4.5 million social security numbers from one of the largest hospital groups in the United States, cybercriminals have both the desire and the means to crack into hospital servers and steal sensitive data. With encryption, that data is still protected even after hackers get their hands on it, provided they weren’t able to also steal the encryption key.Data encryption isn’t just best practice for information security, though — it’s a written requirement to maintain HIPAA compliance. Established in 2009, the HIPAA Breach Notification Rule gives businesses 60 days to notify all parties who may be affected by a leak of “unsecured protected health information.” Here, “unsecured” is another way of saying “unencrypted.”The HHS actually goes into detail about its encryption standards for data at rest and data in motion. For data at rest (data that sits in storage), for example, the HHS’ standards are consistent with those of the National Institute of Standards and Technology (NIST), and include centrally managing all storage encryption, using multi-factor authentication for encryption solutions and using the Advanced Encryption Standard (AES) for encryption algorithms.

2. Encrypt your emails, as well.

A tremendous amount of PHI is exchanged over email, and HIPAA compliant email requires encryption, too. In a post-HITECH (Health Information Technology for Economic and Clinical Health) world, the data shared digitally between doctors and their patients can be extremely useful for enterprising hackers, and email is a particularly vulnerable vector of attack.The traditional route hospitals and providers take for HIPAA compliant email is a portal solution that uses Transport Layer Security (TLS) to encrypt messages. While these legacy portal solutions do provide for HIPAA email compliance, they are certainly not easy for either the providers or patients who use them. Webmail portals tend to be inconvenient to use, requiring separate usernames and passwords for each and every system and creating information silos for medical information.Newer email encryption solutions bypass the annoyance of email portals by integrating seamlessly with more popular email services, like Gmail. Virtru Pro, for example, works with the service you’re already using to provide client-side encryption for HIPAA compliant email. In this case, encrypted PHI can be delivered safely and securely directly to the inbox, with no need for separate accounts or credentials. This allows for both HIPAA compliant email and convenience. (To learn more, read our FAQ about how Virtru Pro enables HITECH and HIPAA compliance for Gmail, or download our free guide)

3. Use multi-factor authentication wherever possible.

If a hacker steals your password, can they access your data? If you’re using multi-factor authentication, you may still be safe. Without multi-factor authentication, your password is a single point of failure, the only gatekeeper separating you from the data thieves.To help satisfy the Person or Entity Authentication component of HIPAA compliance, the HHS recommends that businesses handling PHI require, in addition to a password or PIN, either something the individual possesses (like a token or smart card) or a biometric (for example, a fingerprint or iris scan) for identity verification. These are both examples of multi-factor authentication, which requires a combination of something a user knows with something a user has.Anyone who has used a debit card is familiar with multi-factor authentication. Even if someone gets a hold of your card, that person can’t withdraw money at an ATM without your PIN. Requiring two separate steps to verify your identity makes it doubly hard for someone to gain access to your money (or your data) by posing as you.

4. Make all of your employees HIPAA compliance experts.

One of the standards HIPAA lists among its Administrative Safeguards is Security and Awareness Training. Any business is only as secure as its least vigilant employee. All it takes is one tired worker uploading notes to their personal cloud, or leaving handwritten passwords in open spaces, to violate HIPAA compliance laws. It’s essential to make sure that every employee is thoroughly trained and refreshed in HIPAA and HITECH regulations, as well as your company’s security policies.While many of the technical safeguards that protect HIPAA compliance are automated, like timed session logouts and password complexity requirements, nothing can replace thorough training and adequate knowledge sharing when it comes to strengthening your security posture.

5. Review the compliance and security practices of business associates.

When it comes to HIPAA compliance, you can’t just tidy up shop internally. As with its employees, a company is also only as compliant as its least secure partner/vendor/contractor, and every business your hospital, private practice or insurance company partners with is a potential vector for attack or HIPAA violation.There are a few precautions any HIPAA-covered entity should take when it enters into a business associate agreement, including securing the right to audit the associate for compliance. Lay down ground rules for HIPAA compliance best practices, including a mutual obligation to encrypt any shared PHI, and ensure that your business associate can’t pass PHI from your patients on to subcontractors without your approval. This includes using only HIPAA compliant email to exchange PHI.

6. Be aware of social engineering and inside threats.

While usually, the leak of PHI is simply an act of user error or negligence, many data leaks are caused by malice — both from the outside and within. While many infosec efforts are directed at the stereotypical hacker, hiding in the shadows in a musty basement cracking into a distant server, 28 percent of security incidents come from within the organization, and 66 percent of malicious hacks are acts of social engineering, a method of intrusion that relies on social manipulation.Social engineering can be as simple as someone walking into a hospital dressed like a convincing repair person, sneaking in a thumb drive and leaving with sensitive PHI. Make sure your internal security audits address these scenarios, as well as insider data threats.

Between legislation and technological advances, healthcare in the United States has recently undergone a dramatic transformation. It’s vital that healthcare providers and other covered entities keep pace with these changes. While it isn’t necessary to be an infosec expert or a white hat hacker, doctors, nurses and administrators should know the law, know the threats and keep vigilant to protect the privacy of their patients and the HIPAA compliance of their practices.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

10 Steps for Ensuring HIPAA Compliance 

10 Steps for Ensuring HIPAA Compliance  | HIPAA Compliance for Medical Practices | Scoop.it

1. Development of privacy policies. Healthcare organizations must develop, adopt and implement privacy and security policies and procedures. They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs.

2. Appointment of privacy and security officers. Healthcare organizations should appoint a privacy and security officer. This could either be the same or different individuals. This person should be conversant in all HIPAA regulations and policies.

3. Conducting regular risk assessments. Healthcare organizations should regularly conduct risk assessments to identify vulnerabilities. This will help ensure the confidentiality and integrity of protected health information. It is important to remediate any identified risks and revise policies, if necessary, to minimize risk.

4. Adoption of email policies. Healthcare organizations should adopt policies regarding the use of e-mail. "The Office of Civil Rights does not look too kindly on organizations who haven't established policies regarding mobile devices and email communication," HIPAA does not prohibit the use of email for transmitting protected health information and it does not require that the email be encrypted. But, it is best to encrypt email if possible. If your organization can't encrypt email, make sure that your patients are aware of the risks they are facing if they ask for their health information over email. 

5. Adoption of mobile device policies. Healthcare organizations should adopt strict policies regarding the storage of protected health information on portable electronic devices, and they should regulate the removal of those electronic devices from the premises. HHS has issued guidance regarding the use of mobile devices, and healthcare organizations should be familiar with it.

6. Training. Training all employees who use or disclose protected health information and documenting that training, is an essential step to ensuring HIPAA compliance. Healthcare organizations should also conduct refresher courses and train the employees in new policies and procedures.

7. Notice of Privacy Practices. A Notice of Privacy Practices should be correctly published and distributed to all patients. It should also be displayed on the organization's website, and the organization should obtain acknowledgement of receipt from all their patients,that the notice should be updated whenever policies are revised. It will need to be updated now to reflect the provisions of the Omnibus Final Rule. 

8. Entering into valid agreements. Healthcare organizations should ensure that they are entering into valid business associate agreements with all business associates and subcontractors. Any existing business associate agreements will have to be updated to reflect the changes to HIPAA under the final rule, such as the expansion of liability of business associates.

9. Adoption of potential breach protocols. A protocol for investigating potential breaches of protected health information is a must. The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred. If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities.

10. Implementation of privacy policies. Privacy and security policies must be properly implemented by healthcare organizations, and they should sanction employees who violate them.

 

These 10 steps will help healthcare organizations ensure that they remain HIPAA compliant, but organizations are also encouraged to check the resources available on the Office of Civil Rights website, such as sample business associate agreements and audit protocols.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Medical Practices Are Struggling With HIPAA Compliance 

Medical Practices Are Struggling With HIPAA Compliance  | HIPAA Compliance for Medical Practices | Scoop.it

We recently conducted a survey of medical practices and billing companies to gauge their knowledge of HIPAA’s Privacy and Security regulations, compliance measures, and communication methods.

 

With the help of our partners at Porter Research and The Daniel Brown Law Group, we've created an easy-to-consume narrative explaining the various aspects of HIPAA compliance while also presenting the results in a way that's easy to understand.

The survey of more than 1,100 healthcare professionals revealed several areas of concern, including:

  • 66 percent of respondents were unaware of HIPAA audits prior to this survey bringing it to their attention

  • 35 percent of respondents have conducted a HIPAA-required risk analysis

  • 34 percent of owners, managers, and administrators felt “very confident” their electronic devices containing personal health information (PHI) were HIPAA compliant

  • 24 percent of owners, managers, and administrators in small practices have evaluated all of their Business Associate Agreements

  • 56 percent of office staff and non-owner care providers in small practices have received HIPAA training in the last year

While we noticed a trend suggesting billing companies may be doing better with compliance compared to medical practices, what we found most alarming was the consistent information gap between management and staff when handling HIPAA compliance measures.

 

HIPAA Compliance Resources
Alongside the results, we've also curated a list of resources to help you learn more about the upcoming audits, how to develop a compliance plan, conduct a risk analysis, and how to ensure your electronic devices are HIPAA compliant.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Violation and Hospital Employee viewing PHI 

HIPAA Violation and Hospital Employee viewing PHI  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Violation rocks hospital!  An employee at St. Charles Health system accessed over 2400 patients’ medical records over a two-year period because they were curious. We all know that curiosity killed the cat and now it may have direr consequences for this curiosity seeker and the hospital system. 

HIPAA Violation without intent to commit fraud

The employee who viewed the protected health information (PHI) without a legitimate reason to do so is in jeopardy of large civil fines, loss of their respective clinical license and criminal prosecution. Not to mention termination from their present position. The hospital system has to repair its damaged reputation while at the same time prepare to defend itself against potential civil/criminal lawsuits.  There are too many incidences were an organization is liable for HIPAA violations, even though they “didn’t do it”.

 

Now the local District Attorney has taken interest in this matter and is launching a criminal investigation. Under the HIPAA statute there is no individual right of action, however, the Attorney General of the state where the infraction took place may file charges on the individual(s) behalf.

 

The aforementioned employee signed an affidavit stating that the HIPAA violation they committed, and any of the information they accessed was not to commit fraud, however, that did not halt the criminal investigation.

Hospital employee viewing PHI

This real-life incident demonstrates how healthcare providers and their employees can face serious trouble for viewing records inappropriately. Just remember this incident when you want to be inquisitive about a patient that you are not treating or accessing a patient’s medical records for no business purpose.

 

When performing your job function, it is not a HIPAA violation if you release and/or access a patient’s PHI for treatment, payment or health operations (TPO). When accessing and/or releasing a patient’s PHI, ask yourself does this fall under the TPO exceptions? If it does, then you should just release the minimum information necessary to complete the task and if it does not, then you may need an authorization signed by the patient or his/her representative. In the event you are unsure if you can release and/or access a patient’s PHI, contact your supervisor or your organization’s Privacy Officer.

 

Finally, this violation reaffirms the need to conduct a HIPAA Risk Analyses, including monitoring the privacy/breach rule.  Use your policies and procedures for efficient and effective training, auditing and monitoring.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Dorothy R. Cook 's curator insight, July 2, 4:09 AM

There is a way to address certain issues using protocol. and proper procedures. Take yourcissue to the right people in the right way. 

Scoop.it!

$150,000 HIPAA Settlement Following Breach of Unsecured PHI Due To Malware | JD Supra

The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) announced on December 8, 2014 that a community behavioral health organization agreed to pay $150,000 and adopt a corrective action plan to settle potential violations related to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In March 2012, Anchorage Community Mental Health Services (ACMHS) notified OCR regarding a breach of unsecured electronic protected health information from malware that compromised the security of ACMHS’ information technology resources. The breach affected 2,743 individuals. ACMHS is a five-facility, non-profit organization providing behavioral health care services in Alaska.

As part of its investigation, OCR noted that ACMHS had adopted HIPAA security rule policies and procedures in 2005, but ACMHS did not follow these rules. As part of the Resolution Agreement, OCR stated that for almost seven years, “ACMHS failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability” of its electronic protected health information. During that same time period, OCR stated that ACMHS did not implement policies and procedures requiring implementation of security measures. During a four-year period, ACMHS did not implement technical security measures to guard against unauthorized access to electronic protected health information that was transmitted over an electronic communications network by “failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches.”

In early December 2014, ACHMS agreed to enter into a Corrective Action Plan (CAP) with HHS. The two-year CAP requires ACHMS to revise its security rule policies and procedures and distribute them to all workforce members who use or disclose electronic protected health information; provide general security awareness training materials for all workforce members, and conduct an annual “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of its electronic protected health information. ACHMS is required to provide annual reports to HHS of its compliance with the CAP.

In the press releasing announcing the resolution with ACMHS, HHS emphasized that successful HIPAA compliance includes, “reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”

This is the sixth resolution agreement announced by OCR in 2014. Overall, HHS has entered into 21 resolution agreements relating to HIPAA compliance. HIPAA compliance continues to be a focus of OCR activities.



more...
No comment yet.