HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

ARE YOU SURE YOUR MEDICAL BUSINESS IS HIPAA COMPLIANT?

What Exactly Is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that took effect in 2003 to ensure that patients’ medical records and other health information provided to health plans, hospitals, doctors and other health care providers are protected. HIPAA is enforced by the U.S. Department of Health and Human Services. It provides nationwide privacy and security standards for patient information, while allowing patients greater access to their medical records and more control over how their personal health information is used and disclosed. HIPAA established national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity (medical provider).

The HIPAA Security Risk Assessment

There are over 50 HIPAA Security Standards and Implementation Specifications that must be addressed with policy and procedures. They are all applicable to Covered Entities and Business Associates. The HIPAA rule is very detailed, and it is important that you not miss any compliance requirements.

One of the best ways to ensure HIPAA compliance is to implement a HIPAA security risk assessment. This will tell you what areas of your practice are in compliance, and which areas need corrections to be made in order to become compliant. No matter what, you want to make certain you are following all the requirements of the HIPAA Security Rule, as there are steep fines resulting from non-compliance.

The Three Parts of the HIPAA Security Rule

The HIPAA Security Rule requires a healthcare facility and its staff to implement specific safeguards in these three areas:

• Administrative safeguards

• Physical safeguards

• Technical safeguards

These safeguards ensure the confidentiality, integrity, and security of protected health information (PHI). While “required implementation specifications” must be implemented, “addressable implementation specifications” must be implemented if it is appropriate and reasonable to do so. Your choice must be documented. Do not make the mistake of automatically thinking that “addressable implementation specifications” are optional. If you are unsure if any “addressable implementation specifications” apply to you, it is best to implement them, as most are considered to be standard “best practices” for a medical business.

The results of your HIPAA security risk assessment should provide you with a list of areas where you need improvement. This is where you will begin to work on policies and procedures to address the deficiencies by documenting and outlining all “required implementation specifications”, and all applicable “addressable implementation specifications” needed to become HIPAA compliant.

Just A Few Examples of HIPAA Policy Requirements

Here are a few examples of the types of HIPAA “required” controls you will need to implement.

One of the main requirements is controlling access to patients’ records by your staff members. This requires a unique user identification for each user, with logins and logouts recorded so that each user can be identified and tracked, as well as comprehensive HIPAA training for your staff. Often, staff will find HIPAA compliance inconvenient, but they must recognize it is for their own protection.

You must have a secure procedure for accessing PHI during an emergency. Should the power go off, do you have a back-up power source? Are your records securely backed up in compliance with HIPAA? Healthcare organizations should have a contingency plan in place for emergency operations and disaster recovery.

It is advisable that all patient data be encrypted, with a mechanism in place to decrypt it for authorized use. After a risk assessment, all laptops, computers, and mobile devices may need to be encrypted. Do you have firewall protection? Is your network accessible from outside your business? Do you have intrusion protection? Is your wireless network secured? Any company that handles sensitive patient data protected by HIPAA should run a cybersecurity assessment to thoroughly check the network, determine how secure it is, and identify the measures that must be taken to close any holes in that system.

Audit controls, via hardware or software, must record and examine activity in information systems containing or using ePHI.
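The unique-user-identification requirement above and the audit-control requirement are two halves of one mechanism: an audit trail is only useful for "identifying and tracking each user" if every record is tied to one person. The following is an added example (not code from the page or from Technical Dr. Inc.) of the kind of review a practice can run over its own ePHI access audit trail. The record layout, the constructed sample log lines, the list of shared account names and the 07:00-19:00 operating hours are all assumptions for illustration.

```python
from collections import Counter
from datetime import datetime

# Constructed sample of an ePHI access audit trail (not taken from the page). The record
# layout is an assumption: timestamp, user id, action, patient id, workstation.
SAMPLE_AUDIT_LOG = """\
2024-03-04T08:02:11 jsmith VIEW P10493 WS-FRONT1
2024-03-04T08:05:37 frontdesk VIEW P10493 WS-FRONT1
2024-03-04T08:09:02 jsmith EXPORT P10522 WS-FRONT1
2024-03-04T08:15:45 admin VIEW P10601 WS-ADMIN
2024-03-04T09:41:10 mlee VIEW P10493 WS-EXAM2
2024-03-04T23:12:58 jsmith VIEW P10777 WS-FRONT1
this line is malformed and must be skipped
"""

# Account names that cannot be attributed to one person (assumed list; tune per practice).
SHARED_ACCOUNTS = {"frontdesk", "admin", "nurse", "reception", "guest"}


def parse_audit_log(text):
    """Parse whitespace-separated audit records; malformed lines are skipped, never guessed."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, action, patient, workstation = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        records.append({"when": when, "user": user, "action": action,
                        "patient": patient, "workstation": workstation})
    return records


def shared_account_use(records):
    """Records made under a generic login, which defeats per-user identification and tracking."""
    return [r for r in records if r["user"].lower() in SHARED_ACCOUNTS]


def after_hours_access(records, open_hour=7, close_hour=19):
    """Records outside the practice's operating hours (assumed 07:00-19:00); worth a second look."""
    return [r for r in records if not (open_hour <= r["when"].hour < close_hour)]


def exports(records):
    """Bulk-retrieval actions: the events most worth reviewing because data leaves the system."""
    return [r for r in records if r["action"] == "EXPORT"]


def access_counts(records):
    """Per-user count of ePHI accesses, the basic figure a periodic audit review starts from."""
    return Counter(r["user"] for r in records)


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("parsed records:", len(recs))
    print("shared-account use:", [(r["user"], r["patient"]) for r in shared_account_use(recs)])
    print("after-hours access:", [(r["user"], r["when"].isoformat()) for r in after_hours_access(recs)])
    print("exports:", [(r["user"], r["patient"]) for r in exports(recs)])
    print("accesses per user:", dict(access_counts(recs)))
```

The three review functions correspond to the questions a reviewer of the audit trail actually asks: who used a login that does not name a person, who touched records outside normal hours, and who pulled data out of the system. Keeping the parser strict (malformed lines dropped rather than repaired) matters because an audit trail that silently tolerates garbage records cannot be relied on as evidence.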

Transmission of all ePHI must be secure.

There are many other required and addressable specifications that need to be implemented. This is only a handful, to give you an idea of the types of issues you will need to address.

Once You Are HIPAA Compliant, Then What?

Once you have achieved HIPAA compliance, it is then important that procedures and policies be put into place to maintain compliance. Employers must keep a record that all employees have received proper HIPAA training. They need to understand how HIPAA is implemented in your office. If you switch IT companies, you will need to make certain that the new company is HIPAA compliant, and they will need to provide you with a Business Associate Agreement. Yes, HIPAA compliance is a never ending task for businesses that handle patient health information.

If you are concerned about understanding and meeting all of the “required” and “addressable” security standards and implementation specifications your business must have in order to be HIPAA compliant, consider bringing in Colington Consulting to review the status of your HIPAA compliance program. Colington Consulting are experts in the field who know the HIPAA rules inside and out. They will help you avoid problems and steep fines by ensuring your business is meeting HIPAA compliance requirements, relieving you from any doubt about the status of your business’s HIPAA compliance.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Why Anthem Was Wrong Not to Encrypt

Being provocative isn’t always helpful. Such is the case with Fred Trotter’s recent headline ‒ Why Anthem Was Right Not To Encrypt.

His argument that encryption wasn’t to blame for the largest healthcare data breach in U.S. history is technically correct, but lost in that technical argument is the fact that healthcare organizations are notably lax in their overall security profile. I found this out firsthand last year when I logged onto the network of a 300+ bed hospital about 2,000 miles away from my home office in Phoenix. I used a Chrome browser and a single malicious IP address that was provided by Norse. I wrote about the details of that here ‒ Just How Secure Are IT Network In Healthcare? Spoiler alert: the answer to that question is not very.

I encourage everyone to read Fred’s article, of course, but the gist of his argument is that technically ‒ data encryption isn’t a simple choice and it has the potential to cause data processing delays. That can be a critical decision when the accessibility of patient records is urgently needed. It’s also a valid point to argue that the Anthem breach should not be blamed on data that was unencrypted, but the headline itself is misleading ‒ at best.


I don’t disagree with Fred’s narrow technical argument, but there is definitely a larger issue that he chose to ignore. That larger issue ‒ and one I’ve written about frequently ‒ is what industry experts call a “culture of security.” The sheer volume of data breaches suggests a serious lack of that culture specifically in healthcare. The SANS Institute report last year highlights the dire state of cybersecurity in healthcare: New Cyberthreat Report by SANS Institute Delivers Chilling Warning to Healthcare Industry

Less than 6 months prior to the time Anthem publicized their breach earlier this month, Community Health Systems (CHS) announced their breach of 4.5 million patient records. Some of the top security analysts have already begun to link the two (Anthem and CHS) ‒ right down to the lethal vulnerability that was discovered last April ‒ the Heartbleed bug. There’s even speculation that the actual breaches at both Anthem and CHS may have occurred in fairly close proximity to each other (after April of last year). Again, something I covered here: Are the Data Breaches at Anthem and CHS Linked?

That “culture of security” means that there’s a technical basis ‒ and logic ‒ to use the appropriate technology (both software and hardware in tandem) to ensure that adequate data (and network) security is in place. Note the use of that word ‒ adequate.

There will never be a perfect defense. The attack surface is increasing ‒ exponentially with IoT ‒ and the attackers have only to find one vulnerability once. Defenders, on the other hand, need to defend against all vulnerabilities ‒ all the time. That equation gives the attackers the upper hand, and the gap between attackers and defenders is widening.

In the end ‒ we’ll likely see at least 2 outcomes from these new mega breaches.

  1. If it’s determined ‒ in court ‒ that the breach was the result of the Heartbleed bug,  both Anthem and CHS will have a much harder time defending against negligence ‒ which means the damage awards will be significant.
  2. Whatever the final cost of both breaches (and those yet to come), as always, they will be passed on to each of us as patients and healthcare consumers in the form of higher premiums.

This last one is simply an extension of many other perverse incentives that exist throughout our for‒profit healthcare system. Why bother paying for an expensive barn door that locks when we can simply pass the cost of all the lost animals onto someone else? Sure, there will be hits to profits and earnings for a while, and some heads may actually roll (the CIO at Sony was summarily dismissed), but will these mega breaches (and others yet to happen) be enough to change the “culture of security” inside healthcare? Probably not ‒ and certainly not if strong technical voices like Fred’s continue to defend what amounts to a cavalier attitude toward security on the basis of a narrow argument – even if that argument is technically correct.


Creating and Managing Passwords - Total HIPAA Compliance

How many times a day do you access applications or websites that require passwords? The temptation is to make passwords simple or reuse the same password. The 2017 Verizon Data Breach Investigation Report found that 81 percent of hacking-related breaches succeeded through stolen passwords or weak passwords. That’s an 18 percent increase from last year’s report, suggesting that rather than getting better, password security is getting worse.

Common password problems are using simple passwords that are easy to hack and the same one for many sites. Then there is the problem that you can’t remember them all! Ah, the joy of managing passwords. Here are two ways to protect your data. First, learn how to create a solid password. Next, consider a password management system.

Creating Passwords

You know that your passwords have to be unique and strong. But what exactly gives passwords these traits? This list of Dos and Don’ts will help you create a strong password to safeguard your patients’ or clients’ protected health information:

Do:

  • Do use 12-15 characters for each password. The longer, the better.
  • Do consider using a phrase or sentence you can easily remember as your password, including numbers and special characters.
  • Do use special characters in atypical places. For instance, use a number in the middle of a word rather than before or after it.
  • Do consider length more than complexity. Studies show that a 15-character password with special characters is more secure than a short one of all unique characters like 5&Hq%.

Don’t:

  • Don’t use easily guessed passwords like family members’ names or birthdates.
  • Don’t use single words found in the dictionary such as watermelon or even watermelonseeds as standalone passwords.
  • Don’t reuse passwords at multiple sites.
  • Don’t share your passwords with anyone. If you have to, immediately change your password as soon as someone else has used it.
  • Don’t use passwords based on adjacent keys on the keyboard, like asdfjkl;.
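The Dos and Don’ts above are rules a practice can enforce automatically at the point where a password is set, instead of relying on staff to remember them. The following is an added example (not code from the page or from Total HIPAA Compliance) of a small policy checker that implements those rules: a 12-character minimum, a digit or special character somewhere inside the password rather than only at the ends, rejection of passwords built purely from dictionary words (including glued-together ones like watermelonseeds), rejection of adjacent-key runs such as asdfjkl;, and rejection of a password that has been used before. The tiny word list and the keyboard rows are constructed stand-ins; a real deployment would load a full dictionary and a breached-password list.

```python
import string

# Constructed stand-in for a real wordlist (assumption: the article names no specific list).
COMMON_WORDS = {"watermelon", "seeds", "password", "welcome", "summer", "doctor"}

# Physical key rows (US layout) used to spot adjacent-key sequences such as "asdfjkl;".
KEYBOARD_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]

MIN_LENGTH = 12  # lower bound of the article's 12-15 character recommendation


def has_keyboard_run(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` or more physically adjacent keys in order, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - run + 1):
            seq = row[start:start + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def is_dictionary_only(pw: str) -> bool:
    """True if pw is letters only and can be split entirely into known words
    (catches both 'watermelon' and 'watermelonseeds')."""
    low = pw.lower()
    if not low.isalpha():
        return False
    n = len(low)
    segmentable = [False] * (n + 1)  # segmentable[i]: low[:i] splits into known words
    segmentable[0] = True
    for i in range(1, n + 1):
        for j in range(i):
            if segmentable[j] and low[j:i] in COMMON_WORDS:
                segmentable[i] = True
                break
    return segmentable[n]


def has_inner_digit_or_symbol(pw: str) -> bool:
    """True if a digit or special character sits somewhere other than the first or last position."""
    return any(c.isdigit() or c in string.punctuation for c in pw[1:-1])


def check_password(pw: str, previously_used=()) -> list:
    """Return the list of rule violations; an empty list means the password passes every check."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    if is_dictionary_only(pw):
        problems.append("dictionary_words_only")
    if has_keyboard_run(pw):
        problems.append("keyboard_run")
    if not has_inner_digit_or_symbol(pw):
        problems.append("no_inner_digit_or_symbol")
    if pw in previously_used:
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Candidates drawn from the article's own examples plus one constructed passphrase.
    for candidate in ["5&Hq%", "watermelonseeds", "asdfjkl;asdfjkl;", "Blue7Coffee-Morning"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

The checker returns every violation rather than stopping at the first, so a user who is told why a password was rejected can fix all the problems at once. Note that the length check comes first and is independent of the others: the article's point that length matters more than complexity means a short password fails even if it would pass every other rule.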

Password Management

Since you’re now the resident expert on password creation, how can you organize all of them? A password management program lets you store and organize passwords in a single spot, so a single master password gives you access to your complete password database. Last month, PC Magazine published an article comparing several different password management programs. For roughly $12 to $45 a month, you can pay a service like Dashlane, 1Password, LastPass, etc., to securely keep your passwords at your disposal.

Within these programs, you can define your own passwords, or they can create unique passwords for you. To make it easy, these programs can be accessed not only on your work computer but also on your cellular phone or other devices. They may be a great help, but remember that your master password to the program becomes the one and only access point to all of your other information. Concerned about the security of these management programs? A recent article in Macworld will reassure you they are a reliable tool.

Password creation and accessibility aren’t for the faint of heart. Will it always be so difficult? Maybe not. Biometric sensors like iris scanning and facial recognition are becoming increasingly popular forms of authentication. These biometric sensors can’t stand alone as a strong security solution, but we’re already seeing them more and more as part of a multi-factor authentication solution.

For the meantime, with security breaches rampant, password security is something you and your company can’t take lightly. Make it a habit of creating strong passwords. If you can’t organize them in a safe way, a password management system just might be the help you need to secure the PHI for which you’re responsible.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com
