HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

WannaCry Ransomware Protection with HIPAA

Whether it goes by WannaCry, WannaCrypt, Wana Decryptor or WCry, this ransomware has spread through over 150 countries, and many are concerned for good reason. The WannaCry attack is the largest ransomware attack to date.

The attack started on Friday (5/12/17). It locks people out of their computers, encrypts their data, and demands up to $300 in bitcoin for a decryption key. The price doubles after three days, and if the ransom is not paid, all files are permanently deleted. To add insult to injury, WannaCry also behaves like a worm: the malware can potentially infect other computers and servers on the same network.[1]

The ransomware was slowed last week when a single security analyst discovered a kill switch in WannaCry's code. Since then, WannaCry has been updated to remove the kill switch, allowing it to spread further. The attack has now reached over 150 countries and around 216,000 computers.[2]

Here at Total HIPAA, we offer resources and services to help you figure out what to do next to keep you and your organization from becoming a victim of ransomware or any other type of malware attack. The Health and Human Services Office for Civil Rights (OCR) has recently posted guidance on HIPAA specific to ransomware. OCR reaffirms that implementing HIPAA standards provides safeguards against WannaCry and other malicious software.

Read through the sections below on the areas we suggest you cover when reevaluating how your business operates. We have previously posted blog articles giving guidance on topics that may still be open questions for your business.

3rd Party Vendors and Contractors

Third-party vendors and contractors hired for a specific duty, or working for you temporarily, need to be handled properly for liability reasons. Your vendors, and at times your contractors, are considered business associates under HIPAA.

Passwords

Strong passwords are the simplest and most effective preventive measure a user can take to help protect your organization's network.

Ransomware and Malware Best Practices

Ransomware and malware continue to grow; read what you need to know about both and what you should do to prevent malicious attacks on your systems.

Update Software

Microsoft Windows users were the prime targets of the WannaCry attack. Make sure your Windows versions are kept up to date and that BitLocker[2] is enabled on your computer.

Encryption

Encryption keeps hackers and viruses from using your files against you. When your devices are encrypted, anyone who attempts to retrieve your information will receive it in an unreadable format. And since many attacks arrive through email and its attachments, an email encryption solution can be very useful (and is highly recommended!). Using the cloud can also cover you if you fall victim to ransomware, because files stored through your file sharing application can help you regain access without paying a dime to criminals.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


HIPAA Compliance Will Stop Ransomware's Damage


On average, there have been 4,000 daily ransomware attacks since early 2016, an increase of 300% from the 1,000 daily ransomware attacks reported in 2015.[1] The Health and Human Services Office for Civil Rights (HHS OCR) has released a fact sheet stating that implementing HIPAA standards in your organization will help defend against malicious software (malware) attacks like the WannaCry ransomware.

Our Total HIPAA team has summarized the eight-page Fact Sheet: Ransomware and HIPAA. HHS OCR answers eight (8) key questions about dealing with ransomware and keeping electronic protected health information (ePHI) safe.[2]

1. What is ransomware?

Ransomware is a type of malware that attempts to deny access to a user's data, typically by encrypting the data with a key known only to the hacker until a ransom is paid. The ransomware then directs the user to pay the hacker a ransom in order to receive a decryption key. However, hackers may also deploy ransomware that destroys or extracts data.

2. Can HIPAA compliance help covered entities and business associates prevent infections of malware, including ransomware?

Yes. The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. The Security Rule establishes minimum requirements for the security of ePHI (45 CFR 164.308(a)(1)(i)). Entities are encouraged to implement additional and/or more stringent security measures.

3. Can HIPAA compliance help covered entities and business associates recover from infections of malware, including ransomware?

Yes. The HIPAA Security Rule requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack.

Because ransomware denies access to data, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack. Test restorations should be periodically conducted to verify the integrity of backed up data and provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and unavailable from their networks.

When responding to a ransomware attack, an entity may find it necessary to activate its contingency or business continuity plans. Once activated, an entity will be able to continue its business operations while continuing to respond to and recover from a ransomware attack.

4. How can covered entities or business associates detect if their computer systems are infected with ransomware?

HIPAA’s requirement that an entity’s workforce receives appropriate security training, including training for detecting and reporting instances of malware, can assist entities in preparing their staff to detect and respond to ransomware.

If an entity believes that a ransomware attack is underway, it should immediately activate its security incident response plan, which should include measures to isolate the infected computer systems in order to halt further spread of the attack.

5. What should covered entities, or business associates or business associate subcontractors do if their computer systems are infected with ransomware?

Once ransomware is detected, the organization must initiate its security incident response and reporting procedures (45 C.F.R. 164.308(a)(6)). These procedures should help your organization prioritize subsequent incident response activities and serve as a foundation for further analysis of the incident and its impact.

6. Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?

Whether or not the presence of ransomware would be a breach under HIPAA is based on specific facts. A breach of the rules is defined as the acquisition, access, use, or disclosure of ePHI in a manner not permitted under HIPAA which compromises the security or privacy of ePHI (45 C.F.R. 164.402). When ePHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired by an unauthorized user, and is a disclosure not permitted under HIPAA.

Unless your organization can demonstrate that there is a low probability that ePHI has been compromised based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, in accordance with HIPAA breach notification requirements (45 C.F.R. 164.400-414).

7. How can covered entities or business associates demonstrate… that there is a low probability that the PHI has been compromised such that breach notification would not be required?

To demonstrate that there is a low probability that ePHI has been compromised because of a breach, a risk analysis considering at least the following four (4) factors must be conducted (45 C.F.R. 164.402(2)):

  1. The nature and extent of the ePHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the ePHI or to whom the disclosure was made;
  3. Whether the ePHI was actually acquired or viewed; and
  4. The extent to which the risk to the ePHI has been mitigated.

A thorough and accurate evaluation of the evidence acquired and analyzed as a result of security incident response activities could help entities with the risk assessment process.

8. Is it a reportable breach if the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA?

If the ePHI is encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer unsecured ePHI, then the entity is not required to conduct a risk analysis to determine if there is a low probability of compromise, and breach notification is not required.[3]

For example, if a laptop encrypted with a full disk encryption solution in a manner consistent with HHS guidance is properly shut down and powered off and then lost or stolen, the data on the laptop would be unreadable, unusable and indecipherable to anyone other than the authenticated user. In that case, an entity would not need to perform a risk assessment or provide breach notification. But if the laptop is powered on and in use by an authenticated user, who then clicks on a link to a malicious website or opens an attachment from a phishing email that infects the laptop with ransomware, there could be a breach of ePHI.


Malicious Social Engineering and HIPAA

Spam accounts for 65% of the total volume of global internet email traffic according to Cisco's 2017 Annual Cybersecurity Report. The Report also points out that hackers are successfully using automated attacks on your company's networks, leaving them more time to attempt other strategies to bypass your network defenses.[1]

What does this mean for you and your organization? Security awareness must be a priority across the board. In this blog we outline three methods hackers use to trick your employees into revealing confidential information, possibly including the Protected Health Information your organization has in its possession.

Social engineering is a term in computer security that refers to schemes hackers use to access your computer systems. The weakest link in most systems is the user; therefore, it’s extremely important you and your employees understand how it works.

According to Social-Engineer, Inc., the three top methodologies of malicious social engineering used by hackers are:

  1. Phishing: The practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.
  2. Vishing: The practice of eliciting information or attempting to influence action via the telephone, which may include tools such as "phone spoofing".
  3. Impersonation: The practice of pretending to be another person with the goal of obtaining information or access to a person, company, or computer system.[2]

Phishing

Hackers use phishing emails to trick people into clicking links that often lead to the installation of malware or ransomware on your computer or possibly giving up your personal information. Criminals are looking, or phishing, for your personal information. This can be a simple email asking for you to verify your Gmail account or a PayPal account.

In our blog, Social Engineering and HIPAA, we provided key ways to identify phishing emails as fraudulent:

  1. Grammar mistakes and misspellings
  2. Threatening language
  3. Fantastic job offers or promotions
  4. The link addresses don't match the sender of the email, such as the Google name being spelled with zeros instead of the letter o
  5. Requests for money
  6. Unsolicited requests to change passwords
  7. In general, anything that sounds too good to be true usually is

Do not click on the email or any of its links. That single click can expose your entire company to a whole host of issues and cause problems across your entire network.
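The link and wording checks from that list, applied to a few constructed messages; this is an added example, not code from the original post, and the trusted-domain list and cue phrases are assumptions chosen for the demo:

```python
"""Apply the phishing checklist above to an email's sender, links and wording."""
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed for this example: domains the practice legitimately corresponds with.
KNOWN_DOMAINS = {"google.com", "gmail.com", "paypal.com", "example-clinic.com"}
# Digits commonly swapped for letters in lookalike domains (the article's "zeros for o").
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Cue phrases for the wording indicators; assumed wordlists, not from the article.
THREAT_CUES = ("suspended", "terminated", "legal action", "within 24 hours", "final notice")
MONEY_CUES = ("wire transfer", "gift card", "send payment", "invoice attached")
PASSWORD_CUES = ("reset your password", "change your password", "verify your account")
OFFER_CUES = ("you have won", "job offer", "claim your prize")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (adequate for .com-style names)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known domain this one imitates by digit substitution, if any."""
    plain = domain.translate(LOOKALIKE)
    return plain if plain != domain and plain in KNOWN_DOMAINS else None


def phishing_indicators(sender: str, subject: str, body: str) -> List[str]:
    """Return the sorted set of checklist indicators that fire for one email."""
    flags = set()
    sender_domain = registered_domain(sender.rsplit("@", 1)[-1])
    if lookalike_of(sender_domain):
        flags.add("lookalike_sender_domain")
    for url in URL_RE.findall(body):
        link_domain = registered_domain(urlparse(url).hostname or "")
        if lookalike_of(link_domain):
            flags.add("lookalike_link_domain")   # e.g. g00gle.com standing in for google.com
        elif link_domain != sender_domain:
            flags.add("link_domain_mismatch")    # link points somewhere other than the sender
    text = f"{subject}\n{body}".lower()
    for name, cues in (("threatening_language", THREAT_CUES),
                       ("money_request", MONEY_CUES),
                       ("password_change_request", PASSWORD_CUES),
                       ("too_good_offer", OFFER_CUES)):
        if any(cue in text for cue in cues):
            flags.add(name)
    return sorted(flags)


# Constructed sample messages, not real mail.
SAMPLES = [
    ("security@gmail.com", "Action required",
     "Your account will be suspended within 24 hours unless you verify your account "
     "at http://accounts.g00gle.com/verify"),
    ("billing@paypa1.com", "Invoice attached", "Please send payment by wire transfer today."),
    ("frontdesk@example-clinic.com", "Staff meeting",
     "Agenda for Monday: http://intranet.example-clinic.com/agenda"),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLES:
        print(f"{sender:32} -> {phishing_indicators(sender, subject, body) or ['clean']}")
```

The grammar and "too good to be true" items on the list need human judgement; this script only covers the indicators that can be checked mechanically.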

Vishing

The practice of vishing is similar to phishing but conducted over the telephone. It is the practice of calling an individual and eliciting information or attempting to influence action.[3] Two common vishing techniques are the attacker calling a company's customer service or help desk, and the attacker posing as technical support.

In one technique common for vishing, the attacker calls a receptionist or customer service knowing that these individuals deal with clients in a positive manner to help solve their concerns with the organization. Due to the lack of training and the desire to give the caller a positive experience, customer service is likely to oblige any requests the caller has during the phone call. When a caller is asking for a password reset to their online account or asking for the credit card on file, have them verify some information only the corresponding individual would know.

In the other technique, the attacker poses as technical support and has a user click on a link that lets the attacker take over the computer, and just like that they have access to the system. Unless the technician is new to your organization, have the same person work on your computer. Question a technician who is unfamiliar to you and verify they are an employee.

Impersonation

Impersonation is the practice of presenting oneself as someone else in order to obtain private information. One common attack is to impersonate a delivery person (e.g. Postal Service employee, FedEx delivery driver). Impersonating a delivery person is an effective and easy attack, since not much acting is involved. When a package is being delivered to your place of business, make sure to verify the credentials of an unfamiliar deliverer.[4]

How to Protect Yourself

Be sure to do a little social engineering of your own. Train your employees on how to use their workstations properly, how to recognize malicious emails, and help protect your systems. A key part of this is training your staff on HIPAA, and how they can support your efforts to keep client information safe. HIPAA security training covers these potential attacks on your system and much more.


Why Medical Websites Need to be HIPAA Compliant - Today's Business


In today’s digital world, information is more prone to hacking than ever before, which creates a serious safety issue. Most websites can be developed and hosted on the Internet without thinking much about safety. Healthcare practices and other establishments in the medical industry, however, must proceed with caution for various safety reasons. In order to protect patients’ records and maintain confidentiality, medical institutions must create websites that are HIPAA compliant.

WHAT IS HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that provides protection and security for patients’ medical information. The U.S. Department of Health and Human Services enforces this law and sets HIPAA rules and regulations. HIPAA has two rules that must be followed to be compliant with regulations. The first rule, known as the Privacy Rule, pertains to protecting the private health information of a patient. The second rule, known as the Security Rule, encourages data security measures. This rule is particularly important to address when information is stored electronically.

How to Make Your Website HIPAA Compliant

Patients' confidential information is most likely at risk if a medical website is hosted with only basic encryption. To avoid violating HIPAA rules, websites must attain a high level of protection. This concern comes into play whenever sensitive information is being collected and a third party is involved in the transfer of data.

One way to encrypt data in transit is to ensure the website itself is secure. Secure Sockets Layer (SSL) can be used to prevent data leaks. Before entering any personal information on a medical website, look at the URL: websites whose address begins with https:// have an SSL certificate that encrypts communication between the web browser and the web server. This means that the medical institution is following HIPAA laws.

Another way to ensure HIPAA compliance is by using forms to collect data that provide that extra security and protection. Typical Content Management Systems (CMS) may not have that level of security so it is best to use a third-party form builder that would be HIPAA Compliant. Cognito Forms is one of the best form builders that provide SSL encryption, data encryption as well as a secure hosting environment.

Medical Website Design

Healthcare websites must make the safety and protection of their patients a top priority. As technology is constantly changing and becoming more accessible, it's becoming increasingly important to have a high-level security system on your medical website.

Here at Today’s Business, we have years of experience in building websites for our clients in the healthcare industry. No matter if you are a private practice or public institution, we can help you achieve a HIPAA compliant website that looks great on desktops, tablets, and mobile devices. We can take over your Content Management System and provide your patients’ data the safety that it requires. Contact us now to find out more!


HIPAA Compliance Checklist for Medical Practices


As you know, 2016 is a big year for HIPAA compliance audits. The Office of Civil Rights (OCR), mandated to conduct random audits under the HITECH Act, gave plenty of warning that this year's random compliance audits would begin with a renewed focus on smaller practices (15 or fewer providers) and include Business Associates (BAs) in the audit protocols.

Because practices have been under HIPAA for years, it's easy to get complacent, but HIPAA fines are nothing to take lightly. Last year, OCR issued a record number of fines for violations including $4.8 million for lack of a firewall (New York Presbyterian), $1.7 million for theft of unencrypted laptop (Concentra Health Services), and $800,000 for unsecured medical records (Parkview Health Systems). 

Here's a checklist to help you prepare for HIPAA compliance this year. 

Technical Safeguards

  • Implement a system of access control including unique user names and PINs, plus protocols governing release of ePHI in the event of an emergency. 
  • Ensure a system is in place to authenticate all ePHI; make sure no information is altered or deleted in a way that violates HIPAA guidelines. 
  • Implement an encryption system for all information sent and received outside the organization's internal firewall. 
  • Initiate and/or carry out a system of ePHI access control audits. 
  • Make sure an automatic log-out protocol is in place for all devices used to access ePHI. 

Physical Safeguards

  • Ensure procedures are in place to record anyone with physical access to areas where ePHI is stored (managed service providers, cleaners, engineers, etc.)
  • Implement safeguards for workstations and develop protocols for which functions may be performed on workstations in unrestricted areas. 
  • Develop protocols for ePHI use on mobile devices, including guidelines for removing information from devices no longer in use. 
  • Maintain accurate inventory of all hardware and devices. 

Administrative Safeguards

  • Conduct routine risk assessments and develop a risk management policy including sanctions for employees not in compliance. 
  • Implement HIPAA awareness training, including how to identify malicious attacks/malware; be sure to maintain documentation of training sessions. 
  • Develop and test a contingency plan to govern the integrity of ePHI when/if the entity operates in emergency mode. 
  • Implement policies to restrict third-party access and develop a reporting policy to identify breaches. 
  • Develop and document protocols to issue HIPAA breach notifications to affected patients and to the DHHS in the event the breach affects more than 500 individuals. 

Omnibus Considerations

The new Omnibus rules update HIPAA compliance standards, especially with regard to Business Associate Agreements (BAAs). Under the new guidelines, covered entities must now:

  • Update BAAs to include language making all BAs aware that they are bound by the same security and privacy rules governing covered entities, which means they must implement the same technical, physical, and administrative safeguards as covered entities, and are under the same reporting regime for breaches of ePHI. 
  • Issue updated BAAs to all business associates; a signed, HIPAA compliant BAA must be on file before the entity uses the BA's services. 
  • Update privacy policies to reflect changes in disclosure pertaining to: deceased persons, Medicare, private insurers, immunization records, and the use of ePHI for marketing purposes. 
  • Issue updated Notice of Privacy Practices. 
  • Conduct staff training (with appropriate documentation) regarding the new Omnibus changes. 

It's important to keep in mind exactly what's at stake if you're not in compliance with HIPAA safeguards:

  • $100 to $50,000 fines per violation up to a maximum of $1.5 million for "did not know" violations. 
  • $1,000 to $50,000 per violation to a maximum of $1.5 million for "reasonable cause" violations.
  • $10,000 to $50,000 per violation up to $1.5 million for corrected "willful neglect" violations.
  • $50,000 per violation up to $1.5 million for uncorrected "willful neglect" violations. 

How to Stay HIPAA Compliant with Audit Logs

The U.S. Department of Health and Human Services Office for Civil Rights released a cyber newsletter highlighting the importance of audit controls.[1] Why are audit controls so important? Logs are a critical way, not to mention a required one, for your company to monitor activity on your network. Whether this traffic is from an employee or another source, these logs are vital to protecting the information your organization holds.

On January 18th, a former paramedic for MedStar Ambulance was indicted in a federal identity theft and fraud case involving allegations that he altered patient records as part of a scheme to steal narcotics from a local hospital between January 2013 and May 2015.[2] The paramedic was finally caught after someone discovered that his logs had various irregularities compared to the corresponding hospital records. This incident highlights just how important it is to maintain detailed logs and to monitor them regularly.

What HIPAA Security Rule Mandates

45 C.F.R. § 164.312(b) requires Covered Entities and Business Associates to have audit controls in place. These organizations must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI).[1] Information systems include all electronic devices and applications used within your company's network (e.g. smartphones, computers, email, file sharing applications, internal servers).

In plain English, this means your organization is required to keep audit logs. Whether you are a medical or dental practice, a health insurance agency, or an employee of an organization that manages health records, you need to record and review audit logs to stay compliant with HIPAA and protect the information you maintain.

The kinds of information you should be logging include:

  1. User logins
  2. Changes to databases
  3. Adding a new user
  4. Granting a user a new level of access
  5. Files a user has accessed
  6. Operating system logs
  7. Firewall logs
  8. Anti-malware logs

This extends beyond your electronic systems. If you are still using paper files to store information, you need to have logs of who is accessing information, and if files are removed from the file room. This may be done by having employees sign out files before they remove them from the file room.

Any physical assets that need to be repaired or are in line to be decommissioned should also be logged. This will make sure you are properly protecting or sanitizing these devices.

Many of the software systems you currently use already have the ability to keep detailed logs of activity. The key will be for your IT department to consolidate these logs so it is easy to review if there is ever a question or issue for your team to investigate.

In the event of a security incident, audit trails and logs should be reviewed as soon as possible to determine whether the information has been tampered with. Outside of cyber security incidents, audit trails can help you identify flaws in your network before things go wrong. This process will also help you make sure applications are performing as intended.

How to Maintain Compliance with HIPAA

Keeping detailed logs is the first step towards HIPAA compliance. Create detailed policies and procedures around audit handling, educate staff on changes in procedures, and keep up-to-date with regular reviews of audit logs and audit trails.

You should also be prepared to keep these logs for a minimum of 6 years as is required for HIPAA Compliance. These logs should be stored in a raw format for at least six (6) months to one (1) year. After that, you can store these logs in a compressed format.
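The consolidation and retention advice above, carried through on a few constructed log lines: one OS auth log, one EHR application log and one firewall log, each in its own format, normalized into a single timeline with the event categories from the list above, plus the raw/compressed tiering for the stated retention periods. This is an added example, not code from the original post; the log formats, the sample lines and the one-year raw window (the upper end of the article's 6 to 12 months) are assumptions.

```python
"""Consolidate heterogeneous audit logs into one timeline and apply a retention tier."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample lines (not captured from a real system).
SAMPLE_LOGS = {
    "os": [
        "2017-05-15T08:02:11 sshd: Accepted password for jdoe from 10.0.0.14",
        "2017-05-15T08:05:40 useradd: new user: name=rsmith, UID=1003",
        "2017-05-15T08:06:02 usermod: add 'rsmith' to group 'ephi-admins'",
    ],
    "ehr": [
        "2017-05-15 08:10:33 user=jdoe action=VIEW record=PT-00471",
        "2017-05-15 08:12:05 user=jdoe action=UPDATE table=medications record=PT-00471",
    ],
    "firewall": [
        "May 15 08:14:59 fw1 DROP src=203.0.113.9 dst=10.0.0.5 dport=445",
    ],
}

# Event categories follow the article's list of what to log.
OS_PATTERNS = [
    ("login", re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("new_user", re.compile(r"useradd: new user: name=(?P<user>[^,]+)")),
    ("access_change", re.compile(r"usermod: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")),
]
DB_ACTIONS = {"INSERT", "UPDATE", "DELETE"}


def parse_os(line: str) -> Optional[Dict]:
    """OS log: ISO timestamp, then a daemon message; unclassified lines return None."""
    ts = datetime.strptime(line[:19], "%Y-%m-%dT%H:%M:%S")
    for category, pattern in OS_PATTERNS:
        m = pattern.search(line)
        if m:
            return {"ts": ts, "source": "os", "category": category,
                    "user": m.group("user"), "detail": line[20:]}
    return None


def parse_ehr(line: str) -> Dict:
    """EHR log: timestamp followed by key=value pairs; writes count as database changes."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    fields = dict(kv.split("=", 1) for kv in line[20:].split())
    category = "db_change" if fields["action"] in DB_ACTIONS else "file_access"
    return {"ts": ts, "source": "ehr", "category": category,
            "user": fields["user"], "detail": line[20:]}


def parse_firewall(line: str, year: int) -> Dict:
    """Syslog-style firewall line; the year is absent, so the caller supplies it."""
    m = re.match(r"(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\w+) (.*)", line)
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "source": "firewall", "category": "firewall",
            "user": None, "detail": f"{m.group(3)} {m.group(4)}"}


def consolidate(logs: Dict[str, List[str]], year: int) -> List[Dict]:
    """Normalise every source into one schema and return a single time-ordered list."""
    events: List[Dict] = []
    for line in logs.get("os", []):
        ev = parse_os(line)
        if ev:
            events.append(ev)
    events.extend(parse_ehr(line) for line in logs.get("ehr", []))
    events.extend(parse_firewall(line, year) for line in logs.get("firewall", []))
    return sorted(events, key=lambda e: e["ts"])


def user_timeline(events: List[Dict], user: str) -> List[str]:
    """Everything one user did across all sources: the view an investigator wants."""
    return [f"{e['ts'].isoformat()} [{e['source']}/{e['category']}] {e['detail']}"
            for e in events if e["user"] == user]


def retention_tier(event_ts: datetime, now: datetime,
                   raw_days: int = 365, keep_years: int = 6) -> str:
    """Raw for one year, compressed until six years old (years approximated as 365 days)."""
    age = now - event_ts
    if age <= timedelta(days=raw_days):
        return "raw"
    if age <= timedelta(days=365 * keep_years):
        return "compressed"
    return "expired"  # past the six-year minimum; disposal is then a local policy decision


if __name__ == "__main__":
    timeline = consolidate(SAMPLE_LOGS, year=2017)
    for entry in user_timeline(timeline, "jdoe"):
        print(entry)
    print(retention_tier(timeline[0]["ts"], datetime(2018, 1, 1)))
```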


What is HIPAA Compliance?


HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

This includes covered entities (CE), anyone who provides treatment, payment and operations in healthcare, and business associates (BA), anyone with access to patient information and provides support in treatment, payment or operations. Subcontractors, or business associates of business associates, must also be in compliance.

The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).

If you are hosting your data with a HIPAA compliant hosting provider, they must have certain administrative, physical and technical safeguards in place, according to the U.S. Department of Health and Human Services. The physical and technical safeguards are most relevant to services provided by your HIPAA compliant host as listed below, with detail on what constitutes a HIPAA compliant data center.

  • Physical safeguards include limited facility access and control, with authorized access in place. All covered entities, or companies that must be HIPAA compliant, must have policies about use and access to workstations and electronic media. This includes transferring, removing, disposing and re-using electronic media and electronic protected health information (ePHI).
  • Technical safeguards require access control to allow only the authorized to access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log off and encryption and decryption.
  • Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful to pinpoint the source or cause of any security violations.
  • Technical policies should also cover integrity controls, or measures put in place to confirm that ePHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are key to ensure that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact.
  • Network, or transmission, security is the last technical safeguard required of HIPAA compliant hosts to protect against unauthorized public access of ePHI. This concerns all methods of transmitting data, whether it be email, Internet, or even over a private network, such as a private cloud.

A supplemental act, the Health Information Technology for Economic and Clinical Health (HITECH) Act, was passed in 2009. It supports enforcement of HIPAA requirements by raising the penalties for health organizations that violate the HIPAA Privacy and Security Rules. The HITECH Act was formed in response to the development of health technology and the increased use, storage and transmittal of electronic health information.


4 Steps to Assess a Possible HIPAA Data Breach


The HIPAA Omnibus Rules dramatically elevated your risk of data breaches. From lowering the breach standard to requiring documentation on why you think that you didn’t commit a breach, your practice needs to diligently work to avoid problems and properly handle a breach. An event that compromises the security or privacy of Protected Health Information (PHI) is considered an impermissible use or disclosure of PHI. Impermissible use or disclosure is a breach unless you can show that there was a low probability that the PHI was compromised. This is not an academic discussion since you are required to properly notify patients and the Department of Health and Human Services (HHS) about breaches, and you are subject to fines for breaches. For example, mailing patient information to the wrong party, and unauthorized access to your electronically stored patient records are breaches unless you can show that there is low probability that PHI was compromised.

There are three exceptions to the breach trigger: unintentional acquisition, access, or use of PHI by workforce members acting in good faith within the scope of their jobs; inadvertent disclosure to another person at the same organization who is authorized to access PHI; and situations where you have a good-faith belief that the recipient would not reasonably have been able to retain the information. For example, a fleeting view of some PHI on a computer screen may not be a reportable incident. Applying a "good faith evaluation" and a "reasonable conclusion," you evaluate the incident against four factors:

  1. PHI Nature and Extent: The sensitivity of the information, how readily it identifies the patient, and the form in which it is presented all bear on the probability of compromise. De-identifying PHI is not easy or straightforward: beyond names and phone numbers, a photograph of a face or a free-text note about the patient can easily identify the patient. For example, a list of dated de-identified lab results alongside a separate list of patient appointments for the day of the lab does not present a low probability of compromise. On the other hand, loss of electronically stored diagnostic data that can only be read with special software from the device manufacturer may present a low probability of compromise. The answer would be different if the lost information were PHI in an unsecured PDF file.
  2. Unauthorized Person Who Received or Used the PHI: The status of the recipient of the PHI may offer a reasonable way to avoid a breach. For example, sending a patient report to the wrong doctor may present a low probability of compromise, since the receiving doctor is also obligated under HIPAA and trained in HIPAA Privacy and Security.
  3. Actual Acquisition or Viewing of PHI: If your organization uncovers the incident quickly, you may be able to prevent the PHI from being viewed or even possessed. For example, contacting the receiving party and recovering the information before the recipients open it may present a low probability of compromise. Similarly, if an envelope containing PHI was lost but, upon recovery, you determine that it was never opened, you may have a low probability of disclosure or use.
  4. Mitigation: In the final step of your evaluation, determine whether there were mitigating circumstances that lead you to a good-faith and reasonable conclusion that the information was not disclosed. For example, a thumb drive containing a patient's PHI that was lost in a healthcare facility but recovered in a non-public area may be a mitigating factor.

If you determine that the probability that the PHI was compromised is low, you do not have a reportable breach, but you must document the analysis that led you to that conclusion. Otherwise, you have a breach and must respond according to the breach notification requirements. If you have had a breach, without unreasonable delay and no later than 60 days after discovery you must:

  • Notify the Patients: Mail a letter to the last known address of each affected patient. If you have insufficient or out-of-date contact information for 10 or more patients, you must provide substitute notice: a conspicuous posting on your website home page for 90 days, or notice in major print or broadcast media, in either case with a toll-free number that stays active for at least 90 days.
  • Notify HHS: Keep a log of breaches affecting fewer than 500 patients and report them to HHS within 60 days after the end of the calendar year in which they were discovered. If a breach affects 500 or more patients, notify HHS (the Office for Civil Rights) at the same time you notify the patients; when more than 500 residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that area.

With the lower "bar" for a breach and the documentation standards, your practice needs to maintain appropriate procedures, train employees, and enforce your policies to minimize the risk of impermissible uses and disclosures. To monitor evolving issues and avoid future problems, review each data breach to determine whether policies and procedures need to change and whether remedial training is needed to prevent a recurrence.

On a periodic basis, review impermissible uses and disclosures for trends and issues that may require adjustments to your HIPAA compliance strategy. Continuing incidents that are not breaches can still indicate a serious weakness that could lead to one. For example, repeated loss and recovery of EHR backups could indicate the need to change the backup procedure or strategy. Breaches cost money and undermine patients' confidence in the confidentiality of their PHI. With the lower breach trigger and the requirement to document your analysis of whether a breach occurred, you need to work to avoid breaches as well as impermissible uses and disclosures.

Maintaining HIPAA Compliance across Digital, Paper Records

Maintaining HIPAA compliance and numerous data privacy and security mandates is of paramount importance for healthcare organizations. Since HIPAA is not a one-size-fits-all regulatory regime, best practices for data privacy and security programs demand attention to the specific operating environment of each and every healthcare provider.

To ensure compliance, healthcare organizations must implement policies and procedures that are tailored to their operations and the size of their organization.

To complicate matters, many organizations must also balance digital and paper documents while maintaining HIPAA compliance. Many healthcare organizations handle paper documents and digital files smoothly on their own; it is the integration of the two that adds compliance layers and often hampers productivity.

This can be solved with a combination of procedures and technologies that enable rapid paper-to-digital and digital-to-paper transformation and transmission, ensuring patient care is handled efficiently and within compliance demands. Printers, scanners, faxes, and multifunction devices can provide a highly connected on-ramp/off-ramp between digital healthcare systems and physical documents.

Further, healthcare organizations must understand how compliance requirements apply to these devices.

Both electronic data and paper records are subject to the HIPAA Privacy and Security Rules, a set of federal rules first adopted some 15 years ago and substantially revised in 2013 by the Omnibus Rule that implemented the HITECH Act.

However, some healthcare organizations are surprised to learn that the risk of non-compliance can greatly increase with the misuse of office devices such as printers, scanners and fax machines. As a result, it is incumbent upon healthcare providers — in both clinical and administrative environments — to institute sound data handling practices for these devices and the documents processed by each.

Maintaining good data “hygiene” with paper records and files is made easier with user-friendly, compliant print/fax/scan devices and compatible software. Knowledgeable solution providers can assist in integrating hardware and software necessary to ensure the best practices.

To attain compliance with printers, adhere to the following guidelines:

  • Allow users to password-protect print jobs so that a job is released only when the user enters a PIN at the device's control panel. This prevents sensitive documents from sitting unattended in the output trays of shared printers.
  • Configure printers to support face-down printing, faxing, and copying to guard against inadvertent viewing by unauthorized staff.
  • If you must fax, bypass hard-copy printouts by using PC-to-fax or “e-fax” function.

Document digitization lets paper-locked data enter EMR systems, cloud sharing repositories, and mobile workflows. When employing scanners to execute efficient and accurate data integration, consider digitizing sensitive or confidential documents directly to a secure file transfer destination (SFTP or FTPS, not plain FTP, which sends credentials and documents in cleartext), securing the data as soon as it is scanned.

In some cases, moving paper workflows to electronic and automated processes can introduce new efficiencies and increase data security. Turn to tools such as scan-to-email, scan-to-workflow, and electronic file search and retrieval to help bring paper records into the digital workflow.

For many healthcare organizations, the most convenient HIPAA compliant way to transmit information is still by fax technology. Many fax devices are built with advanced security features to address the increasing demand for secure document management. Apply these practices to assist in compliant faxing:

  • Ensure that all faxes are received into memory and cannot be printed without a password, or without the user authenticating at the device with an NFC card reader (walk-up, user-based authorization).
  • Prevent unauthorized users from sending faxes, limiting the potential for unauthorized sharing of personal health information.
  • Enable secure faxing and fax forwarding to help maintain patient confidentiality by restricting or granting access and privileges on a per-user or per-group basis.

Once device and data policies and procedures are in place, a healthcare organization should conduct a risk assessment and repeat it annually – or even more frequently if it changes any of its hardware, software, or other controls.

This includes taking an inventory of assets that may be related to health data, including office equipment such as scanners, printers, fax machines, and copiers, to identify both the breach potential inherent in those pieces of equipment and their related software tools, and the steps taken to minimize the likelihood of a data breach. At the same time, healthcare organizations should also think about how to ensure data integrity.

From the triage desk to the operating room, fast-paced, regulation-laden healthcare environments leave no room for error. Healthcare organizations can earn the trust of patients, employees and partners by implementing compliant strategies and technologies to help meet HIPAA challenges while balancing paper records and digital documents.

This approach, informed by the regulatory environment and underpinned by the hardware and software capabilities of compliant information systems, enables efficient workflows that deliver care while maintaining compliance with the required data privacy and security policies. The end result can be a more efficient use of print/scan/fax devices, with a significantly reduced risk of non-compliance.

HIPAA Willful Neglect Can Cause Bankruptcy

You fully intended to get HIPAA compliant, but it looked kind of hard and maybe too expensive, so you put it off. Or maybe you just thought that no one would ever notice that you weren't HIPAA compliant. Then something happens: a patient complaint, a competitor files a complaint with HHS, a breach occurs at one of your BAs, an ex-employee files a complaint, or you get picked for an audit.

It could start benignly with a request for certain documentation, such as your risk assessment or copies of your security and privacy policies. If you can't produce these documents, you are already in willful neglect. But what if the documents are out of date, or you claim that your policies are oral? Willful neglect. What if you did staff training but didn't document it? Willful neglect.

So, as you can see, there are a lot of potentially dangerous scenarios. What is the definition of willful neglect? Willful neglect is defined as "conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated." 45 CFR 160.401; Section 13410(a) of the HITECH Act [123 STAT.

But what are the consequences of being found in willful neglect? Large fines, corrective action plans for maintaining compliance, compliance monitors, bad public relations, and more. The total cost of a breach has been calculated at $355 per patient record. Recently there was a $450,000 penalty for the loss of 388 patient records.

Clearly, penalties for willful neglect would cause many companies to at least consider bankruptcy. The way to avoid these draconian penalties is simple: do something. Get online security awareness training for your staff; it costs as little as $20 per staff member per year. Get a risk assessment, and then start updating your policies.

What All Healthcare Companies Need to Know About HIPAA Compliance 

Safeguarding protected health information is becoming more challenging every day, especially for companies operating in healthcare verticals that don't always understand that compliance obligations apply to them. Yet under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), as amended by the HITECH Act, companies operating in a wide range of healthcare verticals are categorized collectively as "Business Associates" (BAs) and, as such, are required to comply with the HIPAA regulations, including the Security Rule.

HOW DO YOU DEFINE “HEALTHCARE COMPANIES”?

What kind of healthcare companies does this include? The short answer: more than you think. Healthcare companies and anyone operating in a healthcare vertical include anyone who has access to electronic protected health information (ePHI) and any organization that stores, transmits, or receives ePHI on behalf of a covered entity.

Companies operating in the healthcare space who are subject to HIPAA rules can include (but are not limited to) organizations that provide the following services:

  • Revenue cycle management
  • Coding/Documentation services
  • Collection and A/R recovery services
  • EHR SW and solutions
  • Patient records management services
  • Document management services
  • Medical SW/SAAS services
  • Mobile healthcare services or applications
  • Healthcare IT services
  • Practice management services
  • Contract management services
  • Radiation document and image management services
  • Health plan administration and services

These are but some of the many companies operating in the above healthcare verticals who could be considered a Business Associate under HIPAA regulations. Any company that provides services to organizations defined by HIPAA as “Covered Entities” may well find itself subject to compliance regulations with which they are not familiar.

WHAT ARE “COVERED ENTITIES”?

HIPAA defines “Covered Entities” as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit health information in connection with transactions for which HHS has adopted standards. The HIPAA Omnibus Final Rule goes into stipulations for Business Associates in greater detail. What BAs should take away from the Final Rule is that they may be held liable in the event of a HIPAA breach in many of the same ways that Covered Entities (CEs) may be.

THE COST OF NONCOMPLIANCE

The risks and costs of being found non-compliant can be steep. The Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to a settlement for potential HIPAA violations arising from the theft of a mobile device that contained the ePHI of 412 patients. According to the U.S. Department of Health and Human Services notification, CHCS provided management and information technology services as a Business Associate to six skilled nursing facilities. The settlement included a monetary payment of $650,000 and a corrective action plan.

In a statement on the case, U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels said: "Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule."

THE IMPORTANCE OF THE BUSINESS ASSOCIATE AGREEMENT (BAA) 

Healthcare companies, vendors, or providers who qualify as Business Associates are required to sign a HIPAA Business Associate Agreement (BAA). The document is an integral part of any contractual agreement with any provider of services, products, or applications, and must provide detailed information explaining how the BA will respond to a breach of any kind, including one caused by any subcontractors used by the BA. The BAA must also describe how a BA will respond to an audit by the Office for Civil Rights (OCR).

The HIPAA rules hold Covered Entities responsible for their own data breaches, as well as for many of the things over which their BAs have direct control. If a CE is audited, its BAs may be required to produce certain files or documents in a very short time, as prescribed by HIPAA. The BAA acts almost like a service level agreement (SLA) that ensures these and other needs will be met promptly.

For companies of all types and all sizes, this is serious business—and the regulatory authorities are intensifying their focus on any business operating in the healthcare space as it relates to compliance. Fines are being assessed with increasing regularity and all businesses operating in the healthcare space should take note.

To illustrate the importance of having a BAA in place, a Raleigh, N.C. orthopedic clinic agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

HHS provides a template for business associate agreement language on its website to help covered entities and business associates execute agreements that address the business associate contractual requirements.

HOW CAN YOU MANAGE HIPAA COMPLIANCE ISSUES? 

Compliance with HIPAA regulations is a long-term process and at times can feel overwhelming. Yet, for companies operating in the healthcare industry, the risks associated with non-compliance are huge. Staying apprised of changes to HIPAA regulations can be a daunting task, but here are some actions you can take to make sure you know the latest.

  1. Know Where to Find Resources. The Office for Civil Rights (OCR) provides a wealth of online information about safeguarding ePHI, including FAQs, guidance, and technical assistance materials. One easy way to stay updated is to sign up for the OCR announcement-only Privacy and Security Listservs.
  2. Ask Questions. It's critical that you ensure any BAs with whom you work fully understand their responsibilities and obligations regarding compliance. Take the time to ask and answer questions and highlight the HIPAA compliance requirements for business associates. These questions can include:
  • What is your risk analysis plan?
  • Do you encrypt your devices?
  • What are your disclosure policies?
  • What are your IT practices?
  • How do you handle server maintenance and backups?
  • Do you or your employees use personal devices for ePHI?
  • What are your password policies?
  • Describe the company's physical security.
  • Do you do background checks on your employees?
  • What kind of training do you supply to your employees?
  • What is your breach mitigation plan?
  3. Explore HIPAA Compliant Hosting. HIPAA compliant hosting can alleviate some of the concerns that accompany being a business associate in a healthcare vertical. By working with a hosting provider that employs HIPAA compliance processes, healthcare-focused companies can construct a comprehensive plan that, combined with workplace safeguards and internal best practices, allows vendor partners to reach HIPAA compliance collaboratively. This collaboration is key, since HIPAA compliant hosting alone can't eliminate risks that exist inside the workplace. However, it can help mitigate threats to ePHI and also afford easier access to and management of a company's IT infrastructure.

By taking action to evaluate your organization’s level of compliance with HIPAA rules—and that of any business associates with whom you work—and staying on top of HIPAA regulation changes and updates, you will ensure your company is maintaining the appropriate level of compliance and avoiding the risks and penalties of non-compliance.

NueMD HIPAA Survey Results 

In 2014, NueMD, an Electronic Health Record (EHR) and billing software company, distributed a questionnaire to medical practices and billing companies to gain insights on their knowledge of HIPAA regulations, compliance measures, and communication methods.¹ There were 1197 responses, with 1037 medical practices and 160 billing companies. Two years later in 2016, the survey was distributed again to determine how much has changed in relation to the participants’ knowledge.² This time it was a total of 927 responses, with 799 medical practices and 58 billing companies. The respondents were clients of NueMD.

In this blog, we compare the data found in these two surveys. The results are surprising.

HIPAA Audits

2014: In 2014, only 32% of those surveyed were aware of HIPAA audits

2016: In 2016, 40% participants reported that they knew about HIPAA audits

Audits of business associates are currently taking place. The first round in 2016 looked at covered entities (primarily healthcare providers). In October 2016, HIPAA audits expanded to include business associates; HHS is drawing from a list of 20,000 BAs identified in the first round of audits. Next year, OCR plans to conduct full audits for a selected group of covered entities and business associates. These audits will be more intense than the previous desk audits because auditors come onsite for several days, and HHS gives the practice only 10 days to prepare. For organizations that have not started the compliance process in advance, there is almost no way to prepare in time if selected for an audit.3

HIPAA Compliance Plan

2014: In 2014, 58% of those surveyed stated they had a HIPAA compliance plan in place. However, there was a disconnect between managers and staff: 68% of managers claimed to have a HIPAA compliance plan, but only 43% of staff did.

2016: In 2016, a whopping 70% of respondents reported that they have a HIPAA compliance plan.

All organizations that come in contact with PHI should have a compliance plan in place. There are several important documents that a medical practice must complete to have a comprehensive plan: Privacy and Security Policies and Procedures, Business Associate Agreements, and a Risk Assessment. Based on the responses to the next two questions, it is likely that not as many healthcare providers are really as compliant as they indicate.

Business Associate Agreement (BAA)

2014: 60% of those surveyed were aware that the Omnibus Ruling requires BAAs with third party vendors.

2016: The number rose to 68% of participants knowing about the BAA rules.

Business Associate Agreements Reviewed and Updated

2014: 24% of respondents had “all” of their BAAs reviewed and updated since the 2013 Omnibus Rule, and 21% surveyed said “some”.

2016: There was an increase from 2014 to 2016, with 29% responding “all” BAAs are updated and reviewed, and 19% having “some” of their BAAs up to date.

Recently OCR was notified that Women and Infants Hospital (WIH) of Rhode Island lost unencrypted backup tapes of ultrasounds of over 14,000 patients. The tapes also included PHI such as names and dates of birth. WIH is a covered entity member of Care New England Health Center (CNE). CNE provides centralized corporate support for its covered entities. The two organizations signed their BAA in 2005 and had not updated it since. The Omnibus Rule in 2013 added extra requirements to Business Associate Agreements, and failure to update the BAA to incorporate them rendered the 2005 agreement ineffective. In the end, the outdated BAA resulted in a $400,000 settlement.

Risk Assessment

2014: Only 33% said they performed a risk analysis

2016: This question was not included in the NueMD 2016 HIPAA Survey Update

If there is an audit, one of the first things OCR will ask to see is a Risk Assessment. This helps organizations identify their potential areas of risk with regard to the PHI they handle. Failing to assess potential areas of risk in your organization is failing to protect PHI.

In July 2016, a settlement was reached with the University of Mississippi Medical Center (UMMC) after a breach that affected 10,000 people. OCR found that UMMC had not taken adequate risk management security measures. UMMC settled with OCR for $2.75 million.5

HIPAA Training

2014: 62% of managers reported that they provided HIPAA training for their employees.

2016: This number surprisingly dropped over the 2 years. Only 58% of organizations surveyed claimed to have provided HIPAA training.

Proper HIPAA training should educate people on the Law. Lack of training equals lack of knowledge and translates into more risk. On October 17, 2016, St. Joseph Health (SJH) settled potential violations with HHS following the report that files containing PHI were publicly accessible through internet search engines from 2011 until 2012. SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan. As part of the corrective action plan, with HHS’ final approval of the training materials, SJH must train all appropriate workforce members, in accordance with SJH’s applicable administrative procedures and provide annual retraining.6

To help comply with the current compliance regulation, check out Total HIPAA’s latest service, HIPAA Prime™. HIPAA Prime is an easy-to-follow, cost-effective online solution for quickly developing and implementing your personalized HIPAA Compliance Plan. Whether you are a small or large organization, HIPAA Prime will satisfy all of your documentation and training requirements.

Does HIPAA Restrict Healthcare Professionals from Communicating with Family and Friends?

Buddy Dyer, the mayor of Orlando, requested a waiver of the HIPAA rules following the June 12 shooting at Pulse Nightclub. Families and loved ones were inquiring about the status of patients located at local hospitals, but were not provided timely reports. Many of the patients being treated at the hospitals in Orlando did not have formalized legal relationships, and the mayor felt HIPAA would slow down the sharing of information with partners.

Some healthcare professionals feel that HIPAA restricts them from providing information about patients to their families and loved ones. There are stories of loved ones denied information about elderly parents or adult children by medical professionals citing HIPAA. In many cases, healthcare professionals do not understand the flexibility of HIPAA.

In order to understand whether Mayor Dyer and healthcare providers need to be concerned about HIPAA restrictions, let’s look at the Law. The waiver described under Section 1135 of the Social Security Act includes suspending certain HIPAA provisions to protect physicians, emergency medical staff, and law enforcement agencies so that they will not face penalties and sanctions for the release of PHI in a crisis.

The suspended requirements are:

  1. 45 C.F.R. § 164.510 requiring healthcare providers to obtain a patient’s agreement so that a medical professional can speak with family members or friends or provide patients the right to opt out of the facility directory;
  2. 45 C.F.R. § 164.520, the requirement to distribute a Notice of Privacy Practices to patients; and
  3. 45 C.F.R. § 164.522, the patient’s right to request privacy restrictions or confidential communications.

In 2010 President Obama issued an executive memo ordering the Department of Health and Human Services (HHS) to address the issue of hospital visitation for same-sex couples. Later that same year, the department prohibited hospitals from discriminating against visitation rights based on sexual orientation and gender identity.

A statement from HHS Assistant Secretary for Public Affairs Kevin Griffis explained why the waiver was not needed in Orlando: "HIPAA allows health care professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances. These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition. Disclosures are permissible to same sex, as well as opposite sex, partners."

Entities such as healthcare organizations, governmental agencies, and law enforcement are allowed to exercise professional judgment under HIPAA. For example, PHI communicated by an Emergency Medical Technician (EMT) over the radio to a 911 dispatcher or to other ambulance units is permitted under HIPAA's professional judgment provisions. Most law enforcement agencies and fire departments are not covered entities, so the HIPAA Privacy Rule does not apply to them, and the disclosures they make are those needed to perform their duties: they can release PHI about the victims of a vehicle accident or for the investigation of a crime scene. The essential point is that as long as the conversations among personnel covered under these provisions are treatment-related disclosures, there is no HIPAA violation. Hospitals and large health organizations must train their emergency staff on HIPAA and on their specific policies and procedures to comply with the regulations.

Top Ten Total HIPAA Blogs

The countdown of Total HIPAA's most popular blogs of 2016 continues this week with #5 through #1. Not surprisingly, the top three are technical topics. If you have any topics you would like us to consider in 2017, please fill out the suggestion form at the end of this summary.

Top Ten Count Down Continued

    5. Does HIPAA Restrict Healthcare Professionals from Communicating with Family and Friends?

Buddy Dyer, the mayor of Orlando, requested a waiver of the HIPAA rules following the June 12 shooting at Pulse Nightclub. A statement from HHS Assistant Secretary for Public Affairs, Kevin Griffis, explained the reason why the waiver was not needed in Orlando: “HIPAA allows health care professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances. These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition. Disclosures are permissible to same sex, as well as opposite sex, partners.” In order to understand under what circumstances Mayor Dyer and healthcare providers should be concerned about HIPAA restrictions, we look at the Law in this blog.

    4. Covered Entities Must Share PHI with Patients Even if it is Requested in an Unencrypted Format

HHS stated that patients have the right to access their ePHI and that Covered Entities must provide this access in the manner requested by the individual. While the Privacy Rule does allow the use of unencrypted email when communicating ePHI between the healthcare provider and the patient, we suggest you take the steps outlined in this blog to protect your patients’ ePHI while still giving them access to their information.

    3. HIPAA Compliant Email Encryption Review 2016

Covered Entities, Business Associates and Business Associate Subcontractors are required to protect the PHI they hold at rest, in storage and in transit. In this blog, we reviewed six HIPAA-compliant and affordable email encryption solutions with a focus on solutions for small businesses.

    2. It’s Time to Upgrade Your Internet Explorer NOW and Forever

When it comes to your software, we know how you feel – if it’s not broken, why fix it? Upgrading is a pain! Upgrade one thing and your computer programs can collapse like a house of cards. In this instance, it is VERY important for your business security that you upgrade to the latest version of Internet Explorer—NOW! As of January 12, 2016, Microsoft announced it was only supporting technical and security updates for Internet Explorer 11. What did this change mean to you?

    1. HIPAA Compliant Text Messaging Application Review

Today everyone uses text messaging (“texting”) for easy and quick communication. It is a great tool for convenience and efficiency, but most users don’t realize that texting is an unencrypted form of communication that can be intercepted at any point in transmission. In this blog we reviewed four companies that offer secure messaging solutions for small to medium organizations using encryption to allow organizations to send PHI through text.

Thank you for your support on Social Media this year! As HHS continues to crack down with additional audits on both covered entities and business associates, our goal is to provide you with all the materials you need. Many of our blog topics come directly from questions sent by our clients and followers.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Implementing HIPAA is More Than Meeting Government Regulations


Recently, I was on a vacation in Germany, and as I visited several medieval cities, I had two thoughts. First, Germany certainly has a lot of walled cities, and second, city walls are a great analogy for HIPAA Compliance. (Don’t worry, I didn’t spend the whole vacation thinking about HIPAA…)

When I work with clients on their HIPAA compliance plans, we start by defining the scope of the plan. Are we only going to focus on a specific part of the company, or are we going to look at the company as a whole? Medical and dental clients don’t have a choice – they have to address the entire practice – but insurance companies, BAs and employer groups have a decision to make.

Nine times out of ten, we find that businesses take our plan and expand this out to their entire company or practice because they find the privacy and security principles to be applicable to all parts of their business, and just make good sense to apply company-wide. If you’re going to go through the process, why not protect your entire business?

How do you protect your “City”?

Step 1 – Conduct a Risk Assessment

If your enemies tended to use fire to attack your city, you wouldn’t build a wall out of wood. The same principle applies to HIPAA: it’s important to assess what risks your business is going to face, and what reasonable steps you can take to protect your assets.

HIPAA calls for you to assess three different aspects of your business: Administrative, Physical and Technical. You can hire a third party, or do this yourself. Sometimes it’s easier for a third party to see the gaping hole in your south wall that you’ve overlooked.

Step 2 – Create a Plan

This is where you convert the information you identified in your Risk Assessment into actionable items that everyone can follow. This will keep you from building two towers right next to each other – two facing north, and none facing south. Also, having a plan will ultimately save you money by giving your staff clear instructions and goals.

HIPAA requires that you have written Privacy and Security Policies and Procedures. Think of these as the blueprint for protecting your “city.”

Step 3 – Build Your “City Wall”

Most of these cities had stone walls, towers, moats, bridges, etc. All of this made the city more difficult to attack, and therefore an undesirable target.

You will be looking to build your “wall” by securing your network, devices, and facility. This is having firewalls, anti-malware software, password protection on devices, and locking your facility. Any lapse in these security items means your “city” is vulnerable to attack.

Step 4 – Secure Your Key Assets

In the old days, this meant stationing extra soldiers around granaries and weapon stores. Today it means having backups of your systems and encrypting all your data in transit, at rest, and in storage. This can save you many headaches if an attack comes your way.

Step 5 – Communication

Walls and security are great, but cities thrived off communication and trade, much like your business does. If you completely lock everything down, then your “city” will starve and die.

This is where HIPAA compliant faxing, encrypted email, texting, chat, file sharing and video conferencing come in. While HIPAA doesn’t explicitly require these items, it does leave it up to the business to assess the risks and then to implement them accordingly. I’ve worked with a lot of companies on this, and I’ve yet to see a compelling reason to not use encrypted communication tools.

Step 6 – Train Your Army

Your plan is only as good as your army. Walled cities had well-trained soldiers to man the walls and repel any potential invaders. While you’re not going to call on your employees to man the trebuchets, they are your first line of defense.

Have you trained your employees on how to protect their “city”? Do they know how to communicate with clients securely; how often they are required to change passwords; what the requirements are for secure passwords; what to do if a system starts acting strangely (a potential hack); or who to contact if they think there is a potential breach? These are all items that are part of your comprehensive HIPAA Compliance Plan, and a well-trained employee can help reduce the chance that such attacks succeed.

Conclusion

As you can see, all these provisions for your “city” make sense. HIPAA isn’t just a regulation, it’s a way to look at your current security stance, and make sure your “city” is properly fortified, protects the PHI inside and will repel hackers. These simple steps can save your “city” from an embarrassing attack, and protect your livelihood going forward.


Preparing Contractors for HIPAA Compliance


You’re a small medical practice whose head nurse goes out on maternity leave, and you hire your mother-in-law, an RN, as a temporary replacement until she comes back. You’re an insurance company that has hired a part-time agent to work one day a week from home. Whatever the scenario, the full-time employees, contract employees or independent contractors these employers hire have access to client or patient Protected Health Information. Employers are responsible for their contractors’ and temporary employees’ compliance with HIPAA. The question is, what procedures should you follow?

Employee Classification

Since 2013, the Common Agency Provision of HIPAA in the Omnibus ruling states that you are responsible for your employees’ compliance.

Is your employee a contractor working exclusively for your company, an individual with other clients, or someone hired through a business? As an employer, you are not required to train these quasi-employees, but your company will be responsible if one of these individuals breaches Protected Health Information.

Here is a recommendation:

If the employee is a contractor working exclusively for your company or a sole proprietor with other clients, you cannot expect the individual to generate Policies and Procedures for Privacy and Security as required of either a Business Associate or a Subcontractor BA. It is meaningless to ask them to sign a Business Associate Agreement or a Subcontractor Business Associate Agreement because they will not have the compliance infrastructure required by HIPAA.

Instead, ask them to sign a confidentiality agreement. These are a few of the items included in the confidentiality agreement provided by Total HIPAA:

  • What information is covered with the agreement
  • The types of information that cannot be copied or modified
  • Information must be returned upon request by the employer
  • Disciplinary action for persons responsible for a breach of confidential information

Make sure these contractors are trained regularly on the HIPAA law and on your company’s Privacy and Security Policies and Procedures. You should require them to follow your company’s Security Policies and Procedures for things like firewalls and virus protection. Unfortunately, the employer is fully liable even if the independent contractor was malicious or criminal in creating the HIPAA breach.

If the employee is provided through a company with infrastructure, that company will need to meet the compliance standards as a business associate or a business associate subcontractor, which are the same requirements. Having these companies sign a Business Associate Agreement or Subcontractor BAA is a must.

HIPAA Training

Whether you are a Covered Entity, a Business Associate, or a Business Associate Subcontractor, make sure you provide HIPAA training to all your employees, contractors and temporaries that can access PHI. A Subcontractor who hires a worker has the same responsibility to train these people. The responsibility can extend down several layers.

It might be a pain, but before your contractor or temporary starts working, you must have either a signed Confidentiality Agreement, a BAA or a Subcontractor BAA in hand. This contractor must complete HIPAA training, too. Remember, if you don’t train all your workers, you open yourself up to potential breaches that can result in an HHS audit and potential fines.


7 Most Common HIPAA Violations That Can Cost Your Practice


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to set national standards for the confidentiality, security, and transmissibility of personal health information. Violations of this Act can result in substantial fines to a practice ranging from $100 to $1.5 million. Healthcare providers can also be at risk for sanctions or loss of license. In order to reduce the risk of penalties or fines, medical practices should ensure their policies and procedures are regularly updated and employees receive on-going compliance training. Below are some of the most common HIPAA privacy violations and measures that can be taken to protect patient health information.

  1. Database Breaches

In 2015, data breaches cost the healthcare industry nearly 6 billion, with the average economic impact per organization totaling $2,134,800. Medical identity theft has more than tripled over the past five years, with almost a third of the US population having been affected. It can happen to any size organization or practice which is why it is important to take the appropriate security measures, such as firewalls, encryption, and password-restricted access to protect PHI.

  2. Lost or Stolen Devices

Another very common HIPAA violation is the theft of PHI through lost or stolen laptops, desktops, smartphones, and other devices that contain patient information. Mobile devices are the most vulnerable to theft because of their size; therefore, the necessary safeguards should be put into place, such as password-protected access and encryption, before patient-specific information can be reached.

  3. Employees Illegally Accessing Patient Files

Employees accessing patient information they are not authorized to is another very common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for a relative or friend, this is illegal and can cost a practice substantially. In addition, individuals that use or sell PHI for personal gain can be subject to fines and even prison time.


  4. Lack of Training

One of the most common reasons for a HIPAA violation is employees that are not familiar with HIPAA regulations. Often only managers, administration and nurses receive training even though HIPAA law requires all employees, volunteers, interns and anyone with access to patient information to be trained. Compliance training is one of the most proactive and easiest ways to avoid a violation.

  5. Improper Disposal of Personal Health Information

Personal health information should always be shredded or destroyed. It is also important to ensure the photocopier is not saving copies to its hard drive. If the copier is returned, sold, or discarded, without being properly wiped clean, this could also result in a HIPAA violation. Establishing and posting policies and procedures to make sure personal health information is locked, secured and disposed of appropriately will help to remind employees and prevent a potential violation.

  6. Employees Disclosing Patient Information

Employees’ gossiping about patients to friends or coworkers is another very common HIPAA violation that can cost a practice a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients to private places, and avoid sharing any patient information with friends and family.

  7. Authorization Requirements

A written authorization is required for the use or disclosure of any individual’s personal health information that is not used for treatment, payment, healthcare operations or otherwise permitted by the Privacy Rule. If an employee is not sure, it is always best to get prior authorization before releasing any information.

The privacy and security of patient health information should be a priority for all healthcare providers and professionals. Most violations can easily be prevented by implementing HIPAA regulations into practice policies and procedures and ensuring that all individuals with access to patient information receive the proper training.


The Security Risk Analysis: An Essential Step Towards HIPAA Compliance


There are many important elements to implementing an effective HIPAA Program, but none are more important than completing a security risk analysis. Conducting a risk analysis will give your practice an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of your electronic protected health information.

Completing a security risk analysis is a required element. This means that most specifications must be evaluated and if applicable, implemented, in order to achieve compliance with the Security Rule. It is important to remember that certain specifications in the risk analysis are considered addressable, meaning it is up to the covered entity to determine (in writing) if the specification is a “reasonable and appropriate” safeguard for its environment, taking into consideration how it will protect ePHI.

According to the Security Rule, your security risk analysis should be broken down into the implementation of 3 categories of electronic protected health information safeguards: Administrative, Physical and Technical. The following is an overview of each category, including differentiation between those specifications that are required and those that are addressable.

ADMINISTRATIVE SAFEGUARDS

Administrative safeguards are administrative actions and functions to manage the security measures in place that protect electronic protected health information. Administrative safeguards must state how the covered entity will conduct oversight and management of staff members who have access to, and handle ePHI. Administrative safeguards include:

  • Risk Assessment (R)
  • Sanctions Policy (R)
  • Information System Activity Review (R)
  • Security Officer Assignment (R)
  • Security Awareness and Training (A)
  • Security Incident Procedures (R)
  • Disaster Recovery and Data Backup Plan (R)
  • Periodic Security Evaluations (R)
  • Business Associate Contracts (R)

PHYSICAL SAFEGUARDS

Physical safeguards are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards and unauthorized intrusion. It includes restricted access to ePHI and retaining off-site computer backups. Applying physical safeguards means establishing:

  • Facility Access Controls (A)
  • Workstation Use and Controls (R)
  • Device and Media Controls (R)

TECHNICAL SAFEGUARDS

Technical safeguards are the automated processes used to protect and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted. Technical Safeguards are:

  • Unique User Login (R)
  • Emergency Access Procedures (R)
  • Automatic Logoff (A)
  • Encryption and Decryption (A)
  • Audit Controls (R)
  • Authentication of Integrity of ePHI (A)
  • Authentication of Person or Entity (R)
  • Transmission Security (A)

Completing your security risk analysis is not only an essential component of your HIPAA program; it will also enable you to identify and rectify any risks and vulnerabilities to the access and confidentiality of your electronic protected health information. The results of your risk analysis will be used to determine the appropriate security measures to be taken. Be sure to re-evaluate your risk analysis periodically, especially if there have been any known or suspected threats to your security program.


HIPAA Violations Every Day and Every Size 


We frequently get questions about whether or not an event is a HIPAA violation. Some of the events are hazy, others are clear-cut. We received an email from a nurse last week with a question. She had received a postcard inviting her to a weight-loss clinic and offering a $25 deduction, even though she was not a previous user of their services.

We called her and discussed her concern. The nurse indicated she didn’t have a serious weight problem. The postcard was sent to her office where other people could see it and she was embarrassed. She said to me, “I’ve been trained on HIPAA and I think this is a clear-cut example of a breach.”

Although we’re not lawyers, we agree. First, she never signed any agreement that the weight-loss clinic could send marketing materials to her. Second, PHI was on a postcard addressed to her so anyone who sorted the mail could read the information.

Increasingly small businesses such as this weight-loss clinic are going to be scrutinized for their actions. More and more businesses that see or generate PHI such as rehabilitation clinics, group foster homes, long-term care facilities, social workers, accountants and shredding companies realize that they need to be HIPAA compliant.

One of the largest groups that must be compliant is employers who provide health benefits to employees and see Protected Health Information. If one of these organizations improperly releases information, the loss of trust will translate into a loss of clients and business.

Filing a Complaint

When an individual feels their Protected Health Information has been breached, they can file a complaint with the company, through HHS (HIPAA Complaint Portal Assistant and 1-800-368-1019). In several states, individuals can file with the State Attorney General Office, and we’ve seen in some states that protection of PHI is considered a standard of care, so patients are suing under malpractice laws. Although the fines and penalties are not currently shared with the individual, this may soon be available which will result in a feeding frenzy in the legal community.

Preparation

How do you prepare your staff so that violations of HIPAA like the one affecting the nurse do not occur? Training your staff on the HIPAA law and on your organization’s unique policies and procedures is part of the HIPAA compliance process. Also, you are required to complete a risk assessment, and then convert the information captured in the risk assessment into privacy and security policies and procedures.

If you do it yourself, completing the required documents takes between 40 and 60 hours. The question then is: did you capture all the required information, and have you determined that your file sharing, email encryption, firewalls and virus checker are truly HIPAA compliant? Are these solutions the easiest to use and most cost-effective choices for your organization? Many times, companies say they are HIPAA compliant, but they have no documentation to back up the claim.

If you fit any of these groups: health insurance agent/broker, an employer offering health benefits to your employees, or a business associate that can access health information about a client (shredding company, IT vendor, or accountant), find out if you need to be HIPAA compliant. This short survey will help you determine if you need to take action:


How to Eliminate Your HIPAA Compliance Blind Spots


When it comes to HIPAA compliance (i.e., adherence to regulations detailed in the Health Insurance Portability and Accountability Act of 1996), most health facilities are well versed on the Privacy Rule and its protection of personal medical information. They work hard to maintain patient trust by upholding the necessary privacy standards. But sometimes, even the most conscientious facilities let patients’ health details slip through the cracks.

How?

The rise of mobile technology and electronic medical records has left the health industry with a few harsh blind spots. Health information that is stored and/or transferred electronically (i.e., electronic protected health information, or ePHI) is highly susceptible to a HIPAA breach. So health organizations must be extra diligent to ensure they are fully safeguarding ePHI and remaining HIPAA compliant.

To help you take stock of your organization’s HIPAA security efforts, here are 4 tips for eliminating your HIPAA compliance blind spots:

#1: Limit Information Shared in Mobile Messages

In today’s fast-paced, mobile world, we often receive appointment confirmations or prescription refill notices via voicemail, text, or email. While this is convenient for health organizations and patients, it opens up the door for HIPAA security violations.

To keep a patient’s private health information out of the wrong hands, health organizations should limit the information they share in mobile messages. For instance, a prescription refill notice should not contain details of the specific prescription; it should simply notify the patient that it’s time for him or her to submit a refill request. Likewise, appointment confirmation messages should leave out any details regarding the specific reason for the appointment.

If a facility wants to take its privacy protection a step further, it can even limit its mobile messages to a simple request for a patient to call the facility for further information.

#2: Be Cautious of Open Text Fields

A lot of health organizations have moved their data collection efforts online in recent years, which means they are collecting new patient registrations or appointment requests with online forms. While using a HIPAA compliant data management system is a great (and necessary) way to protect patient data, a HIPAA breach is still possible if facilities aren’t careful.

Online forms that contain open text fields can inadvertently lead to HIPAA security violations. This is because patients may unknowingly share ePHI, such as current medications or medical conditions, in that free text space. For instance, when providing feedback on a patient satisfaction survey, a patient might state that his or her doctor was supportive and caring after delivering a cancer diagnosis.

To limit the sharing of ePHI on online forms, health organizations can add disclaimers next to any open text fields to warn patients not to include personal medical details in those fields. Or they can remove any open text space altogether.

#3: Evaluate Facility Advertisements

Online advertising—particularly on social media—is fairly new territory for health facilities. And for good reason. The healthcare industry is subject to deeper scrutiny than other industries when it comes to advertising, and those working in the industry are held liable for both truth in advertising and HIPAA compliance. This means they have to be super careful about what they publish for all to see.

If proper permission is not obtained, any use of a patient’s information or likeness in an advertisement could be a HIPAA breach. For instance, if a dermatologist posts photos of a patient’s skin before and after treatment, the patient’s identity could be compromised. Even if the post or advertisement contains only a portion of the patient’s face, his or her privacy could still be violated if family members or close friends recognize the patient.

To avoid violating HIPAA security laws when advertising online, healthcare organizations should take extra steps to evaluate all advertisements and ensure they aren’t improperly using identifiable patient photos or information.

#4: Avoid Use of Patient Names

This might seem like a no-brainer when it comes to protecting patient data, but facilities should avoid using patient names or other personally identifiable information when possible. As mentioned earlier, patients will sometimes share ePHI unknowingly when filling out online medical forms. To avoid tying patients directly to any sensitive information they might provide, health organizations can find ways to gather the information without using patients’ names.

For example, if a facility is simply surveying patients to help improve its overall services, the facility should consider gathering anonymous feedback. In other instances, when it is helpful or necessary to have a patient record tied to the information, organizations should consider using a unique identifier—such as a patient ID or account number—instead of a name.


HIPAA Audit Survival Tips and Strategies


When the Department of Health and Human Services (HHS) or the Office for Civil Rights (OCR) reaches out to health care organizations in response to a potential HIPAA investigation, auditors follow a very specific path toward contact, investigation, and resolution. Once a complaint is received and OCR has determined that it is legitimate, it will issue letters of notification to both the complainant and the recipient. These letters will outline a timeline for the investigation and will explicitly identify the investigating party as the OCR.

Once the investigation begins, OCR will collect and review documentation submitted by both parties. They may use any number of investigative methods including interviews and onsite visits to determine if there is sufficient evidence to support the allegations. Once again, OCR will send a letter explaining their findings. Resolutions will then vary depending on the outcome of their investigation.

HIPAA Audit Survival

HIPAA audit survival starts with keeping informed about OCR procedures. Knowledge is power. In this case, being aware of the process is the best way to prepare your practice for a potential investigation. OCR will only contact you directly via a certified letter or email. Disreputable parties regularly attempt to lure unsuspecting practitioners into buying “certification” services that are fraudulent.

FACT: There is no certifying body for HIPAA compliance by any federal or private entity – any organization that claims otherwise is using misleading or potentially fraudulent language.

  1. Your best defense then is to keep in mind the above described process, and stop communicating with any party that suggests a deviation from the standard procedure outlined.
  2. Next, if you’re unsure whether you’ve been contacted by a federal agency or not, ask the sender to confirm the identity of their organization, then verify them with a Google search about their services.
  3. If your organization receives an email or call from an entity claiming that you need to have a “Mandatory HIPAA Risk Assessment Review with A Certified HIPAA Compliance Adviser” be on full alert. This deviation from the official procedure described above will let you know that the caller is not providing a legitimate notice from a federal or state regulatory agency. Do not feel obligated to provide or share any of your information if you receive such notice.
  4. Check the source of the email. These fraudulent emails are being sent from sources such as ‘OSOCRAudit@hhs-gov.us’, while a legitimate OCR email will be sent from ‘OSOCRAudit@hhs.gov’. The distinction is subtle, but that’s characteristic of scams such as these.
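The sender-domain check in item 4, written out as an added example (not code from the article or from Total HIPAA). It parses the From header properly instead of searching for the string "hhs.gov", so a look-alike such as hhs-gov.us, a display name that merely contains the real address, or a domain like hhs.gov.example.net are all rejected; the legitimate domain hhs.gov and the address OSOCRAudit@hhs.gov come from the article, and the sample headers are constructed.

```python
"""Triage check for the sender address on a purported OCR audit notice.

Added example, not from the original article.  The legitimate domain
(hhs.gov) and the look-alike (hhs-gov.us) are the ones the article names;
every sample header below is constructed for illustration.
"""
from email.utils import parseaddr

# The only domain the article names as legitimate for OCR audit mail.
LEGITIMATE_DOMAIN = "hhs.gov"


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the actual address in a From header.

    parseaddr() separates the display name from the addr-spec, so a display
    name that merely contains 'OSOCRAudit@hhs.gov' does not fool the check.
    Returns '' when no address can be found.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_legitimate_ocr_sender(from_header: str) -> bool:
    """True only when the address domain is hhs.gov or a subdomain of it.

    Matching is done on label boundaries, not with a substring search:
    'hhs-gov.us' is not hhs.gov, and 'hhs.gov.example.net' ends in the
    wrong domain even though it starts with the right one.
    """
    domain = sender_domain(from_header)
    return domain == LEGITIMATE_DOMAIN or domain.endswith("." + LEGITIMATE_DOMAIN)


def triage(from_header: str) -> str:
    """Label a From header for whoever is sorting the inbox."""
    if is_legitimate_ocr_sender(from_header):
        # A matching domain is necessary, not sufficient: header fields can
        # be forged, so confirm with OCR through a known channel before
        # replying or sending any documents.
        return "domain matches hhs.gov; confirm with OCR before acting"
    return "sender domain is not hhs.gov; treat as a likely scam"


# Constructed sample headers: the first is the legitimate form the article
# describes, the rest are look-alikes of the kind it warns about.
SAMPLE_HEADERS = [
    "OSOCRAudit@hhs.gov",
    "OSOCRAudit@hhs-gov.us",
    '"OSOCRAudit@hhs.gov" <audit@hhs-gov.us>',
    "OCR Audit <OSOCRAudit@hhs.gov.example.net>",
    "Audit Desk <OSOCRAudit@HHS.GOV>",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r:48} -> {triage(header)}")
```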

To protect yourself, be leery of misleading language and marketing efforts targeted at health care professionals by such third party organizations. Some such advertising will occasionally try to leverage the threat of a federal offense to garner a sale of technology that isn’t legal. This type of fraud has become so widespread that OCR has responded to this unlawful conduct with a statement telling health care officials not to follow any of the links in the email. For more information on how to mitigate HIPAA breaches and fines, check out these upcoming HIPAA educational webinars brought to you by Telemental Health’s HIPAA compliance affiliate, the Compliancy Group. Simplify HIPAA today with TMHI’s HIPAA Compliance Resource, the Compliancy Group!


Where Is HIPAA Taking Physician Practices?


Introduction

Several provisions of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, were intended to encourage electronic data interchange (EDI) and safeguard the security, privacy, and confidentiality of patient health information. In the context of this act, security is the means by which confidentiality and privacy are ensured. Confidentiality defines how patient data can be protected from inappropriate access, while privacy is concerned with who should have access to the patient data. This article explores how the policies stipulated by HIPAA are shaping the practice of medicine and will likely affect your practice in the future.

HIPAA Security vs Innovation

If you're a typical small-practice physician, odds are that you view HIPAA as simply another federally mandated cost of practicing medicine, regardless of the intended outcome of the act. This position is understandable, given the cost of mandated training for you and your office staff. Furthermore, if your practice is computerized, then you'll need to spend even more money on software upgrades and possibly additional training from the vendor.

HIPAA rules and regulations are complex, in part because much of compliance is open to interpretation. For example, security issues, which are predominantly in the domain of software and hardware vendors, are based on “risk assessment,” not specific technology standards. The act doesn't stipulate specific technologies or endorse nationally recognized procedures, but leaves it up to the physician practice or medical enterprise to ensure that patient health data are secure. (HIPAA's security standards take effect on April 20, 2005, for all “covered entities” except small health plans). However, because HIPAA enforcement is complaint-driven – there are no “HIPAA Police” checking to see that your practice meets the law's requirements – differences in interpretation of the act are likely to end up in a courtroom at some point. For this reason, some experts recommend assessment of HIPAA compliance by outside counsel.

Most physicians are understandably concerned with the immediate compliance issues surrounding HIPAA and privacy and confidentiality of patient data. Even though the security standards were designed to be “technology-neutral,” the vagaries of these requirements are having a direct impact on medicine beyond the acute phase of compliance, especially in the introduction of new technologies in the clinical arena. New technologies, from wireless to tablet PCs, bring with them added functionality, potential workflow enhancements, and efficiencies – as well as new HIPAA security compliance issues.

Consider, for example, the effect of HIPAA's privacy rules on a physician contemplating the purchase of a Palm Pilot or other PDA. Even late adopters have probably observed the benefit of PDAs. Need to share patient data? Just beam it across the infrared link from one PDA to the next. Need to review patient lab data? Just touch the screen and the data are only a second away.

But it isn't that simple once HIPAA enters into the picture. Now a PDA carrying patient data is a compliance concern, as HIPAA's privacy rule applies to all mediums of a patient's protected health information, whether it's print, verbal, or electronic. Does your PDA have a login and auto logout feature? If not, then anyone could take your PDA and look up patient data. Consider the liability issues if you forgot your PDA at a coffee shop and someone picked it up and scanned through your list of patients. But with a login screen, one of the major benefits of a PDA – instant access to data – is lost.

If you use one of the wireless PDAs, such as the BlackBerry, then there are additional HIPAA-related issues: Does your PDA support the encryption of email and patient data it sends over the Internet? Is the encryption enabled? Is the level of encryption good enough for HIPAA?

Perhaps you've been considering adding a wireless (WiFi) LAN to your clinic or practice. You may have good reason to; wireless will allow you to carry a laptop into examining rooms for decision support and not have to worry about Ethernet cords. But considering HIPAA, is your WiFi system secure? Is the data encryption good enough? If not, will you have to buy new PCs and PDAs, or simply upgrade the operating systems? Do you need to hire a consultant? Maybe it's easier to simply string cables to each office and forget about the laptop this year. Or maybe it would be better to hold off on the computer-assisted decision support project altogether.

Paradoxically, although proponents of HIPAA once thought that it would enhance the move toward the electronic medical record (EMR), I believe that it is having the opposite effect. Because of the uncertainty surrounding HIPAA compliance and whether the legal system will be swamped with cases alleging violations of privacy, it's simply safer for small practices to stay with paper charts, and let the big medical practices deal with the inevitable lawsuits.

This brings up another cost issue: Does your insurance cover a patient suit over HIPAA? If so, how inclusive is the insurance? For example, let's say your practice regularly sends digital audio files overseas for transcription. You send the audio files and receive text documents a day later. Do you know how the patient data are handled at the transcription service? If a transcriptionist overseas decides to protest his or her low wages by posting a transcription of your patient's clinic visit openly on the Web, are you liable? Will your insurer pay? This example isn't as far-fetched as it might seem. In October 2003, a disgruntled Pakistani transcriber threatened the University of California-San Francisco over back pay. She threatened to post patients' confidential files on the Internet unless she was paid more money. To show that she was serious, she sent UCSF an unencrypted email with a patient record attached.



A Doctor's Guide to HIPAA Compliance in 2017


HIPAA compliance in 2017 is a key issue that many doctors are focused on.

Since 1996, the Health Insurance Portability and Accountability Act has been in place, giving physicians and their teams reasons to guard their patients' privacy closely.

Depending upon the type of breach, physicians can be liable for between $100 and $50,000 for each violation. The maximum HIPAA penalty is $1.5 million for violations of an identical provision during a calendar year. Some HIPAA violations can lead to imprisonment in extreme circumstances. This is why HIPAA compliance in 2017 is such an important factor for doctors.

To ensure that your practice has effective HIPAA compliance in 2017, here are 5 steps to follow:

1) Correct Sharing of Patient Information

If your staff discuss patients’ names, addresses and/or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or a change of address in private. Also, create a quiet place for phone calls to occur. Even if you’re just calling a patient to set up or confirm an appointment, it is better to do this in a private area if possible.

2) Secured Paper Files

While paper charts are slowly becoming a relic, it is important that past files are stored securely. Doctors who have moved to using an EHR for all patient records may still have old patient files that need to be transferred. Once converting from paper documents to electronic format is complete, be sure to shred any patient records before you dispose of them.

If your medical practice still uses paper documents, be sure not to leave them in unsecured or unattended areas. This includes charts, paperwork and forms that patients bring in from other practices; make sure they are filed and stored securely as well.

3) Encrypted Emails

Never underestimate the importance of email encryption, even for seemingly innocent files. Using non-encrypted email services, such as Gmail, Outlook, Yahoo and other well-known email services, creates a risk that attackers can access your information. For this reason, you should consider an encrypted email or file sharing service for pertinent patient information.

When sending bulk emails to patients, or many emails in a row, it is easy to overlook the address it is being sent to. You can put patients at risk and you can lose their trust, simply because you didn’t double-check your recipient address or an email attachment.

This is one of those areas where slow, steady careful checking pays off.

4) HIPAA Secured Patient Portals

If you use or are considering creating a patient portal, ensure it requires a secure login. No personal patient information should be accessible without a username and password.

If sharing information with family members of patients, be sure to get written authorization from the patient first. A good practice is to require identity verification for password reminders. You can also remind patients to access their patient portal when they have a secure internet connection (i.e. not in public places).

5) Ensure your Telemedicine platform is HIPAA compliant

Some doctors have considered using Skype or FaceTime to communicate with patients. While they are great free platforms for video chat, the reality is that they weren’t designed to be HIPAA-compliant.

The challenge is that even though a doctor can ensure their Internet connection is secure, there is very little they can do to make sure everything is secure on the patient’s receiving end.

Another alternative is to ensure there is a Business Associate Agreement in place. The same security issues arise with text messaging, so be sure to use HIPAA-compliant texting tools there as well. Ideally, the solution is to use a HIPAA-compliant application designed for telemedicine.

Doctors may have several HIPAA violations without getting fined, but that doesn’t mean it isn’t a negative for your practice. Having HIPAA Compliance in 2017 is as important as it has been for the past 20 years.

When doctors treat patient information with caution, they can enjoy the peace of mind that comes with being HIPAA compliant.



The Importance of HIPAA Compliance 


No matter what business you’re in, information and technology management is important for success. But in the health-care realm, the ability to keep data safe and secure is even more paramount. That’s because government regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA) state that all protected health information must be strictly protected — and that any breach of such information must be reported immediately.   

In addition, the HITECH Act expanded the scope of who was responsible for meeting HIPAA regulations by including any third-party business associate that handles or processes personal health information for a covered entity like a hospital, insurance company, or medical provider. That means financial, accounting, legal, billing, claims processing, and IT firms that work with the health-care industry, along with all of the third-party vendors that they use.
 
So why does HIPAA-compliant IT support matter? With the new breach notification requirements, companies that mishandle health information can now be audited, fined, or slapped with civil or criminal charges. And that doesn’t even take into account the hit to a company’s reputation that comes with a data breach.
 
Take the recent announcement that Anthem, Inc., the second-largest health insurance provider in North America, inadvertently exposed the medical information, Social Security numbers, and email addresses of over 80 million consumers. Regulatory fines will certainly be forthcoming — but tens of thousands of Anthem clients have already filed class-action lawsuits against the company, as well.
 
In our current data breach-sensitive day and age, the revelation of a situation like Anthem’s can lead to productive changes in the world of HIPAA-compliant IT support. Unfortunately, some of those changes include major IT providers deciding to walk away from the health-care industry altogether.
 
At CMIT Solutions, we’ve put in the extra time and effort to make sure our IT solutions are HIPAA-compliant. Below are some of the most important ones that small businesses rely on:
 
• Data encryption. HIPAA regulations require that data be encrypted at rest in the data centers where it resides, in transit across the Internet, and to and from the cloud. Anthem’s data breach resulted from data on its servers not being encrypted, presumably so employees had easier access to it. But such shortcuts are reflective of outdated IT policies that don’t meet today’s needs.
 
• Strong backup, recovery, and eradication capabilities. HIPAA rules dictate several requirements for storing data: backups must reside in certain locations; retrieval of data must be overseen through access control and login monitoring; data must be kept available, even in the event of a disaster; and old storage systems must be destroyed, not reused. No small business owner should be expected to add worries to his or her day-to-day duties — that’s what a HIPAA-compliant IT provider is for.

• Tested policies and procedures. This might not seem to fall under the IT umbrella, but best-practices policies and procedures can save your business from a HIPAA-related disaster down the road. A trustworthy and truly HIPAA-compliant IT provider will have Business Associate Agreements, Privacy and Security Rule Risk Assessments, and other documents ready for your perusal and implementation.
 
At CMIT Solutions, we understand the complexities of IT support for the health-care industry, and we’ve worked hard to meet HIPAA regulations. We offer proven solutions that can deliver positive outcomes and an unparalleled level of care while increasing your efficiency and productivity. Contact us today to find out how we can be your all-in-one IT provider.



How to Eliminate Your HIPAA Compliance Blind Spots 


When it comes to HIPAA compliance (i.e., adherence to regulations detailed in the Health Insurance Portability and Accountability Act of 1996), most health facilities are well versed on the Privacy Rule and its protection of personal medical information. They work hard to maintain patient trust by upholding the necessary privacy standards. But sometimes, even the most conscientious facilities let patients’ health details slip through the cracks.

How?

The rise of mobile technology and electronic medical records has left the health industry with a few harsh blind spots. Health information that is stored and/or transferred electronically (i.e., electronic protected health information, or ePHI) is highly susceptible to a HIPAA breach. So health organizations must be extra diligent to ensure they are fully safeguarding ePHI and remaining HIPAA compliant.

To help you take stock of your organization’s HIPAA security efforts, here are 4 tips for eliminating your HIPAA compliance blind spots:

#1: Limit Information Shared in Mobile Messages

In today’s fast-paced, mobile world, we often receive appointment confirmations or prescription refill notices via voicemail, text, or email. While this is convenient for health organizations and patients, it opens up the door for HIPAA security violations.

To keep a patient’s private health information out of the wrong hands, health organizations should limit the information they share in mobile messages. For instance, a prescription refill notice should not contain details of the specific prescription; it should simply notify the patient that it’s time for him or her to submit a refill request. Likewise, appointment confirmation messages should leave out any details regarding the specific reason for the appointment.

If a facility wants to take its privacy protection a step further, it can even limit its mobile messages to a simple request for a patient to call the facility for further information.

#2: Be Cautious of Open Text Fields

A lot of health organizations have moved their data collection efforts online in recent years, which means they are collecting new patient registrations or appointment requests with online forms. While using a HIPAA compliant data management system is a great (and necessary) way to protect patient data, a HIPAA breach is still possible if facilities aren’t careful.

Online forms that contain open text fields can inadvertently lead to HIPAA security violations. This is because patients may unknowingly share ePHI, such as current medications or medical conditions, in that free text space. For instance, when providing feedback on a patient satisfaction survey, a patient might state that his or her doctor was supportive and caring after delivering a cancer diagnosis.

To limit the sharing of ePHI on online forms, health organizations can add disclaimers next to any open text fields to warn patients not to include personal medical details in those fields. Or they can remove any open text space altogether.

#3: Evaluate Facility Advertisements

Online advertising—particularly on social media—is fairly new territory for health facilities. And for good reason. The healthcare industry is subject to deeper scrutiny than other industries when it comes to advertising, and those working in the industry are held liable for both truth in advertising and HIPAA compliance. This means they have to be super careful about what they publish for all to see.

If proper permission is not obtained, any use of a patient’s information or likeness in an advertisement could be a HIPAA breach. For instance, if a dermatologist posts photos of a patient’s skin before and after treatment, the patient’s identity could be compromised. Even if the post or advertisement contains only a portion of the patient’s face, his or her privacy could still be violated if family members or close friends recognize the patient.

To avoid violating HIPAA security laws when advertising online, healthcare organizations should take extra steps to evaluate all advertisements and ensure they aren’t improperly using identifiable patient photos or information.

#4: Avoid Use of Patient Names

This might seem like a no-brainer when it comes to protecting patient data, but facilities should avoid using patient names or other personally identifiable information when possible. As mentioned earlier, patients will sometimes share ePHI unknowingly when filling out online medical forms. To avoid tying patients directly to any sensitive information they might provide, health organizations can find ways to gather the information without using patients’ names.

For example, if a facility is simply surveying patients to help improve its overall services, the facility should consider gathering anonymous feedback. In other instances, when it is helpful or necessary to have a patient record tied to the information, organizations should consider using a unique identifier—such as a patient ID or account number—instead of a name.

