HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Requirements – Time for a Major Regulatory Change


It is only fitting that legislation created in the mid-1990s be considered, as most HIPAA experts would agree, outdated. Even with the changes brought about by HITECH and the Omnibus Rule, the implementation specifications remain relatively unchanged. It is still one-size-fits-all when it comes to meeting the requirements.


Sure, you could argue that what is reasonable and appropriate for one healthcare provider is not for another. Therefore, it comes down to how each implementation specification is interpreted, and how you decipher what the Code of Federal Regulations (CFR) is asking for.


After spending 27 years working for the Federal government and being involved in policy and regulatory oversight, even I sometimes struggle with how to make sense of a particular CFR.

For larger healthcare providers that have regulatory and compliance staff, HIPAA compliance might be a bit easier. But for the smaller providers who are required to follow all of the same requirements, albeit what is “reasonable and appropriate,” this is a colossal struggle. I can see why some small providers just throw their hands up and say, “This is way too complex for us to figure out.”


When the HIPAA legislation was created, the healthcare system in this country was really starting to transform. Today, with more and more specialty practices and other types of healthcare service providers tapping into this growing market, updating regulation requirements must be a priority. It cannot be a one-size-fits-all requirement anymore. The U.S. Congress needs to take into consideration how the healthcare industry has changed, in particular with the emergence of new health related mobile apps hitting the techno-sphere. HIPAA regulatory requirements must be adaptable to meet this changing environment.


When I conduct a HIPAA risk assessment for a smaller healthcare provider and I ask a question in an attempt to adhere to the implementation specification, often I get a non-applicable response. The hard work for me is how to get that provider covered in meeting a required implementation specification if it is non-applicable. If a provider is truly making the effort with due diligence to follow the HIPAA regulations, then that should be factored into the equation. The process must allow for more discretion when it comes to some of the implementation specifications.


All of this will require legislative fixes. The U.S. Congress can rattle a few cages and give the impression there is real concern with making sure healthcare providers are doing everything they can to safeguard patient records, but until there is movement towards making necessary legislative changes, HIPAA requirements will remain as confusing to some as the U.S. tax code.


Back in the mid-1990s, Senators Kassebaum and Kennedy, the sponsors of the insurance reform legislation that became known as HIPAA, clearly had a vision about the changing landscape of healthcare security in this country. Which current-day senators will have that vision and want to undertake the monumental task of reforming HIPAA for the next decade remains to be seen. The time is now to start down this road.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004


10 Reasons to be HIPAA Compliant


Here is a reprint of a recent online article submitted by Nick McGregor and posted by CMIT Solutions. #7 on the list calls for an increase in enforcement of HIPAA compliance by HHS, which is more of an incentive to make this a priority if your small practice has not done so already.

Rather than asking, “What has changed for your business in the health care realm this year?” the better question might be, “What hasn’t changed?”

The Affordable Care Act, premium increases, existing policy cancellations, enrollment period confusion, continuing IT problems with the HealthCare.gov website… Each of these minor health care earthquakes has shaken the small business community to its core.

Add in constant worries about data security and IT functionality and it can be enough to drive a business owner mad. But there’s one feature of the health care landscape that represents an even more critical decision: new HIPAA rules, regulations, and compliance requirements.

If your business has any contact with electronic health records or medical information, either as a Covered Entity (CE) — health care provider, health plan, or health care clearinghouse — or a Business Associate (BA) — any vendor or subcontractor that helps a CE carry out its activities and functions — HIPAA compliance should be of the utmost importance for you.

Why? The following 10 reasons provide a good start:

  1. The HITECH Act and HIPAA Omnibus Rule have substantially increased civil penalties for non-compliance. The penalty cap for HIPAA violations was increased from $25,000/year to $1,500,000/year per violation. Willfully ignoring or failing to be compliant means mandatory investigations and penalties can be initiated by any complaint, breach, or discovered violation.
  2. New Breach Notification rules will increase the number of HIPAA violations determined to be breaches. The HIPAA Omnibus Rule expands the definition of a breach and the consequences of failure to address it properly. Providing proper notification can trigger federal investigations and eventual fines and penalties.
  3. The mandated deadline for new HIPAA compliance rules has already passed. All Covered Entities and Business Associates were required to update their HIPAA policies, procedures, forms, and Notices of Privacy Practices by September 23, 2013.
  4. All Covered Entities must have documented policies and procedures regarding HIPAA compliance. Recently, a dermatology practice in Concord, MA, learned this lesson the hard way, getting slapped with a $150,000 fine for allowing the health information of just 2,200 individuals to be compromised via a stolen thumb drive. The company also had to incur the cost of implementing a corrective action plan to address Privacy, Security, and Breach Notification rules.
  5. Business Associates are now required to be compliant with HIPAA Privacy and Security Rules. Business Associates will be held to that standard by Covered Entities, who are now responsible for ensuring their BAs are compliant.
  6. While Meaningful Use incentives for Electronic Health Records (EHR) are optional, HIPAA compliance is not. If you manage Protected Health Information (PHI), you must comply with federal regulations or face substantial civil and criminal penalties. If a Covered Entity accepts Meaningful Use funding, a Security Risk Analysis is required — and any funding may have to be returned if adequate documentation is not provided upon request.
  7. The Department of Health & Human Services’ (HHS) Office of Civil Rights (OCR) is expanding its Division of Health Information Privacy enforcement team. The federal bureau is stepping up hiring for HIPAA compliance activities, calling for professionals with experience in privacy and security compliance and enforcement.
  8. State Attorneys General are getting involved in HIPAA enforcement. HHS has even posted HIPAA Enforcement Training for State Attorneys General agendas on its www.HHSHIPAASAGTraining.com website.
  9. HIPAA compliance requires staff privacy and security training on a regular basis. All clinicians and medical staff that access PHI must be trained and re-trained on proper HIPAA procedures. Documentation of provided training is required to be kept for six years.
  10. Protecting your practice means avoiding the HIPAA “Wall of Shame.” The list of health care organizations reporting major breaches and receiving substantial penalties is growing at an alarming rate. The details of these breaches are widely available to the general public — and widely reported in the media.

Top 10 Myths of HIPAA Risk Analysis


The following is a top 10 list distinguishing fact from fiction when it comes to conducting a HIPAA Security Risk Analysis.

  1. The security risk analysis is optional for small providers. False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
  2. Simply installing a certified EHR fulfills the security risk analysis Meaningful Use requirement. False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
  3. My EHR vendor took care of everything I need to do about privacy and security. False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
  4. I have to outsource the security risk analysis. False. It is possible for small practices to do the risk analysis themselves, but it can be time-consuming. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge, which could be obtained through the services of an experienced outside professional.
  5. A checklist will suffice for the risk analysis requirement. False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
  6. There is a specific risk analysis method that I must follow. False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
  7. My security risk analysis only needs to look at my EHR. False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.
  8. I only need to do a risk analysis once. False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.
  9. Before I attest for an EHR incentive program, I must fully mitigate all risks. False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.
  10. Each year, I’ll have to completely redo my security risk analysis. False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period.

Covered Entities Must Share PHI with Patients Even if it is Requested in an Unencrypted Format


This month, Atlantic Information Services reported that covered entities must provide patients with their ePHI when they request it, in a format that the patient can open on their computer. Does this mean Covered Entities may have to send unencrypted emails containing electronic Personal Health Information (ePHI) to their patients? It depends on what the patient requests.

The HHS statement that patients have the right to access their ePHI and that covered entities “must provide this access in the manner requested by the individual” has created confusion. Covered entities are now left trying to find ways to provide patients access to their ePHI without violating HIPAA requirements.

The Privacy Rule “allows the use of unencrypted email when communicating ePHI between the healthcare provider and the patient…provided they apply reasonable safeguards when doing so”.[1]

Examples of safeguards include:

  1. Check the email address for accuracy.
  2. Send email to confirm the recipient before sending the ePHI.
  3. Limit the amount of information disclosed.
  4. Encrypt emails.

Many covered entities have policies in place requiring all email containing ePHI be encrypted, and we at Total HIPAA Compliance fully support these policies. Patients may complain about opening an encrypted email, but the alternative is that you are potentially exposing their unencrypted Protected Health Information to all kinds of unknown risks. An unencrypted email can go through multiple servers before it reaches its final destination, and every server it stops in on its way to its final destination is another potential failure point.

How do you protect your patients while giving them access to their information in the format requested?

  1. Don’t explicitly offer unencrypted communication – I know this sounds disingenuous, but if you have a communication request from a patient, it’s always best to default to sending those communications encrypted.
  2. Explain the risks of sending unencrypted communications – Most non-technical people don’t understand the risks they are taking by sending communications unencrypted. You can compare the privacy level to sending an electronic postcard listing all their requested information. It is estimated that medical identity theft costs an individual $13,500.[2] This is a major reason to insist that all communications with patients be encrypted.
  3. Make the barrier for unencrypted communication high. HHS states that if the healthcare provider feels the patient is not aware of the risks of using unencrypted email for ePHI, or has concerns about liability, they can inform the patient of those risks and allow the patient to make the decision. If the patient then decides to request receipt of the ePHI using unencrypted email, the covered entity will be exempt from possible liability because the patient has given their explicit permission to receive the ePHI in an unencrypted form. Make sure the client signs off each time there is a requested unencrypted communication. This burden may push a client to receive information encrypted.
  4. Here is a form you can use if a client insists on having communications sent unencrypted.

Ways to Make Patient Communication Easier While Using Encryption:

Patient Portals
A patient portal is a secure website that patients can access with a username and password. Portals allow patients to access their ePHI through an internet connection. This is an elegant way to provide the patient with their PHI and not expose the information to hackers.

Use a different encrypted email provider
There are many HIPAA compliant email encryption services you can use. Some are easier for patients to use than others. If your patients are consistently complaining, maybe it’s time to look into a new provider. There are many great options out there that will integrate with your EHR.

Two of our favorite encrypted email platforms for ease of use and cost are:

  1. Virtru. This application allows users to integrate with almost any email provider. Virtru Pro is HIPAA compliant and Virtru will sign a Business Associate Agreement. Virtru offers end-to-end encryption with the ability to revoke a message at any time. Virtru makes it easy for the sender to encrypt messages and for the receiver to respond encrypted.
  2. Protected Trust is also another great product. The email recipient has to be registered with Protected Trust, but this is free for your patients. Protected Trust offers many different verification options for the recipient, including sending recipients a phone call or text message to verify their identity. This application is easy to use for the receiver since they do not have to install any software or create a new email address.

The HIPAA Omnibus update strives to make communication between providers and patients easier as well as protect the privacy of your patients. This can be tricky for the health care provider, but patients always have the right to access their own PHI, and it is up to healthcare providers to grant them that access. As patients begin to demand more communication, covered entities will have to figure out the best way to do this, while remaining HIPAA compliant.


Creating and Managing Passwords - Total HIPAA Compliance


How many times a day do you access applications or websites that require passwords? The temptation is to make passwords simple or reuse the same password. The 2017 Verizon Data Breach Investigation Report found that 81 percent of hacking-related breaches succeeded through stolen passwords or weak passwords. That’s an 18 percent increase from last year’s report, suggesting that rather than getting better, password security is getting worse.

Common password problems include using simple passwords that are easy to guess and reusing the same one for many sites. Then there is the problem that you can’t remember them all! Ah, the joy of managing passwords. Here are two ways to protect your data. First, learn how to create a solid password. Next, consider a password management system.

Creating Passwords

You know that your passwords have to be unique and strong. But what exactly gives passwords these traits? This list of Dos and Don’ts will help you create a super strong password to safeguard your patient’s or client’s protected health information:


  • Do use 12-15 characters for each password. The longer, the better.
  • Do consider using a phrase or sentence you can easily remember as your password, including numbers and special characters.
  • Do use special characters in atypical places. For instance, use a number in the middle of a word rather than before or after it.
  • Do consider length more than complexity. Studies show that a 15-character password with special characters is more secure than a short one of all unique characters like 5&Hq%.


  • Don’t use easily guessed passwords like family members’ names or birthdates.
  • Don’t use single words found in the dictionary such as watermelon or even watermelonseeds as standalone passwords.
  • Don’t reuse passwords at multiple sites.
  • Don’t share your passwords with anyone. If you have to, immediately change your password as soon as someone else has used it.
  • Don’t use passwords based on adjacent keys on the keyboard, like asdfjkl;.
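The Dos and Don’ts above can be turned into an automated policy check that runs when a staff member picks a new password. The Python below is an added example written for this page, not code from Total HIPAA or the original article. The word list, keyboard rows and sample passwords are constructed stand-ins for illustration, and the `previous_hashes` parameter assumes the practice keeps a history of hashed passwords for the reuse check.

```python
import hashlib
import math

# Constructed stand-in for a real word list; a deployment would load a
# full dictionary from disk. Covers the article's "watermelonseeds" case.
DICTIONARY = {"watermelon", "seeds", "password", "summer", "doctor", "clinic"}

# Physical keyboard rows, used to catch "adjacent key" passwords like asdfjkl;
KEYBOARD_ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]

MIN_LENGTH = 12  # the article's "12-15 characters, the longer the better"


def has_keyboard_run(pw, run=4):
    """True if pw contains `run` consecutive keys from one keyboard row (either direction)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def is_dictionary_concat(pw, words=DICTIONARY):
    """True if pw is made entirely of dictionary words joined together (e.g. watermelonseeds)."""
    low = pw.lower()
    if not low.isalpha():
        return False
    # Dynamic programming over positions: reachable[i] means low[:i] splits into words.
    reachable = [False] * (len(low) + 1)
    reachable[0] = True
    for i in range(len(low)):
        if not reachable[i]:
            continue
        for w in words:
            if low.startswith(w, i):
                reachable[i + len(w)] = True
    return reachable[len(low)]


def entropy_bits(pw):
    """Rough search-space size in bits: length * log2(size of the character pool used).

    This is an upper bound that assumes random choice; it is only meant to
    illustrate the article's length-over-complexity point, not to grade strength."""
    pool = 0
    for pred, size in ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10)):
        if any(pred(c) for c in pw):
            pool += size
    if any(not c.isalnum() for c in pw):
        pool += 33  # printable ASCII punctuation
    return round(len(pw) * math.log2(pool), 1) if pool else 0.0


def check_password(pw, previous_hashes=frozenset(), personal_terms=()):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_dictionary_concat(pw):
        problems.append("made only of dictionary words")
    if has_keyboard_run(pw):
        problems.append("contains a run of adjacent keyboard keys")
    low = pw.lower()
    for term in personal_terms:  # names, birthdates, pets: the "easily guessed" category
        if term.lower() in low:
            problems.append(f"contains easily guessed personal term '{term}'")
    # Reuse check against a history of hashes. A real deployment would compare
    # with the same slow, salted hash the credential store uses, not bare SHA-256.
    if hashlib.sha256(pw.encode()).hexdigest() in previous_hashes:
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    history = {hashlib.sha256(b"purple-cactus-delivers-9-tacos").hexdigest()}
    for candidate in ("5&Hq%", "asdfjkl;", "watermelonseeds", "purple-cactus-delivers-9-tacos"):
        print(candidate, entropy_bits(candidate), check_password(candidate, history))
```

The `entropy_bits` helper makes the article’s comparison concrete: the five-character `5&Hq%` draws from a large pool but still yields a far smaller search space than a 30-character passphrase built from lowercase letters, a digit and hyphens.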

Password Management

Since you’re now the resident expert on password creation, how can you organize all of them? A password management program lets you store and organize passwords in a single spot, so a single master password gives you access to your complete password database. Last month, PC Magazine published an article comparing several different password management programs. For roughly $12 to $45 a month, you can pay a service like Dashlane, 1Password, LastPass, etc., to securely keep your passwords at your disposal.

Within these programs, you can define your own passwords, or they can create unique passwords for you. To make it easy, these programs can be accessed not only on your work computer but also on your cellular phone or other devices. They may be a great help, but remember that your master password to the program becomes the one and only access point to all of your other information. Concerned about the security of these management programs? A recent article in Macworld will reassure you they are a reliable tool.

Password creation and accessibility aren’t for the faint of heart. Will it always be so difficult? Maybe not. Biometric sensors like iris scanning and facial recognition are becoming increasingly popular forms of authentication. These biometric sensors can’t stand alone as a strong security solution, but we’re already seeing them more and more as part of a multi-factor authentication solution.

In the meantime, with security breaches rampant, password security is something you and your company can’t take lightly. Make a habit of creating strong passwords. If you can’t organize them in a safe way, a password management system just might be the help you need to secure the PHI for which you’re responsible.


Top Ten Total HIPAA Blogs


The countdown of Total HIPAA’s most popular blogs of 2016 continues this week with #5 through #1. Not surprisingly, the top three are technical topics. If you have any topics you would like us to consider in 2017, please fill out the suggestion form at the end of this summary.

Top Ten Count Down Continued

    5. Does HIPAA Restrict Healthcare Professionals from Communicating with Family and Friends?

Buddy Dyer, the mayor of Orlando, requested a waiver of the HIPAA rules following the June 12 shooting at Pulse Nightclub. A statement from HHS Assistant Secretary for Public Affairs, Kevin Griffis, explained the reason why the waiver was not needed in Orlando: “HIPAA allows health care professionals the flexibility to disclose limited health information to the public or media in appropriate circumstances. These disclosures, which are made when it is determined to be in the best interest of a patient, are permissible without a waiver to help identify incapacitated patients, or to locate family members of patients to share information about their condition. Disclosures are permissible to same sex, as well as opposite sex, partners.” In order to understand under what circumstances Mayor Dyer and healthcare providers should be concerned about HIPAA restrictions, we look at the Law in this blog.

    4. Covered Entities Must Share PHI with Patients Even if it is Requested in an Unencrypted Format

HHS stated that patients have the right to access their ePHI and that Covered Entities must provide this access in the manner requested by the individual. While the Privacy Rule does allow the use of unencrypted email when communicating ePHI between the healthcare provider and the patient, we suggest you take the steps outlined in this blog to protect your patients’ ePHI while still giving them access to their information.

    3. HIPAA Compliant Email Encryption Review 2016

Covered Entities, Business Associates and Business Associate Subcontractors are required to protect the PHI they hold at rest, in storage and in transit. In this blog, we reviewed six HIPAA-compliant and affordable email encryption solutions with a focus on solutions for small businesses.

    2. It’s Time to Upgrade Your Internet Explorer NOW and Forever

When it comes to your software, we know how you feel – if it’s not broken, why fix it? Upgrading is a pain! Upgrade one thing and your computer programs can collapse like a house of cards. In this instance, it is VERY important for your business security that you upgrade to the latest version of Internet Explorer—NOW! As of January 12, 2016, Microsoft announced it was only supporting technical and security updates for Internet Explorer 11. What did this change mean to you?

    1. HIPAA Compliant Text Messaging Application Review

Today everyone uses text messaging (“texting”) for easy and quick communication. It is a great tool for convenience and efficiency, but most users don’t realize that texting is an unencrypted form of communication that can be intercepted at any point in transmission. In this blog we reviewed four companies that offer secure messaging solutions for small to medium organizations using encryption to allow organizations to send PHI through text.

Thank you for your support on Social Media this year! As HHS continues to crack down with additional audits on both covered entities and business associates, our goal is to provide you with all the materials you need. Many of our blog topics come directly from questions sent by our clients and followers.


Implementing HIPAA is More Than Meeting Government Regulations


Recently, I was on a vacation in Germany, and as I visited several medieval cities, I had two thoughts. First, Germany certainly has a lot of walled cities, and second, city walls are a great analogy for HIPAA Compliance. (Don’t worry, I didn’t spend the whole vacation thinking about HIPAA…)

When I work with clients on their HIPAA compliance plans, we start by defining the scope of the plan. Are we only going to focus on a specific part of the company, or are we going to look at the company as a whole? Medical and dental clients don’t have a choice – they have to address the entire practice, but insurance, BAs and employer groups have a decision to make.

Nine times out of ten, we find that businesses take our plan and expand this out to their entire company or practice because they find the privacy and security principles to be applicable to all parts of their business, and just make good sense to apply company-wide. If you’re going to go through the process, why not protect your entire business?

How do you protect your “City”?

Step 1 – Conduct a Risk Assessment

If your enemies tended to use fire to attack your city, you wouldn’t build a wall out of wood. The same principle applies to HIPAA: it’s important to assess what risks your business is going to face, and what reasonable steps you can take to protect your assets.

HIPAA calls for you to assess three different aspects of your business: Administrative, Physical and Technical. You can hire a third party, or do this yourself. Sometimes it’s easier for a third party to see the gaping hole in your south wall that you’ve overlooked.

Step 2 – Create a Plan

This is where you convert the information you identified in your Risk Assessment into actionable items that everyone can follow. This will keep you from building two towers right next to each other – two facing north, and none facing south. Also, having a plan will ultimately save you money by giving your staff clear instructions and goals.

HIPAA requires that you have written Privacy and Security Policies and Procedures. Think of these as the blueprint for protecting your “city.”

Step 3 – Build Your “City Wall”

Most of these cities had stone walls, towers, moats, bridges, etc. This is all to make the city more difficult to attack, therefore an undesirable target.

You will be looking to build your “wall” by securing your network, devices, and facility. This is having firewalls, anti-malware software, password protection on devices, and locking your facility. Any lapse in these security items means your “city” is vulnerable to attack.

Step 4 – Secure Your Key Assets

In the old days, this meant stationing extra soldiers around granaries and weapon stores. Today it means having backups of your systems and encrypting all your data in transit, at rest, and in storage. This can save you many headaches if an attack comes your way.

Step 5 – Communication

Walls and security are great, but cities thrived off communication and trade, much like your business does. If you completely lock everything down, then your “city” will starve and die.

This is where HIPAA compliant faxing, encrypted email, texting, chat, file sharing and video conferencing come in. While HIPAA doesn’t explicitly require these items, it does leave it up to the business to assess the risks and then to implement them accordingly. I’ve worked with a lot of companies on this, and I’ve yet to see a compelling reason not to use encrypted communication tools.

Step 6 – Train Your Army

Your plan is only as good as your army. Walled cities had well-trained soldiers to man the walls and repel any potential invaders. While you’re not going to call on your employees to man the trebuchets, they are your first line of defense.

Have you trained your employees on how to protect their “city”? Do they know how to communicate with clients securely, how often they are required to change passwords, what the requirements are for secure passwords, what to do if a system starts acting strangely (potential hack), or who to contact if they think there is a potential breach? These are all items that are part of your comprehensive HIPAA Compliance Plan, and a well-trained employee can help mitigate the success of these attacks.


As you can see, all these provisions for your “city” make sense. HIPAA isn’t just a regulation, it’s a way to look at your current security stance, and make sure your “city” is properly fortified, protects the PHI inside and will repel hackers. These simple steps can save your “city” from an embarrassing attack, and protect your livelihood going forward.


Preparing Contractors for HIPAA Compliance


You’re a small medical practice whose head nurse goes out on maternity leave, and you hire your mother-in-law, an RN, as a temporary replacement until she comes back. You’re an insurance company that has hired a part-time agent to work one day a week from home. Whatever the scenario, the full-time employees, contract employees or independent contractors these employers hire have access to client or patient Protected Health Information. Employers are responsible for their contractors’ and temporary employees’ compliance with HIPAA. The question is, what procedures should you follow?

Employee Classification

Since 2013, the Common Agency Provision of HIPAA in the Omnibus ruling states that you are responsible for your employees’ compliance.

Is your employee a contractor working exclusively for your company, an individual with other clients, or someone hired through a business? As an employer, you are not required to train these quasi employees, but your company will be responsible if one of these individuals breaches Protected Health Information.

Here is a recommendation:

If the employee is a contractor working exclusively for your company or a sole proprietor with other clients, you cannot expect the individual to generate Policies and Procedures for Privacy and Security as required of either a Business Associate or a Subcontractor BA. It is meaningless to ask them to sign a Business Associate Agreement or a Subcontractor Business Associate Agreement because they will not have the compliance infrastructure required by HIPAA.

Instead, ask them to sign a confidentiality agreement. These are a few of the items included in the confidentiality agreement provided by Total HIPAA:

  • What information is covered with the agreement
  • The types of information that can not be copied or modified
  • Information must be returned upon request by the employer
  • Disciplinary action for persons responsible for a breach of confidential information

Make sure these contractors are trained regularly on the HIPAA law and on your company’s Privacy and Security Policies and Procedures. You should require them to follow your company’s Security Policies and Procedures for things like firewalls and virus protection. Unfortunately, the employer is fully liable even if the independent contractor was malicious or criminal in creating the HIPAA breach.

If the employee is provided through a company with infrastructure, that company will need to meet the compliance standards as a business associate or a business associate subcontractor, which are the same requirements. Having these companies sign a Business Associate Agreement or Subcontractor BAA is a must.

HIPAA Training

Whether you are a Covered Entity, a Business Associate, or a Business Associate Subcontractor, make sure you provide HIPAA training to all your employees, contractors and temporaries that can access PHI. A Subcontractor who hires a worker has the same responsibility to train these people. The responsibility can extend down several layers.

It might be a pain, but before your contractor or temporary starts working, you must have either a signed Confidentiality Agreement, a BAA or a Subcontractor BAA in hand. This contractor must complete HIPAA training, too. Remember, if you don’t train all your workers, you open yourself up to potential breaches that can result in an HHS audit and potential fines.


7 Most Common HIPAA Violations That Can Cost Your Practice


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to set national standards for the confidentiality, security, and transmissibility of personal health information. Violations of this Act can result in substantial fines to a practice ranging from $100 to $1.5 million. Healthcare providers can also be at risk for sanctions or loss of license. In order to reduce the risk of penalties or fines, medical practices should ensure their policies and procedures are regularly updated and employees receive on-going compliance training. Below are some of the most common HIPAA privacy violations and measures that can be taken to protect patient health information.

  1. Database Breaches-

In 2015, data breaches cost the healthcare industry nearly 6 billion, with the average economic impact per organization totaling $2,134,800. Medical identity theft has more than tripled over the past five years, with almost a third of the US population having been affected. It can happen to an organization or practice of any size, which is why it is important to take the appropriate security measures, such as firewalls, encryption, and password-restricted access, to protect PHI.

  2. Lost or Stolen Devices-

Another very common HIPAA violation is the theft of PHI through lost or stolen laptops, desktops, smartphones, and other devices that contain patient information. Mobile devices are the most vulnerable to theft because of their size; therefore, the necessary safeguards should be put into place, such as password-protected authorization and encryption, to access patient-specific information.

  3. Employees illegally accessing patient files-

Employees accessing patient information they are not authorized to see is another very common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for a relative or friend, this is illegal and can cost a practice substantially. In addition, individuals that use or sell PHI for personal gain can be subject to fines and even prison time.

  4. Lack of training-

One of the most common reasons for a HIPAA violation is employees that are not familiar with HIPAA regulations. Often only managers, administration and nurses receive training, even though HIPAA law requires all employees, volunteers, interns and anyone with access to patient information to be trained. Compliance training is one of the most proactive and easiest ways to avoid a violation.

  5. Improper disposal of personal health information-

Personal health information should always be shredded or destroyed. It is also important to ensure the photocopier is not saving copies to its hard drive. If the copier is returned, sold, or discarded without being properly wiped clean, this could also result in a HIPAA violation. Establishing and posting policies and procedures to make sure personal health information is locked, secured and disposed of appropriately will help to remind employees and prevent a potential violation.

  6. Employees disclosing patient information-

Employees gossiping about patients to friends or coworkers is another very common HIPAA violation that can cost a practice a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients to private places, and avoid sharing any patient information with friends and family.

  7. Authorization Requirements-

A written authorization is required for the use or disclosure of any individual’s personal health information that is not used for treatment, payment, or healthcare operations, or otherwise permitted by the Privacy Rule. If an employee is not sure, it is always best to get prior authorization before releasing any information.

The privacy and security of patient health information should be a priority for all healthcare providers and professionals. Most violations can easily be prevented by implementing HIPAA regulations in practice policies and procedures and ensuring that all individuals with access to patient information receive the proper training.


The Security Risk Analysis: An Essential Step Towards HIPAA Compliance


There are many important elements to implementing an effective HIPAA Program, but none are more important than completing a security risk analysis. Conducting a risk analysis will give your practice an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of your electronic protected health information.

Completing a security risk analysis is a required element. This means that most specifications must be evaluated and if applicable, implemented, in order to achieve compliance with the Security Rule. It is important to remember that certain specifications in the risk analysis are considered addressable, meaning it is up to the covered entity to determine (in writing) if the specification is a “reasonable and appropriate” safeguard for its environment, taking into consideration how it will protect ePHI.

According to the Security Rule, your security risk analysis should be broken down into the implementation of 3 categories of electronic protected health information safeguards: Administrative, Physical and Technical. The following is an overview of each category, including differentiation between those specifications that are required and those that are addressable.


Administrative safeguards are administrative actions and functions to manage the security measures in place that protect electronic protected health information. Administrative safeguards must state how the covered entity will conduct oversight and management of staff members who have access to, and handle ePHI. Administrative safeguards include:

  • Risk Assessment (R)
  • Sanctions Policy (R)
  • Information System Activity Review (R)
  • Security Officer Assignment (R)
  • Security Awareness and Training (A)
  • Security Incident Procedures (R)
  • Disaster Recovery and Data Backup Plan (R)
  • Periodic Security Evaluations (R)
  • Business Associate Contracts (R)


Physical safeguards are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards and unauthorized intrusion. They include restricting access to ePHI and retaining off-site computer backups. Applying physical safeguards means establishing:

  • Facility Access Controls (A)
  • Workstation Use and Controls (R)
  • Device and Media Controls (R)


Technical safeguards are the automated processes used to protect and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted. Technical Safeguards are:

  • Unique User Login (R)
  • Emergency Access Procedures (R)
  • Automatic Logoff (A)
  • Encryption and Decryption (A)
  • Audit Controls (R)
  • Authentication of Integrity of ePHI (A)
  • Authentication of Person or Entity (R)
  • Transmission Security (A)

Completing your security risk analysis is not only an essential component of your HIPAA program; it will also enable you to identify and rectify any risks and vulnerabilities to the access and confidentiality of your electronic protected health information. The results of your risk analysis will be used to determine the appropriate security measures to be taken. Be sure to re-evaluate your risk analysis periodically, especially if there have been any known or suspected threats to your security program.


HIPAA Violations Every Day and Every Size


We frequently get questions about whether or not an event is a HIPAA violation. Some of the events are hazy, others are clear-cut. We received an email from a nurse last week with a question. She had received a postcard inviting her to a weight-loss clinic and offering her a $25 deduction, even though she had never used their services.

We called her and discussed her concern. The nurse indicated she didn’t have a serious weight problem. The postcard was sent to her office where other people could see it and she was embarrassed. She said to me, “I’ve been trained on HIPAA and I think this is a clear-cut example of a breach.”

Although we’re not lawyers, we agree. First, she never signed any agreement that the weight-loss clinic could send marketing materials to her. Second, PHI was on a postcard addressed to her so anyone who sorted the mail could read the information.

Increasingly small businesses such as this weight-loss clinic are going to be scrutinized for their actions. More and more businesses that see or generate PHI such as rehabilitation clinics, group foster homes, long-term care facilities, social workers, accountants and shredding companies realize that they need to be HIPAA compliant.

One of the largest groups that must be compliant is employers who provide health benefits to employees and see Protected Health Information. If one of these organizations improperly releases information, the loss of trust will translate into a loss of clients and business.

Filing a Complaint

When an individual feels their Protected Health Information has been breached, they can file a complaint with the company, through HHS (HIPAA Complaint Portal Assistant and 1-800-368-1019). In several states, individuals can file with the State Attorney General Office, and we’ve seen in some states that protection of PHI is considered a standard of care, so patients are suing under malpractice laws. Although the fines and penalties are not currently shared with the individual, this may soon be available which will result in a feeding frenzy in the legal community.


How do you prepare your staff so that violations of HIPAA like the one affecting the nurse do not occur? Training your staff on the HIPAA law and on your organization’s unique policies and procedures is part of the HIPAA compliance process. You are also required to complete a risk assessment, and then convert the information captured in the risk assessment into privacy and security policies and procedures.

If you do it yourself, completing the required documents takes between 40 and 60 hours. The question then is, did you capture all the required information, and have you determined that your file sharing, email encryption, firewalls and virus checker are truly HIPAA compliant? Are these solutions the easiest to use and most cost-effective choices for your organization? Many times, companies say they are HIPAA compliant, but they have no documentation to back up the claim.

If you fit any of these groups: a health insurance agent/broker, an employer offering health benefits to your employees, or a business associate that can access health information about a client (shredding company, IT vendor, or accountant), find out if you need to be HIPAA compliant. This short survey will help you determine if you need to take action:


How to Eliminate Your HIPAA Compliance Blind Spots


When it comes to HIPAA compliance (i.e., adherence to regulations detailed in the Health Insurance Portability and Accountability Act of 1996), most health facilities are well versed on the Privacy Rule and its protection of personal medical information. They work hard to maintain patient trust by upholding the necessary privacy standards. But sometimes, even the most conscientious facilities let patients’ health details slip through the cracks.


The rise of mobile technology and electronic medical records has left the health industry with a few harsh blind spots. Health information that is stored and/or transferred electronically (i.e., electronic protected health information, or ePHI) is highly susceptible to a HIPAA breach. So health organizations must be extra diligent to ensure they are fully safeguarding ePHI and remaining HIPAA compliant.

To help you take stock of your organization’s HIPAA security efforts, here are 4 tips for eliminating your HIPAA compliance blind spots:

#1: Limit Information Shared in Mobile Messages

In today’s fast-paced, mobile world, we often receive appointment confirmations or prescription refill notices via voicemail, text, or email. While this is convenient for health organizations and patients, it opens up the door for HIPAA security violations.

To keep a patient’s private health information out of the wrong hands, health organizations should limit the information they share in mobile messages. For instance, a prescription refill notice should not contain details of the specific prescription; it should simply notify the patient that it’s time for him or her to submit a refill request. Likewise, appointment confirmation messages should leave out any details regarding the specific reason for the appointment.

If a facility wants to take its privacy protection a step further, it can even limit its mobile messages to a simple request for a patient to call the facility for further information.

#2: Be Cautious of Open Text Fields

A lot of health organizations have moved their data collection efforts online in recent years, which means they are collecting new patient registrations or appointment requests with online forms. While using a HIPAA compliant data management system is a great (and necessary) way to protect patient data, a HIPAA breach is still possible if facilities aren’t careful.

Online forms that contain open text fields can inadvertently lead to HIPAA security violations. This is because patients may unknowingly share ePHI, such as current medications or medical conditions, in that free text space. For instance, when providing feedback on a patient satisfaction survey, a patient might state that his or her doctor was supportive and caring after delivering a cancer diagnosis.

To limit the sharing of ePHI on online forms, health organizations can add disclaimers next to any open text fields to warn patients not to include personal medical details in those fields. Or they can remove any open text space altogether.

#3: Evaluate Facility Advertisements

Online advertising—particularly on social media—is fairly new territory for health facilities. And for good reason. The healthcare industry is subject to deeper scrutiny than other industries when it comes to advertising, and those working in the industry are held liable for both truth in advertising and HIPAA compliance. This means they have to be super careful about what they publish for all to see.

If proper permission is not obtained, any use of a patient’s information or likeness in an advertisement could be a HIPAA breach. For instance, if a dermatologist posts photos of a patient’s skin before and after treatment, the patient’s identity could be compromised. Even if the post or advertisement contains only a portion of the patient’s face, his or her privacy could still be violated if family members or close friends recognize the patient.

To avoid violating HIPAA security laws when advertising online, healthcare organizations should take extra steps to evaluate all advertisements and ensure they aren’t improperly using identifiable patient photos or information.

#4: Avoid Use of Patient Names

This might seem like a no-brainer when it comes to protecting patient data, but facilities should avoid using patient names or other personally identifiable information when possible. As mentioned earlier, patients will sometimes share ePHI unknowingly when filling out online medical forms. To avoid tying patients directly to any sensitive information they might provide, health organizations can find ways to gather the information without using patients’ names.

For example, if a facility is simply surveying patients to help improve its overall services, the facility should consider gathering anonymous feedback. In other instances, when it is helpful or necessary to have a patient record tied to the information, organizations should consider using a unique identifier—such as a patient ID or account number—instead of a name.


HIPAA Audit Survival Tips and Strategies


When the Department of Health and Human Services (HHS) or the Office for Civil Rights (OCR) reaches out to health care organizations in response to a potential HIPAA investigation, auditors follow a very specific path toward contact, investigation, and resolution. Once a complaint is received and OCR has determined that it is legitimate, it will issue letters of notification to both the complainant and the recipient. These letters will outline a timeline for the investigation and will explicitly identify the investigating party as the OCR.

Once the investigation begins, OCR will collect and review documentation submitted by both parties. They may use any number of investigative methods including interviews and onsite visits to determine if there is sufficient evidence to support the allegations. Once again, OCR will send a letter explaining their findings. Resolutions will then vary depending on the outcome of their investigation.

HIPAA Audit Survival

HIPAA audit survival starts with keeping informed about OCR procedures. Knowledge is power. In this case, being aware and prepared is the best way to prepare your practice for a potential investigation. OCR will only contact you directly via a certified letter or email. Disreputable parties regularly attempt to lure unsuspecting practitioners into buying “certification” services that are fraudulent.

FACT: There is no certifying body for HIPAA compliance by any federal or private entity–any organization that claims otherwise is using misleading or potentially fraudulent language.

  1. Your best defense, then, is to keep in mind the process described above, and to stop communicating with any party that suggests a deviation from the standard procedure outlined.
  2. Next, if you’re unsure whether you’ve been contacted by a federal agency, ask the sender to confirm the identity of their organization, then verify them with a Google search about their services.
  3. If your organization receives an email or call from an entity claiming that you need to have a “Mandatory HIPAA Risk Assessment Review with A Certified HIPAA Compliance Adviser”, be on full alert. This deviation from the official procedure described above will tell you that the caller is not providing a legitimate notice from a federal or state regulatory agency. Do not feel obligated to provide or share any of your information if you receive such a notice.
  4. Check the source of the email. These fraudulent emails are being sent from sources such as ‘OSOCRAudit@hhs-gov.us’, while a legitimate OCR email will be sent from ‘OSOCRAudit@hhs.gov’. The distinction is subtle, but that’s characteristic of scams such as these.

To protect yourself, be wary of misleading language and marketing efforts targeted at health care professionals by such third-party organizations. Some such advertising will occasionally try to leverage the threat of a federal offense to make a sale of technology that isn’t legal. This type of fraud has become so widespread that OCR has responded to this unlawful conduct with a statement telling health care officials not to follow any of the links in the email. For more information on how to mitigate HIPAA breaches and fines, check out these upcoming HIPAA educational webinars brought to you by Telemental Health’s HIPAA compliance affiliate, the Compliancy Group. Simplify HIPAA today with TMHI’s HIPAA Compliance Resource, the Compliancy Group!
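One way to implement the sender check in point 4 above, as an added example that is not code from the article, from the Compliancy Group or from OCR: the function pulls the address out of a From: header with the standard library’s parseaddr, extracts the domain, and accepts only an exact match or a true subdomain of hhs.gov, the one trusted domain the article names. A string containing “hhs.gov” is not enough; the dot boundary is what rejects hhs-gov.us and similar lookalikes. The lookalike heuristic and the sample headers are constructed for this example.

```python
"""Sender-domain check for notices that claim to come from HHS/OCR.

Added example, not code from the article or from any of the organizations it
names. The trusted domain (hhs.gov) and the hhs-gov.us lookalike come from
the article; every other sample address below is constructed.
"""
from email.utils import parseaddr

# The only domain the article identifies as legitimate for OCR audit mail.
TRUSTED_DOMAINS = ("hhs.gov",)


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of the address in a From: header value.

    parseaddr separates a display name such as 'OCR <x@hhs.gov>' from the
    actual address, so a display name that merely mentions hhs.gov does not
    count; only the part after the last '@' of the real address is used.
    """
    _display_name, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower()


def is_trusted_domain(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """Exact match, or a true subdomain separated by a dot, of a trusted domain.

    'hhs.gov' and 'ocr.hhs.gov' pass. 'hhs-gov.us', 'hhs.gov.us' and
    'hhs.gov.example.com' fail even though each contains the text 'hhs.gov'.
    """
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def classify_sender(header_value: str) -> str:
    """Classify a From: header as trusted, lookalike, untrusted or unparseable."""
    domain = sender_domain(header_value)
    if not domain:
        return "unparseable"
    if is_trusted_domain(domain):
        return "trusted"
    # Constructed heuristic: flag domains that reproduce the trusted name once
    # dots and hyphens are removed (hhs-gov.us -> 'hhsgovus' contains 'hhsgov').
    squashed = domain.replace(".", "").replace("-", "")
    for t in trusted_labels():
        if t in squashed:
            return "lookalike"
    return "untrusted"


def trusted_labels():
    """Trusted domains with their dots removed, for the lookalike heuristic."""
    return [t.replace(".", "") for t in TRUSTED_DOMAINS]


if __name__ == "__main__":
    # Constructed sample From: headers; only the first two are legitimate.
    samples = [
        "OSOCRAudit@hhs.gov",
        "Office for Civil Rights <OSOCRAudit@hhs.gov>",
        "OSOCRAudit@hhs-gov.us",
        "notice@hhs.gov.example.com",
        "HHS hhs.gov <audit@example.com>",
    ]
    for header in samples:
        print(f"{classify_sender(header):12s} {header}")
```

Only "trusted" should be acted on without further verification; "lookalike" is the case the article describes, and "untrusted" covers a display name that name-drops HHS while the real address lives elsewhere. The check is a filter for your own inbox, not a replacement for confirming a notice through OCR’s published contact channels.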


4 Steps to Mitigate a HIPAA Breach and Other Tips You Need to Know


Have you been the victim of a breach? Maybe not, but perhaps you know someone who has. Either way, deciding what to do next can be challenging if you’re unprepared.

First, it's important to determine whether the incident is truly a breach or simply a false alarm, then follow these guidelines to quickly respond.

What is Considered a Breach?
The Department of Health and Human Services (HHS) defines a breach as:

“The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

The reason I bring this up is that the definition was updated with the latest Omnibus Ruling which no longer includes the “Harm Standard.” This means if you have a release of information of any kind, be it a fax or email to the wrong person, malware attack, loss of unencrypted device, etc., you have a breach. This is different from the early version of the law which required you to prove the information had been compromised. Now, it’s presumed a breach unless proven otherwise.

Steps to Mitigating a Breach
When responding to a breach, HHS expects you to have your response protocol in place BEFORE a breach happens, so we highly recommend including this as part of your HIPAA Compliance Plan. This is the best way to protect yourself if and when a breach does occur. To get started, follow these four steps: 

Step 1: Perform A Risk Analysis
This first step is important and is required by HIPAA. Your Risk Analysis needs to be conducted quickly and should be as thorough as possible. Here's what to look for:

  1. When did the breach start and end?
  2. What date did you discover the breach?
  3. Approximately how many individuals are affected?
  4. What type of breach has occurred?
    • Hacking/IT Incident
    • Improper disposal of PHI
    • Loss 
    • Theft 
    • Unauthorized Access/Disclosure
  5. Where did the breach occur?
  6. What type of PHI is involved?
    • Clinical
    • Demographic
    • Financial
    • Other

As you review this information, you will have a better idea of what happened and whether or not a breach actually took place.

Step 2: Contact the Authorities
At this point, if you’ve discovered that indeed this is a breach, and if you determine a criminal act has transpired, contact your local authorities. For malware issues, you may be referred to the FBI to file an official complaint. 

Step 3: Notification of Patients
Each patient must be notified of the breach by U.S. Mail, unless you have clearly outlined in your Notice of Privacy Practices that notifications will be sent by email. However, if you determine notifications will be sent electronically, all patients must agree and sign off on this method of communication. This can save you a lot of time and money, so we highly recommend including this clause in your compliance plan. To add this clause, contact your lawyer, or the team at Total HIPAA to make sure this is properly laid out.

The Substitute Notice: This is required when you cannot reach 10 or more individuals. You now have two options: 1) You may post the Notice on your website for 90 days, or 2) You can contact local media outlets and have them post the breach notification.

What is Required to be in the Patient Notification?

  1. A brief description of what happened, the date of the breach and the date the breach was discovered.

  2. A description of the types of unsecured PHI involved in the breach (name, address, date of birth, SSN, health information, treatment codes, etc.)

  3. The steps individuals should take to protect themselves from potential harm. The action could be different for each incident.

  4. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate damage, and to protect against future breaches.

  5. Contact procedures for individuals to ask questions or learn additional information, a phone number, an email address, website or postal address.

Step 4: Notifying HHS of the Breach, or The Rule of 500

Under 500 Patients Affected
If you have a breach of fewer than 500 patients’ information, you are not required to notify HHS at the time the breach is discovered. You will however need to document all the items described above and report the breach to HHS at the end of the calendar year. Notifications must be submitted to HHS within 60 days of the last day of the year and can be filed online using the OCR's notification portal.

Over 500 Patients Affected
If you have a breach affecting more than 500 patients’ information, you are required to notify HHS immediately. You should also verify the HIPAA breach notification rules for your respective state, as these may vary. In several states, such as California, you are also required to notify the Office of the Attorney General. As always, check with your attorney if you have any questions about your specific state’s notification requirements.

What Happens if You Don’t Self-Report a Breach?
If you are chosen for a HIPAA audit and the auditor discovers you have not self-reported breaches, this falls under the Willful Neglect provision, and you may be fined starting at $10,000 per violation. As you can see, self-reporting is the better action here.

Exceptions to Notification Rules
Law enforcement officials may ask the Covered Entity to refrain from posting any notification if they believe it could impede a criminal investigation or may cause damage to national security.

What Happens if your Business Associate is responsible for a Breach?
Unfortunately, this is happening more and more, and though you have a Business Associate Agreement in place, this could still open you up to an audit from HHS as a result of the Common Agency Provision in the Omnibus Ruling.

We recommend that you have a clause in your Business Associate Agreement that states you will be notified within 15 days of a suspected breach of information. Since you are the Covered Entity, it's best that you take the lead on patient notification. Make sure you get a full report from your Business Associate, and what they are doing to mitigate the breach. It’s important to communicate all relevant information to your patients so they can protect themselves.


Medical Identity Thefts Account for 43% of all Reported Identity Theft Cases in U.S.


You may want to ask your medical or dental provider what measures they are taking to protect your electronic health records. In some cases, the answer may surprise you. Here is a recent article from USA Today that will get your attention.

Nearly half of identity thefts in U.S. are medical info.

Story Highlights

  • Medical records of between 27.8 million and 67.7 million people have been breached since 2009
  • Thieves have used stolen medical information for all sorts of nefarious reasons
  • Perpetrators use different methods to obtain information, from stealing laptops to hacking into computer networks

If modern technology has ushered in a plague of identity theft, one particular strain of the disease has emerged as most virulent: medical identity theft.

Last month, the Identity Theft Resource Center produced a survey showing that medical-related identity theft accounted for 43% of all identity thefts reported in the United States in 2013. That is a far greater chunk than identity thefts involving banking and finance, the government and the military, or education. The U.S. Department of Health and Human Services says that since it started keeping records in 2009, the medical records of between 27.8 million and 67.7 million people have been breached.

The definition of medical identity theft is the fraudulent acquisition of someone's personal information – name, Social Security number, health insurance number – for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs.

"Medical identity theft is a growing and dangerous crime that leaves its victims with little to no recourse for recovery," said Pam Dixon, the founder and executive director of World Privacy Forum. "Victims often experience financial repercussions and worse yet, they frequently discover erroneous information has been added to their personal medical files due to the thief's activities."

The Affordable Care Act has raised the stakes. One of the main concerns swirling around the disastrous rollout of federal and state health insurance exchanges last fall was whether the malfunctioning online marketplaces were compromising the confidentiality of Americans' medical information. Meanwhile, the law's emphasis on digitizing medical records, touted as a way to boost efficiency and cut costs, comes amid intensifying concerns over the security of computer networks.

Edward Snowden, the former National Security Agency contractor who has disclosed the agency's activities to the media, says the NSA has cracked the encryption used to protect the medical records of millions of Americans.

Thieves have used stolen medical information for all sorts of nefarious reasons, according to information collected by World Privacy Forum, a research group that seeks to educate consumers about privacy risks. For example:

  • A Massachusetts psychiatrist created false diagnoses of drug addiction and severe depression for people who were not his patients in order to submit medical insurance claims for psychiatric sessions that never occurred. One man discovered the false diagnoses when he applied for a job. He hadn't even been a patient.
  • An identity thief in Missouri used the information of actual people to create false driver's licenses in their names. Using one of them, she was able to enter a regional health center, obtain the health records of a woman she was impersonating, and leave with a prescription in the woman's name.
  • An Ohio woman working in a dental office gained access to protected information of Medicaid patients in order to illegally obtain prescription drugs.
  • A Pennsylvania man found that an imposter had used his identity at five different hospitals in order to receive more than $100,000 in treatment. At each spot, the imposter left behind a medical history in his victim's name.
  • A Colorado man whose Social Security number, name and address had been stolen received a bill for $44,000 for a surgery he had not undergone.

Perpetrators use different methods to obtain the information, ranging from stealing laptops to hacking into computer networks, according to Sam Imandoust of the Identity Theft Resource Center. "With a click of a few buttons, you might have access to the records of 10,000 patients. Each bit of information can be sold for $10 to $20," he said.

According to HHS, the theft of a computer or other electronic device is involved in more than half of medical-related security breaches. Twenty percent of medical identity thefts result from someone gaining unauthorized access to information or passing it on without permission. Fourteen percent of breaches can be attributed to hacking.

"We say encrypt, encrypt, encrypt," said Rachel Seeger, a spokesman for HHS's Office For Civil Rights, which is charged with investigating breaches of medical records in health plans, medical practices, hospitals and related institutions.



The records in a laptop that a fired employee lifted from the North County Hospital in Newport, Vt., last year had not been encrypted. The laptop contained the records of as many as 550 patients. Around the time that breach was uncovered, HHS cited the hospital for a second breach involving two employees gaining access to records without authorization. Those cases are ongoing.

Wendy Franklin, director of development and community relations at North County, said the hospital generally does encrypt its records. Franklin also noted that North County requires all of its employees to sign agreements not to disclose medical records and to undergo training in confidentiality laws and procedures. She also said the hospital has instituted an audit to track access to private health records. But, in the end, Franklin said, the hospital largely has to rely on the honor system.

Two federal laws govern the confidentiality of medical records: the Health Insurance Portability and Accountability Act (HIPAA), originally passed in 1996, and the Health Information Technology (HITECH) Act of 2009. Together they lay out what health care providers and affiliated businesses are required to do to protect the confidentiality of patients.

According to James Pyles, a Washington, D.C., lawyer who has dealt with health issues for more than 40 years, all 50 states have their own privacy laws and 46 of them require consumer notification when there is a security breach of private records.

HHS can impose a civil fine of between $100 and $50,000 for each failure of a business, institution or provider to meet privacy standards, up to a maximum of $1.5 million per year. A person who knowingly violates HIPAA faces a criminal fine of $50,000 and up to a year in prison. If the perpetrator tried to sell the information for "commercial advantage, personal gain or malicious harm," he or she could face a $250,000 fine and up to 10 years in prison.

The HIPAA law includes exceptions that allow a provider to share medical information without a patient's permission. A common example is when hospital business offices share information for the purpose of seeking payment. But there are also exceptions for "public health activities," "health oversight activities," "law enforcement purposes," and other purposes. No wonder, Pyles said, some patients are reluctant to disclose to a medical provider that they have a sexually transmitted disease or a mental illness unless they have to.

Under the HITECH law, a medical provider, health plan or medical institution must notify patients when a breach of their medical records is discovered. HHS must also be contacted. HHS discloses breaches involving 500 or more patients.

Discovery of the breach is useful but doesn't correct the mischief that may have happened. Although patients can have corrected information put in their files, it's difficult to get fraudulent information removed because of the fear of medical liability.

"It's almost impossible to clear up a medical record once medical identity theft has occurred," said Pyles. "If someone is getting false information into your file, theirs gets laced with yours and it's impossible to segregate what information is about you and what is about them."

Pyles describes the status quo as "the worst of two worlds." The U.S. has "a regulated industry that is saddled with laws with so many loopholes that they don't know what they are responsible for, and a public that doesn't believe their health information is being protected."

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004

No comment yet.

Medical Identity Theft: A Troubling Trend


The Ponemon Institute, a nationally recognized privacy research firm, recently released its Fourth Annual Patient Privacy and Data Security Study. For healthcare providers, it is probably not much of a new revelation that the study found more criminals are stealing patient records to commit medical identity theft. This type of crime is a lower-risk and highly profitable industry.

What is attention grabbing is that these criminal attacks on healthcare providers increased dramatically and are up 100% since 2010. According to the study, these breaches cost the industry about $5.6 billion a year.

If your medical or dental practice uses electronic medical records (EMR) and follows all the proper HIPAA Security Rule safeguards, this can help you identify possible unauthorized access or fraud. If your practice has paper charts, unauthorized access to patient records could be virtually untraceable until an identity theft case occurs. For EMR, training staff to be alert to fraud trends can help, along with a systematic way to continuously review audit logs to see who is accessing patient records.
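The systematic audit-log review mentioned above can be automated. The following is an added example (not code from the article or from any EMR vendor) that runs three checks over a constructed access log: access by a user with no documented treatment relationship to the patient, access outside business hours, and one user touching an unusually large number of distinct patient records in a day. The log format, care-team table, business hours and thresholds are all assumptions of this example.

```python
"""Review EMR access audit logs for activity that warrants a closer look.

Added example with a constructed log format; it is not the output of any
particular EMR product. Three checks are applied: access by a user with no
documented treatment or payment relationship to the patient, access outside
business hours, and one user touching an unusually large number of distinct
patient records in a day.
"""
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO
from typing import Dict, List, Set, Tuple

# Constructed sample audit log (timestamp, user, role, patient_id, action).
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action
2017-05-15T09:02:11,jdoe,nurse,P1001,view
2017-05-15T09:05:40,jdoe,nurse,P1002,view
2017-05-15T09:06:02,jdoe,nurse,P1001,update
2017-05-15T12:30:19,bsmith,billing,P1003,view
2017-05-15T14:10:07,tgreen,physician,P1002,view
2017-05-15T23:48:55,rwhite,front_desk,P1004,view
2017-05-15T23:49:10,rwhite,front_desk,P1005,view
2017-05-15T23:49:31,rwhite,front_desk,P1006,view
2017-05-15T23:49:52,rwhite,front_desk,P1007,view
2017-05-15T23:50:14,rwhite,front_desk,P1008,view
2017-05-15T23:50:39,rwhite,front_desk,P1009,view
"""

# Constructed care-team table: users with a treatment relationship per patient.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"jdoe", "tgreen"},
    "P1002": {"jdoe", "tgreen"},
    "P1003": {"tgreen"},
    "P1004": {"rwhite", "tgreen"},
}
# Billing staff access records for payment purposes, so the relationship
# check does not apply to them (assumed policy for this example).
RELATIONSHIP_EXEMPT_ROLES = {"billing"}
BUSINESS_HOURS = (7, 19)   # 07:00 to 19:00, local time of the log
BULK_THRESHOLD = 5         # distinct patients per user per day

Finding = Tuple[str, str, str]   # (rule, user, detail)


def parse_log(text: str) -> List[dict]:
    """Parse the CSV audit log and attach a datetime to each row."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def check_relationship(rows: List[dict]) -> List[Finding]:
    """Flag access to patients the user has no documented relationship with."""
    return [
        ("no_relationship", r["user"], r["patient_id"])
        for r in rows
        if r["role"] not in RELATIONSHIP_EXEMPT_ROLES
        and r["user"] not in CARE_TEAM.get(r["patient_id"], set())
    ]


def check_after_hours(rows: List[dict]) -> List[Finding]:
    """Flag access outside the configured business hours."""
    start, end = BUSINESS_HOURS
    return [
        ("after_hours", r["user"], r["timestamp"])
        for r in rows
        if not start <= r["ts"].hour < end
    ]


def check_bulk_access(rows: List[dict]) -> List[Finding]:
    """Flag users who touched BULK_THRESHOLD or more distinct patients in a day."""
    per_user_day: Dict[Tuple[str, object], Set[str]] = defaultdict(set)
    for r in rows:
        per_user_day[(r["user"], r["ts"].date())].add(r["patient_id"])
    return [
        ("bulk_access", user, f"{len(patients)} patients on {day}")
        for (user, day), patients in per_user_day.items()
        if len(patients) >= BULK_THRESHOLD
    ]


def review(text: str) -> List[Finding]:
    """Run all checks over one log and return the combined findings."""
    rows = parse_log(text)
    return check_relationship(rows) + check_after_hours(rows) + check_bulk_access(rows)


if __name__ == "__main__":
    for rule, user, detail in review(SAMPLE_LOG):
        print(f"{rule:16} {user:8} {detail}")
```

In the constructed log only the front-desk user trips the rules: five records with no care-team relationship, all six accesses near midnight, and six distinct patients in one evening. A real deployment would feed the care-team table from the EMR's encounter data and tune the hours and threshold per role; the value of the review is that each finding names a user and a record to follow up on, which is exactly what the tips that follow ask a response program to act on.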

Here are three tips to help your practice be more proactive in fighting medical identity theft:

  1. Conduct background checks on ALL staff, regardless of whether access to patient records is required for their particular positions.
  2. Set up a robust education campaign to make patients aware of medical identity theft and teach them how to report any errors discovered on their Explanation of Benefits.
  3. Implement a response program for possible medical identity theft cases. The program needs to have comprehensive but understandable written policies and procedures for immediate action for a flagged record.

As the risk will only continue to grow, the reputation and credibility of your practice in addressing patient record breaches is at stake here. Having a proactive plan in place will help your practice quickly recognize possible medical identity theft cases and initiate an immediate and required action.


5 Common HIPAA Mistakes


Now more than ever, HIPAA compliance is a must. It’s hard to believe, but HIPAA penalties can soar to several million dollars and can even include jail time! We know HIPAA can be confusing. The devil’s in the details – there are a lot of rules to follow, which means a lot of mistakes you can make! While we can’t cover them all, this list of 5 common HIPAA mistakes and ways you can prevent them is a smart place to begin.

1. Lost or Stolen Devices

In January 2012, Pennsylvania-based CardioNet reported to HHS’ Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. The outcome? A crippling 2.5 million dollar settlement.¹

Mobile devices like mobile phones and laptops or tablets are particularly vulnerable to theft and loss due to their size and – well – their ease of mobility! When covered entities and business associates don’t implement mobile device security, people’s sensitive health information is put at risk. Ignoring security can result in a serious breach, which affects each individual whose information is left unprotected.

What can you do today to safeguard your devices? Here’s what the U.S. Department of Health and Human Services recommends:

  • Use a password or other user authentication
  • Install and enable encryption
  • Install and activate remote wiping and/or remote disabling
  • Disable and do not install or use file sharing applications
  • Install and enable a firewall
  • Install and enable security software
  • Keep your security software up to date
  • Research mobile applications (apps) before downloading
  • Maintain physical control
  • Use adequate security to send or receive health information over public Wi-Fi networks

2. Hacking

Getting hacked is something we all fear, and for good reason. It seems like a new hacking technique is born every day. You’ve heard of some – phishing, viruses, ransomware – and maybe not of others – Fake WAP, Waterhole attacks. Hacking can happen to anyone, any time, any place, any… Let’s just say it’s serious business.

Check out this statistic on ransomware, specifically: a recent U.S. Government interagency report shows that, on average, there have been 4,000 daily ransomware attacks since early 2016. That’s a whopping 300% increase over the 1,000 daily ransomware attacks reported in 2015.²

What to do? Use these high-level tips as first steps:

  • Conduct a full risk assessment to discover all security vulnerabilities
  • Use strong passwords and two-factor authentication.
    • Read our “Creating and Managing Passwords” blog article for more info
  • Install all software patches promptly and ensure databases are up-to-date
  • Keep anti-virus definitions updated
  • Scan for viruses regularly
  • Check out this article for more info on ransomware: “WannaCry Ransomware Protection with HIPAA“

3. Employee Dishonesty

In 2012, the owner of a Long Island medical supply company was found guilty of $10.7 million of Medicare fraud and HIPAA violations. She was sentenced to 12 years in prison and fined $1.3 million.

Employees accessing patient information when they are not authorized is a common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for another person, unauthorized access is illegal and can cost an organization substantial amounts. Also, people who use or sell PHI for personal gain can be subject to fines and even prison time. Staff members who gossip about patients to friends or coworkers also commit a HIPAA violation that can result in a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients/clients to private places, and avoid sharing any patient information with anyone else.

Take a look at these ideas for keeping staff compliant:

  • Establish and enforce sanction policies
  • Train and retrain staff on HIPAA
  • Monitor employee compliance:
    • Check work areas for obvious violations
    • Listen for any discussion in the workplace that includes PHI

4. Improper Disposal

In 2009, CVS paid $2.25 million to settle charges that it violated HIPAA by throwing pill bottles containing patient names, addresses, medications and personal information into open dumpsters.

HIPAA requires that you protect the privacy of PHI in any form when disposing of information (45 CFR 164.530(c)). This not only includes tangible documents like x-ray films or patient charts, but also electronic media like old laptops or external drives.

The U.S. Department of Health and Human Services has defined these proper disposal methods:

  • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor who is a business associate to pick up and shred or otherwise destroy the PHI.
  • For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
  • Further, covered entities, business associates and subcontractor BAs must ensure that their workforce members receive training on and follow the disposal policies and procedures of the organization, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).⁴

5. Third-Party Disclosure

North Memorial Health Care of Minnesota paid a fine of $1.5 million to settle HIPAA violation charges in 2011 after a business associate was given access to ePHI before a signed copy of a HIPAA-compliant Business Associate Agreement (BAA) was obtained.⁵

Under HIPAA law, covered entities must have a signed BAA from any vendor that provides functions, activities or services for or on behalf of a covered entity that has access to patient ePHI. A signed copy of the BAA must be obtained before access to patient health data is provided. The BAA must outline the responsibilities the business associate has to ensure PHI is protected and is not disclosed to any unauthorized parties.

Remember, your business associates’ HIPAA shortcomings impact you! Period.

Be sure to:

  • Establish who your Business Associates are, considering their subcontractors and your own contractors. (Read our own “Preparing Contractors for HIPAA Compliance” blog)
  • Obtain a Business Associate Agreement before your BA has access to any client/ patient health data
  • Ask for verification of HIPAA compliance for each and every BA, including their subcontractors
  • Read some of the previous articles we’ve written about Business Associates for smart ways of working with them:
    • “Auditing Business Associates”
    • “Business Associates Must Take HIPAA Compliance Seriously“

WannaCry Ransomware Protection with HIPAA 


Whether it is called WannaCry, WannaCrypt, Wana Decryptor or WCry, this ransomware has spread through over 150 countries, and many are concerned for good reason. The WannaCry attack is the largest ransomware attack to date.

The attack started on Friday (5/12/17). It locks people out of their computers, encrypts their data, and demands a payment of up to $300 in bitcoin for a decryption key. The price doubles after three days, and if the ransom is not paid, all files are permanently deleted. To add insult to injury, WannaCry also behaves like a worm: the malware can infect other computers and servers on the same network.1

The ransomware was slowed last week by a single security analyst who discovered a kill switch in WannaCry’s code. Since then, WannaCry has been updated without the kill switch, allowing it to spread further. The attack has now reached over 150 countries and around 216,000 computers.2

Here at Total HIPAA, we offer resources and services to help you figure out what to do next to keep you and your organization from becoming a victim of ransomware and other types of malware attacks. The Health and Human Services Office for Civil Rights (OCR) has recently posted guidance on HIPAA specific to ransomware. OCR reaffirms that implementing HIPAA standards will provide safeguards against WannaCry and other malicious software.

Read through the sections below on the areas we suggest you cover when reevaluating your business structure. They point to blog articles we previously posted that give guidance on topics that may still be open questions for your business.

3rd Party Vendors and Contractors

Third-party vendors and contractors hired for a specific duty or for a temporary period need to be handled properly because of liability concerns. Your vendors, and at times your contractors, will be considered business associates under HIPAA.

Passwords

Passwords are the simplest and best preventive measure a user can take to help protect your organization’s network.

Ransomware and Malware Best Practices

Ransomware and malware are continuing to grow; read what you need to know about both and what you should do to prevent malicious attacks on your system.

Update Software

Microsoft Windows users were the prime targets in WannaCry’s attack. Make sure your versions are constantly updated and BitLocker 2 is enabled on your computer.

Encryption

Encryption will keep hackers and viruses from using your files against you. When your devices are encrypted, anyone who attempts to retrieve your information will receive it in an unreadable format. And since many attacks arrive through email and its attachments, an email encryption solution can be very useful (and is highly recommended!). Using the cloud can also cover you if you fall victim to ransomware, because files stored through your file sharing application can help you regain access without paying a dime to criminals.


HIPAA Compliance Will Stop Ransomware's Damage


On average, there have been 4,000 daily ransomware attacks since early 2016, an increase of 300% from the 1,000 daily ransomware attacks reported in 2015.1 Health and Human Services Office for Civil Rights (HHS OCR) has released a fact sheet, stating that implementing HIPAA standards in your organization will help defend against malicious software (malware) attacks like the WannaCry ransomware.

A summary of the eight-page Fact Sheet: Ransomware and HIPAA is provided by our Total HIPAA team. HHS OCR explains eight (8) key questions when dealing with ransomware and electronic protected health information (ePHI) safety.2

1. What is ransomware?

Ransomware is a type of malware that attempts to deny access to a user’s data, typically by encrypting the data with a key known only to the hacker until a ransom is paid. Then the ransomware directs the user to pay a ransom to the hacker in order to receive a decryption key. However, hackers may deploy ransomware that also destroys or extracts data.

2. Can HIPAA compliance help covered entities and business associates prevent infections of malware, including ransomware?

Yes. The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. The Security Rule establishes minimum requirements for the security of ePHI (45 CFR 164.308(a)(1)(i)). Entities are encouraged to implement additional and/or more stringent security measures.

3. Can HIPAA compliance help covered entities and business associates recover from infections of malware, including ransomware?

Yes. The HIPAA Security Rule requires covered entities and business associates to implement policies and procedures that can assist an entity in responding to and recovering from a ransomware attack.

Because ransomware denies access to data, maintaining frequent backups and ensuring the ability to recover data from backups is crucial to recovering from a ransomware attack. Test restorations should be periodically conducted to verify the integrity of backed up data and provide confidence in an organization’s data restoration capabilities. Because some ransomware variants have been known to remove or otherwise disrupt online backups, entities should consider maintaining backups offline and unavailable from their networks.

When responding to a ransomware attack, an entity may find it necessary to activate its contingency or business continuity plans. Once activated, an entity will be able to continue its business operations while continuing to respond to and recover from a ransomware attack.
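The "test restorations" the fact sheet calls for can be made mechanical. The following is an added example (not from the OCR fact sheet or Total HIPAA) of a hash manifest recorded at backup time and checked after a test restore; the file names, contents and the simulated damage are constructed for the demonstration, and the manifest is assumed to be stored with the offline copy so that ransomware reaching the live backup cannot also rewrite it.

```python
"""Verify a restored backup against a hash manifest taken at backup time.

Added example, not from the OCR fact sheet. It shows the "test restoration"
step as code: the manifest is built when the backup is made and kept with
the offline copy; after a test restore, every file is rehashed and compared,
so a file that ransomware encrypted in place, deleted, or added shows up
before you depend on that backup.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large imaging studies need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree with the manifest recorded at backup time."""
    present = build_manifest(root)
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif present[rel] != expected:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    # Files that were not in the backup at all, e.g. a dropped ransom note.
    report["unexpected"] = sorted(set(present) - set(manifest))
    return report


def demo() -> Dict[str, List[str]]:
    """Build a small constructed backup, damage the restored copy, and verify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "charts").mkdir()
        (root / "charts" / "P1001.json").write_text('{"patient": "P1001", "allergies": ["penicillin"]}')
        (root / "charts" / "P1002.json").write_text('{"patient": "P1002", "allergies": []}')
        (root / "schedule.csv").write_text("date,patient\n2017-05-15,P1001\n")
        manifest = build_manifest(root)          # recorded at backup time

        # Simulate what a variant that reaches the backup leaves behind:
        # one file overwritten (stand-in bytes for ciphertext), one deleted,
        # and a ransom note dropped into the tree.
        (root / "charts" / "P1001.json").write_bytes(bytes(range(64)))
        (root / "schedule.csv").unlink()
        (root / "README_DECRYPT.txt").write_text("constructed ransom note")

        return verify_restore(root, manifest)


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:10} {files}")
```

A restore that reports anything under "modified", "missing" or "unexpected" is not one to rely on, which is the point of testing before an incident rather than during one. Keeping the manifest offline with the backup media, rather than on the network it describes, is what makes the comparison trustworthy.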

4. How can covered entities or business associates detect if their computer systems are infected with ransomware?

HIPAA’s requirement that an entity’s workforce receives appropriate security training, including training for detecting and reporting instances of malware, can assist entities in preparing their staff to detect and respond to ransomware.

If an entity believes that a ransomware attack is underway, it should immediately activate its security incident response plan, which should include measures to isolate the infected computer systems in order to halt further propagation of the attack.

5. What should covered entities, or business associates or business associate subcontractors do if their computer systems are infected with ransomware?

Once ransomware is detected, the organization must initiate its security incident response and reporting procedures (45 C.F.R. 164.308(a)(6)). These procedures should assist your organization in prioritizing subsequent incident response activities and serve as a foundation for conducting further analysis of the incident and its impact.

6. Is it a HIPAA breach if ransomware infects a covered entity’s or business associate’s computer system?

Whether or not the presence of ransomware would be a breach under HIPAA is based on specific facts. A breach of the rules is defined as the acquisition, access, use, or disclosure of ePHI in a manner not permitted under HIPAA which compromises the security or privacy of ePHI (45 C.F.R. 164.402). When ePHI is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired by an unauthorized user, and is a disclosure not permitted under HIPAA.

Unless your organization can demonstrate that there is a low probability that ePHI has been compromised based on the factors set forth in the Breach Notification Rule, a breach of PHI is presumed to have occurred. The entity must then comply with the applicable breach notification provisions, in accordance with HIPAA breach notification requirements (45 C.F.R. 164.400-414).

7. How can covered entities or business associates demonstrate… that there is a low probability that the PHI has been compromised such that breach notification would not be required?

To demonstrate that there is a low probability that ePHI has been compromised because of a breach, a risk analysis considering at least the following four (4) factors must be conducted (45 C.F.R. 164.402(2)):

  1. The nature and extent of the ePHI involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the ePHI or to whom the disclosure was made;
  3. Whether the ePHI was actually acquired or viewed; and
  4. The extent to which the risk to the ePHI has been mitigated.

A thorough and accurate evaluation of the evidence acquired and analyzed as a result of security incident response activities could help entities with the risk assessment process.

8. Is it a reportable breach if the ePHI encrypted by the ransomware was already encrypted to comply with HIPAA?

If the ePHI is encrypted by the entity in a manner consistent with the Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals such that it is no longer unsecured ePHI, then the entity is not required to conduct a risk analysis to determine if there is a low probability of compromise, and breach notification is not required.3

For example, if a laptop encrypted with a full disk encryption solution in a manner consistent with HHS guidance is properly shut down and powered off and then lost or stolen, the data on the laptop would be unreadable, unusable and indecipherable to anyone other than the authenticated user. In that case an entity would not need to perform a risk assessment or provide breach notification. But if the laptop is powered on and in use by an authenticated user, who then clicks on a link to a malicious website or opens an attachment from a phishing email that infects the laptop with ransomware, there could be a breach of ePHI.


Malicious Social Engineering and HIPAA 


Spam accounts for 65% of the total volume of global internet email traffic according to Cisco’s 2017 Annual Cybersecurity Report. The Report also points out that hackers are successfully using automated attacks on your company’s networks, leaving them more time to attempt other strategies to bypass your network defenses.1

What does this mean for you and your organization? Security awareness must be a priority across the board. In this blog we outline three methods hackers use to trick your employees into revealing confidential information, possibly including Protected Health Information your organization holds.

Social engineering is a term in computer security that refers to schemes hackers use to access your computer systems. The weakest link in most systems is the user; therefore, it’s extremely important you and your employees understand how it works.

For hackers, the three top methodologies of malicious social engineering, according to Social-Engineer, Inc., are:

  1. Phishing: The practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.
  2. Vishing: The practice of eliciting information or attempting to influence action via the telephone; it may include such tools as “phone spoofing”.
  3. Impersonation: The practice of pretending to be another person with the goal of obtaining information or access to a person, company, or computer system.2

Phishing

Hackers use phishing emails to trick people into clicking links that often lead to the installation of malware or ransomware on your computer, or into giving up personal information. Criminals are looking, or phishing, for your personal information. This can be as simple as an email asking you to verify your Gmail or PayPal account.

In our blog, Social Engineering and HIPAA, we provided key ways to identify phishing emails as fraudulent:

  1. Grammar mistakes and misspellings
  2. Threatening language
  3. Fantastic job offers or promotions
  4. The link addresses don’t match the sender of the email; for example, the Google name spelled with zeros instead of the letter o
  5. Requests for money
  6. Unsolicited requests to change passwords
  7. In general, anything that sounds too good to be true usually is
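Several of the indicators in the list above can be tested mechanically before a message reaches a user. The following is an added example (not code from the Total HIPAA blog) that checks two constructed messages, a lookalike "Google" alert and a routine internal notice, for link hosts that do not match the sender's domain, brand names spelled with digits in place of letters, threatening language, credential requests and requests for money. The brand list, phrase lists and the simplified domain handling (last two labels of a hostname) are assumptions of this example.

```python
"""Score an email against the phishing indicators listed above.

Added example, not from the Total HIPAA blog. Two messages are constructed
inline: a lookalike "Google" alert and a routine internal notice. The checks
cover the indicators a filter can test mechanically: link hosts that do not
match the sender's domain, brand names spelled with digits in place of
letters, threatening language, credential requests, and requests for money.
Domain handling is simplified (last two labels), an assumption of this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse

KNOWN_BRANDS = {"google", "paypal", "microsoft", "dropbox"}
# Digits commonly substituted for letters in lookalike domains.
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})
URGENT_PHRASES = ("immediately", "suspended", "within 24 hours", "legal action", "terminated")
CREDENTIAL_PHRASES = ("reset your password", "change your password", "verify your account")
MONEY_PHRASES = ("wire transfer", "gift card", "overdue invoice", "payment required")
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

# Constructed phishing message: sender and link domains imitate Google.
PHISH = """\
From: "Google Security" <alerts@g00gle-support.com>
To: frontdesk@example-clinic.test
Subject: Your account will be suspended

Unusual sign-in detected. Verify your account immediately at
http://accounts.g00gle.com/verify or your access will be terminated.
"""

# Constructed legitimate message: internal sender, internal link, neutral wording.
LEGIT = """\
From: "IT Help Desk" <helpdesk@example-clinic.test>
To: frontdesk@example-clinic.test
Subject: Updated visitor policy

The revised visitor policy is posted at
https://intranet.example-clinic.test/policies/visitors for your reference.
"""


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_brand(host: str) -> Optional[str]:
    """Return the brand a host imitates when digits stand in for letters, else None."""
    label = registrable_domain(host).split(".")[0]
    normalized = label.translate(DIGIT_TO_LETTER)
    return normalized if normalized != label and normalized in KNOWN_BRANDS else None


def analyze(raw_message: str) -> List[str]:
    """Return human-readable phishing indicators found in the message."""
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rpartition("@")[2]) if "@" in sender else ""
    body = msg.get_payload()           # plain-text, single-part messages in this example
    findings: List[str] = []

    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if sender_domain and registrable_domain(host) != sender_domain:
            findings.append(f"link host {host} does not match sender domain {sender_domain}")
        brand = lookalike_brand(host)
        if brand:
            findings.append(f"link host {host} imitates {brand} with digits in place of letters")

    text = f"{msg.get('Subject', '')}\n{body}".lower()
    if any(p in text for p in URGENT_PHRASES):
        findings.append("threatening or urgent language")
    if any(p in text for p in CREDENTIAL_PHRASES):
        findings.append("unsolicited request to verify or change credentials")
    if any(p in text for p in MONEY_PHRASES):
        findings.append("request for money")
    return findings


if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, analyze(raw) or ["no indicators"])
```

The constructed phishing message trips four indicators and the internal notice none. Grammar mistakes and "too good to be true" offers, the remaining items on the list, are judgement calls that still belong to the trained reader; this kind of check is a supplement to staff training, not a replacement for it.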

Take care not to click on the email or any corresponding links. This simple action can open up your entire company to a whole host of issues and cause problems for your entire network.

Vishing

Vishing is similar to phishing but takes place over the telephone. It is the practice of calling an individual and eliciting information or attempting to influence action.3 Two common vishing techniques are the attacker calling a company’s customer service line or help desk, and the attacker posing as technical support.

In the first technique, the attacker calls a receptionist or customer service representative, knowing that these individuals deal with clients in a positive manner to help resolve their concerns with the organization. Due to a lack of training and the desire to give the caller a positive experience, customer service is likely to oblige any requests the caller makes during the phone call. When a caller asks for a password reset to their online account or for the credit card on file, have them verify some information only the corresponding individual would know.

In the second technique, the attacker poses as technical support and has a user click on a link that allows the hacker to take over their computer, and voila, they have access to the system. Unless the technician is new to the organization, have the same person work on your computer. If a technician is unfamiliar to you, question them and verify that they are an employee.

Impersonation

Impersonation is the practice of presenting oneself as someone else in order to obtain private information. One common attack is to impersonate a delivery person (e.g. Postal Service employee, FedEx delivery driver). Impersonating a delivery person is an effective and easy attack, since not much acting is involved. When a package is being delivered to your place of business, make sure to verify the credentials of an unfamiliar deliverer.4

How to Protect Yourself

Be sure to do a little social engineering of your own. Train your employees on how to use their workstations properly, how to recognize malicious emails, and help protect your systems. A key part of this is training your staff on HIPAA, and how they can support your efforts to keep client information safe. HIPAA security training covers these potential attacks on your system and much more.

Why Medical Websites Need to be HIPAA Compliant - Today's Business


In today’s digital world, information is more prone to hacking than ever before, which creates a serious safety issue. Most websites can be developed and hosted on the Internet without thinking much about safety. Healthcare practices and other establishments in the medical industry, however, must proceed with caution for various safety reasons. In order to protect patients’ records and maintain confidentiality, medical institutions must create websites that are HIPAA compliant.



The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that provides protection and security for patients’ medical information. The U.S. Department of Health and Human Services enforces this law and sets HIPAA rules and regulations. HIPAA has two rules that must be followed to be compliant with regulations. The first rule, known as the Privacy Rule, pertains to protecting the private health information of a patient. The second rule, known as the Security Rule, encourages data security measures. This rule is particularly important to address when information is stored electronically.


How to Make Your Website HIPAA Compliant

Patients’ confidential information is most likely at risk if medical websites are hosted with protection that provides only basic encryption. In order to avoid violating HIPAA rules, websites must attain a high level of protection. This concern only comes into play when sensitive information is being collected and a third party is involved in the transfer of data.

One of the ways to encrypt the transmission of data is by ensuring the website is secure. Secure Sockets Layer (SSL), today implemented as TLS, can be used to prevent data leaks in transit. Before entering any personal information onto a medical website, be sure to look at the URL. Websites whose address begins with https:// have an SSL certificate that encrypts communication between the web browser and the web server. This shows that the medical institution is encrypting data in transit, one of the measures HIPAA calls for.

Another way to ensure HIPAA compliance is by collecting data through forms that provide that extra layer of security and protection. A typical Content Management System (CMS) may not offer that level of security, so it is best to use a third-party form builder that is HIPAA compliant. Cognito Forms is one of the best form builders that provide SSL encryption, encryption of stored data, and a secure hosting environment.


Medical Website Design

Healthcare websites must make the safety and protection of their patients a top priority. As technology is constantly changing and becoming more accessible, it’s becoming increasingly important to have a high-level security system on your medical website.

Here at Today’s Business, we have years of experience in building websites for our clients in the healthcare industry. No matter if you are a private practice or public institution, we can help you achieve a HIPAA compliant website that looks great on desktops, tablets, and mobile devices. We can take over your Content Management System and provide your patients’ data the safety that it requires. Contact us now to find out more!


HIPAA Compliance Checklist for Medical Practices


As you know, 2016 is a big year for HIPAA compliance audits. The Office of Civil Rights (OCR), mandated to conduct random audits under the HITECH Act, gave plenty of warning that this year's random compliance audits would begin with a renewed focus on smaller practices (15 or fewer providers) and include Business Associates (BAs) in the audit protocols.

Because practices have been under HIPAA for years, it's easy to get complacent, but HIPAA fines are nothing to take lightly. Last year, OCR issued a record number of fines for violations, including $4.8 million for lack of a firewall (New York Presbyterian), $1.7 million for the theft of an unencrypted laptop (Concentra Health Services), and $800,000 for unsecured medical records (Parkview Health Systems).

Here's a checklist to help you prepare for HIPAA compliance this year. 

Technical Safeguards

  • Implement a system of access control including unique user names and PINs, plus protocols governing release of ePHI in the event of an emergency. 
  • Ensure a system is in place to authenticate all ePHI; make sure no information is altered or deleted in a way that violates HIPAA guidelines. 
  • Implement an encryption system for all information sent and received outside the organization's internal firewall. 
  • Initiate and/or carry out a system of ePHI access control audits. 
  • Make sure an automatic log-out protocol is in place for all devices used to access ePHI. 

Physical Safeguards

  • Ensure procedures are in place to record anyone with physical access to areas where ePHI is stored (managed service providers, cleaners, engineers, etc.)
  • Implement safeguards for workstations and develop protocols for which functions may be performed on workstations in unrestricted areas. 
  • Develop protocols for ePHI use on mobile devices, including guidelines for removing information from devices no longer in use. 
  • Maintain accurate inventory of all hardware and devices. 

Administrative Safeguards

  • Conduct routine risk assessments and develop a risk management policy including sanctions for employees not in compliance. 
  • Implement HIPAA awareness training, including how to identify malicious attacks/malware; be sure to maintain documentation of training sessions. 
  • Develop and test a contingency plan to govern the integrity of ePHI when/if the entity operates in emergency mode. 
  • Implement policies to restrict third-party access and develop a reporting policy to identify breaches. 
  • Develop and document protocols to issue HIPAA breach notifications to affected patients and to the DHHS in the event the breach affects more than 500 individuals. 

Omnibus Considerations

The new Omnibus rules update HIPAA compliance standards, especially with regard to Business Associate Agreements (BAAs). Under the new guidelines, covered entities must now:

  • Update BAAs to include language making all BAs aware that they are bound by the same security and privacy rules governing covered entities, which means they must implement the same technical, physical, and administrative safeguards as covered entities, and are under the same reporting regime for breaches of ePHI. 
  • Issue updated BAAs to all business associates; a signed, HIPAA compliant BAA must be on file before the entity uses the BA's services. 
  • Update privacy policies to reflect changes in disclosure pertaining to: deceased persons, Medicare, private insurers, immunization records, and the use of ePHI for marketing purposes. 
  • Issue updated Notice of Privacy Practices. 
  • Conduct staff training (with appropriate documentation) regarding the new Omnibus changes. 

It's important to keep in mind exactly what's at stake if you're not in compliance with HIPAA safeguards:

  • $100 to $50,000 fines per violation up to a maximum of $1.5 million for "did not know" violations. 
  • $1,000 to $50,000 per violation to a maximum of $1.5 million for "reasonable cause" violations.
  • $10,000 to $50,000 per violation up to $1.5 million for corrected "willful neglect" violations.
  • $50,000 per violation up to $1.5 million for uncorrected "willful neglect" violations. 

How to Stay HIPAA Compliant with Audit Logs 


The U.S. Department of Health and Human Services Office for Civil Rights released a cyber newsletter highlighting the importance of audit controls.[1] Why are audit controls so important? Logs are a critical way, and a required one, for your company to monitor activity on your network. Whether this activity comes from an employee or another source, these logs are vital to protecting the information your organization holds.

On January 18th, a former paramedic for MedStar Ambulance was indicted in a federal identity theft and fraud case involving allegations that he altered patient records as part of a scheme to steal narcotics from a local hospital, starting in January 2013 and ending in May 2015.[2] The paramedic was finally caught after someone discovered that his logs had various irregularities compared to the corresponding hospital records. This incident highlights just how important it is to maintain detailed logs and to monitor them regularly.

What HIPAA Security Rule Mandates

45 C.F.R. § 164.312(b) requires Covered Entities and Business Associates to have audit controls in place. These organizations must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information (ePHI).[1] Information systems include all electronic devices and applications used within your company’s network (e.g. smartphones, computers, email, file-sharing applications, internal servers).

In plain English, this means that your organization is required to have audit logs. Whether you are a medical or dental practice, a health insurance agency, or an employee of an organization that manages health records, you need to record and review audit logs to stay compliant with HIPAA and protect the information you maintain.

The kinds of information you should be logging include:

  1. User logins
  2. Changes to databases
  3. New user accounts being added
  4. Changes to a user's level of access
  5. Files a user has accessed
  6. Operating system logs
  7. Firewall logs
  8. Anti-malware logs

This extends beyond your electronic systems. If you are still using paper files to store information, you need to have logs of who is accessing information, and if files are removed from the file room. This may be done by having employees sign out files before they remove them from the file room.

Any physical assets that need to be repaired or are in line to be decommissioned should also be logged. This will make sure you are properly protecting or sanitizing these devices.

Many of the software systems you currently use already have the ability to keep detailed logs of activity. The key will be for your IT department to consolidate these logs so it is easy to review if there is ever a question or issue for your team to investigate.

In the event of a security incident, audit trails and logs should be reviewed as soon as possible to determine whether the information has been tampered with. Outside of cyber security incidents, audit trails can help you identify flaws in your network before things go wrong. This process will also help you make sure applications are performing as intended.

How to Maintain Compliance with HIPAA

Keeping detailed logs is the first step towards HIPAA compliance. Create detailed policies and procedures around audit handling, educate staff on changes in procedures, and keep up-to-date with regular reviews of audit logs and audit trails.

You should also be prepared to keep these logs for a minimum of 6 years as is required for HIPAA Compliance. These logs should be stored in a raw format for at least six (6) months to one (1) year. After that, you can store these logs in a compressed format.
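The consolidation, review and retention steps described above, as an added example that is not part of the original article or any product it mentions: the three log formats, the business-hours window and the review rules are assumptions made for this example, and the log lines are constructed samples.

```python
"""Consolidate audit events from several sources and run a review pass."""
import re
from datetime import datetime

# Constructed sample lines from three hypothetical sources (an EHR application
# log, a database audit log and a firewall log). The formats are assumptions
# made for this example, not any real product's output.
SAMPLE_LINES = [
    "app 2016-03-01T08:02:11 LOGIN user=jsmith result=ok src=10.0.0.12",
    "app 2016-03-01T08:05:40 FILE_ACCESS user=jsmith file=chart-4471.pdf",
    "app 2016-03-01T22:17:03 LOGIN user=rdoe result=ok src=203.0.113.9",
    "app 2016-03-01T22:18:30 USER_ADD user=rdoe new_user=tmp01",
    "app 2016-03-01T22:19:02 ROLE_CHANGE user=rdoe target=tmp01 role=admin",
    "db  2016-03-01T22:20:15 UPDATE user=tmp01 table=patient_meds rows=3",
    "fw  2016-03-01T22:20:16 DENY src=203.0.113.9 dst=10.0.0.5 port=445",
]

LINE_RE = re.compile(r"^(?P<src>\w+)\s+(?P<ts>\S+)\s+(?P<kind>\w+)\s*(?P<rest>.*)$")
BUSINESS_HOURS = range(7, 19)  # 07:00-18:59; an assumed local policy value

def parse_line(line):
    """Normalise one raw line into a dict; returns None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m["ts"])
    except ValueError:
        return None
    rec = {"source": m["src"], "kind": m["kind"], "ts": ts}
    rec.update(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
    return rec

def consolidate(lines):
    """Merge all sources into one chronologically ordered audit trail."""
    return sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])

def review(trail):
    """Return (timestamp, reason, record) findings that deserve a human look:
    account creation and access-level changes (items 3 and 4 of the list above),
    logins outside business hours, and database changes made by an account
    that was only created within this same review window."""
    findings, created_here = [], set()
    for r in trail:
        if r["kind"] in ("USER_ADD", "ROLE_CHANGE"):
            findings.append((r["ts"], "account or access-level change", r))
            if "new_user" in r:
                created_here.add(r["new_user"])
        if r["kind"] == "LOGIN" and r["ts"].hour not in BUSINESS_HOURS:
            findings.append((r["ts"], "login outside business hours", r))
        if r["kind"] == "UPDATE" and r.get("user") in created_here:
            findings.append((r["ts"], "record change by newly created account", r))
    return findings

def retention_state(record_date, today, raw_days=180, keep_years=6):
    """Apply the retention rule above to one record (ISO dates): keep the raw
    form for at least six months, then compressed, for six years in total."""
    age = (datetime.fromisoformat(today) - datetime.fromisoformat(record_date)).days
    if age > keep_years * 365:
        return "eligible for disposal"
    return "compressed" if age > raw_days else "raw"

if __name__ == "__main__":
    for ts, reason, rec in review(consolidate(SAMPLE_LINES)):
        print(ts.isoformat(), reason, rec["source"], rec["kind"])
```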


What is HIPAA Compliance?


HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

This includes covered entities (CEs), anyone who provides treatment, payment and operations in healthcare, and business associates (BAs), anyone who has access to patient information and provides support in treatment, payment or operations. Subcontractors, or business associates of business associates, must also be in compliance.


The HIPAA Privacy Rule addresses the saving, accessing and sharing of medical and personal information of any individual, while the HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically, also known as electronic protected health information (ePHI).

If you are hosting your data with a HIPAA compliant hosting provider, they must have certain administrative, physical and technical safeguards in place, according to the U.S. Department of Health and Human Services. The physical and technical safeguards are most relevant to services provided by your HIPAA compliant host as listed below, with detail on what constitutes a HIPAA compliant data center.

  • Physical safeguards include limited facility access and control, with authorized access in place. All covered entities, or companies that must be HIPAA compliant, must have policies about use and access to workstations and electronic media. This includes transferring, removing, disposing and re-using electronic media and electronic protected health information (ePHI).
  • Technical safeguards require access control so that only authorized users can access electronic protected health data. Access control includes using unique user IDs, an emergency access procedure, automatic log-off, and encryption and decryption.
  • Audit reports, or tracking logs, must be implemented to keep records of activity on hardware and software. This is especially useful to pinpoint the source or cause of any security violations.
  • Technical policies should also cover integrity controls, or measures put in place to confirm that ePHI hasn’t been altered or destroyed. IT disaster recovery and offsite backup are key to ensure that any electronic media errors or failures can be quickly remedied and patient health information can be recovered accurately and intact.
  • Network, or transmission, security is the last technical safeguard required of HIPAA compliant hosts to protect against unauthorized public access of ePHI. This concerns all methods of transmitting data, whether it be email, Internet, or even over a private network, such as a private cloud.

A supplemental act was passed in 2009 called The Health Information Technology for Economic and Clinical Health (HITECH) Act, which supports the enforcement of HIPAA requirements by raising the penalties for health organizations that violate the HIPAA Privacy and Security Rules. The HITECH Act was formed in response to health technology development and the increased use, storage and transmittal of electronic health information.


4 Steps to Assess a Possible HIPAA Data Breach


The HIPAA Omnibus Rules dramatically elevated your risk of data breaches. From lowering the breach standard to requiring documentation on why you think that you didn’t commit a breach, your practice needs to diligently work to avoid problems and properly handle a breach. An event that compromises the security or privacy of Protected Health Information (PHI) is considered an impermissible use or disclosure of PHI. Impermissible use or disclosure is a breach unless you can show that there was a low probability that the PHI was compromised. This is not an academic discussion since you are required to properly notify patients and the Department of Health and Human Services (HHS) about breaches, and you are subject to fines for breaches. For example, mailing patient information to the wrong party, and unauthorized access to your electronically stored patient records are breaches unless you can show that there is low probability that PHI was compromised.

There are three exceptions to the breach trigger: unintentional acquisition, access, or use of PHI while employees are performing their jobs, inadvertent disclosure to someone authorized to access PHI, and situations where you have a good faith belief that the recipient will not be able to retain the information. For example, a fleeting view of some PHI on a computer screen may not be considered a relevant incident. Using a “good faith evaluation” and “reasonable conclusion”, you evaluate the incident based on four factors:

  1. PHI Nature and Extent: The sensitivity of the information and ability to identify the patient as well as presentation options are factors in determining the probability. Deidentifying PHI is not easy or straightforward. In addition to name and phone numbers, a picture of a face or a free form text note about the patient could easily lead to identifying the patient. For example, a list of dated deidentified lab results with a separate list of patient appointments for the day of the lab would not present a low probability of compromise. On the other hand, loss of electronically stored diagnostic data that requires special software from the device manufacturer may present a low probability of compromise. This answer would be different if the lost information was PHI contained in an unsecured PDF file.
  2. Unauthorized Person Received or Used PHI: The status of the recipient of the PHI may offer a reasonable way to avoid a breach. For example, sending the patient report to the wrong doctor may lead to a low probability of compromise since the receiving doctor has been properly trained in HIPAA Privacy and Security.
  3. Actual Acquisition or Viewing of PHI: If your organization quickly uncovered the incident, you may be able to prevent the viewing or even possession of the PHI. For example, contacting the receiving party and recovering the information before the other people open the information may present a low probability of compromise. Similarly, if an envelope with PHI was lost, but upon recovery, you determine that the envelope was never opened, you may have a low probability of disclosure or use.
  4. Mitigation Factors: In the final step of your evaluation, you can determine if there were mitigating issues that lead you to a good faith and reasonable conclusion that the information was not disclosed. For example, a thumb drive containing PHI on a patient lost in a healthcare facility but recovered in a nonpublic area may present a mitigating factor.

If you determine that the probability of compromised PHI is low, you do not have a problem. Otherwise, you have a breach and have to respond according to the breach notification requirements. If you have encountered a breach, within 60 days of discovery of the breach, you have to:

  • Contact the Patients: You have to mail a letter to the last known address of the affected patients. If you cannot contact more than 10 patients, a notice on your website or in public media with an 800 number should be publicly presented for 90 days.
  • Inform HHS: You have to maintain a log of breaches to send to HHS annually. If a breach involves over 500 patients, you have to directly contact the Office of Civil Rights.

With the lower “bar” for a breach and the documentation standards, your practice needs to maintain appropriate procedures, train employees, and enforce your policies to minimize the risk of impermissible uses and disclosures. In order to monitor evolving issues and avoid future problems, review each data breach to determine whether changes to policies and procedures need to be made, as well as remedial training to avoid future breaches.

On a periodic basis review the impermissible use and disclosures for trends and issues that may require adjustments to your HIPAA compliance strategy. Indeed, continuing incidents that are not breaches could indicate a serious weakness that could lead to a breach. For example, continuing loss and recovery of EHR backups could indicate the need to change the backup procedures or strategy. Breaches can cost you money and undermine the confidence of your patients in the confidentiality of their PHI. With the lower breach trigger and the documentation requirement for your analysis to determine if a breach has occurred, you need to work to avoid breaches as well as impermissible uses and disclosures.      
