HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Six Tips for a Small Business to Avoid HIPAA Security Breach Headaches


Michael and I spoke with Alison about the recent OCR pronouncements, and she pulled several of our comments together to create a list of tips for an SMB to consider to minimise HIPAA security breach headaches. The following 6 tips are excerpted from the full article:


  1. Hire a credible consultant to help you approach the issue, and how you would respond in the event of a breach. [In other words, perform your own security risk assessment, or, if impractical, hire an expert to perform one.]
  2. Document that you have policies and procedures in place to fight cyber crime. “If you didn’t document it, it didn’t happen,” Kline said.
  3. Stay informed of cyber security news in your industry, or join an association. Be aware of what other companies in your space are doing to protect themselves.
  4. Update your security settings on a regular basis, perhaps every time you add new employees or change systems, or on an annual basis.
  5. Present annually to your company board on where the company is in terms of cyber security protection, and where it needs to be to remain as safe as possible in the future.
  6. If you’re an IT consultant working with a healthcare organisation, be clear with your client what you need to access and when, Litten said. “A client that has protected health information in its software should carefully delineate who has access to that software,” she added.


The article also quotes Ebba Blitz, CEO of Alertsec, who offers an equally important tip for the SMB dealing with employees’ use of mobile devices that contain or are used to transmit PHI:


“You need a good plan for mitigating BYOD,” Blitz said. She further recommends asking employees to document their devices, so businesses can keep track of them and install security tools.


In summary, confronting the ever-growing and evolving cyber security challenges facing SMBs depends on serious planning, the development and implementation of current policies and procedures, documentation of the cyber security measures taken, and entity-wide commitment to the effort.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


Medical Practice Policies for HIPAA Compliance


The Medical Economics article published 4/24/2014, “Be Proactive to avoid HIPAA violations,” summarises HIPAA and how best to develop procedures to avoid violations. The recommended policies and procedures listed below are the foundation on which HIPAA compliance is built, so medical practices should update and implement them to maintain compliance.

  • Privacy Policies
  • Security Policies
  • Incident/Breach Report/Log
  • Procedure for making records available to patients
  • Incident Response Plan
  • Complete Risk Assessment
  • Train Employees


The article details the steps that should be followed for each of these policies and procedures. After policies are updated, the practice must also complete a Notice of Privacy Practices (NPP) that clarifies the law and the practice’s obligations to the patient including the following:

  • How Patient Health Information (PHI) can be used or disclosed
  • Patient’s rights
  • Practice’s Legal obligations
  • Practice contact that can provide additional information

In addition to the practice’s obligations to secure PHI, any business associate also shares liability for a breach. It is therefore important to draft and implement a Business Associate Agreement that clarifies these responsibilities and requires the business associate to abide by the agreement as a condition of doing business with the practice (click on link for the Office for Civil Rights’ (OCR) sample business associate


$1.55 million settlement underscores the importance of executing HIPAA business associate agreements


North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to institute an organisation-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.


“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organisations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.


OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure -- including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.


In addition to the $1,550,000 payment, North Memorial is required to develop an organisation-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.



What exactly is HIPAA compliance?

In general, the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. To date, the implementation of HIPAA standards has increased the use of electronic data interchange. Provisions under the Affordable Care Act of 2010 will further these increases and include requirements to adopt:
  • operating rules for each of the HIPAA covered transactions
  • a unique, standard Health Plan Identifier (HPID)
  • a standard and operating rules for electronic funds transfer (EFT) and electronic remittance advice (RA) and claims attachments.
In addition, health plans will be required to certify their compliance. The Act provides for substantial penalties for failures to certify or comply with the new standards and operating rules.

Are you HIPAA compliant? Would you know if you were not HIPAA compliant? Below are a few tips to become HIPAA compliant.


How to be HIPAA Compliant

  • Check all your electronic safeguards, including network encryption, anti-virus software and email encryption. This is likely the most important part of HIPAA compliance, because attackers seek out weak or unprotected networks. Have a security risk analysis performed yearly on your network.
  • Ask patients to sign forms specifying who is and is not allowed access to their records beyond the standard of doctors and insurance companies. This could include family members, employers or friends whom they trust to view their information.
  • Verify authorisation and identity before releasing information to any person or company. Ask security questions or for personal information such as social security number and date of birth to help confirm you are speaking to the correct person; bear in mind that these identifiers are not secret and are frequently exposed in other breaches, so treat them as one check rather than as proof. If a form is emailed or faxed authorising the release of records, check the signature on the form against the patient’s signature on file to ensure they match.
  • Check what type of information the person or company is authorised to receive. Health insurance companies are usually authorised to receive all of the information, while a patient may only want a family member to have access to certain parts of his medical information.

HIPAA Compliance for Direct Care Providers


The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is an exceptionally important healthcare law that Direct Care providers need to be aware of. In this article, we’ll walk you through the nuts and bolts of the law, how to be compliant with HIPAA, how to evaluate tech companies to partner with, and just why Direct Primary Care providers should be particularly vigilant about its enforcement.



HIPAA, as a federal law, was designed to “allow portability of protected health information for billing purposes, so that we could engage in proper billing around the country,” explains one legal expert. “Plans and providers couldn't deal with fifty states having fifty different laws protecting privacy applicable to healthcare billing that just would not be workable.” In connection with enabling billing data portability, HIPAA also created certain privacy protocols and procedures that all “covered entities” (and now “business associates”) must follow.


The Privacy Rule

The Privacy Rule, as its name suggests, requires that covered entities (generally: plans and healthcare providers) holding electronic protected health information keep that health information private. Since a direct primary care practice is a covered entity, it has the same duty that all medical practices have: to maintain the privacy of patient health information. Because direct primary care practices are typically even more connected with patients, engaged in more frequent communication (electronic or otherwise), these practices must pay close attention to HIPAA.

“I think everyone acknowledges that, whether it's a photocopier that's not only copying, but storing data images, or an EMR, or some other device, literally all medical practices have electronic personalised health data. And once you have that electronic data, the Privacy Rule protects everything--including paper files.” One legal expert says they have seen some physicians get confused, thinking that it doesn’t matter how they organise their files in their office or whether they talk about patient information within earshot of someone else. “But that’s not accurate,” he says. “Once there is electronic protected health information, then there's an obligation to maintain as private everything--file boxes, verbal communications, and data too.”

So is it enough to try to maintain privacy? No, you need an internal privacy plan that is documented.


The Security Rule

HIPAA requires that all covered entities make commercially reasonable efforts to consider various options, document that assessment in an internal memo or report called a “risk assessment,” and then implement a protocol or program for protecting patient privacy in the practice. HIPAA's Security Rule is intended to be flexible; what is commercially reasonable for a small practice can differ from what is reasonable for a large medical provider. The Security Rule compliance requirements of a large hospital will be different from the security protocol requirements of a solo physician practice. There is no single hard and fast security compliance process or approach, other than the requirement to reasonably consider different options and then implement a reasonable approach. One legal expert explains: “Whether you're a large hospital chain or a small medical practice, you need to document your Security Rule compliance in what's called a risk assessment memo.”

The risk assessment memo lays out a number of scenarios and protection actions for the security of patient information. These may include, but are not limited to, how the provider protects mobile devices, what authentication measures are used, what kind of encryption e-mail has, how portable storage devices will be protected (offsite, under lock and key, etc.), who has access to files, and how and where patient files are stored. The risk assessment serves as evidence of a covered entity’s consideration of different privacy protection measures while also documenting the solutions implemented.


The Accounting Rule

Under the Accounting Rule, adopted as part of HITECH (the 2009 federal statute that amended HIPAA), a patient who pays cash for certain medical services may request to have the data related to those privately paid services segregated from plan-reimbursed data and not provided to plans. This rule reflects the original goal of HIPAA: increasing the portability of “plan” billing information. “When plans are handling billing, they need necessary patient data. However, when a patient is paying cash for certain services, HIPAA (as amended by HITECH) allows patients paying privately for services to segregate the health data from those services, because there's no reason for the plans to receive that information if it has no connection to plan reimbursement.”

The rule makes most sense in context. For example, if a psychiatric patient has a condition that they would like to pay their provider in cash for, that patient may be sensitive to the inclusion of that data in their general health care records shared with health plans, especially if their employer is reimbursing their health care.

For DPC practices engaged in ordinary primary care, the way cash or private fees are allocated does not typically generate much patient interest in segregation. Of course, there will always be patients who are very interested in privacy, and they may ask for their data to be segregated. DPC practice EMR/EHR records platforms, and internal medical files, should be able to accommodate that request.

“DPC practices need to be mindful that their patients do have the right to request a segregation of their data,” one legal expert explains. “Providers need to ensure that their health care data platforms or systems have the ability to segregate that data, so it’s essential for them to ask their EMR or their EHR whether they can comply with the accounting rule when their patients pay cash or privately for certain amenities.”


How to Become HIPAA Compliant

There are several ways to become HIPAA compliant. Going it alone is a bad idea, says Chas Ballew, an attorney and co-founder of the healthcare developer startup Aptible. Hiring an expert like a consultant or attorney saves providers a massive headache and, in most cases, minimises the likelihood of fines. Alternatively, Ballew suggests using service providers or business associates to provide services to the provider, like handling protected health information (PHI) on their behalf.

The benefits are obvious. Instead of manually writing down patient health information, keeping it in a filing cabinet, and buying locks for storage and badges for the physical environment, a provider can seek out third party software to handle security for them. “If they sign a business associate agreement (“BAA”), they can use that service and their third party access controls. Providers can use their security and keep PHI out of their own physical office, which makes it much easier for providers to prove that you don't really have a whole lot of information for anybody to be worried about,” explains Ballew.

On a smaller scale, being HIPAA compliant requires that practices give a notice of privacy practices to their patients. Obviously, the provider needs to make sure that the notice of privacy practices includes everything mandated by the Privacy Rule. “You've got to make sure that you and your entire office only uses personalised health information (“PHI”) for permissible purposes,” says Ballew. These permissible purposes include treatment, operations, and payment.

Unfortunately, Ballew explains, there's no super simple formula like "Do these three things and you're HIPAA compliant." To his mind, the best way to become HIPAA compliant is to partner with somebody “who's done it before and understands all the moving parts. Partnering with a compliance expert and then also partnering with software companies and other technology companies can shoulder some of the burden.”


How to Evaluate Tech Companies

If you’re a provider that is going to partner with a technology company, then Ballew recommends making them sign a BAA to ensure that they can handle patient and protected health information. “The BAA imposes contractual liability between the covered entity and the provider, or the covered entity and their business associate,” explains Ballew. “It checks a bunch of the regulatory boxes.” A BAA is the bare minimum that a provider needs to be compliant. The BAA itself serves as evidence that the covered entity has obtained satisfactory assurances that the business associate is meeting its obligations under HIPAA. Providers are not required to audit a business associate themselves; as far as the government is concerned, they are allowed to rely on the BAA and are not obligated to look further than that.

For Ballew, though, a BAA isn’t enough of an evaluation of a tech company’s worth. It’s also important to ask a tech company who else they do business with. “You want to see if they've been evaluated by all of the larger entities,” Ballew says. Have they passed a security assessment? Or have they gone through security reviews with larger customers?

“You'd like to see some sort of reassurance of that, because as a provider, you're not really equipped to evaluate their security practices. You're good at practising medicine,” Ballew says. After all, providers seek vendors to free up their time so they can focus on what they do best.

To get more information, a provider can ask for a risk assessment, though this may require the provider to sign a nondisclosure agreement. Similarly, they can ask for a copy of a security assessment. “You can ask for a copy of their security plan or their security policies and procedures,” Ballew suggests. “That's how you would evaluate them from a compliance perspective.” Ballew also recommends requesting and reviewing customer reviews to see if other DPC providers have been satisfied with their services.

One legal expert has observed that some companies receive PHI but are unaware that, under the HIPAA Final Rule (also called the “Omnibus Rule”), business associates are now essentially like a “covered entity”: they must comply with the Privacy Rule and the Security Rule like a covered entity and are subject to regulatory action if they breach their obligations. One legal expert notes: “Companies that receive PHI but refuse to sign a BAA or acknowledge their HIPAA obligations are raising a red flag--be very careful and think about steering clear of companies that are not serious about accepting their PHI obligations.”

Graham Melcher, Chief Security Officer at Hint Health talks about the level of commitment required to maintain HIPAA compliance like this: "For a technology partner, being HIPAA compliant requires a significant investment in time and resources, and becoming HIPAA compliant can be a difficult and expensive transition. That's why we invested in our HIPAA compliance very early on. It's more than just encrypting your database, it's a culture and mindset around the security and privacy of PHI that reaches across an organisation."


Why is HIPAA Compliance Challenging for DPC Practitioners

By its nature, direct primary care eliminates obstacles between the patient and the provider, and as a result providers are much more likely to engage in electronic communication like text messages and e-mail. “They're much more likely to implement electronic scheduling, and they're much more likely to be communicating electronically after hours, which sometimes can involve mobile devices, like iPad,” explains one legal expert. Direct primary care practices need to examine HIPAA requirements very carefully, because they, more than a standard practice or a plan-reimbursed practice, are going to be engaging in electronic communication.

If you need further motivation, consider that HIPAA compliance is in the interests of national security. “If you believe in a strong security apparatus for the United States, then you should believe in HIPAA. Why is that? Our enemies are hacking and penetrating our data systems, in part to defraud our country by false or fraudulent Medicare billing.”

While direct primary care providers may want to be free of regulations, one legal expert sees HIPAA as one that should be followed. In fact, he doesn’t want people to think of it as overreaching federal interference. “Think of it as our country coming together to better protect data and our national interests. I think if we could shift the paradigm or reframe HIPAA compliance from an unreasonable intervention into a, ‘Hey, this is good for all of us. This is protecting our country,’ then I think that we could achieve a higher degree of compliance.”


Cyber security and HIPAA Compliance


The recent cyber-attack on MedStar Health, a major health system in the greater Washington, DC area, shows that significant vulnerabilities still exist in managing and securing protected health information. MedStar is not alone: at least five other hospitals in California and Tennessee have been hacked in the last month, not to mention many smaller organisations.


If a hospital system can be put into a virtual shutdown, how vulnerable are the millions of small to mid-size physician practices? The fear that your organisation will be compromised is a reality that needs to be faced. Most experts agree it is not if, but when.


Having the proper safeguards in place to prevent breaches is a critical HIPAA requirement. These requirements include developing and maintaining contingency plans. Policies and procedures must be in place to address areas like data backup, disaster recovery, system criticality analysis and emergency mode operations.


The government can impose civil penalties of up to $1.5 million per calendar year for violations of an identical provision if a breach occurs and the investigation reveals lax security measures were in place. Most reported HIPAA investigations have revealed organisations were not following some of the basic requirements, like conducting risk assessments.


At Colington, our HIPAA compliance experts understand what physician practices must have in place in order to demonstrate compliance requirements and mitigate risk. We specialise in assisting practices and organisations that may not have the current internal resources to perform these critical and required HIPAA functions.


Colington Consulting offers a full range of compliance and consulting services including required Security Awareness Training. Our affordable and scalable pricing packages are customised for your office or organisation.


Why is HIPAA compliance important?


The process of becoming HIPAA compliant seems costly and confusing, so as a result, numerous health organisations avoid the process. However, the cost of doing nothing is great.

Failure to comply can result in:

  • Thousands — even hundreds of thousands — of dollars in breach fines
  • Damage to reputation which leads to a loss of future and existing patients

To illustrate, the cost of a data breach is estimated at around $240 per exposed record, so a breach of 1,000 of your records would cost on the order of $240,000 in fines and breach-related costs.


What do I need to know?

You need to fulfil the HIPAA Security Rule Requirements:

  • Perform a Risk Assessment
  • Develop Policies and Procedures
  • Train Employees (including periodic reminders)
  • Have an Incident Response Plan
  • Maintain Business Associate Agreements


How does Triton Technologies come into play?

Obviously, we care a lot about our clients and don’t want to see them get fined. The other reason we are so dedicated to ensuring you are HIPAA compliant is that compliance is so intertwined with IT. In fact, IT plays such a dominant role that we feel compelled to help you become compliant.

There are so many reasons a company is at risk for breaches based on common IT weaknesses such as:

  • Lack of anti-virus on all endpoints and servers
  • Lack of security patching of servers and desktops
  • Lack of encryption (email, laptop, mobile devices, USB drives, offsite data backup)
  • Lack of an implemented and tested disaster recovery plan


How can I become compliant with the least disruption?

We want to make this process as painless as possible for our clients. So we partner with a service called HIPAA Secure Now!

This service provides everything you need to reach and maintain compliance and even does most of the heavy lifting. The service:

  • Performs the initial risk assessment (continued annually)
  • Creates your policies and procedures
  • Continuously trains your employees
  • Responds to security breaches
  • Provides a book of evidence if audited
  • Protects you from financial fines

It only requires you to provide:

  • Where the patient data is
  • How patient data is protected
  • 2-4 hours of your time (which can be broken out in 1 hour sessions)

Your Rights Under HIPAA


Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.


HIPAA Right of Access Videos

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create Your Health Information, Your Rights!, a series of three short educational videos (in English, with optional Spanish captions) to help you understand your right under HIPAA to access and receive a copy of your health information.

  • Individual’s Right under HIPAA to Access their Health Information
  • HIPAA Access Associated Fees and Timing
  • HIPAA Access and Third Parties


HIPAA Right of Access Info-graphic

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create this one-page fact sheet, with illustrations, that provides an overall summary of your rights under HIPAA:

  • Your Health Information, Your Rights!


HIPAA General Fact Sheets

  • Your Health Information Privacy Rights
  • Privacy, Security, and Electronic Health Records
  • Understanding the HIPAA Notice
  • Sharing Health Information with Family Members and Friends


Who Must Follow These Laws

We call the entities that must follow the HIPAA regulations "covered entities."

Covered entities include:

  • Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

In addition, business associates of covered entities must follow parts of the HIPAA regulations.

Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:

  • Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
  • Companies that help administer health plans
  • People like outside lawyers, accountants, and IT specialists
  • Companies that store or destroy medical records

Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.


Who Is Not Required to Follow These Laws

Many organisations that have health information about you do not have to follow these laws.

Examples of organisations that do not have to follow the Privacy and Security Rules include:

  • Life insurers
  • Employers
  • Workers compensation carriers
  • Most schools and school districts
  • Many state agencies like child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices


What Information Is Protected 

  • Information your doctors, nurses, and other health care providers put in your medical record
  • Conversations your doctor has about your care or treatment with nurses and others
  • Information about you in your health insurer’s computer system
  • Billing information about you at your clinic
  • Most other health information about you held by those who must follow these laws


How This Information Is Protected

  • Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
  • Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
  • Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
  • Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.


What Rights Does the Privacy Rule Give Me over My Health Information?

Health insurers and providers who are covered entities must comply with your right to: 

  • Ask to see and get a copy of your health records
  • Have corrections added to your health information
  • Receive a notice that tells you how your health information may be used and shared
  • Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
  • Get a report on when and why your health information was shared for certain purposes
  • If you believe your rights are being denied or your health information isn’t being protected, you can
    • File a complaint with your provider or health insurer
    • File a complaint with HHS

You should get to know these important rights, which help you protect your health information.

You can ask your provider or health insurer questions about your rights.

Learn more about your health information privacy rights.


Who Can Look at and Receive Your Health Information

The Privacy Rule sets rules and limits on who can look at and receive your health information.

To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:

  • For your treatment and care coordination
  • To pay doctors and hospitals for your health care and to help run their businesses
  • With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
  • To make sure doctors give good care and nursing homes are clean and safe
  • To protect the public's health, such as by reporting when the flu is in your area
  • To make required reports to the police, such as reporting gunshot wounds


Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorisation, your provider generally cannot:

  • Give your information to your employer
  • Use or share your information for marketing or advertising purposes or sell your information
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


Are Small Practices still struggling with HIPAA Compliance Ahead of New Audits?


ATLANTA, March 1, 2016. NueMD announced the results of its 2016 industry survey measuring progress towards compliance with the Health Insurance Portability and Accountability Act (HIPAA) among small medical practices. Conducted in February 2016, the survey of over 900 healthcare professionals revealed an increase in general awareness, but active steps toward compliance are still lagging.

"With audits finally seeing the light of day, we wanted to gauge how quickly the industry is adapting to new regulations and offer resources to anyone who may be falling behind," said Caleb Clarke, sales and marketing director at NueMD. "Our hope is that surveys like these will draw attention to areas needing the most improvement."

Key findings include:

  • 60% of respondents are still unaware of pending HIPAA audits
  • 70% of respondents have created a compliance plan, compared to 61% in 2014
  • 30% of respondents have yet to create a plan
  • 54% of respondents have not appointed Security or Privacy Officers

In response to the results, NueMD is partnering with Total HIPAA Compliance and Atlanta-based healthcare attorney Daniel Brown, Esq. to host a series of free webinars designed to educate small medical practices and billing companies on various areas of compliance. 

"Becoming compliant not only helps protect patients, but the financial well-being of a practice," said Jason Karn, chief compliance officer at Total HIPAA Compliance. "It's really important that the industry remains educated and we're excited to be a part of that."


About Total HIPAA Compliance
Total HIPAA Compliance offers online HIPAA compliance and training for five separate covered industries – medical, dental, health insurance agents/brokers, employer health plans, and Business Associates with access to ePHI.


How to Keep Your Practice’s Communication HIPAA-Compliant


HIPAA compliance is a top concern for medical practices, and for good reason–violations can result in serious consequences, including large fines and potentially even jail time. To make things more complicated, the laws themselves tend to be rather vague on what actions practices need to take to become HIPAA-compliant.


Medical practices need to protect private patient data, but they also need to be able to go about the daily business of running a practice as efficiently as possible. Technology can certainly make day-to-day operations more efficient, but new technologies also bring about new concerns with HIPAA compliance. Many practices are hesitant to adopt new technology for that very reason.

When practices do decide that they want to use technology to communicate with patients and other practices, it can be difficult to figure out where to begin because HIPAA laws can be quite vague. Practices don’t want to slip up and have to pay the price (often, quite literally) for a violation.

So, what can you do to keep your practice’s communications on the right side of HIPAA guidelines? We highly recommend working with an expert on HIPAA laws to make sure your communication is always compliant. If you’d like to learn more about what HIPAA-compliant communication entails throughout your practice, including marketing efforts, emails, appointment reminders, patient portals, and communication with other practices, we have put together this list of helpful resources to help you stay up to date on the latest recommended best practices for HIPAA-compliant communication.



Digital marketing is critical for medical practices, as more and more patients turn to online sources to learn more about medical conditions, possible treatment options, and where to get treatment. Practices often have a website, and many also use email marketing and social media to reach out to patients. These resources will help you stay HIPAA-compliant in each of those areas of marketing.


Emailing Patients

Patients who are always on-the-go may prefer to communicate with you via email. If patients request email communication, you must make that option available to them, but you still need to take the proper precautions to protect your patients and your practice from HIPAA violations.


Appointment Reminders

Even appointment reminders can be considered private health information if done improperly. You may wish to use technology to automate this routine process and free up your employees’ time for other tasks, but you need to make sure that you aren’t inadvertently giving away private patient information in the process.


Patient Portals

Practices are required to implement and use a patient portal to meet Meaningful Use requirements. However, patient portals are still subject to HIPAA laws and may in fact pose the greatest security risk of all practice communications because of the amount of information they contain. Always do your research before choosing a vendor for your patient portal to make sure they will keep you covered.


Communicating with Other Practices

It’s important for your practice to be able to communicate with your patients’ other healthcare providers in order to provide the most comprehensive care possible. However, it can be quite challenging to communicate with other practices in a manner that is both efficient and HIPAA-compliant. These resources include suggestions on improving your communication strategies while protecting private information.


The Dangers of Sharing Patient Information via Text/IM

As a healthcare provider, your days are usually very busy, and it’s likely that the doctors you need to communicate with are equally as busy. When you need to share information, whether it’s a quick update on a patient or a request for a consult, it can be tempting to just send a quick text or instant message. If texting/instant messaging is your preferred form of communication with other doctors, you need to approach with caution.


HIPAA Data Encryption Best Practices for Medical Practice Compliance


Is data encryption something that your medical practice should consider—especially with regard to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)? The short answer to this question is yes; in order to keep personal health information (PHI) confidential and to ensure full legal compliance, data encryption is something that should absolutely be on your IT radar. 

That’s not to say that encryption is the only approach, nor that compliance with HIPAA needs to be entirely technical. Some common-sense policies like using strong passwords, remote data backups and securing all portable and mobile devices can help. Still, for most practices, a discussion about encryption needs to happen sooner rather than later. 


What HIPAA Requires of You 

The slightly longer answer will involve a closer look at what the HIPAA legislation actually says: “A covered entity must… implement a mechanism to encrypt and decrypt electronic protected health information.” 

This essentially leaves medical practices with two options. One is to encrypt their data—simple as that. The other is to implement an equivalent solution to comply with this regulatory requirement. 

This may sound like a fairly narrow set of parameters, but in truth the law is fairly open-ended: “Encryption,” you will notice, is not defined very specifically. The reason it is left open to interpretation is simple: covered entities come in different types and sizes, and thus their electronic recordkeeping processes and their network usage can differ significantly.


Encryption is the Best Solution

To put it another way: HIPAA requires that you take some action to keep patient information confidential and secure. That action can be encryption or it can be something comparable. HIPAA dictates policies and procedures, but not actual technologies; thus, covered entities do have some flexibility in how they meet these regulatory standards.

Of the options available, though, most practices will surely opt for encryption. This is not without reason. Though HIPAA allows for various technological implementations, encryption technology is virtually the unanimous choice among IT professionals as the best and most cost-effective way to fulfill the letter of HIPAA laws. 


The Best Standards for Data Encryption

As you map out an encryption strategy with your IT team, consider some basic parameters and best practices: 

  • Portable devices and thumb drives are not good storage vessels for patient data; a secure offsite location, such as a HIPAA-compliant data centre, is better.
  • Remember that data stored on mobile devices—including phones, tablets, CDs, or USBs—must be encrypted to avoid a breach in HIPAA compliance.
  • Note that even “backup” or “at rest” data sources can be accessed from remote locations—or from within their physical facility—and as such, they, too, should be encrypted.
  • Finally, note that compliance with HIPAA also encompasses the destruction of media that contain PHI. Specifically, such media must be destroyed in a way that they cannot be reconstructed—and that’s true of paper, film, and electronic media alike.


Striving for Compliance

The best guideline to remember: to ensure HIPAA compliance—and to offer adequate promise of privacy to your patients—it is imperative to render PHI unusable and unreadable by all unauthorised personnel. This requires a proactive mindset and a bent toward caution, which are not necessarily easy to achieve. The rewards are ample, however: not just an assurance of compliance, but that you’re doing right by your patients.


HIPAA and Compliance are now more important than ever ..


For many years, the federal government encouraged healthcare organizations to implement voluntary HIPAA and compliance plans. The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued guidance to several types of healthcare providers, including:

  • hospitals
  • clinical laboratories
  • home health agencies
  • DME suppliers
  • third party billing companies
  • hospices
  • Medicare Advantage plans
  • nursing homes
  • physicians


Now, with the passage of the Patient Protection and Affordable Care Act (PPACA) in 2010, there is a new urgency for health care organizations to develop and implement HIPAA and general regulatory compliance program policies and procedures. PPACA will require health care providers applying to enroll as Medicare providers to have a full compliance program in place.


Beyond this requirement are the on-going efforts of federal and state governments to decrease the fraud and abuse that plagues government-sponsored healthcare programs.  An effective overall healthcare compliance program, one that includes HIPAA compliance as well, can help an organization spot errors in its processes, and prevent small problems before they become large ones, especially in the area of billing to government health care programs and adhering to HIPAA Privacy and Security Rules.


There are many dimensions of "compliance" for health care organizations, including 

  • compliance with medical documentation
  • compliance with billing and coding practices
  • compliance with health and safety laws and regulations
  • compliance with environmental laws and regulations
  • compliance with human resources laws and regulations
  • compliance with HIPAA laws and regulations

HIPAA, the Health Insurance Portability and Accountability Act of 1996, requires healthcare organizations to comply with a host of regulations covering the privacy of personal health information (PHI).  These requirements have increased with an adoption of the HITECH Act provisions of the American Reinvestment and Recovery Act (ARRA) early in 2009.



HIPAA Compliance And Data Protection 


Patient privacy has become a major topic of concern over the past couple of years. With the majority of patient information being transferred over to digital format, to improve the convenience, efficiency and cost of storing the data, organizations expose themselves to risks.


Virtually all healthcare organizations in the United States are affected by HIPAA standards. This act applies to any health care provider, health plan or clearinghouse that electronically maintains or transmits health information pertaining to patients. 

HIPAA was designed to reduce the administrative costs of healthcare, to promote the confidentiality and portability of patient records, to develop standards for consistency in the health care industry, and to provide incentive for electronic communications.  With these standards in place, organizations can better protect their systems and patients can feel confident that their personal medical information will remain private.


Without exception, all healthcare providers and organizations must have data security standards in place according to the Standards for the Security of Electronic Protected Health Information rules (the “Security Rule”) of HIPAA. The Security Rule requires health care providers to put in place certain administrative, physical and technical safeguards for electronic patient data including a Data Backup Plan, a Disaster Recovery Plan, and an Emergency Mode Operation Plan.


HIPAA security standards will also require your organization to appoint someone as the security manager. This person will act as the only designated individual in charge of the security management process and will have access to the data, preventing unauthorized access or corruption.


It is important to choose a data protection solution that ensures all electronic protected health information (EPHI) is fully protected when it is backed up and stored. The most important consideration relates to assurances of data consistency, which can be achieved with autonomic healing and integrity checks. The solution should encrypt all information (minimum AES 256 encryption) before transfer to the service provider's SSAE 16 certified data facilities.
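The "encrypt before transfer, with integrity checks" requirement above, together with the at-rest and backup bullets in the earlier Data Encryption Best Practices article, as an added Go example that is not part of either article or of any vendor's product: it seals a constructed sample ePHI backup record with AES-256-GCM (the GCM authentication tag is the integrity check) and shows a restore failing closed when the stored blob or its catalogue metadata has been altered. The key, record and metadata are constructed placeholders; in practice the key would come from a key management system, never from the backup media.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample: a small ePHI backup record and the catalogue metadata
// the backup job attaches to it. Both values are made up for this example.
var sampleBackup = []byte("patient_id=000123;dob=1970-01-01;dx=J45.909")
var sampleMetadata = []byte("practice=example-clinic;job=nightly;date=2016-03-01")

// newGCM builds an AES-256-GCM AEAD; a 32-byte key is what selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBackup seals plaintext before it leaves the practice. The metadata is
// authenticated (bound to this blob) but stays readable for the backup catalogue.
// Output layout: nonce || ciphertext || tag.
func EncryptBackup(key, plaintext, metadata []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, metadata), nil
}

// DecryptBackup reverses EncryptBackup at restore time. Any change to the
// ciphertext, the tag or the metadata makes gcm.Open return an error, so a
// corrupted or tampered backup is never silently restored.
func DecryptBackup(key, sealed, metadata []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, metadata)
}

// RoundTrip shows the whole flow: seal locally, hand the blob to the offsite
// provider, restore. With tamper=true one bit of the stored blob is flipped,
// which is what an integrity check must catch. Returns true only when an
// untampered blob restores to the original record.
func RoundTrip(key, plaintext, metadata []byte, tamper bool) (bool, error) {
	sealed, err := EncryptBackup(key, plaintext, metadata)
	if err != nil {
		return false, err
	}
	stored := append([]byte(nil), sealed...) // copy held by the provider
	if tamper {
		stored[len(stored)-1] ^= 0x01 // corrupt the last byte of the tag
	}
	restored, err := DecryptBackup(key, stored, metadata)
	if err != nil {
		return false, err
	}
	return string(restored) == string(plaintext), nil
}

func main() {
	key := make([]byte, 32) // placeholder: a real key comes from a KMS
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	ok, err := RoundTrip(key, sampleBackup, sampleMetadata, false)
	fmt.Println("untampered restore ok:", ok, "err:", err)
	ok, err = RoundTrip(key, sampleBackup, sampleMetadata, true)
	fmt.Println("tampered restore ok:", ok, "err:", err)
}
```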


For healthcare providers and managed service providers: how are you addressing the requirements of HIPAA for your business, patients and customers? How does cloud backup address the requirements of HIPAA compliance? Please comment below to start the conversation.


HIPAA Compliance for Clinician Texting


Text (or SMS) messaging has become nearly ubiquitous on mobile devices. According to one survey, approximately 72 percent of mobile phone users send text messages. Clinical care is not immune from the trend, and in fact physicians appear to be embracing texting on par with the general population. Another survey found that 73 percent of physicians text other physicians about work.

Texting can offer providers numerous advantages for clinical care. It may be the fastest and most efficient means of sending information in a given situation, especially with factors such as background noise, spotty wireless network coverage, lack of access to a desktop or laptop, and a flood of e-mails clogging inboxes.

Further, texting is device neutral: it will work on personal or provider-supplied devices of all shapes and sizes. Because of these advantages, physicians may utilise texting to communicate clinical information, whether authorised to do so or not.

It is essential for healthcare providers to understand the communication needs of their workforce in order to appropriately address any privacy and security risks they may pose. As many providers have discovered, trying to control how your workforce communicates is easier said than done, and policies that fail to account for clinicians' communication preferences often go unheeded.

This article addresses texting between clinician members of the workforce and discusses how to ensure safer texting practices as part of your organisation's privacy and security compliance program.


The Risks of Text Messaging

All forms of communication involve some level of risk. Text messaging merely represents a different set of risks that, like other communication technologies, needs to be managed appropriately to ensure both privacy and security of the information exchanged.

Text messages may reside on a mobile device indefinitely, where the information can be exposed to unauthorised third parties due to theft, loss, or recycling of the device. Text messages often can be accessed without any level of authentication, meaning that anyone who has access to the mobile phone may have access to all text messages on the device without the need to enter a password.

Texts also are generally not subject to central monitoring by the IT department. Although text messages communicated wirelessly are usually encrypted by the carrier, interception and decryption of such messages can be done with inexpensive equipment and freely available software (although a substantial level of sophistication is needed).

The HIPAA privacy rule provides an individual with the right to access and amend protected health information (PHI) about the individual that is maintained in a designated record set. The designated record set includes PHI "used, in whole or in part, by or for the covered entity to make decisions about individuals."

Accordingly, if text messages are used to make decisions about patient care, then they may be subject to the rights of access and amendment. There is a risk of noncompliance with the privacy rule if the covered entity cannot provide patients with access to or amend such text messages.


Include Texting in Compliance Programs

Under the HIPAA security rule, text messaging may be addressed as part of an organisation's comprehensive risk analysis and management strategy.

As part of its risk analysis, a healthcare provider may identify where electronic PHI, or ePHI, is created, received, maintained, and transmitted. For texts, ePHI will primarily be created, received, and maintained on mobile phones (although text messages may also reside on workstations).

Texts also may be temporarily maintained on a telecommunications provider's servers while the message awaits delivery to the recipient's device (e.g., if the recipient's device is powered off or out of range). Texts primarily will be transmitted through the wireless cellular networks of telecommunications providers, although they also may get routed through the Internet in certain situations.

The next step is to identify and document any reasonably anticipated threats to ePHI, the security measures already in place (e.g., an existing policy on texting), the likelihood of each threat, and its potential impact. Examples of threats include:

  • Theft or loss of the mobile device
  • Improper disposal of the device
  • Interception of transmission of ePHI by an unauthorised person
  • Lack of availability of ePHI to persons other than the mobile device user

It is worth keeping in mind that the threat of external interception is likely far smaller than the threat of theft or loss of the device.

Based on the above risk analysis, a provider can determine the appropriate administrative, physical, and technical controls for the organisation. Examples of security controls include:

  • An administrative policy prohibiting the texting of ePHI or limiting the type of information that may be shared via text message (e.g., limiting condition-specific information or information identifying a patient)
  • Workforce training on the appropriate use of work-related texting
  • Password protection and encryption for mobile devices that create, receive, or maintain text messages with ePHI
  • An inventory of all mobile devices used for texting ePHI (whether provider-owned or personal devices)
  • Proper sanitization of mobile devices that text ePHI upon retirement of the device
  • A policy requiring annotation of the medical record with any ePHI that is received via text and is used to make a decision about a patient
  • A policy setting forth a retention period or requiring immediate deletion of all texts that include ePHI
  • Use of alternative technology, such as a vendor-supplied secure messaging application


Further Considerations for Compliant Texting

Providers may want to also consider whether any third party uses or discloses ePHI when texting occurs. With respect to telecommunications providers, the Department of Health and Human Services has stated that entities acting only as conduits of ePHI and that do not access the information other than on a random or infrequent basis as necessary for the performance of the transportation service do not qualify as business associates.

In contrast, if texts are being stored indefinitely on a third party's server, such as when a text is sent to an e-mail account of a member of the workforce and the e-mail account is administered by a third party, then a business associate contract with the third party may be required.

Finally, providers may wish to address the use and disclosure of ePHI in their privacy policies and training and should consider sanctioning members of the workforce who violate such policies. Providers must also consider whether texts of PHI are subject to the HIPAA accounting of disclosures and, if so, whether they need to be included in a disclosure log.

There is no one-size-fits-all solution; different organisations may arrive at different conclusions regarding the threat posed by texting of PHI and what combination of controls reduces risks to a reasonable and appropriate level. There are some controls that are simply not going to be available for traditional texting, such as centralised audit controls that allow the IT department to monitor texts containing PHI.

Each healthcare organisation must decide whether it will prohibit or allow texting. This may be a fluid process, requiring the monitoring and reevaluation of policies to determine if they are effective. It is ultimately imperative to recognise both the value and risks of texting and to proactively address the issues.


New HIPAA rules


Healthcare providers have until September 23 to put into place internal policies and procedures needed to comply with sweeping changes coming to the Health Insurance Portability and Accountability Act (HIPAA).

In January, the U.S. Department of Health and Human Services (HHS) released a set of rules, known collectively as the omnibus rule, designed to supplement and modify the privacy, security, breach notification, and enforcement rules governing patient health information in HIPAA. HHS has made it clear that the September 23 compliance deadline is final. Penalties can range from $100 to $1.5 million depending on the violation.


For primary care and other physicians in private practice, compliance will mean:

  • conducting and documenting a risk analysis, which HHS defines as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic protected health information (PHI) in your practice;

  • reviewing the practice’s policies and procedures for when PHI is lost or stolen or otherwise improperly disclosed, and making sure your staff members are trained in them;

  • ensuring that the electronic PHI your practice holds is encrypted so that it cannot be accessed if it is lost or stolen (see “Encrypting your patients’ health information”);

  • modifying the practice’s electronic health record (EHR) system so that you can flag information a patient does not want shared with an insurance company;

  • having the ability to send patients their health information in an electronic format;

  • reviewing your contracts with any vendors that have access to your practice’s PHI; and

  • updating your practice’s notice of privacy practices.


Other provisions

Other provisions of the omnibus rule include restrictions on selling PHI or using it for marketing and fundraising purposes without obtaining the patient’s permission and loosening some of the restrictions on sharing PHI with family members or other caregivers of deceased patients. Disclosure is only permitted, however, to the extent that the PHI is relevant to the role the family member or caregiver played in the decedent’s treatment. Moreover, release is not permitted in cases in which the individual expressly stated before death that he or she did not want the PHI released.

The omnibus rule also permits doctors in states with compulsory vaccination laws to disclose a child’s immunisation records to schools without obtaining formal authorisation from parents. Physicians now can do so with only a verbal agreement, provided they document that they obtained the permission. Lastly, the rule prohibits health plans from using or disclosing genetic information for the purpose of insurance underwriting.

The rule also sets and describes the four categories of penalties for violating the rules and the dollar amounts for each.

The omnibus rule is the latest step in a process that began when Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Among other provisions, the HITECH Act required HHS to strengthen HIPAA’s privacy and security protections for health information. HHS adopted interim rules for doing so in 2010 and finalised the rules with adoption of the omnibus rule.


What Does Increased Patient Access Mean for HIPAA Compliance?


A recent AHA report shows increased patient access to their data, but organisations must continue to maintain HIPAA compliance.

More individuals than ever before now have electronic access to their own health information, according to a recent report from the American Hospital Association (AHA). However, organisations are required to offer patient access as part of their HIPAA compliance measures.

With increased electronic access, covered entities must ensure that they are still adhering to all aspects of the HIPAA Privacy and Security Rules.


Patient access to data is necessary, but the necessary data security measures cannot be compromised in the process.

The latest AHA Trend Watch report found that 92 percent of hospitals offered the ability to view medical records online in 2015, a large increase from the 43 percent that offered the same option in 2013.

Additionally, 84 percent of hospitals allowed patients to download information from their medical record in 2015, compared to just 30 percent in 2013.

“A growing number of individuals also are able to perform everyday health care tasks, such as making a medical appointment online with their hospital-based care providers,” the report’s authors explained. “Offering these capabilities allows patients to more easily access their providers and engage in their care.”

Not only are more hospitals increasing their options when it comes to patient to provider communication, but more are also allowing patients to submit patient-generated data to their provider online, according to the report.

Specifically, 63 percent of hospitals allowed patients to message their providers online in 2015, an increase of 8 percentage points from the previous year. In 2015, 37 percent of hospitals had the ability for patients to submit patient-generated data, compared to just 14 percent in 2013.


“As more hospitals are able to offer these services, individuals will have more insight into their medical data and the ability to interact with care providers at times and in ways that are convenient for the patient,” the report’s authors concluded.

While these numbers show that more covered entities continue to embrace technology, it is important to remember that HIPAA regulations require patients to have access to their own health data if they desire it.

Patient right of access is applicable to patient medical information, regardless of the form that the PHI is in at a healthcare organisation. Certain provisions may apply slightly differently, such as those related to requests for access, timely action, verification, form or format of access, and denial of access, but individuals have the right to their own medical records.

Another important aspect of patient access is whether or not patients can be charged for access to copies of their PHI. The fee may include only the cost of certain labour, supplies, and postage, but the Office for Civil Rights (OCR) encourages covered entities to provide the copies for free.


“Providing individuals with access to their health information is a necessary component of delivering and paying for health care,” OCR states on its website. “We will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged.”

Increased patient access to their own medical information should not be cause for concern, but a reminder to covered entities and business associates to ensure that they have the necessary safeguards in place to continue to ensure PHI security. For example, if more patients are utilising secure messaging options, then perhaps hospitals should review their mobile device policies and ensure they are utilising comprehensive data encryption options.

Technical Dr. Inc.'s insight:
Contact Details:

inquiry@technicaldr.com or 877-910-0004


HIPAA Email Compliance - 6 Best Practices


As technology advances and legislation changes, HIPAA email compliance can seem like a constantly moving target. With the challenges facing today’s healthcare landscape, including the proliferation of electronic health records (EHRs) and health information exchanges (HIEs), hackers and “hacktivists” targeting hospitals and the adoption of mobile technology in healthcare, HIPAA compliance is becoming more challenging — and more important — than ever.

Much has changed since 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. The World Wide Web was still relatively new, mobile phones were relatively rare (and great for your biceps!) and your health data was divided into thick manila folders stuffed with paperwork. Now, all that stands between patients and the entirety of their medical histories is a username and a password, and a startling number of those passwords are “password.”


The Challenge of Protecting Patient Data

When most of us think about HIPAA compliance, we think about its access control aspect — that is, who gets access to protected health information (PHI), and when. A leak of PHI can be as simple as a medical professional forgetting to log out of their portal, and leaving patient data open on the desktop to be viewed by anyone walking by (this is why automatic logout is one of the “technical safeguards” required to maintain HIPAA compliance).

When it comes to protecting PHI, the penalties add up fast — and since the passing of the 2009 Recovery Act, violating HIPAA has only grown more expensive. Each individual violation will run your business anywhere from $100 to $50,000, if it’s a first offence (and a lack of due diligence, as opposed to wilful neglect). Violations due to wilful neglect, however, cost a covered entity a minimum of $50,000 per violation. And when you consider how many patients have their data stored on a single server, those $50,000 violations stack up fast.

Doctors, hospital administrators, insurance professionals and anyone who deals with PHI need to be aware of the growing threats to patient privacy and be proactive with their information security. Here are six ways to lock down patient data and stay ahead of the threat.


1. Use strong data encryption.

Any PHI data you’re storing, whether on a desktop or on a server, should be encrypted. Encryption obscures your data, making it unintelligible to anyone who doesn’t have the key to decrypt it. As proven by the 2014 CHS Heartbleed attack, which resulted in the theft of 4.5 million social security numbers from one of the largest hospital groups in the United States, cyber-criminals have both the desire and the means to crack into hospital servers and steal sensitive data. With encryption, that data is still protected even after hackers get their hands on it, provided they weren’t able to also steal the encryption key.

Data encryption isn’t just best practice for information security, though — it’s a written requirement to maintain HIPAA compliance. Established in 2009, the HIPAA Breach Notification Rule gives businesses 60 days to notify all parties who may be affected by a leak of “unsecured protected health information.” Here, “unsecured” is another way of saying “unencrypted.”

The HHS actually goes into detail about its encryption standards for data at rest and data in motion. For data at rest (data that sits in storage), for example, the HHS’ standards are consistent with those of the National Institute of Standards and Technology (NIST), and include centrally managing all storage encryption, using multi-factor authentication for encryption solutions and using the Advanced Encryption Standard (AES) for encryption algorithms.
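As an added illustration of the at-rest encryption this tip describes (not code from the original article or from any vendor it mentions), the Go program below seals a constructed sample record with AES-256-GCM under a key kept apart from the stored bytes, then shows what a holder of the blob alone gets. It goes one step further than the tip: authenticated encryption also rejects a blob that has been altered in storage, the failure mode the page's later blood-type anecdote describes. The record ID, sample data and function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// samplePHI is a constructed record standing in for a stored patient chart.
const samplePHI = `{"patient":"Jane Doe","dob":"1970-01-01","blood_type":"O-"}`

// NewDataKey generates a 256-bit AES key. In line with the centrally managed
// encryption the article describes, the key lives apart from the data (for
// example in a key management service), so a copied disk or database dump
// does not carry the means to read it.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptAtRest seals a record with AES-256-GCM and returns the bytes that
// would be written to storage: nonce || ciphertext || authentication tag.
// recordID (a hypothetical row identifier) is bound as additional
// authenticated data, so one patient's blob cannot be moved under another
// patient's ID without decryption failing.
func EncryptAtRest(key, plaintext []byte, recordID string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag after the nonce: one self-contained blob.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// DecryptAtRest opens a blob produced by EncryptAtRest. A wrong key, a
// changed byte, or a mismatched recordID all fail authentication and return
// an error instead of silently yielding altered PHI.
func DecryptAtRest(key, blob []byte, recordID string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored blob too short to be a valid record")
	}
	nonce, ciphertext := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ciphertext, []byte(recordID))
}

// newGCM builds the AES-GCM AEAD; aes.NewCipher accepts 16, 24 or 32 byte keys.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	blob, err := EncryptAtRest(key, []byte(samplePHI), "patient-0001")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob (%d bytes) starts %x... and is unreadable without the key\n", len(blob), blob[:8])

	// Authorised access: key plus matching record ID recovers the chart.
	plain, err := DecryptAtRest(key, blob, "patient-0001")
	fmt.Printf("authorised read: %s (err=%v)\n", plain, err)

	// Simulated alteration of the stored bytes: detected and refused.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptAtRest(key, tampered, "patient-0001")
	fmt.Printf("tampered blob rejected: %v\n", err)

	// A thief holding only the blob (not the key) recovers nothing.
	otherKey, _ := NewDataKey()
	_, err = DecryptAtRest(otherKey, blob, "patient-0001")
	fmt.Printf("wrong key rejected: %v\n", err)
}
```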


2. Encrypt your emails, as well.

A tremendous amount of PHI is exchanged over email, and HIPAA compliant email requires encryption, too. In a post-HITECH (Health Information Technology for Economic and Clinical Health) world, the data shared digitally between doctors and their patients can be extremely useful for enterprising hackers, and email is a particularly vulnerable vector of attack.

The traditional route hospitals and providers take for HIPAA compliant email is a portal solution that uses Transport Layer Security (TLS) to encrypt messages. While these legacy portal solutions do provide for HIPAA email compliance, they are certainly not easy for either the providers or patients who use them. Web mail portals tend to be inconvenient to use, requiring separate usernames and passwords for each and every system and creating information silos for medical information.

Newer email encryption solutions bypass the annoyance of email portals by integrating seamlessly with more popular email services, like Gmail. Virtru Pro, for example, works with the service you’re already using to provide client-side encryption for HIPAA compliant email. In this case, encrypted PHI can be delivered safely and securely directly to the inbox, with no need for separate accounts or credentials. This allows for both HIPAA compliant email and convenience. (To learn more, read our FAQ about how Virtru Pro enables HITECH and HIPAA compliance for Gmail, or download our free guide.)


3. Use multi-factor authentication wherever possible.

If a hacker steals your password, can they access your data? If you’re using multi-factor authentication, you may still be safe. Without multi-factor authentication, your password is a single point of failure, the only gatekeeper separating you from the data thieves.

To help satisfy the Person or Entity Authentication component of HIPAA compliance, the HHS recommends that businesses handling PHI require, in addition to a password or PIN, either something the individual possesses (like a token or smart card) or a biometric (for example, a fingerprint or iris scan) for identity verification. These are both examples of multi-factor authentication, which requires a combination of something a user knows with something a user has.

Anyone who has used a debit card is familiar with multi-factor authentication. Even if someone gets a hold of your card, that person can’t withdraw money at an ATM without your PIN. Requiring two separate steps to verify your identity makes it doubly hard for someone to gain access to your money (or your data) by posing as you.


4. Make all of your employees HIPAA compliance experts.

One of the standards HIPAA lists among its Administrative Safeguards is Security and Awareness Training. Any business is only as secure as its least vigilant employee. All it takes is one tired worker uploading notes to their personal server, or leaving handwritten passwords in open spaces, to violate HIPAA compliance laws. It’s essential to make sure that every employee is thoroughly trained and refreshed in HIPAA and HITECH regulations, as well as your company’s security policies.

While many of the technical safeguards that protect HIPAA compliance are automated, like timed session logouts and password complexity requirements, nothing can replace thorough training and adequate knowledge sharing when it comes to strengthening your security posture.


5. Review the compliance and security practices of business associates.

When it comes to HIPAA compliance, you can’t just tidy up shop internally. As with its employees, a company is also only as compliant as its least secure partner/vendor/contractor, and every business your hospital, private practice or insurance company partners with is a potential vector for attack or HIPAA violation.

There are a few precautions any HIPAA-covered entity should take when it enters into a business associate agreement, including securing the right to audit the associate for compliance. Lay down ground rules for HIPAA compliance best practices, including a mutual obligation to encrypt any shared PHI, and ensure that your business associate can’t pass PHI from your patients on to subcontractors without your approval. This includes using only HIPAA compliant email to exchange PHI.


6. Be aware of social engineering and inside threats.

While the leak of PHI is usually a simple act of user error or negligence, many data leaks are caused by malice — both from the outside and within. While many info-sec efforts are directed at the stereotypical hacker, hiding in the shadows in a musty basement cracking into a distant server, 28 percent of security incidents come from within the organisation, and 66 percent of malicious hacks are acts of social engineering, a method of intrusion that relies on social manipulation.

Social engineering can be as simple as someone walking into a hospital dressed like a convincing repair person, sneaking in a thumb drive and leaving with sensitive PHI. Make sure your internal security audits address these scenarios, as well as insider data threats.

Between legislation and technological advances, healthcare in the United States has recently undergone a dramatic transformation. It’s vital that healthcare providers and other covered entities keep pace with these changes. While it isn’t necessary to be an info-sec expert or a white hat hacker, doctors, nurses and administrators should know the law, know the threats and keep vigilant to protect the privacy of their patients and the HIPAA compliance of their practices.


Austin Dodd's curator insight, November 12, 2016 4:40 PM
This article talks about how to maintain security when emailing private health information so that you follow in line with the Health Insurance Portability and Accountability Act. It advises encrypting information and maintaining knowledge on potential threats. I believe this information is valuable to those who must follow HIPAA email compliance.

HIPAA Compliance in a Fast-Paced Medical Practice


Did you know that patient medical records can fetch more than $2,000 on the black market? Or that, because of the relative ease of medical insurance fraud, your medical records are worth significantly more on the black market than your credit card number? That’s right. Your medical history, including information about your insurance provider and your health status, is of great value to thieves. Even incomplete or partial records can be worth hundreds of dollars. If the value to hackers is hundreds or thousands of dollars, you can’t put a price on what those records are worth to the patient and their caregiver. We recently had a client whose medical records had been tampered with by a hacker. Her blood type had been switched in her medical records and, if not for a clerk noticing the change at the last minute, an upcoming surgery could have been a disaster. How do you put a price on that kind of threat? How do you overstate the need for robust security to protect medical records from theft or mishandling?


HIPAA Compliance in Theory and in Practice

The Health Insurance Portability and Accountability Act, also known as HIPAA, was established to protect patient medical records from being disclosed to unauthorised parties. HIPAA lays the groundwork for ensuring that these private details remain private and accessible only by patients and their caregivers. That’s the idea behind HIPAA: protecting patients and care providers by creating minimum standards for privacy and accessibility. Despite near-universal agreement on the need for patient privacy, there is no surefire method to protect patient records from being accidentally released or stolen. Many clinics count on their door locks, alarms, and firewalls to provide adequate security for the entire practice, including the medical records. While some protection is better than none, my experience is that most medical facilities and practices have woefully low amounts of security in place for their patients’ medical data. Aside from this lack of protection running counter to the patient’s best interests, it also greatly increases the chances of a HIPAA violation which can cause huge problems for the practice. Just a single incident can incur a fine of $50,000! The repercussions for all involved are nothing to take lightly.


Enhance HIPAA Compliance and Security

So what is a medical practice to do? Hope for the best and that nothing will happen? Certainly not. Fortify security measures? That’s not much better unless there is also a plan in place and an understanding of what level of security and precaution already exist. The first thing we would recommend to any medical provider interested in enhancing their security would be a network assessment that focuses on HIPAA compliance. This type of assessment, offered by Diamond IT, doesn’t just scan for vulnerabilities and areas of possible intrusion, it also evaluates how patient data is being stored, backed up, and secured, to provide a true diagnosis of HIPAA compliance across the network. Assessing your network and security will uncover even more information about your HIPAA compliance and how successful you’ve been in maintaining patient privacy.

Moving to hosted Exchange allows for control and oversight to make sure messages are protected and monitored. Backing up data to an offsite location means that if there is an incident at the office there is no threat of permanent data loss. Once this assessment is complete, we work to find areas of improvement that have real results for the security of your organisation and your patients. By the time our team is finished, your practice will have a detailed plan on not only how to enhance physical and digital security, but also how to make sure you are remaining in compliance with HIPAA each and every day. So often patients choose a medical care provider based on an online review or a recommendation from friends and family. When is the last time you heard anyone say they chose their care provider because they had great confidence that provider could protect their privacy? The reality is that patient data security should be important to everyone but is often taken for granted by patients. Patients trust their providers to protect their private data, and care providers owe that protection to those patients.

Ensuring that your practice is as secure as possible and mitigating the risk of data breach or HIPAA violation is not a mission to be taken on alone. With Diamond IT on your side, greater protection is not far away, giving you greater peace of mind so that you can focus on patient care.


HIPAA Risk Management Plan


Simply put, a HIPAA Risk Management Plan is a compilation of an organisation's compliance policies, procedures, forms, logs and reports. A plan serves as a way to demonstrate your HIPAA compliance efforts in writing. This is critical because if a HIPAA breach or an audit occurs, rest assured the HHS Office of Civil Rights (OCR) will want to see specific written policies and procedures that your organisation has in place. 


The overall goal of a HIPAA Risk Management Plan is to address risk. A risk is an event or condition that, if it occurs, could have a positive or negative effect on an organisation. Risk management is the process of identifying, assessing, responding to, monitoring, controlling and reporting risks. A good plan will outline how risk management activities will be performed, recorded and monitored to comply with the HIPAA Security Rule. 


In guidance provided by OCR, HIPAA Covered Entities and Business Associates must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. A plan must be maintained until six years after the date of its creation or last effective date (whichever is later), with written security policies and procedures and written records of required actions, activities and assessments.


Covered Entities and Business Associates must periodically review and update their documentation in response to environmental or organisational changes that affect the security of electronic protected health information (e-PHI). Reviewing and amending policies and procedures should occur on an as-needed basis.


A comprehensive risk plan must cover all the HIPAA Security Rule Standards and Implementation Specifications. Under this Rule, the implementation of standards is required. The implementation specifications are defined as either “required” or “addressable.” A required specification must be implemented with no exceptions. An addressable specification allows additional flexibility with respect to compliance for the standard, but it is not optional.

Let’s look a little deeper at addressable implementation specifications. These specifications were developed to provide an organisation additional flexibility with respect to compliance with some of the security standards. However, one of the following must be done for each addressable specification:

  1. Implement the addressable implementation specifications;
  2. Implement one or more alternative security measures to accomplish the same purpose; 
  3. Not implement either an addressable implementation specification or an alternative. This choice must be documented. (I always advise trying to meet the specification. Remember that a clearly written justification as to why it is not being met is required.)


You can apply the reasonable and appropriate standard to addressable implementation specifications. This standard will depend on a variety of factors such as the risk assessment, risk mitigation strategy, what security measures are already in place and the cost of implementation. HIPAA Risk Management Plans should be created with the understanding that every member of the workforce must be able to access the plan. Organisations must require workforce members’ attestation to receiving the plan and knowing they are accountable for the contents.


Ensure your medical practice complies with HIPAA data privacy


Do have a plan

When it comes to HIPAA compliance, a minimum plan is better than none. A basic policy forbidding employees from releasing patient health data and covering paper documentation and online viewing in the office is a good start. Make this policy a part of your New Hire Orientation Packet. Some of the best policy practices, however, incorporate items related to security access and protocol, non-use of public servers or unsecured Internet hotspots, and reporting infringements without retaliation from the employer. A solid IT team will assist you with implementation and policy for your technology resources. You will also want to confirm you meet your state’s privacy laws and that your service providers meet compliance at a federal and state level.


Do provide safeguards for physical and online archives

One key aspect of HIPAA relates to information storage - on site, online or off premises. If this is paper documentation, a simple lock and key system may suffice with a limited number of users. For online systems, it’s important to train staff on how to prevent unauthorised access. Each computer station, application or program, and website requiring a login should be accessed by each individual using his or her own unique username and password. Be sure that if the employee voluntarily leaves or is terminated, you have a procedure in place to deactivate or delete access to all systems.


Do involve all staff levels 

Most plans for HIPAA compliance work best when everyone is in the loop. From doctors to front desk clerical workers, everyone should know what the business policy is and how to achieve it together. When you are creating or revising your policy, a facilitated group meeting can raise points and identify potential risks that may have otherwise been overlooked.


Do brainstorm the most effective communications protocols

With information overload and a lot of hardships encountered by medical businesses in meeting HIPAA compliance, your patients will want to know how you handle their sensitive information, especially as more and more practices utilise electronic health record systems. Have handouts or other materials available to assure them you have a system in place to proactively manage and handle their data. Your plan should also include procedures on how your staff discusses patient cases on and off site and the importance of keeping identifiable patient information secure. Offices that take time in coming up with a good system stand the best chance of building a truly adaptive HIPAA compliance plan.


Do ask questions

Some government agencies and other groups can help advise a medical business on the best way to comply with HIPAA, whereas doctors who try to do this entirely on their own can overlook some major issues or take compliance entirely too far. Questions to ask might include:

  • What are the basics my plan has to include? What elements aren’t mandatory but necessary?
  • What security measures are required for technology resources?
  • How often do I have to update my policy?
  • What information is not restricted by HIPAA?
  • Do I have to inform my patients on how I use or disclose their information?


Do not assume that staffers will get the message

Passive office structures often leave key people uninformed and uninstructed. Make sure that messages on HIPAA compliance and other critical administrative aspects get to all of the right people on a regular basis. If it is a policy or procedure, formalise this process with a sign off and acknowledgement that the individual has read, understood, and will comply.


Do not overbuild HIPAA infrastructure

Some medical offices fall into the trap of creating elaborate indoor areas with fountains, cubicles, or other sound reducing features. While this may be effective in some cases, in others, it may not be enough for true compliance and might also end up being quite expensive. Ensure that the basics are met, including keeping all paper-based patient and financial sensitive data face down or covered, having computer screens go blank after a certain idle period, and setting computer programs to auto-logout after a specific amount of idle time has passed.


Do not act only on a punitive basis

One of the big mistakes made by top management is to disregard HIPAA compliance issues until there is a breach, and then come down hard on employees. Instead, create the up-front plan to be more informative than threatening so that employees will feel safe in voicing concerns without fear of reprisal. You may want to include a section on how to report a potential or actual breach and the action steps that will follow.


Do not just have a paper plan

HIPAA compliance plans that happen in back rooms are sometimes just filed away and never acted on. While this might be somewhat of a hedge in the case of HIPAA violation, it’s not really going to do much during any kind of substantial audit. Review and update your plan at least annually and take the time to retrain your staff on meeting compliance.


Do not overlook social media

From regular e-mail to Facebook and Twitter, there are a lot of new ways that employees can unknowingly create HIPAA violations. Cover all of these social media platforms in your staff trainings and certainly address them in your HIPAA compliance plan. Cover specifics such as: never post information about actual patients unless you have written consent from the patient; never use patient names in electronic communications unless the platform meets HIPAA compliance; and never post photographs unless written authorisation from the patient is on file.



Keeping Staff HIPAA Compliant Best Practices


It is important for medical providers and medical groups to comply with HIPAA, because non-compliance can cost fines of up to $50,000 or more for a violation.

As per HHS’ OCR (Office of Civil Rights), which implements HIPAA, corrective actions are mostly needed in private practices. Other medical facilities that require correction are general hospitals, pharmacies, outpatient facilities and health plans.

The Office of Civil Rights has resolved 2385 HIPAA violation cases since 2003 through changes in private practices, corrective actions or by extending technical assistance. In 26 other cases, HIPAA violations amounted to $23 million in fines paid by national pharmacy chains, hospital chains, medical provider offices and others.


What can you do to keep your staff HIPAA compliant? Some of the best practices are:

  • Train your staff to handle PHI (protected health information) appropriately.
  • Employ a staff member exclusively to manage HIPAA compliance and security standards, and to educate staff members from time to time.
  • Give different staff members different levels of access, to prevent a security breach beyond a staff member’s scope of work.
  • Do not allow staff to share passwords.
  • Make it a point not to disclose PHI unless it is necessary.
  • Staff must be warned against accessing patient records unless necessary, and written permission must be obtained before accessing such records.
  • Computer programs must be properly closed (logged out of) before moving to another task. You can use practice management systems that go offline after a set amount of idle time.
  • Safeguard electronic data using passwords, encryption and authentication wherever required.
  • Use two-step verification processes. For example, use a password as well as voice detection, mobile phone verification or fingerprint detection.
  • If patient details are stored in paper files, keep them in locked cabinets, shred them when disposing of them, and use a cover sheet when faxing.
  • Always use a HIPAA-compliant server for data security, so that patient records are safeguarded.
  • Make sure all third parties involved in your medical business comply with HIPAA guidelines.



HIPAA Compliance Tips for Medical Practices


Complying with HIPAA is more critical — and more complicated — than ever. The government is ramping up its efforts to crack down on violations, and small- to medium-sized practices are no exception.

In April 2012, a five-physician cardiac surgery practice in Arizona became the first small practice to pay a significant HIPAA-related penalty to HHS — to the tune of $100,000. The investigation stemmed from a complaint that the practice posted surgery and appointment schedules on a publicly accessible Internet-based calendar. The department's Office of Civil Rights (OCR) found that the practice had implemented few policies and procedures to comply with HIPAA, and had limited safeguards in place to protect patients' electronic protected health information.

This case is "a wakeup call for smaller practices that they can get on the [government's] radar screen," says Elizabeth Warren, a Nashville-based health law attorney at Bass, Berry & Sims. "Certainly [OCR] could have looked at the situation this group had and just advised them on how to fix it, but they did choose to impose a penalty and the resolution agreement and kind of put them publicly out there," Warren says. " ... It definitely seems to point to, if you're not doing anything or not doing much of anything [to comply], you may trigger an enforcement action even if you're small."

The HITECH Act, which was part of the American Recovery and Reinvestment Act of 2009, enhanced privacy and security enforcement provisions and increased penalties. It also required HHS to provide for periodic audits to ensure covered entities are complying with HIPAA.

To help ensure you are prepared for whatever HIPAA-related issues may be heading your way, here's what experts say your practice should be doing — and what it should definitely not be doing — when it comes to the privacy and security rules.


Do polish your policies

To ensure you are ready if an auditor comes knocking, critically assess your policies and procedures and update them if necessary, says Ericka Adler, a health law attorney at Kamensky Rubinstein Hochman & Delott, LLP, based in Lincolnwood, Ill. "I think one of the most important things is that a lot of practices did what they were supposed to do [when the laws first came out] in terms of getting their policy together and getting their forms out there, and they haven't talked about HIPAA since," she says, noting that some of the laws have changed and practices need to alter their policies accordingly. In addition, practices must have an active program in terms of training staff on the privacy and security rules, tracking patient record requests, HIPAA violations, etc. "HIPAA needs to be a living breathing part of a practice and not a policy that sits on a shelf so the practice can say they have a policy," says Adler.

Keep in mind that new technology use at your practice or by your staff members, such as e-mail and social media, could lead to privacy and security issues. Make sure your policies account for these changes, says Sharona Hoffman, a professor of law and bioethics at Case Western Reserve University School of Law in Cleveland. "Technology always gives rise to a lot of benefits, but it also creates a lot of risks, and you have to be sensitive to those," she says. "... You have to make sure that security is maintained."


Do audit effectiveness

Ensuring all your policies and procedures are updated is a good start, but you must also make certain those policies are working. As Adam Greene, a health law attorney and partner at national business and litigation law firm Davis Wright Tremaine LLP, points out, "A lot of things sound good on paper, but in practice don't actually work." For example, "If your policy that you created back in 2003 was that all protected health information should go in the orange bin, which will then be sent to the shredder, it's worth looking into whether that's actually working — and there's a pretty good chance that it won't be," he says. "It's always better to find that out yourself rather than through a patient complaint, or ... an OCR audit."


Do plan for worst-case scenarios

If a security or privacy breach does occur at your practice, it's crucial to handle it quickly and appropriately. "You definitely want to make sure you've got a HIPAA breach policy, which not everybody does …" says Warren. Covered entities must notify individuals affected by a breach within 60 days of its discovery, and the sooner they are notified of a breach the better, she says. "The privacy officer needs the more detailed map of — if this happens, here's what I do, here's what notifications have to go out — but the rank and file don't necessarily need to know all of that detail. They just need to understand things have to be reported quickly, and then I think it's helpful to provide training of concrete examples of things that should be reported." For example, reporting a stolen or missing laptop or thumb drive, even if staff believes it is encrypted or does not contain personal health information, or mistakenly providing private information to the wrong patient.


Do reevaluate and reeducate

It's important to provide HIPAA training to staff as soon as they begin working at your practice. But one initial training session is not sufficient, says Adler. "I recommend to my clients that you make this an annual event because it just fades into the background unless [HIPAA compliance] is something that's repeated to employees all the time," she says. "They just forget about it and they don't even think in certain contexts, 'Oh yeah, HIPAA, I need to remember about that.' There should be a constant education program."

Consider mixing smaller HIPAA training sessions in with other staff gatherings, says Greene. For instance, if you want to train staff members on a specific scenario, such as what to do if a police officer asks for information about a patient, add it to the agenda at a monthly staff meeting. Also, just as you should your other policies, ensure your training program is continually updated and revised.


Do tailor to job function

Keep in mind that while every policy needs to have a staff member trained on it, not every staff member needs to be trained on every policy, says Greene. "Your training should not be focused on making everyone a HIPAA expert," he says. Instead, it should cater to each employee's particular needs. For instance, "The person who's responsible for responding to requests for medical records may need to have different training than the receptionist,

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


HIPAA: Not Just for Medical Practices


By now, most people who work in healthcare know that physicians, dentists and other medical providers must comply with the Health Insurance Portability and Accountability Act of 1996 – usually known as HIPAA – or face stiff penalties. But not everybody realises that many jobs outside of direct patient care also demand strict adherence.

The HIPAA Privacy Rule mandates that “covered entities” who deal with protected health information follow measures to keep data private. This information is anything that can be used to identify a patient. It may relate to their health condition (past, present or future), provision of healthcare, or payment for healthcare. Something as simple as a birth date, name or address, as well as obviously sensitive information like Social Security numbers, is considered protected health information.


Exactly who is responsible for meeting HIPAA regulations? Anybody who meets HIPAA’s definition of a covered entity, such as health plans, healthcare providers and healthcare clearinghouses. On the surface, this sounds clear. But beyond the optometrists and chiropractors are less obvious covered entities. Nonprofit organisations, schools and government agencies which provide some healthcare services must also comply with HIPAA.



Organisations that perform both covered and non-covered functions may decide to become what is known as a “hybrid entity.” The organisation designates which are the healthcare components within its operation, and which components are not. The healthcare components must then comply with HIPAA rules.

Consider a university. If a university includes an academic hospital which electronically transmits health records – and many other departments which have nothing to do with health information – the university may decide to be a hybrid entity. It can designate the hospital as its healthcare component, while departments like geography and engineering are clearly separate. The privacy rule would then apply only to the hospital and other designated components, governing health info maintained, created or received by or on behalf of these healthcare components. If the hospital were to disclose patient information to other parts of the university, it would be regulated just as if the data were being disclosed to an entity outside the university. A university research lab that also serves as a healthcare provider may or may not be included as a designated healthcare component, depending on whether or not it conducts specified electronic transactions.



Most states have gone above and beyond federal standards when it comes to HIPAA. Texas has especially strict medical privacy rules. In 2012, Texas created the Texas Medical Records Privacy Act, one of the country’s most stringent. Texas expanded the definition of “covered entity” and “business associate” to make even more organisations comply with HIPAA. For example, accounting firms, law firms, government agencies and insurance providers who come into possession of protected health information all squarely fall within the Texas definition.

A variety of Texas codes include privacy laws regarding health information, such as the Texas Occupations Code, the Texas Code of Criminal Procedure, the Texas Family Code, and many others. Everything from blood donations to hearing loss in newborns to mental impairments in offenders in correctional facilities is covered by some Texas code.

Texas also requires more extensive HIPAA training, and not just for physicians. Business associates and subcontractors who work with healthcare providers must undergo training, and may be found liable if they don’t. The Texas laws apply mostly to entities who exchange protected health information electronically.



What does it take to keep protected health information safe? Unfortunately, it takes a lot. The IT departments of most covered entities are overwhelmed by HIPAA rules, and many simply can’t afford the safeguards needed to comply. HIPAA-compliant data centre environments provide a secure solution for covered entities. All records must retain:

  1. Integrity – the information within the medical records themselves must remain accurate.
  2. Confidentiality – medical records are viewed only on an as-needed basis by authorised professionals.
  3. Availability – medical records can be recalled at a moment’s notice with little to no downtime.


Ensuring HIPAA Compliance for Your Medical Practice


With the adoption of electronic health records (EHR) systems, a changing health insurance landscape, and rapid technological advances, it seems that no other industry is undergoing as much change as the healthcare industry. Add mandated compliance with the HIPAA final omnibus rule, which went into effect in September 2013 and strengthened provider requirements for ensuring patient privacy protections, and healthcare providers have a lot to think about.


The evolving HIPAA landscape is also reflective of—and a direct response to—the countless privacy breach threats the healthcare industry faces. Hospitals, institutions and small practices are increasingly targeted for the acquisition of confidential patient information. Providers who do not adequately protect patient health information (PHI) not only risk damage to their reputation and face civil lawsuits, but also run afoul of increasing scrutiny by the Department of Health and Human Services Office for Civil Rights (OCR). Recently, the OCR handed out a record-breaking $4.8 million HIPAA fine to New York Presbyterian Hospital and Columbia University Medical Center for failure to protect PHI. This should serve as a cautionary tale, not only for large healthcare institutions but also for doctors and practitioners with smaller practices.


HIPAA compliance doesn’t necessarily mean having to invest in costly electronic systems; often it comes down to basic, common sense methods for maintaining continuous privacy for your patients’ health information. While the pilfering of electronic health information through hacking and cyber-attacks is certainly on the rise, breaches of hardcopy information are still common.

For example, in another recent occurrence, a complaint was filed against a large drugstore chain for alleged HIPAA violations, including accusations of PHI being left unattended on desks and in public areas. While the OCR did not find widespread or systematic non-compliance, individual instances were noted and suggestions were made for ensuring safeguards, one of which was enhanced staff training.


Protecting patient privacy

These troublesome violations highlight the need for ongoing HIPAA training of the doctors, practitioners and administrative staff within your practice. All employees should understand privacy and security policies and associated consequences of a violation. Policies for the handling of PHI should also be made clear. Procedures for storing, accessing and disposing of medical records and business documents should also be clearly outlined.

Patient information should never be left in plain view for others to see. On-site file rooms should be locked and access to records highly regulated. Inactive files should be transferred off-site to a secure records center where they can be protected and managed for the duration of their retention life cycle.


Records and other paperwork should promptly be disposed of. A secure NAID AAA certified shredding service eliminates expired records being left on desktops or workstations where they run the risk of being compromised. Shred collection containers can be strategically placed within your practice, enabling documents and files to be quickly and securely disposed of and shredded in accordance with HIPAA standards.



What HIPAA compliance says to Physicians?


Compliance with the updated regulations requires medical practices to:

  • conduct a risk analysis to determine the vulnerability of electronic protected health information (PHI) to loss or theft, and document that they have done so;

  • encrypt patient PHI so that it can’t be used if it’s lost or stolen;

  • review policies and procedures for what to do if PHI is lost, stolen, or inappropriately disclosed;

  • review contracts with vendors and other “business associates” that have access to PHI to ensure that the vendors have proper safeguards in place to secure patient PHI.

The penalty for unauthorized disclosure of PHI consists of fines that range from $100 to $50,000, depending on the circumstances of the disclosure and the size of the practice.

The new regulations also:

  • allow patients to forbid disclosure of information about a test or treatment for which the patient has paid out-of-pocket, thus requiring practices to be able to identify and separate information a patient doesn’t want disclosed so that it’s not accidentally sent to an insurance provider;

  • permit patients to request their health information in electronic form, and require practices to comply with the request within 30 days with one 30-day extension permitted; and

  • require practices to update their notice of privacy practices to include all patients’ rights, send the updated notice to all patients, and post it in the practice’s office and on its Web site.


Tracey Mathew's curator insight, October 19, 2016 3:08 AM