HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Why is HIPAA compliance important?

Why is HIPAA compliance important? | HIPAA Compliance for Medical Practices | Scoop.it

The process of becoming HIPAA compliant seems costly and confusing, so numerous health organisations avoid it altogether. However, the cost of doing nothing is great.

Failure to comply can result in:

  • Thousands — even hundreds of thousands — of dollars in breach fines
  • Damage to reputation which leads to a loss of future and existing patients

To illustrate, the cost of each breached record is estimated at around $240, which means that if 1,000 of your records are breached, the fines would be $240,000.


What do I need to know?

You need to fulfil the HIPAA Security Rule Requirements:

  • Perform a Risk Assessment
  • Develop Policies and Procedures
  • Train Employees (including periodic reminders)
  • Have an Incident Response Plan
  • Maintain Business Associate Agreements


How does Triton Technologies come into play?

Obviously, we care a lot about our clients and don’t want to see them get fined. The other reason we are so dedicated to ensuring you are HIPAA compliant is that compliance is so intertwined with IT. In fact, IT plays such a dominant role that we feel compelled to help you become compliant.

There are so many reasons a company is at risk for breaches based on common IT weaknesses such as:

  • Lack of anti-virus on all endpoints and servers
  • Lack of security patching of servers and desktops
  • Lack of encryption (email, laptop, mobile devices, USB drives, offsite data backup)
  • Lack of an implemented and tested disaster recovery plan


How can I become compliant with the least disruption?

We want to make this process as painless as possible for our clients. So we partner with a service called HIPAA Secure Now!

This service provides everything you need to reach and maintain compliance and even does most of the heavy lifting. The service:

  • Performs the initial risk assessment (continued annually)
  • Creates your policies and procedures
  • Continuously trains your employees
  • Responds to security breaches
  • Provides a book of evidence if audited
  • Protects you from financial fines

It only requires you to provide:

  • Where the patient data is
  • How patient data is protected
  • 2-4 hours of your time (which can be broken out in 1 hour sessions)
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


Your Rights Under HIPAA


Most of us believe that our medical and other health information is private and should be protected, and we want to know who has this information. The Privacy Rule, a Federal law, gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral. The Security Rule is a Federal law that requires security for health information in electronic form.


HIPAA Right of Access Videos

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create Your Health Information, Your Rights!, a series of three short, educational videos (in English, with optional Spanish captions) to help you understand your right under HIPAA to access and receive a copy of your health information.

  • Individual’s Right under HIPAA to Access their Health Information
  • HIPAA Access Associated Fees and Timing
  • HIPAA Access and Third Parties


HIPAA Right of Access Infographic

OCR has teamed up with the HHS Office of the National Coordinator for Health IT to create this one-page fact sheet, with illustrations, that provides an overall summary of your rights under HIPAA:

  • Your Health Information, Your Rights!


HIPAA General Fact Sheets

  • Your Health Information Privacy Rights
  • Privacy, Security, and Electronic Health Records
  • Understanding the HIPAA Notice
  • Sharing Health Information with Family Members and Friends


Who Must Follow These Laws

We call the entities that must follow the HIPAA regulations "covered entities."

Covered entities include:

  • Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.
  • Most Health Care Providers—those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.
  • Health Care Clearinghouses—entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

In addition, business associates of covered entities must follow parts of the HIPAA regulations.

Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to have access to your health information when providing services to the covered entity. We call these entities “business associates.” Examples of business associates include:

  • Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims
  • Companies that help administer health plans
  • People like outside lawyers, accountants, and IT specialists
  • Companies that store or destroy medical records

Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar contracts with subcontractors. Business associates (including subcontractors) must follow the use and disclosure provisions of their contracts and the Privacy Rule, and the safeguard requirements of the Security Rule.


Who Is Not Required to Follow These Laws

Many organisations that have health information about you do not have to follow these laws.

Examples of organisations that do not have to follow the Privacy and Security Rules include:

  • Life insurers
  • Employers
  • Workers compensation carriers
  • Most schools and school districts
  • Many state agencies like child protective service agencies
  • Most law enforcement agencies
  • Many municipal offices


What Information Is Protected 

  • Information your doctors, nurses, and other health care providers put in your medical record
  • Conversations your doctor has about your care or treatment with nurses and others
  • Information about you in your health insurer’s computer system
  • Billing information about you at your clinic
  • Most other health information about you held by those who must follow these laws


How This Information Is Protected

  • Covered entities must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.
  • Covered entities must reasonably limit uses and disclosures to the minimum necessary to accomplish their intended purpose.
  • Covered entities must have procedures in place to limit who can view and access your health information as well as implement training programs for employees about how to protect your health information.
  • Business associates also must put in place safeguards to protect your health information and ensure they do not use or disclose your health information improperly.


What Rights Does the Privacy Rule Give Me over My Health Information?

Health insurers and providers who are covered entities must comply with your right to: 

  • Ask to see and get a copy of your health records
  • Have corrections added to your health information
  • Receive a notice that tells you how your health information may be used and shared
  • Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing
  • Get a report on when and why your health information was shared for certain purposes
  • If you believe your rights are being denied or your health information isn’t being protected, you can:
    • File a complaint with your provider or health insurer
    • File a complaint with HHS

You should get to know these important rights, which help you protect your health information.

You can ask your provider or health insurer questions about your rights.

Learn more about your health information privacy rights.


Who Can Look at and Receive Your Health Information

The Privacy Rule sets rules and limits on who can look at and receive your health information.

To make sure that your health information is protected in a way that does not interfere with your health care, your information can be used and shared:

  • For your treatment and care coordination
  • To pay doctors and hospitals for your health care and to help run their businesses
  • With your family, relatives, friends, or others you identify who are involved with your health care or your health care bills, unless you object
  • To make sure doctors give good care and nursing homes are clean and safe
  • To protect the public's health, such as by reporting when the flu is in your area
  • To make required reports to the police, such as reporting gunshot wounds


Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorisation, your provider generally cannot:

  • Give your information to your employer
  • Use or share your information for marketing or advertising purposes or sell your information

Are Small Practices still struggling with HIPAA Compliance Ahead of New Audits?


ATLANTA, March 1, 2016: NueMD announced the results of its 2016 industry survey measuring progress towards compliance with the Health Insurance Portability and Accountability Act (HIPAA) among small medical practices. Conducted in February 2016, the survey of over 900 healthcare professionals revealed an increase in general awareness, but active steps toward compliance are still lagging.

"With audits finally seeing the light of day, we wanted to gauge how quickly the industry is adapting to new regulations and offer resources to anyone who may be falling behind," said Caleb Clarke, sales and marketing director at NueMD. "Our hope is that surveys like these will draw attention to areas needing the most improvement."

Key findings include:

  • 60% of respondents are still unaware of pending HIPAA audits
  • 70% of respondents have created a compliance plan, compared to 61% in 2014
  • 30% of respondents have yet to create a plan
  • 54% of respondents have not appointed Security or Privacy Officers

In response to the results, NueMD is partnering with Total HIPAA Compliance and Atlanta-based healthcare attorney Daniel Brown, Esq. to host a series of free webinars designed to educate small medical practices and billing companies on various areas of compliance. 

"Becoming compliant not only helps protect patients, but the financial well-being of a practice," said Jason Karn, chief compliance officer at Total HIPAA Compliance. "It's really important that the industry remains educated and we're excited to be a part of that."


About Total HIPAA Compliance
Total HIPAA Compliance offers online HIPAA compliance and training for five separate covered industries – medical, dental, health insurance agents/brokers, employer health plans, and Business Associates with access to ePHI.


How to Keep Your Practice’s Communication HIPAA-Compliant


HIPAA compliance is a top concern for medical practices, and for good reason: violations can result in serious consequences, including large fines and potentially even jail time. To make things more complicated, the laws themselves tend to be rather vague about what actions practices need to take to become HIPAA-compliant.


Medical practices need to protect private patient data, but they also need to be able to go about the daily business of running a practice as efficiently as possible. Technology can certainly make day-to-day operations more efficient, but new technologies also bring about new concerns with HIPAA compliance. Many practices are hesitant to adopt new technology for that very reason.

When practices do decide that they want to use technology to communicate with patients and other practices, it can be difficult to figure out where to begin because HIPAA laws can be quite vague. Practices don’t want to slip up and have to pay the price (often, quite literally) for a violation.

So, what can you do to keep your practice’s communications on the right side of HIPAA guidelines? We highly recommend working with an expert on HIPAA laws to make sure your communication is always compliant. If you’d like to learn more about what HIPAA-compliant communication entails throughout your practice, including marketing efforts, emails, appointment reminders, patient portals, and communication with other practices, we have put together this list of helpful resources to help you stay up to date on the latest recommended best practices for HIPAA-compliant communication.



Digital marketing is critical for medical practices, as more and more patients turn to online sources to learn more about medical conditions, possible treatment options, and where to get treatment. Practices often have a website, and many also use email marketing and social media to reach out to patients. These resources will help you stay HIPAA-compliant in each of those areas of marketing.


Emailing Patients

Patients who are always on-the-go may prefer to communicate with you via email. If patients request email communication, you must make that option available to them, but you still need to take the proper precautions to protect your patients and your practice from HIPAA violations.


Appointment Reminders

Even appointment reminders can be considered private health information if done improperly. You may wish to use technology to automate this routine process and free up your employees’ time for other tasks, but you need to make sure that you aren’t inadvertently giving away private patient information in the process.


Patient Portals

Practices are required to implement and use a patient portal to meet Meaningful Use requirements. However, patient portals are still subject to HIPAA laws and may in fact pose the greatest security risk of all practice communications because of the amount of information they contain. Always do your research before choosing a vendor for your patient portal to make sure they will keep you covered.


Communicating with Other Practices

It’s important for your practice to be able to communicate with your patients’ other healthcare providers in order to provide the most comprehensive care possible. However, it can be quite challenging to communicate with other practices in a manner that is both efficient and HIPAA-compliant. These resources include suggestions on improving your communication strategies while protecting private information.


The Dangers of Sharing Patient Information via Text/IM

As a healthcare provider, your days are usually very busy, and it’s likely that the doctors you need to communicate with are equally busy. When you need to share information, whether it’s a quick update on a patient or a request for a consult, it can be tempting to just send a quick text or instant message. If texting or instant messaging is your preferred form of communication with other doctors, you need to approach it with caution.


HIPAA Data Encryption Best Practices for Medical Practice Compliance


Is data encryption something that your medical practice should consider—especially with regard to compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA)? The short answer to this question is yes; in order to keep personal health information (PHI) confidential and to ensure full legal compliance, data encryption is something that should absolutely be on your IT radar. 

That’s not to say that encryption is the only approach, nor that compliance with HIPAA needs to be entirely technical. Some common-sense policies like using strong passwords, remote data backups and securing all portable and mobile devices can help. Still, for most practices, a discussion about encryption needs to happen sooner rather than later. 


What HIPAA Requires of You 

The slightly longer answer will involve a closer look at what the HIPAA legislation actually says: “A covered entity must… implement a mechanism to encrypt and decrypt electronic protected health information.” 

This essentially leaves medical practices with two options. One is to encrypt their data—simple as that. The other is to implement an equivalent solution to comply with this regulatory requirement. 

This may sound like a fairly narrow set of parameters, but in truth the law is fairly open-ended: “Encryption,” you will notice, is not defined very specifically. The reason it is left open to interpretation is simple: covered entities come in different types and sizes, and thus their electronic recordkeeping processes and their network usage can differ significantly.


Encryption is the Best Solution

To put it another way: HIPAA requires that you take some action to keep patient information confidential and secure. That action can be encryption or it can be something comparable. HIPAA dictates policies and procedures, but not actual technologies; thus, covered entities do have some flexibility in how they meet these regulatory standards.

Of the options available, though, most practices will surely opt for encryption. This is not without reason. Though HIPAA allows for various technological implementations, encryption technology is virtually the unanimous choice among IT professionals as the best and most cost-effective way to fulfill the letter of HIPAA laws. 


The Best Standards for Data Encryption

As you map out an encryption strategy with your IT team, consider some basic parameters and best practices: 

  • Portable devices and thumb drives are not good storage vessels for patient data; a secure offsite location, such as a HIPAA-compliant data centre, is better.
  • Remember that data stored on mobile devices—including phones, tablets, CDs, or USBs—must be encrypted to avoid a breach in HIPAA compliance.
  • Note that even “backup” or “at rest” data sources can be accessed from remote locations—or from within their physical facility—and as such, they, too, should be encrypted.
  • Finally, note that compliance with HIPAA also encompasses the destruction of media that contain PHI. Specifically, such media must be destroyed in a way that they cannot be reconstructed—and that’s true of paper, film, and electronic media alike.


Striving for Compliance

The best guideline to remember: to ensure HIPAA compliance—and to offer adequate promise of privacy to your patients—it is imperative to render PHI unusable and unreadable by all unauthorised personnel. This requires a proactive mindset and a bent toward caution, which are not necessarily easy to achieve. The rewards are ample, however: not just an assurance of compliance, but that you’re doing right by your patients.


HIPAA and Compliance are now more important than ever ..


For many years, the federal government encouraged healthcare organizations to implement voluntary HIPAA and compliance plans. The Office of Inspector General (OIG) of the Department of Health and Human Services (HHS) issued guidance to several types of healthcare providers, including:

  • hospitals
  • clinical laboratories
  • home health agencies
  • DME suppliers
  • third party billing companies
  • hospices
  • Medicare Advantage plans
  • nursing homes
  • physicians


Now, with the passage of the Patient Protection and Affordable Care Act (PPACA) in 2010, there is a new urgency for health care organizations to develop and implement HIPAA and general regulatory compliance program policies and procedures. PPACA will require health care providers applying to enroll as Medicare providers to have a full compliance program in place.


Beyond this requirement are the ongoing efforts of federal and state governments to decrease the fraud and abuse that plagues government-sponsored healthcare programs. An effective overall healthcare compliance program, one that includes HIPAA compliance as well, can help an organization spot errors in its processes and prevent small problems before they become large ones, especially in the area of billing to government health care programs and adhering to the HIPAA Privacy and Security Rules.


There are many dimensions of "compliance" for health care organizations, including:

  • compliance with medical documentation
  • compliance with billing and coding practices
  • compliance with health and safety laws and regulations
  • compliance with environmental laws and regulations
  • compliance with human resources laws and regulations
  • compliance with HIPAA laws and regulations

HIPAA, the Health Insurance Portability and Accountability Act of 1996, requires healthcare organizations to comply with a host of regulations covering the privacy of personal health information (PHI). These requirements increased with the adoption of the HITECH Act provisions of the American Reinvestment and Recovery Act (ARRA) early in 2009.



HIPAA Compliance And Data Protection 


Patient privacy has become a major topic of concern over the past couple of years. As the majority of patient information is moved to digital formats to improve the convenience, efficiency and cost of storing the data, organizations expose themselves to new risks.


Virtually all healthcare organizations in the United States are affected by HIPAA standards. This act applies to any health care provider, health plan or clearinghouse that electronically maintains or transmits health information pertaining to patients. 

HIPAA was designed to reduce the administrative costs of healthcare, to promote the confidentiality and portability of patient records, to develop standards for consistency in the health care industry, and to provide incentive for electronic communications.  With these standards in place, organizations can better protect their systems and patients can feel confident that their personal medical information will remain private.


Without exception, all healthcare providers and organizations must have data security standards in place according to the Standards for the Security of Electronic Protected Health Information rules (the “Security Rule”) of HIPAA. The Security Rule requires health care providers to put in place certain administrative, physical and technical safeguards for electronic patient data including a Data Backup Plan, a Disaster Recovery Plan, and an Emergency Mode Operation Plan.


HIPAA security standards will also require your organization to appoint someone as the security manager. This person is the single designated individual in charge of the security management process and of access to the data, preventing unauthorized access or corruption.


It is important to choose a data protection solution that ensures all electronic protected health information (EPHI) is fully protected when it is backed up and stored. The most important consideration relates to assurances of data consistency, which can be achieved with autonomic healing and integrity checks. The solution should encrypt all information (minimum AES 256 encryption) before transfer to the service provider's SSAE 16-certified data facilities.
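The encrypt-before-transfer and integrity-check advice above, together with the earlier best-practice list's point that backup and at-rest data must be encrypted, as an added example that is not code from the original post or from any vendor named on this page: it seals a constructed sample backup with AES-256-GCM, whose authentication tag is the integrity check, and shows a corrupted copy being rejected on restore. Generating the key locally stands in for a real key-management service, which is an assumption made only to keep the example self-contained.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample "backup" of ePHI records, invented for this example.
var sampleBackup = []byte(
	"patient_id=0001;name=EXAMPLE PATIENT A;dx=J10.1\n" +
		"patient_id=0002;name=EXAMPLE PATIENT B;dx=E11.9\n")

// NewKey returns a fresh 32-byte key (AES-256). A practice would obtain this
// from a key-management service; random generation here is an assumption.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a backup with AES-256-GCM before it leaves the practice.
// Output layout: nonce || ciphertext || 16-byte GCM tag. The tag is the
// integrity check: any change to the stored blob makes Open fail. label
// (e.g. backup-set name) is authenticated but not encrypted, so a mix-up
// between backup sets at the provider is detected as well.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open decrypts a blob produced by Seal, failing if it was altered in any way.
func Open(key, blob, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to be a sealed backup")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, label)
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	return pt, nil
}

// RoundTrip runs the workflow: seal, restore, then attempt to restore a
// corrupted copy. It reports whether the clean restore matched the original
// and whether the corruption was caught.
func RoundTrip() (restoredOK, tamperDetected bool, err error) {
	key, err := NewKey()
	if err != nil {
		return false, false, err
	}
	label := []byte("practice-backup-set-1") // constructed label
	blob, err := Seal(key, sampleBackup, label)
	if err != nil {
		return false, false, err
	}
	pt, err := Open(key, blob, label)
	if err != nil {
		return false, false, err
	}
	restoredOK = bytes.Equal(pt, sampleBackup)
	// Simulate a corrupted or altered copy at the provider: flip one bit.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)/2] ^= 0x01
	_, err = Open(key, tampered, label)
	tamperDetected = err != nil
	return restoredOK, tamperDetected, nil
}

func main() {
	ok, caught, err := RoundTrip()
	fmt.Printf("clean restore matched: %v, corrupted copy rejected: %v, err: %v\n", ok, caught, err)
}
```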


For healthcare providers and managed service providers: how are you addressing the requirements of HIPAA for your business, patients and customers? How does cloud backup address the requirements of HIPAA compliance? Please comment below to start the conversation.


Should You Consider HIPAA Compliance?


Protecting private patient information is crucial, especially in this day and age of online storage and transactions. As the media reports more and more healthcare-related security breaches, it may be time for you to find out if you need to be HIPAA Compliant. Designed to protect patients, HIPAA is required for many businesses that deal with private health data. While there is much more to HIPAA than the data center where your data is stored, Liquid Web can be an important part of your overall compliance with HIPAA standards. At Liquid Web, we provide the utmost in security with our compliant network solutions, physical and data security measures, highly available infrastructure, and 24/7/365 onsite HIPAA trained staff. In combination with our recommended HIPAA Compliant hosting plans, we can help you achieve the compliance you need.

So how do you know if you should become HIPAA Compliant? We’ve gathered some helpful information that might set you on the right track.

What is HIPAA anyway?

HIPAA, or Health Insurance Portability & Accountability Act, is a strict set of regulations created in order to keep critical health information secure and confidential. This is especially important as many organizations that deal with patient health information store that data digitally. Recent large healthcare security breaches have only cemented the importance of HIPAA Compliance for your business and customers.

What kind of data is protected by HIPAA standards?

Any private medical data needs to remain confidential and secure, including but not limited to health records, patient charts, health insurance claim information, lab results, x-rays, and surgery documentation. HIPAA calls this data “ePHI,” or electronic protected health information.

What kind of businesses are required to comply with HIPAA?

The U.S. Department of Health & Human Services (HHS) has defined the businesses required to comply with HIPAA as “Covered Entities,” but only if they transmit any information in an electronic form in connection with a transaction for which HHS has developed a standard. Covered Entities include:

  • Healthcare Providers – Including doctor’s offices, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
  • Health Plans – Including health insurance companies, HMOs, company health plans, and government programs like Medicare and Medicaid.
  • Healthcare Clearinghouses – Including businesses that process health information from another entity either from a non-standard form to a standard form, or vice versa.


In addition, HIPAA applies to any business working with a covered entity to carry out its health care activities. Liquid Web could be one such “Business Associate” or “Sub-Contractor Business Associate.” When a covered entity enlists a business associate like Liquid Web for assistance in storing health information, a Business Associate Agreement might be needed to lay out the responsibilities of each party.



Why comply with HIPAA Standards?

These HIPAA standards exist to protect your patients’ confidentiality and privacy, ensuring your business has a trustworthy reputation. In addition, those that do not comply with the standards face being shut down and/or heavily fined. HIPAA’s standards are enforced through investigating complaints filed with the HHS and through conducting compliance reviews.


Don't Confuse EHR HIPAA Compliance With Total HIPAA Compliance


Electronic health records (EHR) systems are revolutionizing the collection and standardization of patient medical information. Never before has it been so easy for healthcare practitioners to have patient information so readily available, allowing for more efficient and accurate care.

Unfortunately, what many organizations today don’t realize is that just because their EHR system is compliant with HIPAA security standards, their entity as a whole may not be fully compliant.

Every healthcare organization under HIPAA is responsible for the protection of patient data, regardless of whether they use a vendor to process or store their patient records. If your EHR vendor claims you don’t have to worry about HIPAA compliance, don’t believe them – it’s just not true.

Privacy and security are much more than simply having a HIPAA compliant EHR. It is truly frightening when I hear a healthcare company, or even worse, an EHR vendor, claim their EHR system covers all of a healthcare company’s HIPAA requirements. Even for cloud-based EHR systems, this simply is not the case.

Maintaining a secure EHR system

The newly revised HIPAA Security Rule requires providers to assess the security of their databases, applications, and systems that contain patient data against a list of 75 specific security controls. These controls include specific safeguards to be in place for the purpose of protecting PHI.

In our ever-changing digital environment, it’s critical that healthcare organizations regularly assess their security programs as a whole to ensure they have the policies, procedures, and security measures in place to better protect patient information and avoid costly regulatory enforcements.

Unfortunately, addressing risks to electronic patient data is not always a top priority.

We need to get the message out that HIPAA compliance (and the protection of patient data) cannot be relegated to simply checking a box (i.e., my EHR system is compliant, therefore, my practice is compliant, too). HIPAA compliance must, instead, be addressed across an organization wherever patient data is present.

Understand current security measures

The ongoing responsibility of managing patient data throughout an organization requires an organized, well-thought-out approach to risk management. No matter how small or how long established, it’s critical for healthcare entities to understand what they are doing to protect patient data, what they are not doing, and what they should be doing in the future.

While some EHR systems and their related equipment have security features built into or provided as part of a service, they are not always configured or enabled properly. In addition, medical equipment is often web-enabled (can connect remotely to send information to a server), but that equipment may not be checked for proper security.

As the guardian of patient health information, it is up to each healthcare organization to learn and understand the basic features of their IT assets and medical devices, what security mechanisms are in place, and how to use them.

There are a number of actions an entity can take to make sure that their EHR systems and IT assets are secure. Such measures leverage an integrated use of data loss prevention tools, intrusion prevention, anti-malware, file integrity monitoring, robust identity management and authentication programs, role-based access and data security solutions.

The road to HIPAA compliance

Creating adequate safeguards does not happen overnight. While it may seem overwhelming and time-consuming at first (due to HIPAA’s complex nature), the biggest obstacle to overcome is actually getting the entire process started.

Begin by carving out a regular, weekly routine – perhaps starting at 30 minutes per week when your staff members who are responsible for HIPAA compliance can meet to discuss the privacy and security of patient data.

Here are some specific actions your entity should take when working to protect patient information:

  • Have a designated HIPAA-assigned compliance officer or team member. Clearly and specifically lay out the roles of everyone in your organization involved with HIPAA compliance responsibilities.
  • Ensure that access to ePHI is restricted based on an individual’s job roles and/or responsibilities.
  • Conduct an annual HIPAA security risk analysis (specifically required under the HIPAA rules). This can involve regularly engaging with a trusted provider that can remotely monitor and maintain your network and devices to ensure ongoing security.
  • Mitigate and address any risks identified during your HIPAA risk analysis including deficient security, administrative and physical controls, access to environments where ePHI is stored, and a disaster recovery plan.
  • Make sure your policies and procedures match up to the requirements of HIPAA.
  • Require user authentication, such as passwords or PINs, that limits access to patient information to authorized individuals only.
  • Encrypt patient information using a key known or made available only to authorized individuals.
  • Incorporate audit trails, which record who accessed your information, what changes were made, and when they were made, providing an additional layer of security.
  • Implement workstation security, which ensures the computer terminals that access individual health records cannot be used by unauthorized persons.
  • Privacy and security concerns are key when it comes to HIPAA, but it’s also important to ensure your enterprise as a whole is protected. With 75 different requirements that fall under the HIPAA Security Rule umbrella, it’s critical to ensure all systems where ePHI resides are protected. Otherwise, organizations are placing themselves and their patients at serious risk.


Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004

No comment yet.

HIPAA and Social Media: What are the Rules

The use of social media in today’s society continues to grow as more Americans interact through one or more social media platforms. Whether writing a blog article, posting on Facebook or tweeting on Twitter, many users see social media as a primary means to communicate. According to the Pew Research Center, as many as 46% of users “discussed a news issue or event” on a social media platform.

As more healthcare providers use or consider using social media for business purposes, HIPAA plays a more significant role in what can be said in a Facebook post, a tweet or a blog article. There are some clear challenges when it comes to meeting the requirements of the HIPAA Privacy Rule. But those challenges do not need to be obstacles, as long as there is proper guidance on what can or cannot be posted. 

My advice when it comes to the use of social media in a healthcare organization is to have a comprehensive, written policy and procedure. The less discretion the better, meaning there is always structured guidance to follow with little to no wiggle room.

In formulating your organization’s social media policy, start with the 3 W’s: Who, What and Where.  

  • Who – Determine who is permitted to post material on social media on behalf of the organization. Designate a specific person as the organization’s official social media administrator.
  • What – Determine what can be posted. The policy should include how to handle an individual that posts a medical question on a social media platform. As an example, if a patient can ask specific questions about a medical condition on your Facebook page, how does your organization address it? I caution from a possible liability standpoint that it may be inappropriate to respond with advice. A better response would be to ask the individual to contact the office to discuss the specific concern.
  • Where – Determine where and on what platforms posting will occur. The policy must clearly state which social media sites the organization will use.  

Guidelines issued by the AMA on social media say, “Be cognizant of standards of patient privacy and confidentiality. Don't post sensitive patient information online or transmit it without appropriate protection.” The guidelines also say to “maintain the appropriate boundaries of the patient-physician relationship, just as in any other context.” This means following all the applicable standards of the HIPAA Privacy Rule.

Another area of concern is the use of patient testimonials. This is a somewhat newer trend in the healthcare provider marketing strategy. Any patient testimonials used by a healthcare organization must comply with the HIPAA Privacy Rule. A healthcare provider, as a covered entity, must obtain the written authorization of the patient prior to any use or disclosure of the individual’s protected health information for marketing purposes.

In a recent case, a California physical therapy practice paid a settlement of $25,000 to the HHS Office for Civil Rights for a HIPAA privacy violation. There were allegations that the practice posted patient testimonials to its website without legal, HIPAA-compliant authorization. This is not a situation you want to find yourself in.

If your organization embraces social media as a method to market or provide information, have robust policies and procedures in place and follow them. You can be social, but be safe.

Why Does HIPAA Compliance Need a Security Risk Analysis?

There are many important elements to implementing an effective HIPAA Program, but none are more important than completing a security risk analysis. Conducting a risk analysis will give your practice an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of your electronic protected health information.

Completing a security risk analysis is a required element. This means that most specifications must be evaluated and if applicable, implemented, in order to achieve compliance with the Security Rule. It is important to remember that certain specifications in the risk analysis are considered addressable, meaning it is up to the covered entity to determine (in writing) if the specification is a “reasonable and appropriate” safeguard for its environment, taking into consideration how it will protect ePHI.

According to the Security Rule, your security risk analysis should be broken down into the implementation of 3 categories of electronic protected health information safeguards: Administrative, Physical and Technical. The following is an overview of each category, including differentiation between those specifications that are required and those that are addressable.


Administrative safeguards are administrative actions and functions to manage the security measures in place that protect electronic protected health information. Administrative safeguards must state how the covered entity will conduct oversight and management of staff members who have access to, and handle ePHI. Administrative safeguards include:

  • Risk Assessment (R)
  • Sanctions Policy (R)
  • Information System Activity Review (R)
  • Security Officer Assignment (R)
  • Security Awareness and Training (A)
  • Security Incident Procedures (R)
  • Disaster Recovery and Data Backup Plan (R)
  • Periodic Security Evaluations (R)
  • Business Associate Contracts (R)



Physical safeguards are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards and unauthorized intrusion. It includes restricted access to ePHI and retaining off-site computer backups. Applying physical safeguards means establishing:

  • Facility Access Controls (A)
  • Workstation Use and Controls (R)
  • Device and Media Controls (R)




Technical safeguards are the automated processes used to protect and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted. Technical Safeguards are:

  • Unique User Login (R)
  • Emergency Access Procedures (R)
  • Automatic Logoff (A)
  • Encryption and Decryption (A)
  • Audit Controls (R)
  • Authentication of Integrity of ePHI (A)
  • Authentication of Person or Entity (R)
  • Transmission Security (A)
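The technical safeguards listed above, together with the action list in the earlier article on the road to HIPAA compliance (role-based access, user authentication, audit trails), can be expressed as a small access gateway. The following Python module is an added example, not code from the article or from any EHR vendor; the roles, permissions, user IDs, record IDs and timestamps are constructed for illustration.

```python
"""Added example (not from the article or any vendor): an ePHI access gateway
mapping the HIPAA technical safeguards onto code: unique user login (every
call carries a user ID bound to a session), role-based minimum-necessary
access, automatic logoff after an idle limit, and audit controls recording
who did what to which record, when, and why. All names are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical minimum-necessary permission sets per job function.
ROLE_PERMISSIONS = {
    "physician": {"read_clinical", "write_clinical", "read_billing"},
    "receptionist": {"read_demographics"},
}
# Which permission each ePHI action requires.
ACTION_PERMISSION = {
    "view_chart": "read_clinical",
    "update_chart": "write_clinical",
    "view_demographics": "read_demographics",
}
AUTO_LOGOFF = timedelta(minutes=3)  # idle limit before the session is closed

@dataclass
class Session:
    user_id: str
    role: str
    last_activity: datetime

@dataclass
class AuditEvent:
    timestamp: str   # ISO 8601, UTC
    user_id: str
    action: str
    record_id: str
    outcome: str     # "allowed" or "denied"
    reason: str = ""

class FakeClock:
    """Constructed clock so the idle timeout can be exercised deterministically."""
    def __init__(self, start: datetime):
        self.now = start
    def advance(self, **delta):
        self.now += timedelta(**delta)
    def __call__(self) -> datetime:
        return self.now

class EphiGateway:
    def __init__(self, clock=None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.sessions = {}    # user_id -> Session
        self.audit_log = []   # append-only list of AuditEvent

    def login(self, user_id, role):
        # Password/MFA verification is assumed to have happened upstream.
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self.sessions[user_id] = Session(user_id, role, self.clock())
        self._audit(user_id, "login", "-", "allowed")

    def access(self, user_id, action, record_id):
        """Return True if the access is permitted; every decision is audited."""
        now = self.clock()
        session = self.sessions.get(user_id)
        if session is None:
            self._audit(user_id, action, record_id, "denied", "no active session")
            return False
        if now - session.last_activity > AUTO_LOGOFF:
            del self.sessions[user_id]  # automatic logoff
            self._audit(user_id, action, record_id, "denied",
                        "session expired (automatic logoff)")
            return False
        session.last_activity = now
        needed = ACTION_PERMISSION.get(action)
        if needed is None or needed not in ROLE_PERMISSIONS[session.role]:
            self._audit(user_id, action, record_id, "denied",
                        f"role {session.role} lacks {needed or 'a known permission'}")
            return False
        self._audit(user_id, action, record_id, "allowed")
        return True

    def access_report(self, record_id):
        """Audit trail for one record: who touched it, what they did, and when."""
        return [e for e in self.audit_log if e.record_id == record_id]

    def _audit(self, user_id, action, record_id, outcome, reason=""):
        self.audit_log.append(AuditEvent(
            self.clock().isoformat(), user_id, action, record_id, outcome, reason))

def demo():
    """Scripted scenario with constructed users; returns the gateway and decisions."""
    clock = FakeClock(datetime(2016, 3, 1, 9, 0, tzinfo=timezone.utc))
    gw = EphiGateway(clock)
    gw.login("dr_smith", "physician")
    gw.login("front_desk_01", "receptionist")
    results = [gw.access("dr_smith", "view_chart", "PT-1001"),              # allowed
               gw.access("front_desk_01", "view_chart", "PT-1001"),         # denied: role
               gw.access("front_desk_01", "view_demographics", "PT-1001")]  # allowed
    clock.advance(minutes=5)  # idle longer than AUTO_LOGOFF
    results.append(gw.access("dr_smith", "update_chart", "PT-1001"))  # denied: logoff
    results.append(gw.access("nobody", "view_chart", "PT-1001"))      # denied: no session
    return gw, results
```

Running `demo()` and printing `gw.access_report("PT-1001")` shows the audit trail a reviewer would expect for that record: two allowed reads, a role-based denial, an automatic-logoff denial and a denial for an unauthenticated caller.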

Completing your security risk analysis is not only an essential component of your HIPAA program, but it will enable you to identify and rectify any risks and vulnerabilities to the access and confidentiality of your electronic protected health information. The results of your risk analysis will be used to determine the appropriate security measures to be taken. Be sure to reevaluate your risk analysis periodically, especially if there have been any known or suspected threats to your security program.

HIPAA Guidance For Small To Mid-Size Medical Practices

For small and mid-size medical practices, HIPAA compliance has long been a small problem. After all, it wasn’t very long ago that all but the largest practices could rest relatively easy, knowing their very smallness made them unappealing targets for regulators looking for bigger fish to fry.


As long as they didn’t blatantly, repeatedly or intentionally violate HIPAA’s strictures, they rarely rated government action beyond (at most) a warning letter.


Those days are now over. The federal government is cracking down harder on practices that violate HIPAA privacy and security regulations by scheduling more frequent audits and issuing stiffer fines. And practices are being forced to respond with more rigorous compliance plans. The same federal stimulus law that offered incentives for practices to purchase electronic health records (EHR) systems also beefed up HIPAA’s privacy and security regulations. If your practice hasn’t reviewed and updated your HIPAA policy recently, then now’s the time.


It’s been 12 years since the April 14, 2003, compliance date for the HIPAA Privacy Rule, so most, if not all, physician practices should know better than to post protected health information (PHI) in a public forum such as Google Docs or Dropbox.


Here are some simple common sense tips for keeping your practice on the right side of the law:


Train your staff. HIPAA requires that you have a training program in place regarding the proper handling of PHI. All staff members must know what they are authorized to view, how to manage computer passwords, what they may and may not say in front of patients, and so on. Providing an annual refresher on this type of training is highly recommended. Make sure everyone, including physicians, receives the training. Document it.


Establish written protocols for information access. Staff should have access to the portions of patients’ PHI that are necessary to perform their jobs — and that’s all. This should be perfectly clear and in writing. And your protocols should include examples of the specific types of information that different staff members are authorized to view, based on job function.


Use discretion in the reception area. Don’t use public sign-in sheets. Don’t make any mention of the reason for a patient’s appointment until you’re both out of earshot of the waiting room. Make sure computer screens aren’t visible to non-staff members in any public areas of the office.


Plan for breaches. What would happen if there were an accidental breach of patient information? Say, someone mistakenly includes patient information in an email attachment, and the attached document includes patient names and Social Security numbers? Or how would you handle an intentional breach? You should prepare a specific response for scenarios like these because they do happen.


Use computer passwords correctly. If you have any centralized computer terminals that get used by more than one staffer, make sure everyone logs out whenever they’re finished. To be safe, set up those computers so a login is required after brief periods of inactivity, say two or three minutes. Even if you don’t have centralized computer stations (and most small practices don’t), you should require your employees to change their own passwords every few months.


If necessary, hire a consultant to help you comply with HIPAA’s security provisions, which are far more technical than the Privacy Rule. Alas, mere common sense won’t help you determine whether your computer network is properly encrypted. Get help. What’s new is that the government is no longer limiting its enforcement actions to hospitals and the biggest practices.


But since most private practices should have been following HIPAA plans for at least 10 years now, it’s likely they’ll need to do little more than review, update, and continue to implement their plan, assuming of course you have a HIPAA compliance plan currently in place.



Six Tips For Providers To Reduce The Risk Of Obtaining Unreliable HIPAA Compliance & Protection Software

Our partner Elizabeth Litten and I had a recent conversation with our good friend Marla Durben Hirsch who quoted us in her Medical Practice Compliance Alert article, “Beware False Promises From Software Vendors Regarding HIPAA Compliance.” Full text can be found in the February, 2016, issue, but some excerpts regarding 6 tips to reduce the risk of obtaining unreliable HIPAA compliance and protection software from vendors are summarized below.


As the backdrop for her article, Marla used the $250,000 settlement of the Federal Trade Commission (the “FTC”) with Henry Schein Practice Solutions, Inc. (“Henry Schein”) for alleged false advertising that the software it marketed to dental practices provided “industry-standard encryption of sensitive patient information” and “would protect patient data” as required by HIPAA. Elizabeth has already posted a blog entry on aspects of the Henry Schein matter that may be found here.


“This type of problem, the risk of using unreliable HIPAA software vendors, is going to increase as more physicians and health care professionals adopt EHR systems, practice management systems, patient portals and other health IT.”


The six tips listed by Marla are summarized as follows:


  1. Litten and Kline: “Vet the software vendor regarding the statements it’s making to secure and protect your data. If the vendor is claiming to provide NIST-standard encryption, ask for proof. See what it’s saying in its marketing brochures. Check references, Google the company for lawsuits or other bad press, and ask whether it suffered a security breach and if so, how the vendor responded.”

  2. Kline: “Make sure that you have a valid business associate agreement that protects your interests when the software vendor is a business associate.” However, a provider must be cautious to determine first whether the vendor is actually a business associate before entering into a business associate agreement.

  3. Litten: “Check whether your cyberinsurance covers this type of contingency. It’s possible that it doesn’t cover misrepresentations, and you should know where you stand.”

  4. Litten and Kline: “See what protections a software vendor contract may provide you.” For instance, if a problem occurs with the software or it’s not as advertised, if the vendor is not obligated to provide you with remedies, you might want to add such protections, using the Henry Schein settlement as leverage.

  5. Litten and Kline: “Don’t market or advertise that you provide a level of HIPAA protection or compliance on your website, Notice of Privacy Practices or elsewhere unless you’re absolutely sure that you do so.” The FTC is greatly increasing its enforcement activity.

  6. Kline: “Look at your legal options if you find yourself defrauded.” For instance, the dentists who purchased the software [from Henry Schein] under allegedly false pretenses have grounds for legal action.


The primary responsibility for compliance with healthcare data privacy and security standards rests with the covered entity. It must show reasonable due diligence in selecting, contracting with, and monitoring performance of, software vendors to avoid liability for the foibles of its vendors.

Ensure your medical practice complies with HIPAA data privacy

Do have a plan

When it comes to HIPAA compliance, a minimum plan is better than none. A basic policy forbidding employees to release patient health data and covering paper documentation and online viewing in the office is a good start. Make this policy a part of your New Hire Orientation Packet. Some of the best policy practices, however, incorporate items related to security access and protocol, non-use of public servers or unsecured Internet hotspots, and reporting infringements without retaliation from the employer. A solid IT team will assist you with implementation and policy for your technology resources. You will also want to confirm you meet your state’s privacy laws and that your service providers meet compliance at a federal and state level.


Do provide safeguards for physical and online archives

One key aspect of HIPAA relates to information storage - on site, online or off premises. If this is paper documentation, a simple lock and key system may suffice with a limited number of users. For online systems, it’s important to train staff on how to prevent unauthorised access. Each computer station, application or program, and website requiring a login should be accessed by each individual with his or her own unique username and password. Be sure that if an employee voluntarily leaves or is terminated, you have a procedure in place to deactivate or delete that person’s access to all systems.


Do involve all staff levels 

Most plans for HIPAA compliance work best when everyone is in the loop. From doctors to front desk clerical workers, everyone should know what the business policy is and how to achieve it together. When you are creating or revising your policy, a facilitated group meeting can raise points and identify potential risks that may otherwise have been overlooked.


Do brainstorm the most effective communications protocols

With information overload and the many hardships medical businesses encounter in meeting HIPAA compliance, your patients will want to know how you handle their sensitive information, especially as more and more practices utilise electronic health record systems. Have handouts or other materials available to assure them you have a system in place to proactively manage and handle their data. Your plan should also include procedures on how your staff discusses patient cases on and off site and the importance of keeping identifiable patient information secure. Offices that take time in coming up with a good system stand the best chance of building a truly adaptive HIPAA compliance plan.


Do ask questions

Some government agencies and other groups can help advise a medical business on the best way to comply with HIPAA, where doctors who try to do this entirely on their own can overlook some major issues or take compliance entirely too far. Questions to ask might include:

  • What are the basics my plan has to include? What elements aren’t mandatory but necessary?
  • What security measures are required for technology resources?
  • How often do I have to update my policy?
  • What information is not restricted by HIPAA?
  • Do I have to inform my patients on how I use or disclose their information?


Do not assume that staffers will get the message

Passive office structures often leave key people uninformed and uninstructed. Make sure that messages on HIPAA compliance and other critical administrative aspects get to all of the right people on a regular basis. If it is a policy or procedure, formalise this process with a sign off and acknowledgement that the individual has read, understood, and will comply.


Do not overbuild HIPAA infrastructure

Some medical offices fall into the trap of creating elaborate indoor areas with fountains, cubicles, or other sound reducing features. While this may be effective in some cases, in others, it may not be enough for true compliance and might also end up being quite expensive. Ensure that the basics are met including keeping all paper based patient and financial sensitive data face down or covered, computer screens go blank if unused after a certain time frame, and computer programs are set to auto logout if idle after a specific amount of time has passed.


Do not act only on a punitive basis

One of the big mistakes made by top management is to disregard HIPAA compliance issues until there is a breach, and then come down hard on employees. Instead, create the up-front plan to be more informative than threatening so that employees will feel safe in voicing concerns without fear of reprisal. You may want to include a section on how to report a potential or actual breach and the action steps that will follow.


Do not just have a paper plan

HIPAA compliance plans that happen in back rooms are sometimes just filed away and never acted on. While this might be somewhat of a hedge in the case of HIPAA violation, it’s not really going to do much during any kind of substantial audit. Review and update your plan at least annually and take the time to retrain your staff on meeting compliance.


Do not overlook social media

From regular e-mail to Facebook and Twitter, there are a lot of new ways that employees can unknowingly create HIPAA violations. Cover all of these social media platforms in your staff training and certainly address them in your HIPAA compliance plan. Cover specifics such as never posting information about actual patients unless you have written consent from the patient, never using patient names in electronic communications unless the platform meets HIPAA compliance, and never posting photographs unless written authorisation from the patient is on file.


Keeping Staff HIPAA Compliant Best Practices

It is important for medical providers and medical groups to comply with HIPAA, because non-compliance can cost fines of up to $50,000 or more for a violation.

As per HHS’ OCR (Office for Civil Rights), which implements HIPAA, corrective actions are most often needed in private practices. Other medical facilities that require correction are general hospitals, pharmacies, outpatient facilities and health plans.

The Office for Civil Rights has resolved 2,385 HIPAA violation cases since 2003 through changes in private practices, corrective actions or technical assistance. In 26 other cases, HIPAA violations have amounted to $23 million in fines paid by national pharmacy chains, hospital chains, medical provider offices and others.


What can you do to keep your staff HIPAA compliant? Some of the best practices are:

  • Train your staff to handle PHI (protected health information) appropriately.
  • Employ a staff member exclusively to manage HIPAA compliance and security standards, and to educate other staff members from time to time.
  • Give different staff members different levels of access, to prevent breaches beyond a staff member’s scope of work.
  • Do not allow staff to share passwords.
  • Make it a point not to disclose PHI unless it is necessary.
  • Staff must be warned against accessing patient records unless necessary and written permission must be taken before accessing such records.
  • Computer programs must be properly logged out of before moving to another task. You can use practice management systems that go offline after a set amount of time.
  • Safeguard electronic data using passwords, encryption and authentication wherever required.
  • Use two-step verification processes. For example, use a password as well as voice detection, mobile phone verification or fingerprint detection.
  • If patient details are stored in paper files, keep them in locked cabinets, shred them on disposal, and use a cover sheet when faxing.
  • Always use a HIPAA compliant server for data security; such a server safeguards patient records.
  • Make sure all third parties involved in your medical business comply with HIPAA guidelines.


HIPAA Compliance Tips for Medical Practices

Complying with HIPAA is more critical — and more complicated — than ever. The government is ramping up its efforts to crack down on violations, and small- to medium-sized practices are no exception.

In April 2012, a five-physician cardiac surgery practice in Arizona became the first small practice to pay a significant HIPAA-related penalty to HHS — to the tune of $100,000. The investigation stemmed from a complaint that the practice posted surgery and appointment schedules on a publicly-accessible Internet-based calendar. The department's Office of Civil Rights (OCR) found that the practice had implemented few policies and procedures to comply with HIPAA, and had limited safeguards in place to protect patients' electronic protected health information.

This case is "a wakeup call for smaller practices that they can get on the [government's] radar screen," says Elizabeth Warren, a Nashville-based health law attorney at Bass, Berry & Sims. "Certainly [OCR] could have looked at the situation this group had and just advised them on how to fix it, but they did choose to impose a penalty and the resolution agreement and kind of put them publicly out there," Warren says. " ... It definitely seems to point to, if you're not doing anything or not doing much of anything [to comply], you may trigger an enforcement action even if you're small."

The HITECH Act, which was part of the American Recovery and Reinvestment Act of 2009, enhanced privacy and security enforcement provisions and increased penalties. It also required HHS to provide for periodic audits to ensure covered entities are complying with HIPAA.

To help ensure you are prepared for whatever HIPAA-related issues may be heading your way, here's what experts say your practice should be doing — and what it should definitely not be doing — when it comes to the privacy and security rules.


Do polish your policies

To ensure you are ready if an auditor comes knocking, critically assess your policies and procedures and update them if necessary, says Ericka Adler, a health law attorney at Kamensky Rubinstein Hochman & Delott, LLP, based in Lincolnwood, Ill. "I think one of the most important things is that a lot of practices did what they were supposed to do [when the laws first came out] in terms of getting their policy together and getting their forms out there, and they haven't talked about HIPAA since," she says, noting that some of the laws have changed and practices need to alter their policies accordingly. In addition, practices must have an active program in terms of training staff on the privacy and security rules, tracking patient record requests, HIPAA violations, etc. "HIPAA needs to be a living breathing part of a practice and not a policy that sits on a shelf so the practice can say they have a policy," says Adler.

Keep in mind that new technology use at your practice or by your staff members, such as e-mail and social media, could lead to privacy and security issues. Make sure your policies account for these changes, says Sharona Hoffman, a professor of law and bioethics at Case Western Reserve University School of Law in Cleveland. "Technology always gives rise to a lot of benefits, but it also creates a lot of risks, and you have to be sensitive to those," she says. "... You have to make sure that security is maintained."


Do audit effectiveness

Ensuring all your policies and procedures are updated is a good start, but you must also make certain those policies are working. As Adam Greene, a health law attorney and partner at national business and litigation law firm Davis Wright Tremaine LLP, points out, "A lot of things sound good on paper, but in practice don't actually work." For example, "If your policy that you created back in 2003 was that all protected health information should go in the orange bin, which will then be sent to the shredder, it's worth looking into whether that's actually working — and there's a pretty good chance that it won't be," he says. "It's always better to find that out yourself rather than through a patient complaint, or ... an OCR audit."


Do plan for worst-case scenarios

If a security or privacy breach does occur at your practice, it's crucial to handle it quickly and appropriately. "You definitely want to make sure you've got a HIPAA breach policy, which not everybody does …" says Warren. Covered entities must notify individuals affected by a breach within 60 days of its discovery, and the sooner they are notified of a breach the better, she says. "The privacy officer needs the more detailed map of — if this happens, here's what I do, here's what notifications have to go out — but the rank and file don't necessarily need to know all of that detail. They just need to understand things have to be reported quickly, and then I think it's helpful to provide training of concrete examples of things that should be reported." For example, reporting a stolen or missing laptop or thumb drive, even if staff believes it is encrypted or does not contain personal health information, or mistakenly providing private information to the wrong patient.


Do reevaluate and reeducate

It's important to provide HIPAA training to staff as soon as they begin working at your practice. But one initial training session is not sufficient, says Adler. "I recommend to my clients that you make this an annual event because it just fades into the background unless [HIPAA compliance] is something that's repeated to employees all the time," she says. "They just forget about it and they don't even think in certain contexts, 'Oh yeah, HIPAA, I need to remember about that.' There should be a constant education program."

Consider mixing smaller HIPAA training sessions in with other staff gatherings, says Greene. For instance, if you want to train staff members on a specific scenario, such as what to do if a police officer asks for information about a patient, add it to the agenda at a monthly staff meeting. Also, just as you should your other policies, ensure your training program is continually updated and revised.


Do tailor to job function

Keep in mind that while every policy needs to have a staff member trained on it, not every staff member needs to be trained on every policy, says Greene. "Your training should not be focused on making everyone a HIPAA expert," he says. Instead, it should cater to each employee's particular needs. For instance, "The person who's responsible for responding to requests for medical records may need to have different training than the receptionist,

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004

No comment yet.

HIPAA: Not Just for Medical Practices

By now, most people who work in healthcare know that physicians, dentists and other medical providers must comply with the Health Insurance Portability and Accountability Act of 1996 – usually known as HIPAA – or face stiff penalties. But not everybody realises that many jobs outside of direct patient care also demand strict adherence.

The HIPAA Privacy Rule mandates that “covered entities” who deal with protected health information follow measures to keep data private. This information is anything that can be used to identify a patient. It may relate to their health condition (past, present or future), provision of healthcare, or payment for healthcare. Something as simple as a birth-date, name or address — as well as obviously sensitive information like Social Security numbers – is considered protected health information.


Exactly who is responsible for meeting HIPAA regulations? Anybody who meets HIPAA’s definition of a covered entity, such as health plans, healthcare providers and healthcare clearinghouses. On the surface, this sounds clear. But beyond the optometrists and chiropractors are less obvious covered entities. Nonprofit organisations, schools and government agencies which provide some healthcare services must also comply with HIPAA.



Organisations that perform both covered and non-covered functions may decide to become what is known as a “hybrid entity.” The organisation designates which are the healthcare components within its operation, and which components are not. The healthcare components must then comply with HIPAA rules.

Consider a university. If a university includes an academic hospital which electronically transmits health records – and many other departments which have nothing to do with health information – the university may decide to be a hybrid entity. It can designate the hospital as its healthcare component, while departments like geography and engineering are clearly separate. The privacy rule would then apply only to the hospital and other designated components, governing health info maintained, created or received by or on behalf of these healthcare components. If the hospital were to disclose patient information to other parts of the university, it would be regulated just as if the data were being disclosed to an entity outside the university. A university research lab that also serves as a healthcare provider may or may not be included as a designated healthcare component, depending on whether or not it conducts specified electronic transactions.



Most states have gone above and beyond federal standards when it comes to HIPAA. Texas has especially strict medical privacy rules. In 2012, Texas created the Texas Medical Records Privacy Act, one of the country’s most stringent. Texas expanded the definition of “covered entity” and “business associate” to make even more organisations comply with HIPAA. For example, accounting firms, law firms, government agencies and insurance providers who come into possession of protected health information all squarely fall within the Texas definition.

A variety of Texas codes include privacy laws regarding health information, such as the Texas Occupations Code, the Texas Code of Criminal Procedure, the Texas Family Code, and many others. Everything from blood donations to hearing loss in newborns to mental impairments in offenders in correctional facilities is covered by some Texas code.

Texas also requires more extensive HIPAA training, and not just for physicians. Business associates and subcontractors who work with healthcare providers must undergo training, and may be found liable if they don’t. The Texas laws apply mostly to entities who exchange protected health information electronically.



What does it take to keep protected health information safe? Unfortunately, it takes a lot. The IT departments of most covered entities are overwhelmed by HIPAA rules, and many simply can’t afford the safeguards needed to comply. HIPAA-compliant data centre environments provide a secure solution for covered entities. All records must retain three properties:

  1. Integrity – the information within medical records must remain accurate.
  2. Confidentiality – medical records are viewed only on an as-needed basis by professionals.
  3. Availability – medical records can be recalled at a moment’s notice with little to no downtime.

Ensuring HIPAA Compliance for Your Medical Practice

With the adoption of electronic health records (EHR) systems, a changing health insurance landscape, and rapid technological advances, it seems that no other industry is undergoing as much change as the healthcare industry. Add mandated compliance with the HIPAA final omnibus rule, which went into effect in September 2013 and strengthened provider requirements for ensuring patient privacy protections, and healthcare providers have a lot to think about.


The evolving HIPAA landscape is also reflective of—and a direct response to—the countless privacy breach threats the healthcare industry faces. Hospitals, institutions and small practices are increasingly targeted for the acquisition of confidential patient information. Providers who do not adequately protect patient health information (PHI) not only risk damage to their reputation and face civil lawsuits, but also run afoul of increasing scrutiny by the Department of Health and Human Services Office for Civil Rights (OCR). Recently, the OCR handed out a record-breaking $4.8 million HIPAA fine to New York Presbyterian Hospital and Columbia University Medical Center for failure to protect PHI. This should serve as a cautionary tale, not only for large healthcare institutions but also for doctors and practitioners with smaller practices.


HIPAA compliance doesn’t necessarily mean having to invest in costly electronic systems; often it comes down to basic, common sense methods for maintaining continuous privacy for your patients’ health information. While the pilfering of electronic health information through hacking and cyber-attacks is certainly on the rise, breaches of hardcopy information are still common.

For example, in another recent occurrence, a complaint was filed against a large drugstore chain for alleged HIPAA violations, including accusations of PHI being left unattended on desks and in public areas. While the OCR did not find widespread or systematic non-compliance, individual instances were noted and suggestions were made for ensuring safeguards, one of which was enhanced staff training.


Protecting patient privacy

These troublesome violations highlight the need for ongoing HIPAA training of the doctors, practitioners and administrative staff within your practice. All employees should understand privacy and security policies and associated consequences of a violation. Policies for the handling of PHI should also be made clear. Procedures for storing, accessing and disposing of medical records and business documents should also be clearly outlined.

Patient information should never be left in plain view for others to see. On-site file rooms should be locked and access to records highly regulated. Inactive files should be transferred off-site to a secure records center where they can be protected and managed for the duration of their retention life cycle.


Records and other paperwork should promptly be disposed of. A secure NAID AAA certified shredding service eliminates expired records being left on desktops or workstations where they run the risk of being compromised. Shred collection containers can be strategically placed within your practice, enabling documents and files to be quickly and securely disposed of and shredded in accordance with HIPAA standards.



What HIPAA compliance says to Physicians?

Compliance with the updated regulations requires medical practices to:

  • conduct a risk analysis to determine the vulnerability of electronic protected health information (PHI) to loss or theft, and document that they have done so;

  • encrypt patient PHI so that it can’t be used if it’s lost or stolen;

  • review policies and procedures for what to do if PHI is lost, stolen, or inappropriately disclosed;

  • review contracts with vendors and other “business associates” that have access to PHI to ensure that the vendors have proper safeguards in place to secure patient PHI.

The penalty for unauthorized disclosure of PHI consists of fines that range from $100 to $50,000, depending on the circumstances of the disclosure and the size of the practice.

The new regulations also:

  • allow patients to forbid disclosure of information about a test or treatment for which the patient has paid out-of-pocket, thus requiring practices to be able to identify and separate information a patient has asked not to be disclosed so that it’s not accidentally sent to an insurance provider;

  • permit patients to request their health information in electronic form, and require practices to comply with the request within 30 days with one 30-day extension permitted; and

  • require practices to update their notice of privacy practices to include all patients’ rights, send the updated notice to all patients, and post it in the practice’s office and on its Web site.


Personally Identifiable Information: HIPAA Best Practices

For most healthcare organizations, protecting patient privacy is the most important aspect of HIPAA, and the most difficult. HIPAA uses the term Protected Health Information (PHI) to refer to protected data, but the concept is very similar to the term Personally Identifiable Information (PII), which is used in other compliance regimes. Understanding how PII and PHI overlap can help organizations unify compliance efforts across regimes, reducing the risk, cost and complexity of keeping data safe.


PHI vs. PII: As the name implies, personally identifiable information is any data that can identify a person. Certain information like full name, date of birth, address and biometric data are always considered PII. Other data, like first name, first initial and last name or even height or weight may only count as PII in certain circumstances, or when combined with other information.


For example, a record that referred to “Mr. Smith in New York” would be unlikely to contain enough information to give away the subject’s identity. If the patient had a less common name and lived in a small city, however, it would probably count as PII, since it would be easy to deduce who the subject was.


Although it doesn’t explicitly address personally identifiable information, HIPAA regulates situations like this under the term Protected Health Information. PHI includes anything used in a medical context that can identify patients, such as:


  • Name
  • Address
  • Birthday
  • Credit card number
  • Driver’s license
  • Medical records


PHI is subject to strict confidentiality and disclosure requirements that don’t apply to most other industries in the United States. In other words, protecting PHI is always legally required, but protecting PII is only mandated in some cases.


Developing a Unified Compliance Approach


The United States is unusual in having no single privacy and data protection standard or government entity. Instead, American companies face industry-specific laws, along with city, state and international compliance regulations.


Although this allows many industries to use consumer data more extensively, it also creates serious compliance risks. For example, because California has tougher PII laws than other states, a company that legally tracks users from Nevada when they visit its website could breach compliance if a Californian surfed in.

Although PHI requirements are strict, a HIPAA compliance checklist won’t necessarily address PCI, EU data protection laws and other regulations. Rather than developing individual programs for each regime, organizations should implement PII security best practices across the board, then iterate to meet remaining, regime-specific rules.


Auditing PII: Developing Compliance-Ready Security


Good security starts with identifying PII across your organization, whether it’s in medical databases, email, backups or a partner’s IT environment. PII then needs to be categorized by how much harm a breach could cause — a measurement known as the confidentiality impact level. The NIST recommends considering the following factors:


  • Identifiability: Is it easy to uniquely identify the individual using the PII?


  • Quantity of PII: How many identities could be compromised by a breach? The way your data is organized is a factor. For example, a clinic would likely have more PII at risk if it shared a database with allied clinics than if it maintained a separate database.


  • Data Field Sensitivity: How much harm could the data cause, if breached? A phone number is less sensitive than a credit card or social security number, for example. However, if a breach of the phone number would most likely also compromise name, SSN or other personal data, that phone number should be considered sensitive.


  • Context of Use: Does the way the information is used affect its impact? For example, imagine your hospital had an opt-in a newsletter to patients, doctors, organizations and other community members. A list of newsletter subscribers would contain the PII of some patients, but that info would be less sensitive than the same PII in patient medical records, since it wouldn’t necessarily indicate patient status.


  • Obligations to Protect Confidentiality: What information are you required to protect under HIPAA, HITECH, PCI and other regimes? This is obviously a key consideration for healthcare organizations.


  • Access to and Location of PII: The personally identifiable information HIPAA governs is often stored, transported and processed by third party IT services, accessed offsite by medical professionals who aren’t employees of the organization and processed by a variety of business associates. This creates risks that wouldn’t be present, for example, if the PII were locked in a vault, and could only be accessed by one doctor.


Implementing PII Security Best Practices


Any data you store is potentially vulnerable. Collecting less data and purging unnecessary PII from your records is the easiest way to reduce that vulnerability. You should also de-identify data where possible. When done properly, measures like anonymizing patient feedback and removing or tokenizing PII can take that data out of the scope of HIPAA entirely.
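The de-identification step just described (drop direct identifiers, tokenize what must remain linkable, generalize the rest) can be made concrete. The following is an added example, not code from the article: it assumes flat dict records keyed by an MRN, a secret key held only by the covered entity, and illustrative generalization rules (birth year only, ages over 89 pooled, three-digit ZIP prefix). Which fields count as identifiers in a real dataset is a policy question the code does not settle.

```python
"""De-identify patient records before sharing them outside the covered entity.

Added example, not code from the original article. Assumes a flat dict per
record with an 'mrn' (medical record number) field, a secret key held only
by the covered entity, and illustrative generalization rules (birth year
only, ages over 89 pooled, three-digit ZIP prefix).
"""
import hashlib
import hmac
from datetime import date

# Constructed sample records; every name and value here is fictitious.
SAMPLE_RECORDS = [
    {"mrn": "000123", "name": "Julie Jones", "dob": "1984-03-17",
     "zip": "10027", "phone": "212-555-0142", "dx": "E11.9"},
    {"mrn": "000123", "name": "Julie Jones", "dob": "1984-03-17",
     "zip": "10027", "phone": "212-555-0142", "dx": "I10"},
    {"mrn": "000777", "name": "Sam Patel", "dob": "1930-11-02",
     "zip": "03431", "phone": "603-555-0199", "dx": "J45.20"},
]

# Direct identifiers removed outright from the shared copy (illustrative list).
DROP_FIELDS = ("mrn", "name", "phone")


def pseudonym(mrn: str, key: bytes) -> str:
    """Keyed token for a patient. The same patient always maps to the same
    token under one key, so records stay linkable for analysis, but nobody
    without the key can recover the MRN or confirm a guessed one."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def generalize_dob(dob_iso: str, as_of_year: int) -> str:
    """Keep the birth year only; pool everyone older than 89 into one bucket."""
    year = int(dob_iso[:4])
    return "90+" if as_of_year - year > 89 else str(year)


def generalize_zip(zip_code: str) -> str:
    """Keep the first three ZIP digits (the ZIP3 area) and zero-fill the rest."""
    return zip_code[:3] + "00"


def deidentify(record: dict, key: bytes, as_of_year: int) -> dict:
    """Copy of `record` with direct identifiers dropped, the MRN replaced by
    a keyed token, and quasi-identifiers (dob, zip) generalized."""
    out = {k: v for k, v in record.items() if k not in DROP_FIELDS}
    out["token"] = pseudonym(record["mrn"], key)
    out["birth_year"] = generalize_dob(out.pop("dob"), as_of_year)
    out["zip3"] = generalize_zip(out.pop("zip"))
    return out


def deidentify_all(records: list, key: bytes, as_of_year: int) -> list:
    return [deidentify(r, key, as_of_year) for r in records]


if __name__ == "__main__":
    # The key lives with the covered entity, never alongside the shared data.
    shared = deidentify_all(SAMPLE_RECORDS, b"constructed-demo-key", date.today().year)
    for row in shared:
        print(row)
```

Because the token is an HMAC rather than a plain hash, someone holding the shared dataset cannot confirm a guessed MRN by hashing it themselves; the key, and any token-to-MRN lookup table kept for re-identification, stays inside the covered entity and is itself PHI.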


Access control is another valuable PII security best practice. Sensitive information should only be accessible by people who need it to do their jobs. For example, front desk staff who don’t handle billing don’t need access to complete medical records.

In any compliance regime, all sensitive information should be encrypted by default. HIPAA compliant email and encrypted cloud storage prevent hackers from deciphering PII, even if they intercept it.



Beyond Personally Identifiable Information — HIPAA Business Associates


HIPAA goes beyond PII security best practices in its requirements for partner organizations. Under the HIPAA privacy rule, health care providers have considerable legal liability for breaches caused by business associates.


Cloud services, contractors, medical claim processors and most other organizations which use, store or process PHI all count as business associates. You need to sign Business Associate Agreements (BAAs) with each of these organizations, describing:


  • Appropriate use of PHI
  • Safeguards for preventing breaches
  • Steps to remediate breaches and violations
  • Breach notification procedures


Your organization should evaluate business associates carefully to ensure they’re actually capable of holding up their end of the bargain. Organizations should have clearly documented data security policies and practices in place before they sign a BAA, and should voluntarily undergo regular audits to ensure compliance.


Beyond Personally Identifiable Information — HIPAA Notices and Notifications


HIPAA also has strict requirements for how health information can be used and disclosed, and requires a notice of privacy practices be provided to the patient. The notice of privacy should cover a range of information, including:


  • How the organization can use and disclose the patient’s information
  • The patient’s rights
  • The organization’s duty to protect the information, and other legal duties
  • Who the patient should contact for more information


HIPAA also has specific rules for breach notification. Under HIPAA compliance best practices organizations must notify anyone whose data has been compromised within 60 days of the breach. Making sure your partners use encryption is crucial. Encrypted data is exempt from breach notification, unless the key is exposed as well. In many cases, this can make the difference between a close call and a costly breach notification.


Following PII security best practices helps organizations err on the side of caution. HIPAA isn’t a set of arcane and arbitrary rules to make your life difficult — it’s a useful framework to ensure a high standard of care and confidentiality for your patients. A PII best practices approach simplifies compliance by turning it into a single set of rules that can be used across your organization. That makes it easier to keep patients safe, and ensure sensitive information doesn’t fall through the cracks.




HIPAA’s Role in Fostering Trust between Patients and Providers

The following scenario is true, but some of the details have been changed to protect the innocent, and the guilty. The setting is the cramped reception area of a small dental practice. The office manager, who also works the front desk, is on the phone there with a patient.


“Julie Jones? This is Dr. Burton’s office. Your lab results are in and they indicate you’ve tested positive for an STD. You’ll need to schedule an appointment as soon as possible with your primary care physician.”


Her voice drifts over into the nearby waiting room. A few people look up from the magazines they’ve been flipping through. One of them, who happens to be a neighbor of Ms. Jones, arches an eyebrow and softly clucks her tongue. Information that should be confidential between this office and patient is now dangerously close to public knowledge. With this particular neighbor in the know, people in Julie’s cul-de-sac will probably hear these results well before her current boyfriend.


Informing patients of test results is a normal and necessary part of the workday at every office that deals in healthcare. But in this case, having that conversation where it can be overheard violates Ms. Jones’ right to privacy, a right protected by the law known as HIPAA.


Privacy. A fundamental patient right.


With so much involved in running a successful healthcare practice today, it’s easy to understand how HIPAA has come to be viewed as more of a nuisance than a necessary part of good care. But at its core, HIPAA isn’t about extra logistical hassles or additional work, it’s really about best practices — and creating and maintaining a professional environment that protects every patient’s rights.


The relationship patients have with healthcare professionals is one that involves openness, honesty, and a deep level of trust. Patients tell their providers things about themselves that few others know, intimate details of their lives and health histories.

And they expect that their privacy will be respected – by their doctors and dentists, staff members, and other providers such as labs, XRAY services, and anyone and everyone involved in their treatment. Patients expect that outsiders will not be able to access their information, and that those who need to know will be able to view only the information that’s necessary for treatment.


This way of dealing with health information is more than professional courtesy, it’s a fundamental patient right – the very issue that HIPAA speaks to, ensuring that patients will know when their rights have been violated and can feel confident that the law will be enforced and violations punished.


If patient information isn’t protected, the effects can be far-reaching. In the wrong hands, a person’s health information can be used to tarnish his or her reputation or cause financial harm. In some cases, compromised information can even negatively impact care.


HIPAA helps keep patient data safe

Modern technology has facilitated the quick dispersal of information among various entities; HIPAA helps keep all that data safe. From installing firewalls in the office’s computer system to training employees in the proper protocols when contacting patients, HIPAA, in essence, is all about safeguarding every patient’s right to privacy, security and respect.


Ensuring a patient’s right to privacy is essential to the practice of good healthcare — and a vital part of the covenant between providers and patients. Implementing the mandates of HIPAA plays an important role in building and maintaining patient trust and a thriving practice.


3 Email Security Tips for HIPAA Compliance

The passage of HIPAA in 2006 and HITECH in 2009 sent a clear message: the medical industry needed to move beyond paper records and low security ASAP. By now, secure, convenient digital communication between medical providers, patients, colleagues and even other facilities should be the norm. Yet today, many facilities struggle to get even a single patient to use their pricey portals.

The industry won’t solve this problem until providers revisit their most convenient, accessible and (if used properly) secure communication tool: email. Use these HIPAA email security tips to raise digital adoption rates and simplify compliance in your organization.

1. Protect the Login

HIPAA administrative safeguards require organizations to “Implement procedures for creating, changing, and safeguarding passwords.” Passwords should contain at least 12 characters, including upper and lowercase letters, numbers and symbols. Multi-factor authentication enhances security by requiring users to enter an extra code — such as a number texted to their phone — each session.

HIPAA also requires organizations to monitor logins for improper access. For Gmail users, Google Apps security settings can help, allowing your admins to mandate strong passwords and multi-factor authentication, monitor accounts and respond to potential breaches.
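As an added illustration of the two controls in this tip (a password rule and login monitoring), here is a small Python check; it is not the article's code and not a Google Apps feature. The policy rule follows the text; the log line format, the account names and IP addresses, and the alert threshold of five failures in ten minutes are constructed assumptions for the demo.

```python
"""Password-policy check and login monitoring for a mail system.

Added example, not from the article or from Google. The policy mirrors the
text (12+ characters with upper, lower, digit and symbol). The log format,
the accounts and IPs, and the threshold (five failures within ten minutes)
are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def password_meets_policy(pw: str) -> bool:
    """True only if pw has 12+ characters and each required character class."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 12 and all(re.search(c, pw) for c in classes)


# Constructed login log: timestamp, account, source IP, outcome.
SAMPLE_LOG = """\
2024-05-01T08:01:10Z frontdesk 203.0.113.7 FAIL
2024-05-01T08:01:40Z frontdesk 203.0.113.7 FAIL
2024-05-01T08:02:05Z frontdesk 203.0.113.7 FAIL
2024-05-01T08:02:50Z frontdesk 203.0.113.7 FAIL
2024-05-01T08:03:30Z frontdesk 203.0.113.7 FAIL
2024-05-01T08:04:00Z frontdesk 203.0.113.7 OK
2024-05-01T09:15:00Z billing 198.51.100.20 OK
2024-05-01T09:40:00Z billing 198.51.100.20 FAIL
2024-05-01T11:00:00Z drsmith 192.0.2.44 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that don't match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, outcome = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "ok": outcome == "OK"})
    return events


def detect_failure_bursts(events: list, threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> list:
    """Sliding window over each account's failed logins. An alert records the
    account, the time the threshold was crossed, and whether a successful
    login followed within the window (the case that calls for a credential
    reset and MFA review rather than a lockout alone)."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if not e["ok"]]
        start = 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                crossed = fails[end]
                followed = any(e["ok"] and crossed <= e["ts"] <= crossed + window
                               for e in evs)
                alerts.append({"user": user, "at": crossed,
                               "success_followed": followed})
                break  # one alert per account per run is enough here
    return alerts


def analyze(text: str) -> list:
    return detect_failure_bursts(parse_log(text))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The detector deliberately distinguishes a burst of failures that ends in a success from one that does not: the first is the pattern of a guessed or stuffed password and should trigger a reset, while the second is more often a user who forgot a password and needs the help desk.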

2. Assume Low Technological Knowledge

HIPAA and HITECH require use of ePHI in all aspects of medical care. Healthcare portal systems are a common solution, allowing patients and healthcare providers to send secure, encrypted messages.

Unfortunately, patients aren’t using them. In a recent study, 66.4% of hospitals received no patient requests for EHR, causing CMS to scale back meaningful requirements to a single EHR request. Patients either don’t understand portals, or don’t want to bother installing software, creating an ID and learning the interface. Until providers adopt digital tools that don’t inconvenience patients, things aren’t likely to change.

Virtru Pro secures existing email accounts, removing the inconvenience of portals. Patients and providers can send HIPAA compliant encrypted emails with one click, without creating new logins or learning complex interfaces.

It also helps reduce your exposure risk against breaches by allowing users to revoke emails (even after they’ve been read), disable forwarding, and set time limits on messages.

3. Anticipate and Prevent Errors

Don’t assume everyone will use technology correctly. Sooner or later, someone in your organization will send ePHI to the wrong email address, forget a HIPAA rule or make some other mistake — unless your system can stop user errors and retrain employees.

Virtru DLP can automatically stop potentially non-compliant emails before they’re sent. Our HIPAA Compliance Rule Pack detects sensitive information, such as patient names, national provider numbers, dates, and ICD- and ICD-10 codes, triggering customizable rules that prevent breaches. Rules can be set to automatically encrypt the sensitive message, or to pop up warning messages that double as email security tips, retraining your users while stopping them from breaking compliance. Rules can also be set to strip attachments and even forward copies of suspicious messages to supervisors.
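To show what a rule pack of this kind actually does, here is an added Python example of outbound-mail PHI detection; it is not Virtru's code or rule set. It assumes messages are dicts with 'to', 'body' and 'attachments', that the covered entity's own mail domain is clinic.example, and a constructed patient roster; the ICD-10 pattern is a structural match that will also flag look-alike strings such as room numbers, which is why rules like these need tuning before they are allowed to block mail.

```python
"""Outbound-mail DLP check for PHI.

Added example, not Virtru's code or rule pack. Assumptions: messages are
dicts with 'to', 'body' and 'attachments'; INTERNAL_DOMAIN is the covered
entity's own mail domain; PATIENT_ROSTER is a constructed stand-in for an
EHR lookup; the ICD-10 pattern is structural and has false positives.
"""
import re

INTERNAL_DOMAIN = "clinic.example"

# Constructed roster of patient names; a real deployment would query the EHR.
PATIENT_ROSTER = {"Julie Jones", "Sam Patel"}

# ICD-10-CM shape: letter (U is reserved), digit, alphanumeric, optional
# dot and up to four more alphanumerics, e.g. I10, E11.9, J45.20.
ICD10_RE = re.compile(r"\b[A-TV-Z]\d[\dA-Z](?:\.[\dA-Z]{1,4})?\b")
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b")
TEN_DIGITS_RE = re.compile(r"\b\d{10}\b")


def npi_check_digit_ok(npi: str) -> bool:
    """NPI check digit: Luhn over the 9-digit base prefixed with 80840.
    Filters ten-digit numbers that are not real NPIs (e.g. 1234567890)."""
    if not re.fullmatch(r"\d{10}", npi):
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi[:9])):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10 == int(npi[9])


def scan(body: str) -> dict:
    """Return the PHI indicators found in body, keyed by kind (empty kinds omitted)."""
    found = {
        "icd10": ICD10_RE.findall(body),
        "date": DATE_RE.findall(body),
        "npi": [n for n in TEN_DIGITS_RE.findall(body) if npi_check_digit_ok(n)],
        "patient_name": [n for n in PATIENT_ROSTER if n in body],
    }
    return {k: v for k, v in found.items() if v}


def evaluate(message: dict) -> dict:
    """Decide what to do with an outbound message. Internal recipients get it
    as-is; external recipients get it encrypted plus a warning that doubles
    as training, and any attachments are held for supervisor review."""
    findings = scan(message["body"])
    external = not message["to"].lower().endswith("@" + INTERNAL_DOMAIN)
    if not findings or not external:
        actions = ["send"]
    else:
        actions = ["encrypt", "warn_user"]
        if message.get("attachments"):
            actions += ["strip_attachments", "notify_supervisor"]
    return {"findings": findings, "actions": actions}


# Constructed messages for the demo; addresses and names are fictitious.
SAMPLE_MESSAGES = [
    {"to": "patient@mail.example", "attachments": [],
     "body": "Your visit on 04/12/2024 for E11.9 is confirmed. Dr. Lee, NPI 1234567893."},
    {"to": "billing@clinic.example", "attachments": [],
     "body": "Please re-bill Julie Jones for I10."},
    {"to": "lab@partner.example", "attachments": ["chart.pdf"],
     "body": "Chart for Sam Patel attached."},
    {"to": "friend@mail.example", "attachments": [],
     "body": "Lunch at noon?"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["to"], evaluate(msg))
```

The NPI test uses the Luhn check digit computed over the nine-digit base prefixed with 80840, which is how NPI check digits are defined, so ten-digit numbers that merely look like an NPI are not flagged; the ICD-10 pattern has no such check and will match strings like "B12" in "room B12", so in practice it is the rule most in need of a review queue rather than an automatic block.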


HIPAA email compliance doesn’t have to be hard. Virtru email encryption allows hospitals to ensure ePHI is never left unsecured because a patient doesn’t understand your portal, or another facility uses different software. That means your organization can implement a single set of security practices for all ePHI, simplifying workflow and radically decreasing the odds of a HIPAA breach.




Why Should HIPAA Compliance Matter to You

Healthcare Professionals

If you are a healthcare provider or business associate, HIPAA compliance should matter because it is the law. According to the Code of Federal Regulations (CFR), if you are a provider or business associate who utilizes electronic health records, you must ensure the confidentiality, integrity, and availability of all records created, received, maintained, or transmitted. Civil monetary penalties for noncompliance that cause a breach of electronic patient records can be assessed up to $1.5 million. Criminal penalties can range from one to ten years in prison.

I believe one of the biggest issues facing small healthcare providers is lack of knowledge of exact requirements for HIPAA security compliance. Part of the problem for small providers is they often have an unclear understanding of what safeguards need to be in place for electronic health records. I see this as a huge concern. The U.S. Department of Health and Human Services (HHS) does an inadequate job providing specific guidance to small providers. It is difficult to navigate through the HHS website to find particular HIPAA compliance information.

I should know because I used to work for HHS and had oversight of complex health care fraud investigations. We had teams of lawyers and analysts to guide us in the regulatory world, whereas a small healthcare provider, if lucky, maybe will find the necessary guidance on the HHS website. Even then, the information becomes subject to interpretation by a provider with limited exposure to HIPAA regulatory compliance. Ask yourself how comfortable you are with this.


With more and more healthcare providers utilizing electronic health records, consumers (patients) need to ask those providers if they are doing everything they can to secure their health information. For consumers, HIPAA compliance matters because it equals assurance that the proper safeguards are in place to prevent unauthorized access, tampering, and theft of medical records.

A recent study by the Ponemon Institute found criminal attacks on healthcare providers have increased dramatically, up 100% since 2010. Unlike having credit information stolen where the bank or credit card company may notify the consumer about suspicious activity in a timely manner, health information compromises take longer to recognize. With all the recent emphasis on newsworthy data breaches, this is a wake-up call for patients who must treat their online health information as they would their credit information.

Medical identity theft is a profitable industry for criminals who can make a lot more money selling health information than credit card numbers. According to Dell Secure Works, an information security services company, criminals can get paid $20 for a person’s stolen health identity information, as compared to credit card numbers that may yield $1 to $2 apiece. As a former Assistant Inspector General for Investigations at HHS, I know that Medicare card numbers could be sold for up to $50 apiece. In addition, there is much more personal data at stake with health records, which can include sensitive information such as pre-existing conditions, full-blown medical histories, and prescriptions, along with a plethora of financial, employment, and family information.

So the next time you go to your healthcare provider and you are asked to sign a HIPAA release form, read the fine print. Know your rights and expectations of privacy. Most importantly, ask your providers what they are doing to protect your electronic health records.

Author: Jay Hodes is the President of Colington Security Consulting LLC and the former Assistant Inspector General for Investigations at the U.S. Department of Health and Human Services, Office of Inspector General. In that position he supervised over 200 Special Agents and professional support staff responsible for health care fraud and medical identity theft investigations throughout the eastern United States.

His company provides assistance with HIPAA Security Rule compliance by conducting risk assessments and writing practice specific risk management plans. The assessments identify vulnerabilities and risks; determine the potential impact and provide a gap analysis action plan to prevent unauthorized access, tampering and theft.


HIPAA Benchmarking Survey Reveals Reportable Breaches

In early, HCPro’s Medical Records Briefing (MRB) newsletter conducted a HIPAA benchmarking survey to gauge compliance with the HIPAA Omnibus Rule shortly after its September 23, implementation date. This year, MRB asked healthcare professionals to give us an update on their HIPAA compliance more than one year after implementation.


With the March 1 deadline for reporting breaches of PHI to HHS just around the corner, it seemed appropriate to ask respondents about breach notification. The percentage of respondents who said their organizations experienced a HIPAA breach in the past two years remained at 55%. However, more than half of respondents (54%) said their organizations have not experienced an increase in reportable breaches and do not anticipate one.


Some of this may be related to how organizations define a breach. In fact, one respondent said that his or her facility struggled most with determining whether an incident is a reportable breach.


The HIPAA Omnibus Rule eliminated the harm threshold and expanded the definition of a breach to include all PHI that is compromised, which some industry experts predicted would lead to an increase in reportable breaches.


The expansion of the definition of a breach may explain why some respondents say they have not experienced a breach in the last two years, says Chris Simons, MS, RHIA, HIM director and privacy officer at Cheshire Medical Center in Keene, New Hampshire. “I suspect they are not using the Omnibus standard for determining a breach, but instead relying on the old assessment of potential harm,” Simons says.


This year, 42% of respondents were HIM directors or managers, 30% were privacy officers, and 19% were compliance officers or managers. Based on this data, an increased number of HIM directors or managers appear to be serving as privacy officers at their facility. More specifically, 65% of HIM directors and managers responding to the survey also serve as the privacy officer.


HIPAA Compliant Data Backup Service

How to find a HIPAA compliant Data Backup Service

Nowadays you have to make prudent decisions while purchasing a practice management system, a user-friendly EHR, and also while choosing the type of computer the practice staff will use. It is common for us to think of data backup in terms of a hard drive or an external storage. But it is important to note that you are dealing with sensitive personal health data and you should ensure that the data is not lost in case of an emergency. Since HIPAA compliant data backup is mandatory, it is a good idea to hire a data backup service.


First of all, make sure the data backup service vendor is HIPAA compliant, which means it complies with the HIPAA Security Rule. The rule requires the vendor to have four safeguards in place. According to the Office of the National Coordinator for Health Information Technology (ONC), these safeguards help the medical practice close some of the common security gaps that could lead to data loss and cyber-attack. The four safeguards are detailed as follows:


  1. Physical Safeguards – These safeguards deal with infrastructure factors such as secure access areas, locks and protection against unauthorized entry into the ePHI (electronic protected health information) systems. They also protect the building that stores the information from environmental or natural hazards. Make sure your vendor has policies, procedures and technology to control access to ePHI.
  2. Administrative Safeguards – The policies, actions and procedures that make up administrative safeguards assist in the detection and prevention of security violations involving any ePHI. They include conducting a security risk analysis and taking action to reduce the identified risks.
  3. Organizational Standards – The vendor must be a “covered entity” with contracts or arrangements with other business associates that can access the ePHI when needed.
  4. Policies and Procedures – The vendor must maintain security policies and procedures in writing for at least six years (from the date of creation or the last effective date, whichever is later). The written policies and procedures must be reviewed and updated from time to time in response to organizational or environmental changes that might affect the security of ePHI. This is mandated in the Office of the National Coordinator’s Guide to Privacy and Security of Electronic Health Information dated April 2015. You should also be aware that the U.S. Department of Health and Human Services made use of HITECH (the Health Information Technology for Economic and Clinical Health Act) to support the HIPAA privacy and security rules.


Best Practices for Data Backup and Recovery


To comply with HIPAA, the data backup service should have a data backup plan, an emergency-mode operation plan and a disaster recovery plan. Together, these three plans demonstrate that the provider has the capabilities, policies and procedures to restore health information if an emergency occurs. This gives the medical practice peace of mind and keeps work uninterrupted.


How a Backup Service Provider can offer more help


A good HIPAA compliant vendor can offer additional benefits such as offsite data storage, which protects against a power blackout, natural disaster or malware attack. Automatic data backup means you no longer have to worry about backing up data periodically at your office. Several vendors also provide cloud based systems that store different versions of files at different physical locations for additional protection; this is known as ‘data redundancy’.
