HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Which Type of HIPAA Training Is Right for Your Practice?


How to Choose Training
In this year's NueMD survey, only 58% of the practices surveyed said they had implemented annual training for their staff. If you are not training annually, that is a major hole in your HIPAA Compliance Plan: you can have the best Compliance Plan money can buy, but without staff training it is effectively useless.

Two types of training are required under the HIPAA Law.

  1. Training on the HIPAA Law
  2. Training on your specific policies and procedures

Training on the law can be difficult, unless you happen to have a HIPAA expert on staff. Training on your specific policies and procedures, however, should be handled by internal staff who are familiar with your practice’s decisions since they likely had a hand in creating them.


What to Look for in Training
There are a multitude of training choices out there. Do you train everyone yourself, hire an outside resource, or use an online training solution? This is really a choice that is best answered by how confident you are in your knowledge of HIPAA, what your budgets look like, and the size of your staff.


Training Staff Yourself
Theoretically, this is the cheapest option, provided you have a strong understanding of HIPAA and a dedicated employee who can train your entire staff. However, many practices struggle to find an internal staff member that truly understands HIPAA, has the time to train staff annually, and can train any new staff as they come on board in addition to any other responsibilities they may have within the practice.

  1. Strengths - Cost effective, easy to incorporate new staff
  2. Weaknesses - Requires a staff member who understands all aspects of HIPAA, adds to that person's workload, leaves you to store training records internally, means finding time to train staff, and carries the cost of updating the material whenever HHS issues new guidance


Hiring an Outside Resource
Your legal counsel should be able to supply someone to train your staff on HIPAA and your Compliance Plan, but this is a more expensive option than training staff yourself. You may also run into trouble coordinating staff to be available when the trainer is onsite, and the approach is inflexible when new staff members come on board between sessions.

  1. Strengths - Expert trainer in office
  2. Weaknesses - Difficult to incorporate new staff into training program, expensive, finding time that is convenient to train all staff at same time


Online Training
For many practices, this has all the benefits they are looking for: expert training, cost-effective, and easy to incorporate new trainees as they come in. The drawback is that you still need to train your employees on the specifics of your own plan, and online training only works if it is motivating and memorable.

  1. Strengths - Cost effective, easy to incorporate new staff, expert training, staff can train when it is convenient for their schedule
  2. Weaknesses - May not be up-to-date and still have to train staff on specifics of your practice’s HIPAA Compliance Plan

Any of these three approaches can be pretty boring. I recommend you try the training before you buy in, and make sure it’s not the dreaded “Death by PowerPoint.”


What about HIPAA certifications?
This is actually a marketing claim that will ultimately end up costing you more money with little to no additional benefit. HHS does not have a certification program, nor do they recognise these certifications. Usually, this is a way for companies to justify charging more for their services. 


What are auditors looking for?
In the upcoming audits, HHS is going to be looking at your training logs. This means recording the date each workforce member was last trained, individual test scores, and the regular training updates you have delivered. The training records are important to show that you are taking HIPAA seriously and have consistently trained your staff. If you do not dedicate a budget to HIPAA compliance and training, you probably will not meet OCR's requirements for HIPAA training.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004

No comment yet.

A New Way to Sue Health Care Professionals Using HIPAA?


Walgreens has been ordered to pay $1.44 million in a lawsuit brought against it for a violation of the Health Insurance Portability and Accountability Act (HIPAA) by one of its pharmacist employees.  While this may not sound like a big deal, this case represents only the second time HIPAA has been successfully used this way in court and it could have serious repercussions on the health care system.

The story begins when a Walgreens pharmacist looked up the medical records of her husband’s ex-girlfriend, whom she suspected gave her husband an STD. Apparently she found what she was looking for and told her husband about it, who then sent a text message to his ex and informed her that he knew all about her results.

The ex did not appreciate this, and told the Walgreens pharmacy about what happened.  At some point after that, the pharmacist accessed the ex’s medical records again, and eventually the ex filed a lawsuit against Walgreens, claiming it was responsible for the HIPAA violation because it failed to properly educate and supervise its employee.


Walgreens argued what the pharmacist did fell outside of her job duties and therefore it was not responsible for the breach.  The judge and jury disagreed, and the jury decided Walgreens was responsible for 80% of the damages owed the plaintiff (so I guess that means the total judgement for the plaintiff was $1.8 million). Walgreens has already said it will appeal.

As I said above, it may not sound like a big deal, but it potentially is.

Although HIPAA has a mechanism by which health care providers can be subject to federal civil and criminal penalties for violations, conventional legal wisdom says HIPAA does not allow for a “private cause of action”, meaning a private individual cannot sue a health care provider for breaching their medical privacy.

Or at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the enterprising young attorney who successfully argued the only two cases in which HIPAA has been used in this fashion, came along.

Mr. Eggeson, who specialises in privacy law and medical malpractice, in an interview with Lawyers.com, said “10 years into the HIPAA privacy rule, I should not be the only attorney in the country doing this type of work.”

But, recently, a pathologist reader who is also an attorney wrote me and said the manner in which HIPAA was used in the Walgreens case was actually not novel after all.

The reader also stated he believes there will likely be a lot more of these HIPAA-type privacy lawsuits “as more and more plaintiff attorneys realise pharmacies, hospitals, and other health organisations are vulnerable and have deep pockets.”

After I received the reader’s email, I reached out to Neal Eggeson, the lawyer who successfully argued the Walgreens case and asked him for clarification regarding his case and how he used HIPAA.  He was kind enough to respond.

My reader’s thoughts on the article are below, followed by Mr. Eggeson’s. Many thanks to both of them for helping me understand both this case and how HIPAA is being used in civil lawsuits better.


The reader:

“As a multiple personality professional, I have a great amount of respect for HIPAA, its use as a shield for privacy data, and its use as a sword in litigation.  As such, even though the federal HIPAA statutes may not have a specific private right of action, I believe pathologists and other health care providers should recognise that breach of privacy litigation, both health care related and non-health care related, has been around for many years as a private (common law, sometimes statutory law) right of action.

What plaintiffs commonly have been doing in recent years is to use a HIPAA violation as the underlying predicate offence in their breach of privacy, defamation, negligence, breach of fiduciary duty, or other likewise suit.  Since HIPAA does not have a private right of action, common folks like you and I cannot use HIPAA directly in a privacy lawsuit, only the government can sue with HIPAA (civilly and criminally I might mention).  What private citizens have been doing, though, is proving to the court that if a HIPAA violation occurred, then this violation serves as a breach of duty by the health care professional in negligence cases, fiduciary duty cases, and straightforward violation of privacy cases.

…Doe v. Quest in the Missouri Supreme Court, where the court allowed a breach of fiduciary claim to stand versus Quest after their phlebotomist wrongly faxed HIV results without the express permission of Mr. Doe.  This case used overtones of HIPAA and similar state privacy laws, like state HIV privacy laws, as the underlying predicate (underlying wrong) in the suit.  Additionally, I easily found three other cases where HIPAA violations were used as the underlying predicate for private rights of action in state law privacy violation claims.


The first is a federal case (attached) from the Eastern District of Missouri by Judge Stephen Limbaugh (he is either the brother or cousin of El Rushbo), I.S v Washington Univ (E.D. Mo 2011).  In this case, Judge Limbaugh recognised that there was no individual private right of action under HIPAA, but that under Missouri law, HIPAA could be used to provide a standard of care from which to judge a defendant’s actions, and that HIPAA could also be used to establish a legal duty of care.  States vary in their laws, so every state may not agree with Missouri state law, but many do.

Second, in a 2006 state court case (attached), the North Carolina Court of Appeals allowed HIPAA to be used to demonstrate the standard of care element in a psychiatric privacy case where the plaintiff sued for negligent infliction of emotional distress.  If one can use HIPAA as the standard of care and show HIPAA was violated, then the next logical step is that the health care professional breached a duty owed to the plaintiff by violating the standard of care.  After that, all that remains is proving damages.

Finally, in a more recent West Virginia Supreme Court case, a case that cites many underlying cases from other states in a survey of the law, the Court found that HIPAA does not preempt state laws and that HIPAA may be used as the basis of a negligence claim (used as the standard of care to which a breach of duty is judged). See R. K. v St. Mary’s Med Ctr, (2012) attached.

I hope you find this discussion interesting.  HIPAA is a very complex and tricky set of laws and regulations, and I fear litigating HIPAA will become the next new cottage industry for plaintiff attorneys. The more pathologists and physicians know about HIPAA, the better.”


HIPAA Compliance Checklist for Small Medical Practices


If your experience is similar to that of most doctors who decide to take the plunge and start their own small medical practice, you probably had no idea how many non-medical things you have to take care of to make sure your fledgling business sets out on the right foot. Securing a business loan, hiring staff, finding office space and moving in: so much to do. Well, here is another thing to worry about: compliance with the data security requirements of the Health Insurance Portability and Accountability Act (HIPAA).

When you are the employee of a hospital or large healthcare network, HIPAA compliance is largely taken care of for you. When you own a small medical practice, the responsibility for protecting your patients' sensitive health information (and protecting your own business from steep HIPAA penalties) rests squarely on your shoulders.

IT—computers, software, Internet connections, networks—is what makes most modern businesses run smoothly, and doubly so for medical practices, as paper-based patient records become a thing of the past. As you build your practice, choosing how to spend your IT investment is a huge decision. Part of the decision has to be ensuring that, whatever configuration and vendors you go with, the protected health information (PHI) of your patients is safe from falling into the wrong hands.

To help you make the right IT choices for your small medical practice, here is a checklist of the main HIPAA requirements for data security:


Area 1: Access Control

Access Control is tech-speak for the concept of allowing users access to the functions they need to perform their jobs—and none of the functions they don’t need. This limits the likelihood any user will jeopardize information security by using systems they have no business accessing. Here is what HIPAA requires in the area of access control:

  • Unique user identifications. Every user on your system must have his or her own login ID, and you must be able to trace all activity back to one of these unique IDs. Shared or generic logins defeat this requirement.
  • Emergency access procedure. There must be a plan in place to access the patient information you need in the event of an emergency. For example, to protect against a power outage, you could keep a fully charged laptop on hand equipped with a mobile hotspot.
  • Offsite backups. In case all the data stored on servers or computers in your office is destroyed (by a natural disaster or otherwise), you must have up-to-date offsite backups ready to take over. (Strictly, HIPAA places data backup under the contingency-plan standard rather than access control, but it belongs on the same checklist.)
  • Automatic logoffs. Your system should automatically log users off when their station is left unattended. This prevents unauthorised users from seeing information left open during somebody else's session.
  • Encryption. Under the access control standard this means encrypting stored PHI (basically, securing it with a computerised secret code) so that a lost or stolen disk or laptop does not become a reportable breach. Encryption of data as it travels is covered under transmission security in Area 5 below.


Area 2: Audit Controls

When IT people talk about auditing, what they mean is the ability to record and examine activity by every user in every system. HIPAA's audit controls standard is required, but it does not say what to log, how often to review it, or in what form. What matters for compliance is being able to determine when and whether a security violation occurred, which means at minimum:

  • A medical practice must keep basic audit reports, and review them on a schedule it has written down.
  • These reports must record logins and failed login attempts (including from outsiders, such as a hacker probing for a way in) and which patient records each user opened, so that misuse by an insider, the pattern in the Walgreens case above, is just as visible as an outside attack.
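As an added example (not code from the original article, and not any EHR vendor's tooling), the script below reviews a constructed access log for the two questions an audit trail should answer: which account is being hammered with failed logins, and which staff member opened a record for a patient they have no treatment relationship with. The log format, the care-team table and every name and address in it are invented for the example; a real practice would feed it exported EHR or Windows event logs.

```python
"""Added example: minimal audit-log review for a small practice.
Flags (1) bursts of failed logins per account/source and (2) record views
by staff who are not on that patient's care team.  Log format, care-team
table and all sample data are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one event per line, key=value fields.
SAMPLE_LOG = """\
2016-08-29T09:00:01 user=admin action=login result=ok src=10.0.0.2
2016-08-29T09:01:10 user=rjones action=login result=fail src=203.0.113.9
2016-08-29T09:01:12 user=rjones action=login result=fail src=203.0.113.9
2016-08-29T09:01:15 user=rjones action=login result=fail src=203.0.113.9
2016-08-29T09:01:19 user=rjones action=login result=fail src=203.0.113.9
2016-08-29T09:01:25 user=rjones action=login result=fail src=203.0.113.9
2016-08-29T09:10:00 user=rjones action=login result=ok src=10.0.0.7
2016-08-29T09:12:30 user=rjones action=view_record patient=P1001 result=ok src=10.0.0.7
2016-08-29T09:15:02 user=tsmith action=login result=ok src=10.0.0.8
2016-08-29T09:16:45 user=tsmith action=view_record patient=P2002 result=ok src=10.0.0.8
2016-08-29T09:17:01 user=tsmith action=view_record patient=P1001 result=ok src=10.0.0.8
"""

# Constructed care-team table: which staff have a treatment relationship
# with which patient.  In a real practice this comes from the EHR.
CARE_TEAM = {
    "P1001": {"rjones"},
    "P2002": {"tsmith", "rjones"},
}

def parse_line(line):
    """Turn '2016-... user=x action=y ...' into a dict with a datetime."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(user, src): count} for any account/source pair that
    accumulates `threshold` failed logins inside a sliding `window`."""
    recent = defaultdict(deque)
    flagged = {}
    for e in events:
        if e.get("action") != "login" or e.get("result") != "fail":
            continue
        key = (e["user"], e["src"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

def unrelated_record_access(events, care_team):
    """Return [(user, patient, ts)] for record views by staff who are not
    on that patient's care team: the insider pattern an outsider-only
    audit trail never surfaces."""
    hits = []
    for e in events:
        if e.get("action") != "view_record":
            continue
        if e["user"] not in care_team.get(e["patient"], set()):
            hits.append((e["user"], e["patient"], e["ts"].isoformat()))
    return hits

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(evs))
    print("unrelated record access:", unrelated_record_access(evs, CARE_TEAM))
```

The second check is the important one for a practice: five failed logins from one address is a hacker, but a single successful view of a record by someone with no reason to open it is exactly what the pharmacist in the Walgreens story did, and only a log that records which record each user opened can show it.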


Area 3: Integrity

Maintaining the integrity of your data means, from HIPAA's point of view, that your data is neither altered nor destroyed except by someone who is authorised to do so.

  • To maintain integrity, HIPAA requires that you have a mechanism to authenticate electronic protected health information (ePHI). Counting the records in a database catches an unexplained deletion, but not a record that was edited in place or swapped for another; a checksum or, better, a keyed hash (message authentication code) over each record catches both.
  • Backups are essential here, too, so you can recover any information that has been destroyed without authorisation.


Area 4: Person or Entity Authentication

In the eyes of HIPAA, this is slightly different from the access controls requirements we discussed earlier. When we talk about person or entity authentication we’re talking about procedures that verify that a person (or entity) is who they say they are. All Internet users are familiar with this one. Think of the password you use to log in to your email or Facebook account.

  • HIPAA's minimum requirement is a password or personal identification number (PIN) that only the authorised user knows. Treat that as the floor: a second factor (a hardware token or an authenticator app) defeats the password-guessing and phishing attacks described elsewhere on this page, which a password alone does not.


Area 5: Transmission Security

Transmission security refers to guarding against unauthorised access to protected information as it is being transmitted outside your practice—via email, over the web, etc. HIPAA’s requirements for transmission security include:

  • Integrity controls. In this case, the integrity of the data means that it has not been modified during transmission. Use protocols that check this for you (TLS for web and mail traffic, a message authentication code on anything you build yourself) so that the data received can be shown to be the data sent.
  • Encryption. Sending and receiving encrypted information to and from organisations outside your practice can be tricky, because both the sender and the receiver have to support the same mechanism. A small medical practice has to encrypt claims and other patient information as it is transmitted to and from insurance providers, and medication and other clinical information as it travels to and from other medical offices, and the mechanism an insurer supports (for example TLS between mail servers, or a secure clearinghouse portal) may differ from what another practice supports. HIPAA names no particular algorithm; the practical requirement is to support whatever standard mechanism each counterparty uses and to verify, not assume, that it is actually in effect on each connection.
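The integrity mechanism called for in Area 3 and the integrity control for data in transit in Area 5 are the same primitive, a keyed hash, so one added example serves both. It is not code from the article or from any EHR product; the key, the record layout and the patient data are constructed for the example, and a real deployment would keep the key in a key manager rather than in source. It shows why the record-count check is not enough: the tampered copy has the same number of records as the original.

```python
"""Added example: HMAC manifest over a set of patient records, plus the same
MAC used to seal a message in transit.  Key, record layout and sample data
are constructed for this example and are not from any real system."""
import hashlib
import hmac
import json

# Constructed demo key.  In production it lives in a key manager, not in code.
KEY = b"constructed-demo-key-do-not-reuse"

# Constructed sample records (record id -> record).
RECORDS = {
    "P1001": {"name": "A. Patient", "medication": "metformin 500mg"},
    "P1002": {"name": "B. Patient", "medication": "lisinopril 10mg"},
    "P1003": {"name": "C. Patient", "medication": "none"},
}

# A tampered copy: one record edited, one deleted, one inserted.
# The record count is unchanged, so a count-based check sees nothing.
TAMPERED = {
    "P1001": RECORDS["P1001"],
    "P1002": {"name": "B. Patient", "medication": "lisinopril 40mg"},
    "P1004": {"name": "D. Patient", "medication": "none"},
}

def canonical(record):
    """Serialise deterministically so equal records always hash the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def tag(key, data):
    """HMAC-SHA256 over data; only a holder of the key can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def record_tag(key, record_id, record):
    # Bind the id to the content so two records cannot be swapped.
    return tag(key, record_id.encode() + b"\x00" + canonical(record))

def build_manifest(key, records):
    """Per-record tags plus a tag over the sorted id list, so deleting or
    inserting a record is detected even though every remaining record
    still verifies on its own."""
    tags = {rid: record_tag(key, rid, rec) for rid, rec in records.items()}
    index_tag = tag(key, ",".join(sorted(tags)).encode())
    return {"records": tags, "index_tag": index_tag}

def verify(key, records, manifest):
    """Return a list of (problem, record_id); an empty list means intact."""
    problems = []
    expected = manifest["records"]
    if not hmac.compare_digest(manifest["index_tag"],
                               tag(key, ",".join(sorted(expected)).encode())):
        problems.append(("manifest-tampered", None))
    for rid in sorted(set(expected) - set(records)):
        problems.append(("deleted", rid))
    for rid in sorted(set(records) - set(expected)):
        problems.append(("added", rid))
    for rid in sorted(set(expected) & set(records)):
        if not hmac.compare_digest(expected[rid], record_tag(key, rid, records[rid])):
            problems.append(("modified", rid))
    return problems

# The same MAC is the integrity control for data in transit (Area 5):
# the sender attaches tag(key, payload); the receiver recomputes and compares.
def seal(key, payload):
    return tag(key, payload)

def unseal(key, payload, received_tag):
    """True only if payload is byte-for-byte what the sender tagged."""
    return hmac.compare_digest(received_tag, tag(key, payload))

if __name__ == "__main__":
    manifest = build_manifest(KEY, RECORDS)
    print("original:", verify(KEY, RECORDS, manifest))
    print("record count unchanged:", len(TAMPERED) == len(RECORDS))
    print("tampered:", verify(KEY, TAMPERED, manifest))
```

A MAC proves integrity and origin to anyone holding the key; it does not hide the data, so for transit it sits alongside encryption (TLS already provides both). Comparisons use hmac.compare_digest so that a wrong tag takes the same time to reject as a nearly-right one.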
DocMate's comment, December 2, 2016 1:13 AM
Today healthcare practices are considered a marketplace by patients and thus the services also have to be customer centred or, as it is called in healthcare, patient centred. http://docmate.com/commerce-related-to-the-practice-management-systems/

7 Important Reasons Why Employees Need Online HIPAA Training


Since HIPAA was first enacted in 1996, health care organisations have been required to provide periodic training to their employees to ensure that they understand what’s required of them under the law.

As we know, employee training can be time consuming, expensive, and it can have a negative impact on productivity. Today, technology gives us significant advantages when it comes to employee training in that it can now be accomplished online. That includes keeping employees compliant with the ever-changing requirements of HIPAA regulation.

Here are seven important reasons why your employees need to keep up-to-date with their HIPAA training, and why it is more effective when they receive that training online:


1. Online Training Provides the Most Current Information

HIPAA regulation and requirements are always changing to meet the needs of today’s health care industry. Printed materials, therefore, can quickly become outdated, which is why it is important to accomplish this training online. It is easier for both government agencies and health care organisations to keep track of modifications when they are made online. Moreover, employees can receive the information quickly, and learn it more efficiently.


2. Online Training Makes HIPAA Compliance Easier to Achieve

HR and compliance professionals know that keeping employees compliant can be a big burden. Online training makes things easier because the training is distributed online, rather than in person. Employees no longer have to attend costly off-site seminars that take them away from their jobs and their families. Online training can be completed at the employee’s convenience, taking the burden out of attesting to policies and procedures and making total HIPAA compliance that much easier to attain.


3. Online Training Is Easy to Manage

When you finally take the plunge by adopting online training, you’ll be surprised at how easy the courses are to manage. All HIPAA training materials are kept in one central location that everyone can access. There is no more stress about posters and other printed materials disappearing from break rooms, and fewer opportunities for employees to claim that they were unaware of new regulations or training requirements. When everything is stored online, excuses disappear and access to education increases.


4. Online Training Is Affordable

Most businesses are trying to keep expenses down wherever possible. Hiring trainers to hold seminars in-person is a significant expense, as is sending employees to off-site locations to obtain training. Online training eliminates these expenses by providing information that is accessible on office computers as well as personal or mobile devices. Training can be accessed from anywhere that a high-speed internet connection is available, which makes it much easier for employees to keep up with their training requirements.


5. Online Training Makes Onboarding New Employees Easier

Very often, new employees can become overwhelmed when they start a new position. Online training, particularly for something as important as HIPAA compliance, makes their new job a little less daunting, and helps prevent common mistakes new employees will often make during the early days of a new position.


6. Online Training Ensures That Everyone Is Protected

The easier the training is to access and complete, the greater the amount of protection your business and your employees will have. No one wants to be in violation of HIPAA regulations, or subject to an audit, so having all HIPAA information readily available ensures that compliance is as up-to-date as possible.


7. Semi-Annual and Annual Re-Training Is No Longer a Headache

Organisations that are required to periodically re-train employees dread having to spend all that time and money achieving compliance, particularly for something as important as HIPAA. Online training makes it easier to ensure that annual or semi-annual training can be completed in a timely fashion. Additionally, many online training platforms contain tools that will help supervisors and management ensure that employees attest that they’ve understood and will comply with the training they’ve received.


How can you be sure you have HIPAA compliant Email?


Last updated August 29, 2016. The Health Insurance Portability and Accountability Act (HIPAA), sets the standard for protecting sensitive patient data. Any organisation dealing with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. This of course includes HIPAA compliant email.

Organisations include Covered Entities (anyone who provides treatment, payment and operations in healthcare) and Business Associates (anyone with access to patient information who provides support in treatment, payment or operations). This also means making sure HIPAA compliant email is baked in when it comes to your email service provider.

Even subcontractors, or business associates of business associates, must also be in compliance.


What is HIPAA Compliant Email?

The HIPAA Privacy Rule created, for the first time, a set of national standards for the safeguard of certain health information. It allows Covered Entities to disclose PHI to a Business Associate if they receive assurances that the Business Associate will use the information only in the scope of which it was engaged by the Covered Entity.

If you are using a third party to transmit or host PHI, they are required by law to sign a Business Associate Agreement (BAA) with you. The BAA establishes that certain administrative, physical and technical safeguards are in place.

While there’s no certification that makes an email provider achieve HIPAA compliant email status, meeting the requirements set by the HIPAA Privacy Rule is the best place to start, along with strong technical security measures to make sure PHI is protected inbox to inbox.


HIPAA Compliance Violations are Increasing

  • HIPAA violations tripled over 10 years. Confirmed HIPAA violations are skyrocketing. Their growth rate over the past 10 years outpaces almost any trend that comes to mind.
  • Stolen laptops continue to result in huge fines. In several instances, a single stolen laptop led to fines in excess of $1,000,000 from HHS.
  • A stolen thumb drive averages $925,000 in HIPAA fines. Since 2012, it costs an average of $925,000 in HIPAA fines for a single stolen thumb drive.
  • Stolen office computers can be subject to fines too. Even a computer that never leaves your office can still be subject to a costly fine due to a HIPAA Privacy Rule violation.
  • Unpatched and unsupported software can also lead to fines.


How can you be sure you have HIPAA compliant Email?

In order to make sure your organisation has HIPAA compliant email, you need to be sure you have processes and workflows in place to ensure your staff is properly trained on HIPAA compliance. But you also need the right technology to be sure those procedures can be made as efficient as possible.

Paubox can help you protect your patients’ data while providing it to them in a way that’s easy to access. We are able to do this because we believe in the term ‘seamless encryption.’ Seamless encryption is about providing the expected benefit, HIPAA compliant email, without asking the user (you) to change behaviour.

Seamless encryption, like that used in Paubox’s Encrypted Email, reduces the risk of accidentally sending PHI over email. It can be easy to forget to press an encrypt button before pressing send, or simply not realising there was PHI in an email that was sent. But Paubox’s Encrypted Email allows users to write and send emails as normal from a laptop, desktop and mobile device – Paubox seamlessly works behind the scenes to keep all outbound email within HIPAA compliance.


How HIPAA Can Help Deter Hackers


The number of hacks and breaches continues to rise. Though you may have security measures in place, hackers are finding new ways to infiltrate your systems. So, what can you do to stay one step ahead of them?

A 2015 Reader’s Digest article outlines “20 Things Cyber Crooks Don’t Want You to Know”. From this list of 20 things, we chose a few that are more specific to businesses and describe how they relate to HIPAA. Review these 5 tricks hackers use to access your PHI so you can avoid becoming an easy target.


Personalised phishing emails.

Hackers use phishing emails to trick people into clicking links that often lead to the installation of malware or ransomware on your computer. These emails used to be a lot more obvious, for example an email from a Nigerian prince or one saying a distant wealthy relative has just died. They have become a lot more sophisticated and include information that matches your online activities, which leads you to believe the email is legitimate. If you are not careful, you could fall into the trap.

Phishing is the cause of many PHI breaches. In fact, in 2013, University of Washington Medicine experienced a breach that affected over 90,000 patients. This breach was due to malware installed through a phishing scam. It was recently reported that University of Washington Medicine paid a settlement of $750,000 in penalties for this breach of PHI. ¹

Avoid phishing scams by being cautious of each email you open. Avoid clicking links or downloading files from emails with which you are unfamiliar. Phishing emails often ask for your personal information in order to claim gifts or recover/verify an account you have. This is an alert to STOP. Do not enter any personal information (passwords, social security numbers, etc) if prompted.


Typo squatting

“Typo squatting” is when hackers purchase domain names similar to the names of real websites.² For example, a hacker may buy the domain name microsfot.com. The success of typo squatting depends on you incorrectly typing the URL. Once you land on the site, hackers can install malware on your computer or try to convince you to share personal information. Check the web address before visiting the website. Web pages that ask for personal information like a Social Security number or credit card details should show “https” in the address bar and a lock icon; if either is missing, the page is not secure and you should not enter your information. The lock only proves the connection is encrypted to whoever owns that address, though: a typosquatted domain can carry a perfectly valid certificate, so check the spelling of the domain itself as well.


Brute Force Attacks

Hackers use a method called a “brute force attack” to crack your password: a trial-and-error process that tries many combinations of characters, usually starting from lists of common passwords and dictionary words before moving on to every possible combination. This is why easy passwords like “letmein” or “qwertyuiop” are cracked almost instantly. The longer and more random the password, the more guesses the software needs. The attack usually runs offline, against a copy of password hashes stolen in a breach like the LinkedIn one below, where nothing on your computer will show it happening; against a live login page the same guessing is slowed down by rate limiting and account lockout, which your practice systems should have turned on. It takes basically no effort on the part of the hacker: they launch the program and wait. Hackers are relentless.

It was revealed that the 2012 LinkedIn breach included millions of accounts with very easily cracked login credentials. At the top of the list was “123456” (appearing over 1 million times), followed by other equally simple passwords like “linkedin” and “password”.³ These passwords are easy targets for brute force attacks. A random assortment of characters is a lot harder to crack than a simple password or one that contains dictionary words. It is also important to change a password promptly if it may have been caught up in a breach.
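As an added example (not code from the article, and nothing here comes from the LinkedIn data), the script below does what a cracker does with a stolen hash: it runs a wordlist against a salted, slow hash and recovers “123456” while failing on a 16-character random password, then puts numbers on the search space a guesser faces. The wordlist, the attacker speed of a billion guesses per second and the passwords are all constructed for the example.

```python
"""Added example: offline dictionary attack against stored password hashes,
and the search-space arithmetic behind "longer and more random is harder".
Wordlist, attacker speed and passwords are constructed for this example."""
import hashlib
import hmac
import math
import os
import secrets
import string

# Constructed mini wordlist.  Real cracking lists hold hundreds of millions
# of entries, including every password leaked in breaches like LinkedIn's.
WORDLIST = ["123456", "password", "linkedin", "letmein", "qwertyuiop",
            "123456789", "111111", "welcome1"]

def hash_password(password, salt, iterations):
    """PBKDF2-HMAC-SHA256: each guess costs `iterations` hash rounds,
    which is what makes offline guessing expensive for the attacker."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def store(password, iterations=200_000):
    """What a well-built login system keeps: a per-user random salt, the
    work factor, and the derived hash.  Never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": hash_password(password, salt, iterations)}

def crack(stored, wordlist):
    """Offline dictionary attack against one stolen hash record.  Returns
    the recovered password, or None once the wordlist is exhausted."""
    for guess in wordlist:
        candidate = hash_password(guess, stored["salt"], stored["iterations"])
        if hmac.compare_digest(candidate, stored["hash"]):
            return guess
    return None

def random_password(length=16):
    """The kind of password a password manager generates for you."""
    alphabet = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
    return "".join(secrets.choice(alphabet) for _ in range(length))

def search_space_bits(length, alphabet_size):
    """Entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(bits, guesses_per_second):
    """Worst case for the attacker: try every possibility at that speed."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    weak = store("123456")
    strong = store(random_password())
    print("weak cracked as:", crack(weak, WORDLIST))
    print("strong cracked as:", crack(strong, WORDLIST))
    # Constructed attacker speed: 1e9 guesses/s against a fast unsalted hash.
    print("6-digit PIN, years:", years_to_exhaust(search_space_bits(6, 10), 1e9))
    print("16 random chars, years:", years_to_exhaust(search_space_bits(16, 94), 1e9))
```

Two things the numbers show: a six-digit PIN is under 20 bits and falls in a fraction of a second at that speed, while 16 random characters are over 100 bits and are out of reach; and the salt plus 200,000 PBKDF2 rounds means every one of those guesses costs the attacker far more than a single fast hash would, which is the difference between the LinkedIn hashes (unsalted SHA-1) and what a login system should store.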

Password management tools such as LastPass, 1Password, or Dashlane help you manage your passwords. Not only do they generate strong passwords for you, but they save each password in an encrypted database so you do not have to remember them. You do need to remember the master password for the manager itself. This option is a lot safer than saving your passwords in your browser's password management feature or in a note on your desktop. Keep these programs up to date, and change your master password frequently.


Wi-Fi Software

One major security flaw is that people do not set a new administrator username and password when they install a router. Change both, because with a simple internet search of the router make and model anyone can find the default administrator password it shipped with and take over your network. Keep the router's firmware updated too: updates fix vulnerabilities in the router itself, firewall included.

It is also important to check that your router uses WPA2 encryption. WEP encryption can easily be exploited. Software to crack WEP encryption is widely available. It is best to go with the newer WPA2 which uses more secure AES algorithms.


Vulnerability of Public Wi-Fi Networks

It is best not to log into a public network if you plan to use a credit card, because public networks often have no protection. Many hackers target public Wi-Fi networks like those in coffee shops. They use man-in-the-middle attacks, putting themselves between you and the information you want to access through the network: when you request something like a web page from a server, that request and its reply pass through the hacker first, who can read or alter it before sending it on. This tactic pays off for hackers when you access your bank accounts. Many people think the only risk of taking PHI home is leaving a storage device behind in a public place or having a laptop or iPad stolen, but working through a coffee shop's public Wi-Fi can cause a breach too. A properly encrypted connection (https with a valid certificate, or your practice's VPN) defeats a man-in-the-middle, but you cannot rely on every site or client getting that right, so it is best to avoid emailing PHI or accessing any important accounts over public Wi-Fi.

Unfortunately, even if we take all the right security measures, we will never be invincible. However, taking the right steps like creating strong passwords, activating a firewall and following HIPAA security recommended policies and procedures can help protect your data and can lessen the chance of an embarrassing and expensive breach.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004

No comment yet.

HIPAA omnibus rule


Identifying your organisation's weak spots through a risk assessment is a best practice ahead of the HIPAA omnibus regulations.


This is the first of a two-part series of tips on preparing for the HIPAA omnibus rule to go into effect. The first part covers how to identify your organisation's greatest risk in advance of the rule's enforcement.


The HIPAA omnibus rule went into effect in early 2013, and federal enforcement was set to begin this fall after a 180-day grace period expires Sept. 23. With this in mind, Jaime Dupuis, practice consultant for the Regional Extension Centre of New Hampshire (RECNH) offered a checklist of compliance tasks for attendees of a recent webinar, some of whom were smaller physician practices and medical groups:

  • Update your Notice of Privacy Practices (NPP). Dupuis gave examples from the Department of Veterans Affairs, Beth Israel Deaconess Medical Centre, Harris County Hospital District Texas and Stanford University Hospitals as recently updated NPPs that might inspire your organisation's next draft.
  • Rework business associate agreements (BAAs) to reflect the fact that they are now directly liable for HIPAA compliance as well as subject to new breach notification rules.
  • Make risk analysis an ongoing process that includes at minimum: defining and assembling a risk analysis team; evaluating the likelihood and impact of potential risks to protected health information (PHI); listing the findings (including policy or security gaps) in the assessment; developing a work plan and timeline for mitigating risks; implementing appropriate security measures to address identified risks; developing and refining written policies and procedures to fully comply with regulations; and, finally, having the team meet regularly to ensure continuous, reasonable and appropriate security protections.
  • Work on highest-risk vulnerabilities first. Risk assessments are a big part of meaningful use attestation and HIPAA compliance moving forward. While only your own risk assessment reveals your own punch list of breach possibilities, HHS's Office of Civil Rights pegs physical theft of patient records as the number-one cause of HIPAA violations (55%), followed by disclosure of PHI without patient consent (20%) and data lost or not accounted for (12%).
  • Confirm that risk analyses cover the following topics: physical security of hardware and devices; password management and role-based security access; portable and mobile device policies; data encryption and network security. Administrative safeguards such as data backup and employee termination policies that also cut off former employees' network access should be covered as well.
  • Strengthen your employee password policy and require employees to regularly change passwords. Get more advice on this topic -- and the whys behind it -- here.
  • Employ a network firewall; install and regularly update antivirus software. While these two pieces of "data security 101" advice might not sound particularly earth-shattering, they bear repeating as many offices still aren't employing these basics.

HIPAA Compliance for Clinician Texting


Text (or SMS) messaging has become nearly ubiquitous on mobile devices. According to one survey, approximately 72 percent of mobile phone users send text messages. Clinical care is not immune from the trend, and in fact physicians appear to be embracing texting on par with the general population. Another survey found that 73 percent of physicians text other physicians about work.

Texting can offer providers numerous advantages for clinical care. It may be the fastest and most efficient means of sending information in a given situation, especially with factors such as background noise, spotty wireless network coverage, lack of access to a desktop or laptop, and a flood of e-mails clogging inboxes.

Further, texting is device neutral: it will work on personal or provider-supplied devices of all shapes and sizes. Because of these advantages, physicians may utilise texting to communicate clinical information, whether authorised to do so or not.

It is essential for healthcare providers to understand the communication needs of their workforce in order to appropriately address any privacy and security risks they may pose. As many providers have discovered, trying to control how your workforce communicates is easier said than done, and policies that fail to account for clinicians' communication preferences often go unheeded.

This article addresses texting between clinician members of the workforce and discusses how to ensure safer texting practices as part of your organisation's privacy and security compliance program.


The Risks of Text Messaging

All forms of communication involve some level of risk. Text messaging merely represents a different set of risks that, like other communication technologies, needs to be managed appropriately to ensure both privacy and security of the information exchanged.

Text messages may reside on a mobile device indefinitely, where the information can be exposed to unauthorised third parties due to theft, loss, or recycling of the device. Text messages often can be accessed without any level of authentication, meaning that anyone who has access to the mobile phone may have access to all text messages on the device without the need to enter a password.

Texts also are generally not subject to central monitoring by the IT department. Although text messages communicated wirelessly are usually encrypted by the carrier, interception and decryption of such messages can be done with inexpensive equipment and freely available software (although a substantial level of sophistication is needed).

The HIPAA privacy rule provides an individual with the right to access and amend protected health information (PHI) about the individual that is maintained in a designated record set. The designated record set includes PHI "used, in whole or in part, by or for the covered entity to make decisions about individuals."

Accordingly, if text messages are used to make decisions about patient care, then they may be subject to the rights of access and amendment. There is a risk of noncompliance with the privacy rule if the covered entity cannot provide patients with access to or amend such text messages.


Include Texting in Compliance Programs

Under the HIPAA security rule, text messaging may be addressed as part of an organisation's comprehensive risk analysis and management strategy.

As part of its risk analysis, a healthcare provider may identify where electronic PHI, or ePHI, is created, received, maintained, and transmitted. For texts, ePHI will primarily be created, received, and maintained on mobile phones (although text messages may also reside on workstations).

Texts also may be temporarily maintained on a telecommunications provider's servers while the message awaits delivery to the recipient's device (e.g., if the recipient's device is powered off or out of range). Texts primarily will be transmitted through the wireless cellular networks of telecommunications providers, although they also may get routed through the Internet in certain situations.

The next step is to identify and document any reasonably anticipated threats to ePHI, the security measures already in place (e.g., an existing policy on texting), the likelihood of each threat, and its potential impact. Examples of threats include:

  • Theft or loss of the mobile device
  • Improper disposal of the device
  • Interception of transmission of ePHI by an unauthorised person
  • Lack of availability of ePHI to persons other than the mobile device user

It is worth keeping in mind that the threat of external interception is likely far smaller than the threat of theft or loss of the device.

Based on the above risk analysis, a provider can determine the appropriate administrative, physical, and technical controls for the organisation. Examples of security controls include:

  • An administrative policy prohibiting the texting of ePHI or limiting the type of information that may be shared via text message (e.g., limiting condition-specific information or information identifying a patient)
  • Workforce training on the appropriate use of work-related texting
  • Password protection and encryption for mobile devices that create, receive, or maintain text messages with ePHI
  • An inventory of all mobile devices used for texting ePHI (whether provider-owned or personal devices)
  • Proper sanitisation of mobile devices that text ePHI upon retirement of the device
  • A policy requiring annotation of the medical record with any ePHI that is received via text and is used to make a decision about a patient
  • A policy setting forth a retention period or requiring immediate deletion of all texts that include ePHI
  • Use of alternative technology, such as a vendor-supplied secure messaging application
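The threat list, the likelihood and impact rating, and the control list above (and the ongoing risk-analysis process in the omnibus checklist earlier on this page) can be kept together as a scored risk register that produces the "highest-risk first" work plan and is re-rated as controls land. The following Python is an added example, not code from any of the articles collected here; the three-point scales, the ratings for each threat and the control names are constructed for illustration, not HHS figures.

```python
from dataclasses import dataclass, replace

# Three-point ordinal scales (assumption; a real register may use finer scales).
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str                 # "low" | "medium" | "high"
    impact: str                     # "low" | "medium" | "high"
    existing_controls: tuple = ()   # measures already in place
    candidate_controls: tuple = ()  # measures from the control list to consider

    @property
    def score(self) -> int:
        """Likelihood x impact, from 1 (negligible) to 9 (critical)."""
        return SCALE[self.likelihood] * SCALE[self.impact]


# Constructed register for clinician texting; ratings are illustrative only.
REGISTER = (
    Threat("Theft or loss of the mobile device", "high", "high",
           candidate_controls=("device passcode and encryption",
                               "inventory of devices used for ePHI")),
    Threat("Improper disposal of the device", "medium", "high",
           candidate_controls=("sanitisation of devices on retirement",)),
    Threat("Interception of ePHI in transmission", "low", "high",
           candidate_controls=("vendor-supplied secure messaging application",)),
    Threat("ePHI held only on the user's device, unavailable to others",
           "medium", "medium",
           existing_controls=("policy: annotate the record with texted ePHI",),
           candidate_controls=("retention period / deletion policy",)),
)


def rank(register):
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(register, key=lambda t: (-t.score, t.name))


def work_plan(register, threshold: int = 4):
    """Threats at or above `threshold` with no control in place yet, in
    priority order, each paired with the controls to implement."""
    return [(t.name, t.score, list(t.candidate_controls))
            for t in rank(register)
            if t.score >= threshold and not t.existing_controls]


def apply_control(threat: Threat, control: str, likelihood=None, impact=None) -> Threat:
    """Record a control as implemented and re-rate the threat (residual risk)."""
    if control not in threat.candidate_controls:
        raise ValueError(f"{control!r} is not a candidate control for {threat.name!r}")
    return replace(
        threat,
        likelihood=likelihood or threat.likelihood,
        impact=impact or threat.impact,
        existing_controls=threat.existing_controls + (control,),
        candidate_controls=tuple(c for c in threat.candidate_controls if c != control),
    )


def residual_scores(register) -> dict:
    """Current score per threat, for the periodic review meeting."""
    return {t.name: t.score for t in register}


if __name__ == "__main__":
    for name, score, controls in work_plan(REGISTER):
        print(f"{score}  {name}: {', '.join(controls)}")
```

Re-running `work_plan` after each `apply_control` is the "ongoing process" the checklist asks for: a treated threat drops out of the plan, and the next highest score becomes the next work item.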


Further Considerations for Compliant Texting

Providers may want to also consider whether any third party uses or discloses ePHI when texting occurs. With respect to telecommunications providers, the Department of Health and Human Services has stated that entities acting only as conduits of ePHI and that do not access the information other than on a random or infrequent basis as necessary for the performance of the transportation service do not qualify as business associates.

In contrast, if texts are being stored indefinitely on a third party's server, such as when a text is sent to an e-mail account of a member of the workforce and the e-mail account is administered by a third party, then a business associate contract with the third party may be required.

Finally, providers may wish to address the use and disclosure of ePHI in their privacy policies and training and should consider sanctioning members of the workforce who violate such policies. Providers must also consider whether texts of PHI are subject to the HIPAA accounting of disclosures and, if so, whether they need to be included in a disclosure log.

There is no one-size-fits-all solution; different organisations may arrive at different conclusions regarding the threat posed by texting of PHI and what combination of controls reduces risks to a reasonable and appropriate level. There are some controls that are simply not going to be available for traditional texting, such as centralised audit controls that allow the IT department to monitor texts containing PHI.

Each healthcare organisation must decide whether it will prohibit or allow texting. This may be a fluid process, requiring the monitoring and reevaluation of policies to determine if they are effective. It is ultimately imperative to recognise both the value and risks of texting and to proactively address the issues.


New HIPAA rules


Healthcare providers have until September 23 to put into place internal policies and procedures needed to comply with sweeping changes coming to the Health Insurance Portability and Accountability Act (HIPAA).

In January, the U.S. Department of Health and Human Services (HHS) released a set of rules, known collectively as the omnibus rule, designed to supplement and modify the privacy, security, breach notification, and enforcement rules governing patient health information in HIPAA. HHS has made it clear that the September 23 compliance deadline is final. Penalties can range from $100 to $1.5 million depending on the violation.


For primary care and other physicians in private practice, compliance will mean:

  • conducting and documenting a risk analysis, which HHS defines as “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability” of electronic protected health information (PHI) in your practice;

  • reviewing the practice’s policies and procedures for when PHI is lost or stolen or otherwise improperly disclosed, and making sure your staff members are trained in them;

  • ensuring that the electronic PHI your practice holds is encrypted so that it cannot be accessed if it is lost or stolen (see “Encrypting your patients’ health information”);

  • modifying the practice’s electronic health record (EHR) system so that you can flag information a patient does not want shared with an insurance company;

  • having the ability to send patients their health information in an electronic format;

  • reviewing your contracts with any vendors that have access to your practice’s PHI; and

  • updating your practice’s notice of privacy practices.


Other provisions

Other provisions of the omnibus rule include restrictions on selling PHI or using it for marketing and fundraising purposes without obtaining the patient’s permission and loosening some of the restrictions on sharing PHI with family members or other caregivers of deceased patients. Disclosure is only permitted, however, to the extent that the PHI is relevant to the role the family member or caregiver played in the decedent’s treatment. Moreover, release is not permitted in cases in which the individual expressly stated before death that he or she did not want the PHI released.

The omnibus rule also permits doctors in states with compulsory vaccination laws to disclose a child’s immunisation records to schools without obtaining formal authorisation from parents. Physicians now can do so with only a verbal agreement, provided they document that they obtained the permission. Lastly, the rule prohibits health plans from using or disclosing genetic information for the purpose of insurance underwriting.

The rule also sets and describes the four categories of penalties for violating the rules and the dollar amounts for each.

The omnibus rule is the latest step in a process that began when Congress enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009. Among other provisions, the HITECH Act required HHS to strengthen HIPAA’s privacy and security protections for health information. HHS adopted interim rules for doing so in 2010 and finalised the rules with adoption of the omnibus rule.


What Does Increased Patient Access Mean for HIPAA Compliance?


A recent AHA report shows increased patient access to their data, but organisations must continue to maintain HIPAA compliance.

More individuals than ever before now have electronic access to their own health information, according to a recent report from the American Hospital Association (AHA). However, organisations are required to offer patient access as part of their HIPAA compliance measures.

With increased electronic access, covered entities must ensure that they are still adhering to all aspects of the HIPAA Privacy and Security Rules.


Patient access to data is necessary, but the necessary data security measures cannot be compromised in the process.

The latest AHA Trend Watch report found that 92 percent of hospitals offered the ability to view medical records online in 2015, a large increase from the 43 percent that offered the same option in 2013.

Additionally, 84 percent of hospitals allowed patients to download information from their medical record in 2015, compared to just 30 percent in 2013.

“A growing number of individuals also are able to perform everyday health care tasks, such as making a medical appointment online with their hospital-based care providers,” the report’s authors explained. “Offering these capabilities allows patients to more easily access their providers and engage in their care.”

Not only are more hospitals increasing their options when it comes to patient to provider communication, but more are also allowing patients to submit patient-generated data to their provider online, according to the report.

Specifically, 63 percent of hospitals allowed patients to message their providers online in 2015, an increase of 8 percentage points from the previous year. In 2015, 37 percent of hospitals had the ability for patients to submit patient-generated data, compared to just 14 percent in 2013.


“As more hospitals are able to offer these services, individuals will have more insight into their medical data and the ability to interact with care providers at times and in ways that are convenient for the patient,” the report’s authors concluded.

While these numbers show that more covered entities continue to embrace technology, it is important to remember that HIPAA regulations require patients to have access to their own health data if they desire it.

Patient right of access is applicable to patient medical information, regardless of the form that the PHI is in at a healthcare organisation. Certain provisions may apply slightly differently, such as those related to requests for access, timely action, verification, form or format of access, and denial of access, but individuals have the right to their own medical records.

Another important aspect of patient access is whether or not patients can be charged for access to copies of their PHI. The fee may include only the cost of certain labour, supplies, and postage, but the Office for Civil Rights (OCR) encourages covered entities to provide the copies for free.


“Providing individuals with access to their health information is a necessary component of delivering and paying for health care,” OCR states on its website. “We will continue to monitor whether the fees that are being charged to individuals are creating barriers to this access, will take enforcement action where necessary, and will reassess as necessary the provisions in the Privacy Rule that permit these fees to be charged.”

Increased patient access to their own medical information should not be cause for concern, but a reminder to covered entities and business associates to ensure that they have the necessary safeguards in place to continue to ensure PHI security. For example, if more patients are utilising secure messaging options, then perhaps hospitals should review their mobile device policies and ensure they are utilising comprehensive data encryption options.


HIPAA Email Compliance - 6 Best Practices


As technology advances and legislation changes, HIPAA email compliance can seem like a constantly moving target. With the challenges facing today’s healthcare landscape, including the proliferation of electronic health records (EHRs) and health information exchanges (HIEs), hackers and “hacktivists” targeting hospitals and the adoption of  mobile technology in healthcare, HIPAA compliance is becoming more challenging — and more important — than ever.

Much has changed since 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. The World Wide Web was still relatively new, mobile phones were relatively rare (and great for your biceps!) and your health data was divided into thick manila folders stuffed with paperwork. Now, all that stands between patients and the entirety of their medical histories is a username and a password, and a startling number of those passwords are “password.”


The Challenge of Protecting Patient Data

When most of us think about HIPAA compliance, we think about its access control aspect — that is, who gets access to protected health information (PHI), and when. A leak of PHI can be as simple as a medical professional forgetting to log out of their portal, and leaving patient data open on the desktop to be viewed by anyone walking by (this is why automatic logout is one of the “technical safeguards” required to maintain HIPAA compliance).

When it comes to protecting PHI, the penalties add up fast — and since the passing of the 2009 Recovery Act, violating HIPAA has only grown more expensive. Each individual violation will cost your business anywhere from $100 to $50,000 if it’s a first offence (and a lack of due diligence, as opposed to wilful neglect). Violations due to wilful neglect, however, cost a covered entity a minimum of $50,000 per violation. And when you consider how many patients have their data stored on a single server, those $50,000 violations stack up fast.

Doctors, hospital administrators, insurance professionals and anyone who deals with PHI need to be aware of the growing threats to patient privacy and be proactive with their information security. Here are six ways to lock down patient data and stay ahead of the threat.


1. Use strong data encryption.

Any PHI you store, whether on a desktop or on a server, should be encrypted. Encryption obscures your data, making it unintelligible to anyone who doesn’t have the key to decrypt it. As the 2014 CHS Heartbleed attack proved, which resulted in the theft of 4.5 million social security numbers from one of the largest hospital groups in the United States, cyber-criminals have both the desire and the means to break into hospital servers and steal sensitive data. With encryption, that data is still protected even after hackers get their hands on it, provided they weren’t also able to steal the encryption key.

Data encryption isn’t just best practice for information security, though — it’s a written requirement for HIPAA compliance. Established in 2009, the HIPAA Breach Notification Rule gives businesses 60 days to notify all parties who may be affected by a leak of “unsecured protected health information.” Here, “unsecured” is another way of saying “unencrypted.”

HHS goes into detail about its encryption standards for data at rest and data in motion. For data at rest (data that sits in storage), for example, HHS’s standards are consistent with those of the National Institute of Standards and Technology (NIST) and include centrally managing all storage encryption, using multi-factor authentication for encryption solutions, and using the Advanced Encryption Standard (AES) as the encryption algorithm.


2. Encrypt your emails, as well.

A tremendous amount of PHI is exchanged over email, and HIPAA-compliant email requires encryption, too. In a post-HITECH (Health Information Technology for Economic and Clinical Health) world, the data shared digitally between doctors and their patients can be extremely useful to enterprising hackers, and email is a particularly vulnerable attack vector.

The traditional route hospitals and providers take for HIPAA-compliant email is a portal solution that uses Transport Layer Security (TLS) to encrypt messages. While these legacy portal solutions do provide HIPAA email compliance, they are certainly not easy for either the providers or the patients who use them. Web mail portals tend to be inconvenient, requiring separate usernames and passwords for each and every system and creating silos of medical information.

Newer email encryption solutions bypass the annoyance of portals by integrating with the email services people already use, such as Gmail. Virtru Pro, for example, works with the service you’re already using to provide client-side encryption for HIPAA-compliant email. In this case, encrypted PHI can be delivered securely straight to the inbox, with no need for separate accounts or credentials, giving you both HIPAA compliance and convenience. (To learn more, read our FAQ about how Virtru Pro enables HITECH and HIPAA compliance for Gmail, or download our free guide.)


3. Use multi-factor authentication wherever possible.

If a hacker steals your password, can they access your data? If you’re using multi-factor authentication, you may still be safe. Without it, your password is a single point of failure, the only gatekeeper between you and the data thieves.

To help satisfy the Person or Entity Authentication standard of HIPAA compliance, HHS recommends that businesses handling PHI require, in addition to a password or PIN, either something the individual possesses (such as a token or smart card) or a biometric (for example, a fingerprint or iris scan) for identity verification. Both are examples of multi-factor authentication, which combines something a user knows with something the user has or is.

Anyone who has used a debit card is familiar with multi-factor authentication. Even if someone gets hold of your card, they can’t withdraw money at an ATM without your PIN. Requiring two separate proofs of identity makes it doubly hard for someone to reach your money (or your data) by posing as you.
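On most phones the "something you have" factor that HHS describes is an authenticator app implementing the TOTP algorithm (RFC 6238, built on RFC 4226 HOTP). The Python below is an added example, not code from the article or from any vendor, and implements that protocol end to end with the standard library: enrolment, code generation, verification with a clock-drift window and replay protection, and a login that requires both the password and the code. The user record and password are constructed; the secret is the RFC 6238 reference test key, so the codes can be checked against the published test vectors.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = Unix time // step (30 seconds)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, which authenticator apps expect at enrolment."""
    return base64.b32encode(secret).decode("ascii")


def verify_totp(secret: bytes, submitted: str, last_counter: int, at=None,
                step: int = 30, window: int = 1, digits: int = 6):
    """Return the counter that matched, or None.

    Accepts the current step and `window` steps either side to tolerate clock
    drift, but never a step at or before `last_counter`, so a code that has
    already been used (or was seen in transit) is not accepted a second time.
    """
    now = time.time() if at is None else at
    current = int(now) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user(username: str, password: str, totp_secret: bytes = None,
              iterations: int = 600_000) -> dict:
    """Constructed user record; a real system keeps this in its directory."""
    salt = secrets.token_bytes(16)
    secret = totp_secret or secrets.token_bytes(20)   # 160-bit secret per RFC 4226
    return {"username": username, "salt": salt, "iterations": iterations,
            "pw_hash": hash_password(password, salt, iterations),
            "totp_secret": secret, "last_counter": -1}


def login(user: dict, password: str, code: str, at=None) -> bool:
    """Both factors must pass. The password is always checked, even when the
    code is wrong, so the response time does not reveal which factor failed."""
    pw_ok = hmac.compare_digest(
        hash_password(password, user["salt"], user["iterations"]), user["pw_hash"])
    counter = verify_totp(user["totp_secret"], code, user["last_counter"], at=at)
    if not (pw_ok and counter is not None):
        return False
    user["last_counter"] = counter   # burn the code so it cannot be replayed
    return True


if __name__ == "__main__":
    user = make_user("dr.lee", "correct horse battery", iterations=100_000)
    print("enrol in authenticator app:", provisioning_secret(user["totp_secret"]))
    code = totp(user["totp_secret"])
    print("login with password + code:", login(user, "correct horse battery", code))
    print("same code again (replay):  ", login(user, "correct horse battery", code))
```

The `last_counter` bookkeeping is the detail most home-grown implementations miss: without it, a code stays valid for the whole drift window, and a stolen password plus one observed code is enough to log in.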


4. Make all of your employees HIPAA compliance experts.

One of the standards HIPAA lists among its Administrative Safeguards is Security Awareness and Training. Any business is only as secure as its least vigilant employee. All it takes is one tired worker uploading notes to a personal server, or leaving handwritten passwords in the open, to violate HIPAA. It’s essential to make sure every employee is thoroughly trained, and regularly refreshed, in the HIPAA and HITECH regulations as well as your company’s security policies.

While many of the technical safeguards that support HIPAA compliance are automated, like timed session logouts and password complexity requirements, nothing replaces thorough training and adequate knowledge sharing when it comes to strengthening your security posture.


5. Review the compliance and security practices of business associates.

When it comes to HIPAA compliance, you can’t just tidy up shop internally. Just as with its employees, a company is only as compliant as its least secure partner, vendor or contractor, and every business your hospital, private practice or insurance company partners with is a potential vector for attack or HIPAA violation.

There are a few precautions any HIPAA-covered entity should take when it enters into a business associate agreement, including securing the right to audit the associate for compliance. Lay down ground rules for HIPAA compliance best practices, including a mutual obligation to encrypt any shared PHI, and ensure that your business associate can’t pass your patients’ PHI on to subcontractors without your approval. This includes using only HIPAA-compliant email to exchange PHI.


6. Be aware of social engineering and inside threats.

While a leak of PHI is usually a matter of user error or negligence, many data leaks are caused by malice, from outside and from within. While much infosec effort is directed at the stereotypical hacker, hiding in the shadows of a musty basement and breaking into a distant server, 28 percent of security incidents come from within the organisation, and 66 percent of malicious hacks involve social engineering, a method of intrusion that relies on social manipulation.

Social engineering can be as simple as someone walking into a hospital dressed as a convincing repair person, plugging in a thumb drive and leaving with sensitive PHI. Make sure your internal security audits address these scenarios, as well as insider threats.

Between legislation and technological advances, healthcare in the United States has recently undergone a dramatic transformation. It’s vital that healthcare providers and other covered entities keep pace with these changes. While it isn’t necessary to be an info-sec expert or a white hat hacker, doctors, nurses and administrators should know the law, know the threats and keep vigilant to protect the privacy of their patients and the HIPAA compliance of their practices.


Austin Dodd's curator insight, November 12, 2016 4:40 PM
This article talks about how to maintain security when emailing private health information so that you follow in line with the Health Insurance Portability and Accountability Act. It advises encrypting information and maintaining knowledge on potential threats. I believe this information is valuable to those who must follow HIPAA email compliance.

HIPAA Compliance in a Fast-Paced Medical Practice


Did you know that patient medical records can fetch more than $2,000 on the black market? Or that, because of the relative ease of medical insurance fraud, your medical records are worth significantly more on the black market than your credit card number? That’s right. Your medical history, including information about your insurance provider and your health status, is of great value to thieves. Even incomplete or partial records can be worth hundreds of dollars. If the value to hackers is hundreds or thousands of dollars, you can’t put a price on what those records are worth to the patient and their caregiver. We recently had a client whose medical records had been tampered with by a hacker. Her blood type had been switched in her medical records and, if not for a clerk noticing the change at the last minute, an upcoming surgery could have been a disaster. How do you put a price on that kind of threat? How do you overstate the need for robust security to protect medical records from theft or mishandling?


HIPAA Compliance in Theory and in Practice

The Health Insurance Portability and Accountability Act, also known as HIPAA, was established to protect patient medical records from being disclosed to unauthorised parties. HIPAA lays the groundwork for ensuring that these private details remain private and accessible only by patients and their caregivers. That’s the idea behind HIPAA: protecting patients and care providers by creating minimum standards for privacy and accessibility. Despite near-universal agreement on the need for patient privacy, there is no surefire method to protect patient records from being accidentally released or stolen. Many clinics count on their door locks, alarms, and firewalls to provide adequate security for the entire practice, including the medical records. While some protection is better than none, my experience is that most medical facilities and practices have woefully low amounts of security in place for their patients’ medical data. Aside from this lack of protection running counter to the patient’s best interests, it also greatly increases the chances of a HIPAA violation which can cause huge problems for the practice. Just a single incident can incur a fine of $50,000! The repercussions for all involved are nothing to take lightly.


Enhance HIPAA Compliance and Security

So what is a medical practice to do? Hope for the best and that nothing will happen? Certainly not. Fortify security measures? That’s not much better unless there is also a plan in place and an understanding of what level of security and precaution already exists. The first thing we would recommend to any medical provider interested in enhancing their security is a network assessment that focuses on HIPAA compliance. This type of assessment, offered by Diamond IT, doesn’t just scan for vulnerabilities and possible points of intrusion; it also evaluates how patient data is stored, backed up and secured, to provide a true diagnosis of HIPAA compliance across the network. Assessing your network and security will uncover even more about your HIPAA compliance and how successful you’ve been in maintaining patient privacy.

Moving to hosted Exchange allows for control and oversight to make sure messages are protected and monitored. Backing up data to an offsite location means that if there is an incident at the office there is no threat of permanent data loss. Once this assessment is complete, we work to find areas of improvement that deliver real results for the security of your organisation and your patients. By the time our team is finished, your practice will have a detailed plan not only for enhancing physical and digital security, but also for making sure you remain in compliance with HIPAA each and every day.

So often patients choose a medical care provider based on an online review or a recommendation from friends and family. When was the last time you heard anyone say they chose their care provider because they had great confidence that provider could protect their privacy? The reality is that patient data security should be important to everyone but is often taken for granted by patients. Patients trust their providers to protect their private data, and care providers owe that protection to those patients.

Ensuring that your practice is as secure as possible and mitigating the risk of a data breach or HIPAA violation is not a mission to take on alone. With Diamond IT on your side, greater protection is not far away, giving you greater peace of mind so that you can focus on patient care.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


HIPAA Risk Management Plan


Simply put, a HIPAA Risk Management Plan is a compilation of an organisation's compliance policies, procedures, forms, logs and reports. A plan serves as a way to demonstrate your HIPAA compliance efforts in writing. This is critical because if a HIPAA breach or an audit occurs, rest assured the HHS Office of Civil Rights (OCR) will want to see specific written policies and procedures that your organisation has in place. 


The overall goal of a HIPAA Risk Management Plan is to address risk. A risk is an event or condition that, if it occurs, could have a positive or negative effect on an organisation. Risk management is the process of identifying, assessing, responding to, monitoring, controlling and reporting risks. A good plan will outline how risk management activities will be performed, recorded and monitored to comply with the HIPAA Security Rule. 


In guidance provided by OCR, HIPAA Covered Entities and Business Associates must adopt reasonable and appropriate policies and procedures to comply with the provisions of the Security Rule. The plan's documentation must be retained for six years after the date of its creation or the date it was last in effect (whichever is later), and must include written security policies and procedures and written records of required actions, activities and assessments.


Covered Entities and Business Associates must periodically review and update their documentation in response to environmental or organisational changes that affect the security of electronic protected health information (e-PHI). Reviewing and amending policies and procedures should occur on an as-needed basis.


A comprehensive risk plan must cover all the HIPAA Security Rule Standards and Implementation Specifications. Under this Rule, the implementation of standards is required. The implementation specifications are defined as either “required” or “addressable.” A required specification must be implemented with no exceptions. An addressable specification allows additional flexibility with respect to compliance with the standard, but it is not optional.

Let’s look a little deeper at addressable implementation specifications. These specifications were developed to provide an organisation additional flexibility with respect to compliance with some of the security standards. However, one of the following must be done for each addressable specification:

  1. Implement the addressable implementation specifications;
  2. Implement one or more alternative security measures to accomplish the same purpose; 
  3. Not implement either an addressable implementation specification or an alternative. This choice must be documented. (I always advise to try to meet the specification. Remember, a clearly written justification as to why it is not being met is required.)


You can apply the reasonable and appropriate standard to addressable implementation specifications. This standard will depend on a variety of factors such as the risk assessment, risk mitigation strategy, what security measures are already in place and the cost of implementation. HIPAA Risk Management Plans should be created with the understanding that every member of the workforce must be able to access the plan. Organisations must require workforce members’ attestation to receiving the plan and knowing they are accountable for the contents.


Information Security versus HIPAA Compliance


I recently read a headline that stated: “CISO: Compliance Is the Wrong InfoSec Focus”. It goes on to say, “I'm going to improve our maturity of information security controls and then, out of that improvement of those controls ... will come much better regulatory compliance.” HIPAA is as much about privacy as it is about information security.


I have had many people explain to me that they didn’t need to be HIPAA compliant because they were already compliant with some other standard. HIPAA HITECH and the Omnibus Rule share some attributes with other standards such as SSAE 16 / SOC 1 / SOC 2 but are much broader. The Privacy Rule is something that IT departments tend to ignore.

The Cycle of Compliance has three main components: a HIPAA risk assessment (the NIST protocol is the industry standard), written policies and procedures that have been tailored to the organization, and training and awareness based on the organisation's policies and procedures. Having a “canned” set of policies and procedures is certainly not adequate, nor is training based on policies and procedures that are not in place in the organization. Staff will adopt policies and procedures more readily if they are trained on the specific policies and procedures developed for their organization.

The Cycle of Compliance will cover all of the HIPAA requirements, and documentation of these activities will help build a legal firewall around an organization. Once set up properly, this process will contribute towards greater productivity and job satisfaction for staff while only requiring a few hours a month to maintain.
Information security is an important part of HIPAA compliance but not the “whole enchilada” as we say here in California.

New HIPAA Guidance Tackles Ransomware Epidemic In Healthcare


HHS addresses ransomware infections in the wake of healthcare attacks.

It took ransomware infections that brought two major hospital systems to their knees earlier this year to demonstrate how dangerous malware can be for healthcare organisations. Now the federal government has issued new guidance under the Health Insurance Portability and Accountability Act (HIPAA) to address ransomware attacks.

The US Health and Human Services Office for Civil Rights this week issued guidelines for helping healthcare organisations understand, prevent, and prepare for ransomware attacks. It provides information on what ransomware is, how attacks work, how to spot it, how to contain the damage, and of course how to protect data with regular backups. The guidance notes that existing HIPAA requirements already cover ransomware attacks, and explains how a ransomware attack maps to those rules.

“The new guidance reinforces activities required by HIPAA that can help organisations prevent, detect, contain, and respond to threats,” Jocelyn Samuels, director of the Office for Civil Rights, wrote in a blog post. Among those practices: running a risk analysis of threats to electronic health information; training users to detect malware; limiting user access to electronic health records; and establishing a contingency plan including regular data backups, test restoration, and emergency operations.

“Organisations need to take steps to safeguard their data from ransomware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents,” Samuels said.

While having HIPAA address ransomware makes sense, some security experts say it’s no guarantee users won’t still fall for a phish or a link in an email. “Any new guidance that can help healthcare organisations prevent, detect, contain, and respond to threats (especially ransomware) is obviously good guidance. However, will guidance solve the bigger problem of the unsuspecting click?” says Stephen Gates, chief research intelligence analyst at NSFOCUS.

“Ransomware,” he says, “is not an exploit that takes advantage of a vulnerable application or operating system. Ransomware is a payload that takes advantage of vulnerable people and their clicks. Even the best guidelines can’t solve that problem.”


Is Apple Finally Entering the HIPAA Game?


For years, Apple has notoriously avoided stepping into the burgeoning HIPAA-compliant health-tech market. Its peers, tech giants such as Amazon, Microsoft, Google, and Fitbit, have all willingly begun signing Business Associate Agreements (BAAs), allowing their products and services to be used across the health care industry to store, transmit, or create protected health information (PHI).


So when Business Insider reported on a job listing posted by Apple looking for a “Privacy Counsel” focused on HIPAA and Health, heads rightfully turned.

With the exception of third party apps and some Apple Watch functionality, Apple has been decidedly quiet on the issue of HIPAA. There are a number of HIPAA compliant messaging and data storage apps that have long been popular with Apple users in the health care field, but its own iMessage messaging service remains insecure and non-compliant.


The job listing itself is vague, asking only for “health privacy expertise” in addition to a slew of requirements that make it clear they’re going for the best in the business to spearhead their interests in HIPAA compliance.

So it seems that Apple is poised to move ahead in a few directions.

They can go the way of Google and develop an end-to-end encrypted messaging service for doctors or other covered entities and business associates. This would serve the function of allowing PHI to be safely transmitted without risking the security or integrity of health data.

The other option is to go the way of health-tech manufacturer FitBit and create a suite of HIPAA-compliant health tracking services for the Apple Watch.

In the year since its release, the Apple Watch has been widely adopted as a health monitoring device. One report from April 2016 indicated that 80% of Apple Watch owners utilise its health and fitness tracking, and 56% say that that’s the primary reason they use it.


With discussions of data security and privacy reaching the national stage, the pressure is mounting against tech companies to take the plunge and begin protecting their customers’ data. Apple CEO, Tim Cook, commented on his plans for the Apple Watch. “One day,” he said, “this is my prediction, we will look back and we will wonder: how can I ever have gone without the Watch? Because the holy grail of the watch is being able to monitor more and more of what’s going on in the body.”

With this renewed focus on health, it’ll be worth watching Apple to see if anything comes of this new job listing and their potential foray into the world of HIPAA compliance.


It's Time To Modernize The HIPAA Privacy Rule


Here is a thought-provoking statement about the HIPAA privacy and security rules: These rules were required by the 1996 legislation to support the exchange of health information. They were intended to provide limits and protections on the exchange of information, and were not added after the fact as a reaction against free information exchange.

Radical notion? Not really. The HIPAA transaction provisions were aimed at enabling health information exchange, and the privacy and security rules were designed to support that goal.

Here are a couple of observations about what has changed in the nearly 20 years since HIPAA was enacted:

Rather than enabling information exchange, many in health care perceive the HIPAA privacy and security rules as barriers to the free flow of health information.


Technology has changed dramatically; 1996, when the rules were created, came before the modern Internet took root in our everyday lives. Social networks and mobile computing platforms did not yet exist. The world of today, technologically speaking, barely resembles the world of 1996. HIPAA, however, has not changed.

So perhaps it makes sense to revisit the HIPAA rules, to make sure that the privacy and security protections are optimised for today’s technology, with the goal of protecting individuals as well as enabling information exchange.


Using HIPAA Guidelines to Protect Your Personal Information


Community Health Systems Inc. (CYH.N), one of the biggest U.S. hospital groups, said on Monday it was the victim of a cyber attack from China, resulting in the theft of Social Security numbers and other personal data belonging to 4.5 million patients.

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user names and password combinations and more than 500 million email addresses, security researchers say.


What in the name of HIPAA is going on out there?

Breaches of information are happening all around us, and it’s the big ones that are grabbing our attention these days. So, what can you do to protect yourself?

Well, HIPAA has great guidelines for not only protecting your client’s information, but also your personal information. Yep, I’m going to make everyone love them some HIPAA with this week’s blog… OK, love might be a tad strong. How about, gain a healthy respect?


HIPAA states that you are responsible for your Business Associates’ and/or Business Associate Subcontractors’ compliance. How do you do this? By asking to see Policies and Procedures, a Notice of Privacy Practices, and their training logs. Treat anyone to whom you give confidential information as if they were your Business Associates and Subcontractors. You won’t get training logs from a credit card company, or from the iTunes store, but you do get those handy little guides that tell you how they are going to use your information, and what the limits are. Now, I’m not saying you need to study these things, but if a company isn’t willing to give you a Notice of Privacy Practices, perhaps you shouldn’t be giving them your information? Look for security standards and marketing standards within the NPP. Apple is fairly forthcoming in its privacy policy.

HIPAA requires you to have unique logins for each user in your company. Following these guidelines, you should have a unique password for every credit card, bank, etc. The easiest way to protect your private information is to change those passwords and make them hard to guess: 8+ random uppercase and lowercase letters, numbers and symbols. Most hackers are looking for an easy way in, and one of the easiest ways is through weak passwords. Make sure you update all your passwords regularly, quarterly at a minimum, and consider using a password management program. Those are great tools, and go a long way in helping you to protect your personal information.
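The password guidance above, turned into code as an added example that is not part of the original post: a policy check for the 8+ mixed-class rule, an entropy estimate for a random password of a given length, a generator built on Python's `secrets` module, and a check for the same password being reused across accounts. The symbol set, the 16-character default and the sample account data are assumptions made for this example.

```python
"""Password policy check, entropy estimate, generation and reuse detection.

Added example, not part of the original post. The minimum length (8) and the
required character classes come from the post; the symbol set, default length
and sample accounts below are constructed for this example.
"""
from __future__ import annotations

import math
import secrets
import string

MIN_LENGTH = 8  # minimum from the post; longer is always better
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"  # assumed symbol set
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def check_policy(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    failures: list[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SYMBOLS for c in password):
        failures.append("no symbol")
    return failures


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password over the alphabet.

    This measures guessing resistance only for truly random passwords;
    a human-chosen password of the same length is usually far weaker.
    """
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies check_policy.

    Uses the secrets module (a CSPRNG, unlike random) and rejection-samples
    until every character class is present, which converges quickly for
    lengths of 8 or more.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def find_reused(passwords: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used for more than one account to those accounts.

    Demonstrates the 'unique password per account' rule. The input is a
    constructed account -> password mapping; a real tool would compare
    salted hashes exported from a password manager rather than plaintext.
    """
    by_password: dict[str, list[str]] = {}
    for account, pw in passwords.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed sample data for a quick demonstration.
    sample_accounts = {"bank": "Winter2016!", "email": "Winter2016!", "shop": "x7#Qp9!mLz2r"}
    for account, pw in sample_accounts.items():
        print(account, check_policy(pw) or "passes policy")
    print("reused:", find_reused(sample_accounts))
    print(f"{MIN_LENGTH} random chars over {len(ALPHABET)} symbols: "
          f"{entropy_bits(MIN_LENGTH):.1f} bits")
    print("generated:", generate_password())
```

The entropy figure shows why the post's minimum is a floor rather than a target: eight random characters over this alphabet give roughly 52 bits, and each extra character adds about 6.5 more, which is why a password manager generating long random strings is the easier path to the "unique and hard" requirement.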


Taking this one step further, many people use their email address as their user name. This is easy for you to remember, and fairly easy for a hacker to use also. For more secure financial data, you should use a unique username that isn’t your email address. This will make your login that much harder to identify.

Use two-factor authentication if the company supports it. Google uses it with Gmail; Facebook has it with their service. If the online services you frequent support it, USE IT! Two-factor authentication is great because you are required to confirm the login through a separate channel, such as a text message to your phone. Since hackers normally don’t have access to all your means of communication, this gives you another level of protection.

HIPAA requires that all Protected Health Information be encrypted in transit. You should be discerning about what information you’re going to put into websites. Make sure they show a lock in the address bar, which means the site has a valid SSL/TLS certificate. The certificate verifies the site is what it says it is, and the connection encrypts your information in transit. If you click on the lock, it will tell you whether the certificate is valid, who issued it, and what level of encryption the site is using. HIPAA requires 128-bit encryption, and you want this at a minimum on any site to which you are sending data. It’s a good exercise to click on those locks and see what’s going on. Make sure those certificates are valid.


HIPAA is a great guide to help you protect your clients and patients as well as yourself by giving you a set of Security and Privacy standards we should all be following. Most of this is pretty common sense stuff, but we all need reminders. That’s where the training comes into play. (Remember this is required under HIPAA!) Accidents still may happen, but you are well on your way to protecting yourself and those who trust you when you follow HIPAA’s guidelines.


Regulatory Compliance for Medical Practices

The regulatory schemes covering medical practices are unbelievably complex, so this article only gives a bird’s eye view. For an outline of legal issues related to a medical corporation, read Legal Compliance Checklist for a Medical Corporation on my website. You should also read the related set of articles that you’ll find linked in that article.
Both the US and California have their own versions of the anti-kickback and Stark self-referral laws. To sum them up: Don’t make or take referrals for money.

○ Under the CA and federal anti-kickback laws, a physician may not knowingly offer or pay, or even receive, anything of value for a referral of medical work.
○ Under the CA and federal "Stark" self-referral laws, for certain designated health services, a physician may not refer a patient to a provider with which the physician (or a family member) has a financial relationship.

Violation of these laws is punishable by fines, exclusion from participation in Medicare and Medi-Cal (see next), loss of license to practice, and even imprisonment. The federal and state referral laws are very broad and very complex. They touch on almost all financial aspects of a practice, and it is very important that you hire an attorney to run each of your transactions through a referrals analysis.
For more on the referral laws as they relate to your group's compensation plan, read Stark and Anti-Kickback laws re the compensation structure of a group medical practice.

Billing Fraud and Exclusion from Medicare and Medi-Cal
You must be very careful when billing for services, because you do not want to inadvertently commit health care fraud. It is very easy for medical practices to become sloppy in their billings as they try to maximise reimbursement, for example, using a physician’s provider number to cover the work of a non-physician.

The federal Office of Inspector General (OIG) can exclude anyone who has engaged in billing abuse from participation in Medicare. Exclusion is very serious because you cannot get reimbursement from Medicare for your medical work. The California Department of Health Services has its own exclusion (suspension) provisions regarding Medi-Cal.
The OIG prohibits payment even to an innocent health care provider (e.g. a hospital) who employs an excluded individual. A provider can itself be excluded if it submits claims for payment connected with an excluded person. Hence a medical practice must be sure that all of its employees and contractors are not excluded. Both OIG and California maintain online lists of excluded health care providers.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires “covered entities” to protect electronic health information from unauthorised access, alteration, deletion, and transmission. Covered entities include medical practices.
HIPAA is extensive and I’m sure you’ve had about all you can stand of it already. One thing to keep in mind about HIPAA is that, when working with third-party contractors who handle patient data, a health care practice must obtain contractual assurances of their HIPAA compliance. Make sure your contracts with third parties have language to this effect.

Supervision of Staff
California has a multitude of regulations on your supervision of staff, including medical assistants, nurse practitioners and more. The California Medical Board’s website has many publications that address these regulations. I will not belabour them in this short outline.

Test Case -- Sharing Offices with other Health Care Providers
Sharing office space with other health care practices brings up all of the above issues. The primary problems are violation of the referral laws (above), creation of a de-facto partnership, and opening access to patient data in violation of HIPAA.
The various health care providers may make referrals to one another, but they must comply with the state and federal referral laws (Stark and Kickback). In essence, they may not take or receive any compensation (direct or indirect) for a referral. Be extra careful of the office leases for the shared space. The Stark and Kickback referral laws have specific requirements to prevent the leases from acting as indirect conduits for financial compensation.

The risk with a de-facto partnership is that patients of another practice sue you based on the argument that you and the other practice are partners. The more resources you and the other practices share, and the more integrated you look, the higher the risk. You must keep your medical practice absolutely separate from the other practices in the shared space. All health care practices in the shared space should give written disclosure of the space-sharing relationship to patients, including disclosure that the various practices are not in a partnership of any kind.

One final note: Never let another health care practice bill under your provider number, no matter how many rationales that other practice has for it being OK. Most likely this would constitute billing abuse.

Six Tips for a Small Business to Avoid HIPAA Security Breach Headaches


Michael and I spoke with Alison about the recent OCR pronouncements, and she pulled several of our comments together to create a list of tips for an SMB to consider to minimise HIPAA security breach headaches. The following 6 tips are excerpted from the full article:


  1. Hire a credible consultant to help you approach the issue, and how you would respond in the event of a breach. [In other words, perform your own security risk assessment, or, if impractical, hire an expert to perform one.]
  2. Document that you have policies and procedures in place to fight cyber crime. “If you didn’t document it, it didn’t happen,” Kline said.
  3. Stay informed of cyber security news in your industry, or join an association. Be aware of what other companies in your space are doing to protect themselves.
  4. Update your security settings on a regular basis, perhaps every time you add new employees or change systems, or on an annual basis.
  5. Present annually to your company board on where the company is in terms of cyber security protection, and where it needs to be to remain as safe as possible in the future.
  6. If you’re an IT consultant working with a healthcare organisation, be clear with your client what you need to access and when, Litten said. “A client that has protected health information in its software should carefully delineate who has access to that software,” she added.


The article also quotes Ebba Blitz, CEO of Alertsec, who offers an equally important tip for the SMB dealing with employees’ use of mobile devices that contain or are used to transmit PHI:


“You need a good plan for mitigating BYOD,” Blitz said. She further recommends asking employees to document their devices, so businesses can keep track of them and install security tools.


In summary, confronting ever-growing and evolving challenges of cyber security for SMBs is dependent upon serious planning, development and implementation of current policies and procedures, documentation of cyber security measures taken and entity-wide commitment to the efforts.


Medical Practice Policies for HIPAA Compliance


The Medical Economics article published 4/24/2014, “Be Proactive to avoid HIPAA violations”, summarises HIPAA and how best to develop procedures to avoid any violations. The recommended policies and procedures listed below are the foundation on which HIPAA compliance is built, so medical practices should update and implement them to maintain compliance.

  • Privacy Policies
  • Security Policies
  • Incident/Breach Report/Log
  • Procedure for making records available to patients
  • Incident Response Plan
  • Complete Risk Assessment
  • Train Employees


The article details the steps that should be followed for each of these policies and procedures. After policies are updated, the practice must also complete a Notice of Privacy Practices (NPP) that clarifies the law and the practice’s obligations to the patient including the following:

  • How Patient Health Information (PHI) can be used or disclosed
  • Patient’s rights
  • Practice’s Legal obligations
  • Practice contact that can provide additional information

In addition to the practice’s obligations to secure PHI, any business associate will also share the liability for any breach. Therefore it is important to draft and implement a Business Associate Agreement that clarifies these responsibilities and requires that the business associate abide by the agreement in order to do business with the practice (click on the link for the Office for Civil Rights’ (OCR) sample business associate


$1.55 million settlement underscores the importance of executing HIPAA business associate agreements


North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to enter into a business associate agreement with a major contractor and failing to institute an organisation-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.


“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organisations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”

OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.


OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive Health, Inc., access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.

The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure -- including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.


In addition to the $1,550,000 payment, North Memorial is required to develop an organisation-wide risk analysis and risk management plan, as required under the Security Rule. North Memorial will also train appropriate workforce members on all policies and procedures newly developed or revised pursuant to this corrective action plan.



What exactly is HIPAA compliance?

In general, the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. To date, the implementation of HIPAA standards has increased the use of electronic data interchange. Provisions under the Affordable Care Act of 2010 will further these increases and include requirements to adopt:
  • operating rules for each of the HIPAA covered transactions
  • a unique, standard Health Plan Identifier (HPID)
  • a standard and operating rules for electronic funds transfer (EFT) and electronic remittance advice (RA) and claims attachments.

In addition, health plans will be required to certify their compliance. The Act provides for substantial penalties for failures to certify or comply with the new standards and operating rules.

Are you HIPAA compliant? Would you know if you were not HIPAA compliant? Below are a few tips to become HIPAA compliant.


How to be HIPAA Compliant

  • Check all your electronic safeguards, including network encryption, anti-virus software and email encryption. This is likely the most important part of HIPAA compliance because hackers seek out weak or unprotected networks. Have a security risk analysis performed yearly on your network.
  • Ask patients to sign forms specifying who is and is not allowed access to their records beyond the standard of doctors and insurance companies. This could include family members, employers or friends whom they trust to view their information.
  • Verify authorisation and identity before releasing information to any person or company. Ask security questions or for personal information such as social security number and date of birth to ensure you are speaking to the correct person. If a form is emailed or faxed authorising the release of records, check the patient’s signature against the signature on file to ensure they match.
  • Check to see what type of information the person or company is authorised to receive. Health insurance companies are usually authorised to receive all information, while a patient may only want a family member to have access to certain parts of his medical information.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


HIPAA Compliance for Direct Care Providers


The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") is an exceptionally important healthcare law that Direct Care providers need to be aware of. In this article, we’ll walk you through the nuts and bolts of the law, how to be compliant with HIPAA, how to evaluate tech companies to partner with, and just why Direct Primary Care providers should be particularly vigilant about its enforcement.



HIPAA, as a federal law, was designed to “allow portability of protected health information for billing purposes, so that we could engage in proper billing around the country,” explains one legal expert. “Plans and providers couldn't deal with fifty states having fifty different laws protecting privacy applicable to healthcare billing that just would not be workable.” In connection with enabling billing data portability, HIPAA also created certain privacy protocols and procedures that all “covered entities” (and now “business associates”) must follow.


The Privacy Rule

The Privacy Rule, as its name suggests, requires that covered entities (generally: plans and healthcare providers) with electronic personalised health information keep that health information private. Since a direct primary care practice is a covered entity, it has the same duty that all medical practices have--to maintain the privacy of their patient health information. Because direct primary care practices are typically even more connected with patients and engaged in more frequent communication (electronic or otherwise), these practices must pay close attention to HIPAA.

“I think everyone acknowledges that, whether it's a photocopier that's not only copying, but storing data images, or an EMR, or some other device, literally all medical practices have electronic personalised health data. And once you have that electronic data, the Privacy Rule protects everything--including paper files.” One legal expert says they have seen some physicians get confused, thinking that it doesn’t matter how they organise their files in their office or whether they talk about patient information within earshot of someone else. “But that’s not accurate,” he says. “Once there is electronic protected health information, then there's an obligation to maintain as private everything--file boxes, verbal communications, and data too.”

So is it enough to try to maintain privacy? No, you need an internal privacy plan that is documented.


The Security Rule

HIPAA requires that all covered entities engage in commercially reasonable efforts to consider various options, document that assessment in an internal memo or report called a “risk assessment,” and then implement a protocol or a program of protecting patient privacy for the practice. HIPAA's Security Rule is intended to be flexible; what is commercially reasonable for a small practice can differ from what is reasonable for large medical providers. The Security Rule compliance requirements of a large major hospital will be different from the security protocol requirements of a solo physician practice. There’s no single hard and fast security compliance process or approach other than the requirement to reasonably consider different options and then implement a reasonable approach. One legal expert explains: “Whether you're a large hospital chain or a small medical practice, you need to document your Security Rule compliance in what's called a risk assessment memo.”

The risk assessment memo lays out a number of scenarios and protection actions for patients’ security. These may include, but are not limited to, how the provider protects their mobile devices, what authentication measures they use, what kind of encryption their e-mails have, how they will protect portable storage devices (offsite, under lock and key, etc.), who has access to files, and how and where they store patient files. The risk assessment serves as evidence of a covered entity’s consideration of different privacy protection measures while also documenting implemented solutions.


The Accounting Rule

Under the Accounting Rule, adopted as part of HITECH (a federal component of HIPAA), a patient who pays cash for certain medical services may request to have their data related to those private fee services segregated from plan-reimbursed data and not provided to plans. This rule reflects the original goal of HIPAA--increasing the portability of “plan” billing information. “When plans are handling billing, they need necessary patient data. However, when a patient is paying cash for certain services, HIPAA (as amended by HITECH) allows patients paying privately for services to segregate the health data from those services, because there's no reason for the plans to receive that information if it has no connection to plan reimbursement.”

The rule makes most sense in context. For example, if a psychiatric patient has a condition that they would like to pay their provider in cash for, that patient may be sensitive to the inclusion of that data in their general health care records shared with health plans, especially if their employer is reimbursing their health care.

Typically, for DPC practices that engage in primary care, the way the cash or the private fee is allocated doesn't generate a huge amount of patient interest in privacy. Of course, there are always going to be patients that are very interested in privacy, and they might ask for their data to be segregated. DPC practice EMR/EHR records platforms, and internal medical files, should be able to accommodate that request.

“DPC practices need to be mindful that their patients do have the right to request a segregation of their data,” one legal expert explains. “Providers need to ensure that their health care data platforms or systems have the ability to segregate that data, so it’s essential for them to ask their EMR or their EHR whether they can comply with the accounting rule when their patients pay cash or privately for certain amenities.”


How to Become HIPAA Compliant

There are several ways to become HIPAA compliant. Going it alone is a bad idea, says Chas Ballew, an attorney who co-founded the healthcare developer startup Aptible. Hiring an expert like a consultant or attorney saves providers a massive headache and, in most cases, minimises the likelihood of fines. Alternatively, Ballew suggests using service providers or business associates to provide services to the provider, like handling personal health information (PHI) on their behalf.

The benefits are obvious. Instead of manually writing down patient health information, keeping it in a filing cabinet, and buying locks for storage and badges for the physical environment, a provider can seek out third-party software to handle security for them. “If they sign a business associate agreement (“BAA”), they can use that service and their third party access controls. Providers can use their security and keep PHI out of their own physical office, which makes it much easier for providers to prove that you don't really have a whole lot of information for anybody to be worried about,” explains Ballew.

On a smaller scale, being HIPAA compliant requires that practices give a notice of privacy practices to their patients. Obviously, the provider needs to make sure that the notice of privacy practices includes everything mandated by the Privacy Rule. “You've got to make sure that you and your entire office only uses personalised health information (“PHI”) for permissible purposes,” says Ballew. These permissible purposes include treatment, operations, and payment.

Unfortunately, Ballew explains, there's no super simple formula like "Do these three things and you're HIPAA compliant." To his mind, the best way to become HIPAA compliant is to partner with somebody “who's done it before and understands all the moving parts. Partnering with a compliance expert and then also partnering with software companies and other technology companies can shoulder some of the burden.”


How to Evaluate Tech Companies

If you’re a provider that is going to partner with a technology company, then Ballew recommends making them sign a BAA to ensure that they can handle patient and protected health information. “The BAA imposes contractual liability between the covered entity and the provider, or the covered entity and their business associate,” explains Ballew. “It checks a bunch of the regulatory boxes.” A BAA is the bare minimum that a provider needs to be compliant. The BAA itself serves as evidence that a party has satisfactory assurances that the business associate is meeting their obligations under HIPAA. Providers are not required to audit a business associate themselves; as far as the government is concerned, they are allowed to trust that BAA and are not obligated to look further than that.

For Ballew, though, a BAA isn’t enough of an evaluation of a tech company’s worth. It’s also important to ask a tech company who else they do business with. “You want to see if they've been evaluated by all of the larger entities,” Ballew says. Have they passed a security assessment? Or have they gone through security reviews with larger customers?

“You'd like to see some sort of reassurance of that, because as a provider, you're not really equipped to evaluate their security practices. You're good at practising medicine,” Ballew says. After all, providers seek vendors to free up their time so they can focus on what they do best.

To get more information, a provider can ask for a risk assessment, though this may require the provider to sign a nondisclosure agreement. Similarly, they can ask for a copy of a security assessment. “You can ask for a copy of their security plan or their security policies and procedures,” Ballew suggests. “That's how you would evaluate them from a compliance perspective.” Ballew also recommends requesting and reviewing customer reviews to see if other DPC providers have been satisfied with their services.

One legal expert has observed that some companies receive PHI but are unaware that under the HIPAA Final Rule (also called the “Omnibus Rule”) business associates are now essentially like a “covered entity”--they must comply with the Privacy Rule and the Security Rule like a covered entity and are subject to regulatory action if they breach their obligations. The same expert notes: “Companies that receive PHI but refuse to sign a BAA or acknowledge their HIPAA obligations are raising a red flag--be very careful and think about steering clear of companies that are not serious about accepting their PHI obligations.”

Graham Melcher, Chief Security Officer at Hint Health, talks about the level of commitment required to maintain HIPAA compliance like this: "For a technology partner, being HIPAA compliant requires a significant investment in time and resources, and becoming HIPAA compliant can be a difficult and expensive transition. That's why we invested in our HIPAA compliance very early on. It's more than just encrypting your database, it's a culture and mindset around the security and privacy of PHI that reaches across an organisation."


Why is HIPAA Compliance Challenging for DPC Practitioners?

By its nature, direct primary care eliminates obstacles between the patient and the provider, and as a result, providers are much more likely to engage in electronic communication like text messages and e-mail. “They're much more likely to implement electronic scheduling, and they're much more likely to be communicating electronically after hours, which sometimes can involve mobile devices, like iPads,” explains one legal expert. Direct private practices need to examine HIPAA requirements really carefully, because they--more than a standard practice or a plan-reimbursed practice--are going to be engaging in electronic communication.

If you need further motivation, consider that HIPAA compliance is in the interests of national security. “If you believe in a strong security apparatus for the United States, then you should believe in HIPAA. Why is that? Our enemies are hacking and penetrating our data systems, in part to defraud our country by false or fraudulent Medicare billing.”

While direct primary care providers may want to be free of regulations, one legal expert sees HIPAA as one that should be followed. In fact, he doesn’t want people to think of it as overreaching federal interference. “Think of it as our country coming together to better protect data and our national interests. I think if we could shift the paradigm or reframe HIPAA compliance from an unreasonable intervention into a, ‘Hey, this is good for all of us. This is protecting our country,’ then I think that we could achieve a higher degree of compliance.”


Cyber security and HIPAA Compliance


The recent cyber-attack on MedStar Health, a major health system in the greater Washington, DC area, shows that significant vulnerabilities still exist in managing and securing protected health information. MedStar is not alone: at least five other hospitals in California and Tennessee have been hacked in the last month, not to mention many smaller organisations.


If a hospital system can be put into a virtual shutdown, how vulnerable are millions of small to mid-size physician practices? The fear that your organisation will be compromised is a reality that needs to be faced. Most experts agree it is not if, but when.


Having the proper safeguards in place to prevent breaches is a critical HIPAA requirement. These requirements include developing and maintaining contingency plans. Policies and procedures must be in place to address areas like data backup, disaster recovery, system criticality analysis and emergency mode operations.


The government can impose fines of up to $1.5 million if a breach occurs and the investigation reveals lax security measures were in place. Most reported HIPAA investigations have revealed organisations were not following some of the basic requirements, like conducting risk assessments.


At Colington, our HIPAA compliance experts understand what physician practices must have in place in order to demonstrate compliance requirements and mitigate risk. We specialise in assisting practices and organisations that may not have the current internal resources to perform these critical and required HIPAA functions.


Colington Consulting offers a full range of compliance and consulting services including required Security Awareness Training. Our affordable and scalable pricing packages are customised for your office or organisation.
