HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Audit Survival Tips and Strategies


What to Do if You’re Contacted by OCR

When the Department of Health and Human Services (HHS) or the Office for Civil Rights (OCR) reaches out to health care organizations in response to a potential HIPAA investigation, auditors follow a very specific path toward contact, investigation, and resolution. Once a complaint is received and OCR has determined that it is legitimate, it will issue letters of notification to both the complainant and the recipient. These letters will outline a timeline for the investigation and will explicitly identify the investigating party as the OCR.

Once the investigation begins, OCR will collect and review documentation submitted by both parties. They may use any number of investigative methods including interviews and onsite visits to determine if there is sufficient evidence to support the allegations. Once again, OCR will send a letter explaining their findings. Resolutions will then vary depending on the outcome of their investigation.

HIPAA Audit Survival

HIPAA audit survival starts with keeping informed about OCR procedures. Knowledge is power. In this case, being aware and prepared is the best way to prepare your practice for a potential investigation. OCR will only contact you directly via a certified letter or email. Disreputable parties regularly attempt to lure unsuspecting practitioners into buying “certification” services that are fraudulent.

FACT: There is no certifying body for HIPAA compliance by any federal or private entity; any organization that claims otherwise is using misleading or potentially fraudulent language.

  1. Your best defence, then, is to keep in mind the process described above, and to stop communicating with any party that suggests a deviation from the standard procedure outlined.
  2. Next, if you’re unsure whether you’ve been contacted by a federal agency or not, ask the sender to confirm the identity of their organization, then verify them with a Google search about their services.
  3. If your organization receives an email or call from an entity claiming that you need to have a “Mandatory HIPAA Risk Assessment Review with A Certified HIPAA Compliance Adviser” be on full alert. This deviation from the official procedure described above will let you know that the caller is not providing a legitimate notice from a federal or state regulatory agency. Do not feel obligated to provide or share any of your information if you receive such notice.

To protect yourself, be wary of misleading language and marketing efforts targeted at health care professionals by such third-party organisations. Some such advertising will occasionally try to leverage the threat of a federal offence to garner a sale of technology that isn’t legal. This type of fraud has become so widespread that OCR has responded to this unlawful conduct with a statement telling health care officials not to follow any of the links in the email. For more information on how to mitigate HIPAA breaches and fines, check out these upcoming HIPAA educational webinars brought to you by Telemental Health’s HIPAA compliance affiliate, the Compliance Group.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


HIPAA Compliance: Facts vs Myths


There is more confusion about the new HIPAA compliance rules than ever before. While the new omnibus updates go into effect September 21st, 2013, becoming HIPAA compliant doesn't need to be a costly affair. In fact, our own data collected over 37 months across 11,500+ medical providers suggests that the HIPAA compliance update can be a source of new revenues. Here are the top nine questions, myths or factoids we encounter about the new HIPAA compliance rules and their effect on practice revenues.

1) Is it true we are eligible for a Federal incentive check as part of Meaningful Use Stage II for using HIPAA compliant email?

A major component of Meaningful Use Stage II is "patient engagement." That means 5% of your patient population has to be registered for and communicating with your office electronically. While much of this will end up being routine requests for medical records, appointment questions, Rx requests and follow-up questions, much of it can be automated or handled by mid-level staff through a mobile-based secure messaging system. We say mobile because we have seen that desktop-based systems most often fail to achieve patient participation rates that are significant enough for MUS2.

Unfortunately, most existing patient portals have failed to achieve the 5% meaningful use number quite simply because current patient portal technology was developed in the nineties and early 2000's, "long before" much of the American population had smart mobile devices and tablets. Because legacy patient portals lack the ability to handle SMS-based texts or mobile-device based emails, patients have simply not adopted them. So patients have continued to carry on with the pattern they know best - to call the office to book an in-office visit, even for tasks as routine as a prescription refill request.

A HIPAA compliant email system must incorporate text messaging from doctors to patients, email from mobile devices, and the ability to support the attachment of images from mobile device cameras and .PDF files from desktop computers. This would not only meet the criteria and allow for attestation of this component of Meaningful Use Stage II, but would complete what many argue is the most difficult to achieve component of receiving the Meaningful Use Stage II incentive payments for HIPAA compliance.

2) Can I achieve Meaningful Use Stage II with my current patient portal?

Statistically it is not likely that a medical provider organization with more than 2,000 covered and eligible patients could attest to the 5% meaningful use figure with a legacy desktop-based patient portal.

3) Email is secure for HIPAA compliance. Or email is not secure for HIPAA compliance.

While most email is not inherently encrypted, even encrypting the emails your office sends does not mean the receiving party can read it without installing the same software on their mobile device or desktop computer. Imagine your encrypted email recipient getting the following first message -

"You have received an encrypted message from HIPAA Compliance Hero LLC - the leaders of secure medical messaging. Download this app - trust us, there's no virus."

One can encrypt email for HIPAA compliance all one wants, but it's unlikely the other party will read it. So in essence, such messages are useless even though they're encrypted.

4) Free email services meet standards for HIPAA compliance.

Most free email services are not HIPAA Omnibus compliant because they scan the contents of the email and match them with advertisements. The new HIPAA Compliance Omnibus Rule 2013 is different from the prior HIPAA regulations in that it accounts for the rise of free email services. While it seems petty and a major annoyance for medical practices, with the ubiquity of Internet-connected mobile devices this update to the HIPAA compliance rules protects patients. It was very smart of the committee to incorporate this component; here's an example of why this is relevant -

Patient Randal sends an email to his Dr. Lee about something he feels may be a sexually transmitted disease and includes a picture from his smartphone. Either Patient Randal or Dr. Lee mentions the words "genital herpes" in one of their email messages and suddenly, wherever Patient Randal goes online, he seems to see advertisements for Valtrex. This seems odd to his wife, who uses a shared tablet device and suddenly sees herpes treatment ads when she's on Zappos.com looking for shoes. Because advertising matching algorithms (this particular technique is called "re-targeting") have become so accurate, scanning our medical emails in a free email service has the potential to violate HIPAA with alarming frequency and to the great embarrassment of our patients.

5) Texting patients is secure enough for HIPAA compliance. Texting patients is not secure enough for HIPAA compliance.

Texting patients was never secure and can't ever be secure. The rise of "Secure Text Messaging Apps" does not make texting secure. They simply mimic texting through an app-to-app service, one that both the initiating and receiving party must download, but it is not text messaging. This has the same inherent problems as encrypted email services: the other party must download the same app. Again, in essence secure text messaging is not text, and though it may be secure, practically speaking it is largely ignored by patients.

6) I need an attorney or consultant to get our practice to meet HIPAA compliance standards. 

It's true that any business should have good legal counsel. There are also HIPAA expert consultants who can help guide medium-sized and larger organisations through the HIPAA Omnibus update. It's not as costly or annoying as one would think, but, while it may be prudent to retain the services of a HIPAA Omnibus attorney or expert, the reality is that most small practices are under such financial pressure that they will likely rather risk penalties than make the upfront investment. For such practices that want to do the bare minimum to protect themselves, we recommend -

i) Sign up for and use the free version of Doctor Base PANDA 6. It's secure and mobile (works on phones and tablets as well as desktop computers) and will help you achieve the 5% portion of Meaningful Use Stage II. And it's free.

ii) Complete a HIPAA checklist. The firm Nixon Peabody has an example checklist for your practice and Business Associates.

* This is in no way meant to be a complete list or legal advice. And yes, our attorneys make us write sentences like this.



7) Other than the law, why use secure forms of messaging?

In the 3 years that Doctor Base has been tracking consumer patient behaviour on mobile devices, we have seen 4 - 5 star ratings of medical providers on social media sites increasingly correlate with the acceptance of email as a form of communication. A study by Patty and Nathan Sakunkoo at Stanford University shows how consumers making even "important" choices are swayed by the star ratings of an online minority.

Even by our own internal metrics, we have seen a one star rise in ratings for a doctor equal approximately a 14.3% increase in online appointments (as measured across 5 specialities within CA and TX over a period of 37 months). A two star increase resulted in a 41.1% increase in online appointments, further reinforcing some of the findings in the Stanford study which indicated that more reviews lead to even more reviews. Or as P.T. Barnum once stated, "a crowd draws a crowd."

Caveat Emptor: P.T. Barnum also stated that, "there's a sucker born every minute." But that never seemed to stop people from coming to the circus.

You get the point - reviews will have an economic impact on your business and hence, accepting patient email will positively affect your ratings in social media. The HIPAA Omnibus rule update can actually be a revenue generator for your practice when executed and adopted correctly.


Where Is HIPAA Taking Physician Practices?



Several provisions of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, were intended to encourage electronic data interchange (EDI) and safeguard the security, privacy, and confidentiality of patient health information. In the context of this act, security is the means by which confidentiality and privacy are ensured. Confidentiality defines how patient data can be protected from inappropriate access, while privacy is concerned with who should have access to the patient data. This article explores how the policies stipulated by HIPAA are shaping the practice of medicine and will likely affect your practice in the future.


HIPAA Security vs Innovation:

If you're a typical small-practice physician, odds are that you view HIPAA as simply another federally mandated cost of practising medicine, regardless of the intended outcome of the act. This position is understandable, given the cost of mandated training for you and your office staff. Furthermore, if your practice is computerised, then you'll need to spend even more money on software upgrades and possibly additional training from the vendor.

HIPAA rules and regulations are complex, in part because much of compliance is open to interpretation. For example, security issues, which are predominantly in the domain of software and hardware vendors, are based on “risk assessment,” not specific technology standards. The act doesn't stipulate specific technologies or endorse nationally recognised procedures, but leaves it up to the physician practice or medical enterprise to ensure that patient health data are secure. (HIPAA's security standards take effect on April 20, 2005, for all “covered entities” except small health plans.) However, because HIPAA enforcement is complaint-driven – there are no “HIPAA Police” checking to see that your practice meets the law's requirements – differences in interpretation of the act are likely to end up in a courtroom at some point. For this reason, some experts recommend assessment of HIPAA compliance by outside counsel.

Most physicians are understandably concerned with the immediate compliance issues surrounding HIPAA and privacy and confidentiality of patient data. Even though the security standards were designed to be “technology-neutral,” the vagaries of these requirements are having a direct impact on medicine beyond the acute phase of compliance, especially in the introduction of new technologies in the clinical arena. New technologies, from wireless to tablet PCs, bring with them added functionality, potential workflow enhancements, and efficiencies – as well as new HIPAA security compliance issues.

Consider, for example, the effect of HIPAA's privacy rules on a physician contemplating the purchase of a Palm Pilot or other PDA. Even late adopters have probably observed the benefit of PDAs. Need to share patient data? Just beam it across the infrared link from one PDA to the next. Need to review patient lab data? Just touch the screen and the data are only a second away.

But it isn't that simple once HIPAA enters into the picture. Now a PDA carrying patient data is a compliance concern, as HIPAA's privacy rule applies to all mediums of a patient's protected health information, whether it's print, verbal, or electronic. Does your PDA have a login and auto logout feature? If not, then anyone could take your PDA and look up patient data. Consider the liability issues if you forgot your PDA at a coffee shop and someone picked it up and scanned through your list of patients. But with a login screen, one of the major benefits of a PDA – instant access to data – is lost.

If you use one of the wireless PDAs, such as the BlackBerry, then there are additional HIPAA-related issues: Does your PDA support the encryption of email and patient data it sends over the Internet? Is the encryption enabled? Is the level of encryption good enough for HIPAA?

Perhaps you've been considering adding a wireless (WiFi) LAN to your clinic or practice. You may have good reason to; wireless will allow you to carry a laptop into examining rooms for decision support and not have to worry about Ethernet cords. But considering HIPAA, is your WiFi system secure? Is the data encryption good enough? If not, will you have to buy new PCs and PDAs, or simply upgrade the operating systems? Do you need to hire a consultant? Maybe it's easier to simply string cables to each office and forget about the laptop this year. Or maybe it would be better to hold off on the computer-assisted decision support project altogether.

Paradoxically, although proponents of HIPAA once thought that it would enhance the move toward the electronic medical record (EMR), I believe that it is having the opposite effect. Because of the uncertainty surrounding HIPAA compliance and whether the legal system will be swamped with cases alleging violations of privacy, it's simply safer for small practices to stay with paper charts, and let the big medical practices deal with the inevitable lawsuits.

This brings up another cost issue: Does your insurance cover a patient suit over HIPAA? If so, how inclusive is the insurance? For example, let's say your practice regularly sends digital audio files overseas for transcription. You send the audio files and receive text documents a day later. Do you know how the patient data are handled at the transcription service? If a transcriptionist overseas decides to protest his or her low wages by posting a transcription of your patient's clinic visit openly on the Web, are you liable? Will your insurer pay? This example isn't as far-fetched as it might seem. In October 2003, a disgruntled Pakistani transcriber threatened the University of California-San Francisco over back pay.[3] She threatened to post patients' confidential files on the Internet unless she was paid more money. To show that she was serious, she sent UCSF an unencrypted email with a patient record attached.


HIPAA, Privacy, and the Physician:

Whereas compliance with HIPAA's upcoming security requirements is largely in the purview of vendors and the information services department in most larger medical centres, privacy concerns are usually addressed at the physician level. Consider the major privacy provisions of the act, most of which took effect in April 2003, listed in the Table.

Major Privacy Components of HIPAA, Based on Data From the DHHS.

Implementing each of these privacy components falls squarely on you and your office staff. You, your office manager, or someone else in your practice must be designated the Privacy Officer and given the responsibility of ensuring compliance with the act. If you haven't already had at least 1 practice walk-through with the major privacy provisions, make sure you do so.




5 Security Issues Threatening HIPAA Compliance


The security of your organization is a high priority, especially when dealing with PHI and medical records. There are many causes of security breaches, and knowing which issues pose the most risk for your facility is key. While security issues compound and grow larger with the size and scope of your organization, having the right perspective in addressing these problems makes a difference in avoiding noncompliance. The following five security issues have been identified as the most common threats to HIPAA compliance in organisations:

  • Awareness, Training and Implementation

It is important that all employees, agents and business associates be fully aware of the security policies and protocols of the organization. As new technology is introduced and continues to change the infrastructure of the operation, compliance officers must make a concerted effort to keep all lines of communication open, encouraging employees to ask questions regarding new technology, its uses, and any other issues that may pose a risk.

  • Unexpected Events

An unexpected event can create serious problems. They vary from natural disasters, inclement weather to security breaches. You must have a plan in place to handle these issues quickly and professionally. It is wise to conduct drills, revisit your disaster plans on a continual basis and make sure all employees are aware of all contingency plans.

  • Smart Devices and Remote Accessibility

Smartphones, tablets and other mobile devices have posed challenges for organisations and their security policies. It is essential to work with the IT department to make sure all devices used on the campus are completely secure. Implementing a comprehensive training program, and conveying this information to any visitors is crucial in this process. Restricting access to PHI, having defined data wiping procedures, and restricting vendor access is key.

  • Documentation

During an audit, documentation is one of the easiest places to find deficiencies in your HIPAA compliance. It is important to have accurate, up-to-date documentation on every protocol used to prevent misuse of PHI and to operate safely within the designated guidelines. Resources like the HIPAA Audit Protocol and the National Institute of Standards and Technology (NIST) HIPAA Security Rule Toolkit can be used to prepare and manage your documentation to stay in compliance with HIPAA laws and regulations. Having a detailed strategy in place for maintaining the right documentation will help prevent ongoing security issues.

  • Policies and Procedures

Many organisations have overlapping policies and procedures, which causes inconsistencies within the infrastructure. There should be a designated compliance officer and/or team in place to review and update the policies on a continuous basis, taking note of any deficiencies, overlap and possible areas where policies and procedures are not being carried out efficiently, or that employees are unaware of.

Understanding the risks associated with each of these security issues is paramount in developing and implementing effective strategies to remain in HIPAA compliance. The ultimate objective is to ensure your employees, business associates and other agents of the organization stay updated on any security protocols and comply with their directives. Keeping HIPAA compliance initiatives and efforts at the forefront of your organisational goals will help in avoiding these and other security issues that may be specific to your organization. Working as a unit is the most effective method of combating the problem.


Mobile Devices and HIPAA Compliance


It’s important to make sure your mobile devices are HIPAA compliant. As technology continues to become an integral part of the healthcare environment, it is common for healthcare professionals to communicate with their colleagues via text message or mobile device. Many facilities and practitioners use tablets and other software to transfer and record patient information, but this poses great risks in staying within HIPAA guidelines.


Guidelines for Establishing Effective Protocols

When determining your current compliance protocols on mobile devices, there must be specific questions answered to make sure all areas are covered. These questions should include:

  • Owners of the devices
  • Whether or not the devices are registered with the facility
  • Whether or not any PHI noted on a mobile device is uploaded and backed up on the server
  • Whether or not the devices can be wiped, both on premises and remotely
  • Whether or not a VPN (Virtual Private Network) is used to exchange information
  • Whether or not all policies and procedures address the use of mobile devices
  • Whether or not there is a separate mobile device usage policy in place
  • Whether or not the company utilises a BYOD (bring your own device) system
  • Whether or not the staff is properly trained on the mobile device policy

When analysing these protocols, these questions should provide insight into any changes that need to be made, or whether additional protocols should be implemented. It is important to make sure all mobile device use pertaining to the patients and the healthcare facility is under a strict monitoring schedule.


Implementing Security Measures for Mobile Device Use

There are a number of security measures that will assist in securing PHI on mobile devices:

  • Use of encrypted passwords that change every month, or an alternative secure user authentication process.
  • Implementation of an automatic screen lock feature that will time-out after a certain period of time.
  • Remote disabling.
  • Remote wipe features.
  • Disabling of any file-shared applications and software.
  • Using firewalls.
  • Using security software.
  • Custom encryption.
  • Corporate permission when attempting to download applications.
  • Wi-Fi navigation controls with encryption.
  • Deletion of PHI before transferring the device to someone else, or getting rid of the device.

All of these security measures must be enforced and included as a part of the training process for employees. Your organization should always have best practices in effect and fully documented to meet compliance with HIPAA rules.


How to Develop a Mobile Device Policy

Staying compliant takes a concerted effort from the entire management team. Policies must be developed, implemented and consistently reviewed. Here are a few steps:

  • Make concrete decisions

Deciding how the devices will be used plays a major role in your strategy. Each option, whether for access, retrieval, storage or for creation of PHI should be carefully outlined with all the risks involved. Common issues that should be addressed include lost or stolen devices, downloads, use from unauthorised users and the use of unsecured networks.

  • Determine accessibility

Once you have identified the risks of using mobile devices, carefully assess whether or not it would be a good idea to implement their usage. It is important to factor in devices that are company owned, and whether or not employees will use their own devices, which will pose great risks to PHI. Carefully analyse what information will be accessible, retrievable, transmitted and stored when using a mobile device, how the HIPAA rules will be applied, and what types of devices will be used on the system.

  • Identify a viable strategy

The strategy you develop should include all security safeguards and solutions to maintain privacy. Your strategy should be evaluated at every benchmark.

  • Development

Proper documentation must be in place for an effective implementation. This documentation should include the development of a management system, a BYOD system, all restrictions that should be in effect, any security settings, what can be stored on the device, protocols for misuse, a deactivation and recovery process, and training of all professionals.

  • Training

Training is one of the most important components of any policy implementation. All employees should be fully aware of any risks attached to using a mobile device, the HIPAA guidelines for protecting PHI, how to fully secure their device and any health information on the device, and procedures for avoiding any mistakes. The training should be delivered in separate components to ensure every employee fully understands, in addition to receiving these policies in writing. Every team member is obligated to ensure the organization stays in compliance.

Although mobile devices are very useful, there are many opportunities for breaches and attacks to occur. The risk is very high within the healthcare environment, and making sure all risks can be avoided is key. Being proactive in ensuring your company is HIPAA compliant will keep you protected from any enforcement procedures that can occur as a result of non-compliance. The safety of PHI is very important. Having high standards and effective protocols in place while using technology can make a significant difference.


Why Staff Are Your Biggest HIPAA Vulnerability?


Editor's note: This is the third blog in a series of articles on HIPAA compliance and is produced in partnership with Total HIPAA Compliance. The second blog in this series discussed HIPAA training for your staff and can be viewed here.

While 2015 was accurately dubbed “The Year of the Healthcare Hack”, according to Experian’s 2016 Data Breach Report, 2016’s largest threat hits much closer to home – it’s your own staff.

The Experian report states, “While large breaches may be compromising millions of people’s records in one fell swoop, smaller incidents caused by staff negligence will also continue to compromise millions of records each year.” Experian predicts that these staff driven breaches will actually cause more damage.

These smaller incidents collectively put you at risk of an OCR audit, which in addition to being a distraction from your practice can also lead to fines and penalties. Even if there are none, a minor breach can add up in legal fees, patient notices and, above all, the cost of patient retention communication.

In most cases these are not malicious staff actions. The majority will be caused by lack of understanding and complacency. The first is very easy to address: you train and test your staff on your HIPAA Policies and Procedures, as required by HIPAA, so they understand the role they play in protecting the health information they touch.


Complacency can be a little more difficult to remedy. Once you have trained your staff on your Policies and Procedures, they go back to their daily routine. Initially, they are more aware of HIPAA and protecting important data, but after a short while they let down their guard. After all, they know their job; they know your patients and a breach has never happened before so they begin to feel immune to the potential dangers. Fortunately, there are two steps you can take to keep your staff sharp:

  1. Educate them about the Value of Healthcare Data – It can be difficult for staff to understand why anyone would go to great lengths to get this health information. Helping them see what that data is worth in the wrong hands will give them more of an appreciation for the Policies and Procedures you’ve put in place to protect it.
  2. Remind them regularly – To maintain your HIPAA compliance, all of your staff should be trained annually, but it is unrealistic to expect them to keep that information at the top of their minds long term. Brief monthly training or reminders that touch on just one piece of your Policies and Procedures can be enough to make HIPAA a priority all year long.

Staff breaches may be the biggest threat to healthcare data this year, but it doesn’t have to affect you. The Experian Report points out that, “Organisations that implement regular security training with staff and a culture of security committed to safeguarding data will be better positioned for success.”


Which Type of HIPAA Training Is Right for Your Practice?


How to Choose Training
Looking at the NueMD survey from this year, the results show only 58% of the practices surveyed said they have implemented annual training for their staff. If you aren’t training annually, this is a MAJOR hole in your HIPAA Compliance Plan. You can have the best Compliance Plan money can buy, but without staff training, this plan is effectively useless.

Two types of training are required under the HIPAA Law.

  1. Training on the HIPAA Law
  2. Training on your specific policies and procedures

Training on the law can be difficult, unless you happen to have a HIPAA expert on staff. Training on your specific policies and procedures, however, should be handled by internal staff who are familiar with your practice’s decisions since they likely had a hand in creating them.


What to Look for in Training
There are a multitude of training choices out there. Do you train everyone yourself, hire an outside resource, or use an online training solution? This is really a choice that is best answered by how confident you are in your knowledge of HIPAA, what your budgets look like, and the size of your staff.


Training Staff Yourself
Theoretically, this is the cheapest option, provided you have a strong understanding of HIPAA and a dedicated employee who can train your entire staff. However, many practices struggle to find an internal staff member who truly understands HIPAA, has the time to train staff annually, and can train any new staff as they come on board in addition to any other responsibilities they may have within the practice.

  1. Strengths - Cost effective, easy to incorporate new staff
  2. Weaknesses - Requires that you have a staff member who understands all aspects of HIPAA, adds responsibility for that staff member, training records must be stored internally, time must be found to train staff, and training development costs recur with each update in the HHS rulings


Hiring an Outside Resource
Your legal counsel should be able to supply someone to train your staff on HIPAA and your Compliance Plan, but this is a more expensive option than training staff on your own. Another issue you may run into is coordinating staff to be available when the trainer is onsite, and the inflexibility of training new staff members when they come on board.

  1. Strengths - Expert trainer in office
  2. Weaknesses - Difficult to incorporate new staff into training program, expensive, finding time that is convenient to train all staff at same time


Online Training
For many practices, this has all the benefits they are looking for: expert training, cost-effective and easy to incorporate new trainees as they come in. The drawback is that you still need to train your employees on the specifics of your plan. This option stands a chance if it is motivating and memorable.

  1. Strengths - Cost effective, easy to incorporate new staff, expert training, staff can train when it is convenient for their schedule
  2. Weaknesses - May not be up-to-date and still have to train staff on specifics of your practice’s HIPAA Compliance Plan

Any of these three approaches can be pretty boring. I recommend you try the training before you buy in, and make sure it’s not the dreaded “Death by PowerPoint.”


What about HIPAA certifications?
This is actually a marketing claim that will ultimately end up costing you more money with little to no additional benefit. HHS does not have a certification program, nor do they recognise these certifications. Usually, this is a way for companies to justify charging more for their services. 


What are auditors looking for?
In the upcoming audits, HHS is going to be looking at your training logs. This means recording the date each workforce member was last trained, individual test scores, and regular training updates. The training records are important to show that you are taking HIPAA seriously, and have consistently trained your staff. If you don’t dedicate a budget to HIPAA compliance and training, you probably will not meet OCR’s requirements for HIPAA training.


A New Way to Sue Health Care Professionals Using HIPAA?


Walgreens has been ordered to pay $1.44 million in a lawsuit brought against it for a violation of the Health Insurance Portability and Accountability Act (HIPAA) by one of its pharmacist employees.  While this may not sound like a big deal, this case represents only the second time HIPAA has been successfully used this way in court and it could have serious repercussions on the health care system.

The story begins when a Walgreens pharmacist looked up the medical records of her husband’s ex-girlfriend, whom she suspected gave her husband an STD. Apparently she found what she was looking for and told her husband about it, who then sent a text message to his ex and informed her that he knew all about her results.

The ex did not appreciate this, and told the Walgreens pharmacy about what happened.  At some point after that, the pharmacist accessed the ex’s medical records again, and eventually the ex filed a lawsuit against Walgreens, claiming it was responsible for the HIPAA violation because it failed to properly educate and supervise its employee.


Walgreens argued what the pharmacist did fell outside of her job duties and therefore it was not responsible for the breach.  The judge and jury disagreed, and the jury decided Walgreens was responsible for 80% of the damages owed the plaintiff (so I guess that means the total judgement for the plaintiff was $1.8 million). Walgreens has already said it will appeal.

As I said above, it may not sound like a big deal, but it potentially is.

Although HIPAA has a mechanism by which health care providers can be subject to federal civil and criminal penalties for violations, conventional legal wisdom says HIPAA does not allow for a “private cause of action”, meaning a private individual cannot sue a health care provider for breaching their medical privacy.

Or at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the enterprising young attorney who successfully argued the only two cases in which HIPAA has been used in this fashion, came along.

Mr. Eggeson, who specialises in privacy law and medical malpractice, in an interview with Lawyers.com, said “10 years into the HIPAA privacy rule, I should not be the only attorney in the country doing this type of work.”

But, recently, a pathologist reader who is also an attorney wrote me and said the manner in which HIPAA was used in the Walgreens case was actually not novel after all.

The reader also stated he believes there will likely be a lot more of these HIPAA-type privacy lawsuits “as more and more plaintiff attorneys realise pharmacies, hospitals, and other health organisations are vulnerable and have deep pockets.”

After I received the reader’s email, I reached out to Neal Eggeson, the lawyer who successfully argued the Walgreens case and asked him for clarification regarding his case and how he used HIPAA.  He was kind enough to respond.

My reader’s thoughts on the article are below, followed by Mr. Eggeson’s. Many thanks to both of them for helping me understand both this case and how HIPAA is being used in civil lawsuits better.


The reader:

“As a multiple personality professional, I have a great amount of respect for HIPAA, its use as a shield for privacy data, and its use as a sword in litigation.  As such, even though the federal HIPAA statutes may not have a specific private right of action, I believe pathologists and other health care providers should recognise that breach of privacy litigation, both health care related and non-health care related, has been around for many years as a private (common law, sometimes statutory law) right of action.

What plaintiffs commonly have been doing in recent years is to use a HIPAA violation as the underlying predicate offence in their breach of privacy, defamation, negligence, breach of fiduciary duty, or other likewise suit.  Since HIPAA does not have a private right of action, common folks like you and I cannot use HIPAA directly in a privacy lawsuit, only the government can sue with HIPAA (civilly and criminally I might mention).  What private citizens have been doing, though, is proving to the court that if a HIPAA violation occurred, then this violation serves as a breach of duty by the health care professional in negligence cases, fiduciary duty cases, and straightforward violation of privacy cases.

…Doe v. Quest in the Missouri Supreme Court, where the court allowed a breach of fiduciary claim to stand versus Quest after their phlebotomist wrongly faxed HIV results without the express permission of Mr. Doe.  This case used overtones of HIPAA and similar state privacy laws, like state HIV privacy laws, as the underlying predicate (underlying wrong) in the suit.  Additionally, I easily found three other cases where HIPAA violations were used as the underlying predicate for private rights of action in state law privacy violation claims.


The first is a federal case (attached) from the Eastern District of Missouri by Judge Stephen Limbaugh (he is either the brother or cousin of El Rushbo), I.S v Washington Univ (E.D. Mo 2011).  In this case, Judge Limbaugh recognised that there was no individual private right of action under HIPAA, but that under Missouri law, HIPAA could be used to provide a standard of care from which to judge a defendant’s actions, and that HIPAA could also be used to establish a legal duty of care.  States vary in their laws, so every state may not agree with Missouri state law, but many do.

Second, in a 2006 state court case (attached), the North Carolina Court of Appeals allowed HIPAA to be used to demonstrate the standard of care element in a psychiatric privacy case where the plaintiff sued for negligent infliction of emotional distress.  If one can use HIPAA as the standard of care and show HIPAA was violated, then the next logical step is that the health care professional breached a duty owed to the plaintiff by violating the standard of care.  After that, all that remains is proving damages.

Finally, in a more recent West Virginia Supreme Court case, a case that cites many underlying cases from other states in a survey of the law, the Court found that HIPAA does not preempt state laws and that HIPAA may be used as the basis of a negligence claim (used as the standard of care to which a breach of duty is judged). See R. K. v St. Mary’s Med Ctr, (2012) attached.

I hope you find this discussion interesting.  HIPAA is a very complex and tricky set of laws and regulations, and I fear litigating HIPAA will become the next new cottage industry for plaintiff attorneys. The more pathologists and physicians know about HIPAA, the better.”


HIPAA Compliance Checklist for Small Medical Practices


If your experience is similar to that of most doctors who decide to take the plunge and start their own small medical practice, you probably had no idea how many non-medical things you have to take care of to ensure your fledgling business is setting out on the right foot. Securing a business loan, hiring a staff, finding office space and moving in—so much to do. Well, here’s another thing to worry about: compliance with the data security requirements of the Health Insurance Portability and Accountability Act (HIPAA).

When you’re the employee of a hospital or large healthcare network, HIPAA compliance is largely taken care of for you. When you own a small medical practice, the responsibility for protecting your patients’ sensitive health information (and protecting your own business from steep HIPAA penalties) rests squarely on your shoulders.

IT—computers, software, Internet connections, networks—is what makes most modern businesses run smoothly, and doubly so for medical practices, as paper-based patient records become a thing of the past. As you build your practice, choosing how to spend your IT investment is a huge decision. Part of the decision has to be ensuring that whatever configuration and vendors you go with, the protected health information (PHI) of your patients is safe from falling into the wrong hands.

To help you make the right IT choices for your small medical practice, here is a checklist of the main HIPAA requirements for data security:


Area 1: Access Control

Access Control is tech-speak for the concept of allowing users access to the functions they need to perform their jobs—and none of the functions they don’t need. This limits the likelihood any user will jeopardize information security by using systems they have no business accessing. Here is what HIPAA requires in the area of access control:

  • Unique user identifications. Every user on your system must have his or her unique login ID and you must be able to trace all activity back to one of these unique IDs.
  • Emergency access procedure. There must be a plan in place to access the patient information you need in the event of an emergency. For example, to protect against a power outage, you could keep a fully charged laptop on hand equipped with a mobile hotspot.
  • Offsite backups. In case all the data stored on servers or computers in your office is destroyed (by a natural disaster or otherwise) you must have up-to-date offsite backups ready to take over.
  • Automatic logoffs. Your system should automatically log users off when their station is left unattended. This prevents unauthorised users from seeing information left open during somebody else’s session.
  • Encryption. Digital information must be encrypted (basically, secured by a computerised secret code) as it’s transmitted within your practice.


Area 2: Audit Controls

When IT people talk about auditing, what they mean is the ability to record and examine activity by every user in every system. HIPAA prescribes no specific requirements for auditing, but a big part of complying with HIPAA is being able to determine when and if a security violation occurred. There are no requirements for how often audit reports should be reviewed or even what specific data should be gathered, but:

  • A medical practice must keep, at minimum, basic audit reports.
  • These reports should record when a totally unauthorised user (somebody outside the system entirely, like a hacker) logs in or attempts to log in.


Area 3: Integrity

Maintaining the integrity of your data means, from HIPAA’s point of view, that your data is neither altered nor destroyed except by someone who is authorised to do so.

  • To maintain integrity, HIPAA requires that you have a mechanism to authenticate electronic protected health information (PHI). This could take the form of, for example, a function that can check the number of records in a database to ensure that nothing has been deleted without being properly accounted for.
  • Backups are essential here, too, so you can recover any information that has been destroyed without authorisation.


Area 4: Person or Entity Authentication

In the eyes of HIPAA, this is slightly different from the access controls requirements we discussed earlier. When we talk about person or entity authentication we’re talking about procedures that verify that a person (or entity) is who they say they are. All Internet users are familiar with this one. Think of the password you use to log in to your email or Facebook account.

  • HIPAA’s minimum requirement is a password or personal identification number (PIN) that only the authorised user knows.
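The bullet above sets the floor (a secret only the authorised user knows), and Area 1 required that every user have a unique ID. The added example below, written for this page rather than taken from any product or from the checklist's author, shows how a small system would meet both: each ID is issued once, and the password or PIN is never stored as-is but as a salted PBKDF2 hash that can be verified without being recovered. The iteration count and the user store are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2. Assumed value for the example: raise it until one
# verification takes roughly 100 ms on your server; every guess costs the same.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def hash_secret(secret, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256 hash of a password or PIN, as a storable string."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_secret(secret, stored):
    """True only if `secret` reproduces the stored hash; constant-time comparison."""
    try:
        algo, iterations, salt_b64, dk_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        iterations = int(iterations)
    except (ValueError, TypeError, AttributeError):
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


# Hash checked when the user ID does not exist, so a lookup for an unknown ID
# takes as long as a wrong password for a real one (no user enumeration by timing).
_DUMMY_HASH = hash_secret("dummy-secret-never-granted")


def register(store, user_id, secret):
    """Create a user with a unique ID; refuses to reuse an ID already issued."""
    if user_id in store:
        return False
    store[user_id] = hash_secret(secret)
    return True


def authenticate(store, user_id, secret):
    """Person/entity authentication: does this user know the stored secret?"""
    stored = store.get(user_id)
    if stored is None:
        verify_secret(secret, _DUMMY_HASH)  # equalise timing, always deny
        return False
    return verify_secret(secret, stored)


if __name__ == "__main__":
    users = {}
    register(users, "jsmith", "correct horse battery")
    print(authenticate(users, "jsmith", "correct horse battery"))  # True
    print(authenticate(users, "jsmith", "wrong"))                  # False
```

Because the salt is random per user, two users with the same PIN get different stored values, and a leaked store cannot be matched against a precomputed table. The stored string carries its own iteration count, so the work factor can be raised later and old hashes re-done at next login.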


Area 5: Transmission Security

Transmission security refers to guarding against unauthorised access to protected information as it is being transmitted outside your practice—via email, over the web, etc. HIPAA’s requirements for transmission security include:

  • Integrity controls. In this case, the integrity of the data means that it has not been modified during transmission. Standard network protocols should be used to ensure the data received is the same as the data sent.
  • Encryption. Sending and receiving encrypted information to and from organisations outside of your practice can be tricky. For encryption to work, both the sender and receiver have to be using the same encryption and decryption method. For example, a small medical practice like yours would have to encrypt patient information (like procedures performed) as it’s transmitted to and from insurance providers and other kinds of patient information (medications, for example) as it’s transmitted to and from another medical office. The encryption to and from the insurance office might be a different kind of encryption than to and from another medical office. So, the HIPAA requirement is to have in place as many kinds of encryption as necessary.
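Area 3 asked for a mechanism that detects records being altered or deleted without authorisation, and the integrity-controls bullet in Area 5 asks for the same assurance for data in transit. One mechanism serves both: a keyed message authentication code (HMAC) over each record, plus a keyed tag over the record count, so that neither a changed record nor a silently dropped one verifies. The block below is an added example written for this page (not the checklist author's code and not any product's API); the key and the sample records are constructed. A tag protects integrity only; confidentiality of PHI in transit still needs the encryption discussed in the same bullet.

```python
import hashlib
import hmac
import json

# Constructed key for the example. In practice it lives in a secrets store,
# not in source code, and is rotated like any other credential.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use"


def canonical(obj):
    """Deterministic JSON bytes: the same record always gives the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag(key, data):
    """HMAC-SHA256 tag (hex) over `data`; only holders of `key` can produce it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def seal(key, payload):
    """Sending side (Area 5): wrap one record with its integrity tag."""
    envelope = {"payload": payload, "tag": tag(key, canonical(payload))}
    return json.dumps(envelope).encode("utf-8")


def unseal(key, blob):
    """Receiving side (Area 5): return the payload only if its tag verifies, else None."""
    try:
        envelope = json.loads(blob)
        payload, received_tag = envelope["payload"], envelope["tag"]
        ok = hmac.compare_digest(tag(key, canonical(payload)), str(received_tag))
    except (ValueError, KeyError, TypeError):
        return None
    return payload if ok else None


def build_manifest(key, records):
    """At rest (Area 3): per-record tags plus a tagged record count."""
    tags = [tag(key, canonical(r)) for r in records]
    head = {"count": len(records), "tags": tags}
    return {**head, "manifest_tag": tag(key, canonical(head))}


def verify_records(key, records, manifest):
    """Return a list of problems; an empty list means count and content both check out."""
    head = {"count": manifest.get("count"), "tags": manifest.get("tags")}
    if not hmac.compare_digest(tag(key, canonical(head)),
                               str(manifest.get("manifest_tag", ""))):
        return ["manifest tag invalid: the manifest itself may have been altered"]
    problems = []
    if len(records) != head["count"]:
        problems.append("record count {} != expected {}".format(len(records), head["count"]))
    for i, (record, expected) in enumerate(zip(records, head["tags"])):
        if not hmac.compare_digest(tag(key, canonical(record)), expected):
            problems.append("record {} altered".format(i))
    return problems


if __name__ == "__main__":
    # Constructed sample records (not real PHI).
    records = [{"id": 1, "patient": "P-1001", "dx": "J06.9"},
               {"id": 2, "patient": "P-1002", "dx": "E11.9"}]
    manifest = build_manifest(INTEGRITY_KEY, records)
    print(verify_records(INTEGRITY_KEY, records, manifest))        # []
    print(verify_records(INTEGRITY_KEY, records[:1], manifest))    # count mismatch
    print(unseal(INTEGRITY_KEY, seal(INTEGRITY_KEY, records[0])))  # the record
```

The manifest is itself tagged so that an attacker who can edit the database cannot simply lower the count to match a deletion. Re-issuing the manifest is the "properly accounted for" step the checklist mentions: an authorised deletion is followed by a new manifest, an unauthorised one is not.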

DocMate's comment, December 2, 2016 1:13 AM
Today healthcare practices are considered a marketplace by patients and thus the services also have to be customer centred or, as it is called in healthcare, patient centred. http://docmate.com/commerce-related-to-the-practice-management-systems/

7 Important Reasons Why Employees Need Online HIPAA Training


Since HIPAA was first enacted in 1996, health care organisations have been required to provide periodic training to their employees to ensure that they understand what’s required of them under the law.

As we know, employee training can be time consuming, expensive, and it can have a negative impact on productivity. Today, technology gives us significant advantages when it comes to employee training in that it can now be accomplished online. That includes keeping employees compliant with the ever-changing requirements of HIPAA regulation.

Here are seven important reasons why your employees need to keep up-to-date with their HIPAA training, and why it is more effective when they receive that training online:


1. Online Training Provides the Most Current Information

HIPAA regulation and requirements are always changing to meet the needs of today’s health care industry. Printed materials, therefore, can quickly become outdated, which is why it is important to accomplish this training online. It is easier for both government agencies and health care organisations to keep track of modifications when they are made online. Moreover, employees can receive the information quickly, and learn it more efficiently.


2. Online Training Makes HIPAA Compliance Easier to Achieve

HR and compliance professionals know that keeping employees compliant can be a big burden. Online training makes things easier because the training is distributed online, rather than in person. Employees no longer have to attend costly off-site seminars that take them away from their jobs and their families. Online training can be completed at the employee’s convenience, taking the burden out of attesting to policies and procedures and making total HIPAA compliance that much easier to attain.


3. Online Training Is Easy to Manage

When you finally take the plunge by adopting online training, you’ll be surprised at how easy the courses are to manage. All HIPAA training materials are kept in one central location that everyone can access. There is no more stress about posters and other printed materials disappearing from break rooms, and fewer opportunities for employees to claim that they were unaware of new regulations or training requirements. When everything is stored online, excuses disappear and access to education increases.


4. Online Training Is Affordable

Most businesses are trying to keep expenses down wherever possible. Hiring trainers to hold seminars in-person is a significant expense, as is sending employees to off-site locations to obtain training. Online training eliminates these expenses by providing information that is accessible on office computers as well as personal or mobile devices. Training can be accessed from anywhere that a high-speed internet connection is available, which makes it much easier for employees to keep up with their training requirements.


5. Online Training Makes Onboarding New Employees Easier

Very often, new employees can become overwhelmed when they start a new position. Online training, particularly for something as important as HIPAA compliance, makes their new job a little less daunting, and helps prevent common mistakes new employees will often make during the early days of a new position.


6. Online Training Ensures That Everyone Is Protected

The easier the training is to access and complete, the greater the amount of protection your business and your employees will have. No one wants to be in violation of HIPAA regulations, or subject to an audit, so having all HIPAA information readily available ensures that compliance is as up-to-date as possible.


7. Semi-Annual and Annual Re-Training Is No Longer a Headache

Organisations that are required to periodically re-train employees dread having to spend all that time and money achieving compliance, particularly for something as important as HIPAA. Online training makes it easier to ensure that annual or semi-annual training can be completed in a timely fashion. Additionally, many online training platforms contain tools that will help supervisors and management ensure that employees attest that they’ve understood and will comply with the training they’ve received.


How can you be sure you have HIPAA compliant Email?


Last updated August 29, 2016. The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data. Any organisation dealing with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed. This of course includes HIPAA compliant email.

Organisations include Covered Entities (anyone who provides treatment, payment and operations in healthcare) and Business Associates (anyone with access to patient information who provides support in treatment, payment or operations). This also includes making sure you have HIPAA compliant email baked in when it comes to your email service provider.

Even subcontractors, or business associates of business associates, must also be in compliance.


What is HIPAA Compliant Email?

The HIPAA Privacy Rule created, for the first time, a set of national standards for the safeguard of certain health information. It allows Covered Entities to disclose PHI to a Business Associate if they receive assurances that the Business Associate will use the information only in the scope of which it was engaged by the Covered Entity.

If you are using a third party to transmit or host PHI, they are required by law to sign a Business Associate Agreement (BAA) with you. The BAA establishes that certain administrative, physical and technical safeguards are in place.

While there’s no certification that makes an email provider achieve HIPAA compliant email status, meeting the requirements set by the HIPAA Privacy Rule is the best place to start, along with strong technical security measures to make sure PHI is protected inbox to inbox.


HIPAA Compliance Violations are Increasing

  • HIPAA violations tripled over 10 years. Confirmed HIPAA violations are skyrocketing. Their growth rate over the past 10 years outpaces almost any trend that comes to mind.
  • Stolen laptops continue to result in huge fines. In several instances, a single stolen laptop led to fines in excess of $1,000,000 from HHS.
  • A stolen thumb drive averages $925,000 in HIPAA fines. Since 2012, it costs an average of $925,000 in HIPAA fines for a single stolen thumb drive.
  • Stolen office computers can be subject to fines too. Even a computer that never leaves your office can still be subject to a costly fine due to a HIPAA Privacy Act violation.
  • Unpatched and unsupported software can also lead to fines.


How can you be sure you have HIPAA compliant Email?

In order to make sure your organisation has HIPAA compliant email, you need to be sure you have processes and workflows in place to ensure your staff is properly trained on HIPAA compliance. But you also need the right technology to be sure those procedures can be made as efficient as possible.

Paubox can help you protect your patients’ data while providing it to them in a way that’s easy to access. We are able to do this because we believe in the term ‘seamless encryption.’ Seamless encryption is about providing the expected benefit, HIPAA compliant email, without asking the user (you) to change behaviour.

Seamless encryption, like that used in Paubox’s Encrypted Email, reduces the risk of accidentally sending PHI over email. It can be easy to forget to press an encrypt button before pressing send, or simply not realising there was PHI in an email that was sent. But Paubox’s Encrypted Email allows users to write and send emails as normal from a laptop, desktop and mobile device – Paubox seamlessly works behind the scenes to keep all outbound email within HIPAA compliance.


How HIPAA Can Help Deter Hackers


The number of hacks and breaches that occur continues to rise exponentially. Though you may have security measures in place, hackers are finding new ways to infiltrate your system. So, what can you do to stay one step ahead of the hackers?

A 2015 Reader’s Digest article outlines “20 Things Cyber Crooks Don’t Want You to Know”. From this list of 20 things, we chose a few that are more specific to businesses and describe how they relate to HIPAA. Review these 5 tricks hackers use to access your PHI so you can avoid becoming an easy target.


Personalised phishing emails.

Hackers use phishing emails to trick people into clicking links that often lead to the installation of malware or ransomware on your computer. These emails used to be a lot more obvious: for example, an email from a Nigerian prince, or an email saying you have a distant wealthy relative who just died. These emails have become a lot more sophisticated and include information that matches your online activities. This leads you to believe the email is legitimate. If you are not careful, you could fall into the trap.

Phishing is the cause of many PHI breaches. In fact, in 2013, University of Washington Medicine experienced a breach that affected over 90,000 patients. This breach was due to malware installed through a phishing scam. It was recently reported that University of Washington Medicine paid a settlement of $750,000 in penalties for this breach of PHI. ¹

Avoid phishing scams by being cautious of each email you open. Avoid clicking links or downloading files from emails with which you are unfamiliar. Phishing emails often ask for your personal information in order to claim gifts or recover/verify an account you have. This is an alert to STOP. Do not enter any personal information (passwords, social security numbers, etc) if prompted.


Typo squatting

“Typo squatting” is when hackers purchase domain names similar to names of real websites.² For example: a hacker may buy the domain name microsfot.com. The success of typo squatting depends on you incorrectly typing in the URL. Once you enter the site, hackers can install malware on your computer or they try to convince you to share personal information. Make sure you check the web address before visiting the website. Web pages that require you to enter personal information like Social Security Number or credit card info should have “https” in the address bar, and a lock. If the site does not have both of these items, this page is not secure and you should not enter your information.
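The advice above is to check the address before using a site and to require "https" before entering personal information. The added example below (written for this page, not taken from the article's source) turns that into a check a practice could run on links before staff follow them: it compares the domain in a URL against the short list of domains the practice actually uses and flags near-misses such as the `microsfot.com` example. The trusted-domain list is a constructed assumption, and the "registrable domain" helper simply takes the last two labels, which is enough for `.com`-style names but not for suffixes like `co.uk`.

```python
from urllib.parse import urlparse

# Constructed list of domains the practice actually uses (assumption for the example).
TRUSTED_DOMAINS = ["microsoft.com", "example-clinic.org", "example-insurer.com"]


def edit_distance(a, b):
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host):
    """Crude registrable domain: the last two labels, lower-cased (no public-suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Classify a URL as trusted, a lookalike of a trusted domain, or unknown.

    `ok_for_personal_info` is True only for a trusted domain reached over https,
    which is the two-part test the article asks for.
    """
    parsed = urlparse(url)
    domain = registrable(parsed.hostname or "")
    https = parsed.scheme.lower() == "https"
    lookalike = None
    if domain in trusted:
        verdict = "trusted"
    else:
        verdict = "unknown"
        for t in trusted:
            d = edit_distance(domain, t)
            if 0 < d <= max_distance:
                lookalike, verdict = t, "suspicious"
                break
    return {
        "domain": domain,
        "https": https,
        "lookalike_of": lookalike,
        "verdict": verdict,
        "ok_for_personal_info": verdict == "trusted" and https,
    }


if __name__ == "__main__":
    for u in ("http://microsfot.com/login", "https://www.microsoft.com/", "https://unrelated-site.net/"):
        print(u, assess_url(u))
```

A distance threshold of 2 catches transposed or dropped letters in a name like `microsoft.com`; it does not catch homoglyphs (a Cyrillic `о` for a Latin `o`) or a trusted name used as a subdomain of some other domain, both of which a fuller check would add. Only a domain that exactly matches the trusted list, and is reached over https, passes the personal-information test.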


Brute Force Attacks

Hackers use a method called “brute force attack” to crack your password. Brute force attack is a trial-and-error process that uses logic to try many different combinations of characters and guess your password. This is why easy passwords like “letmein” or “qwertyuiop” can easily be cracked. The longer and more complex the password, the harder it is for the software to guess your password. This malware can run in the background trying to determine your passwords while you are using the computer. It takes basically no effort on the part of the hacker. They just have to launch the program, which can be done remotely. Hackers are relentless.

It was revealed that the 2012 LinkedIn breach included millions of accounts that contained very easily cracked login credentials. At the top of the list was “123456” (appearing over 1 million times) followed by other equally simple passwords like “linked in” and “password”.³ These passwords are easy targets for brute force attacks. A random assortment of characters is a lot harder to crack than a simple password or one that contains words in the dictionary. It is important to change passwords frequently in case your computer is a target.

Password management tools, such as LastPass, 1Password, or Dashlane, help you manage your passwords. Not only do they generate strong passwords for you, but they save each password in their encrypted database so you don’t have to remember them. You do need to remember the master password to the management site. This option is a lot safer than saving your passwords in your browser’s password management feature or on an electronic note on your desktop. Make sure you keep these programs up-to-date, and change your master password frequently.
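The brute-force section above makes two claims: a longer password drawn from more character classes has a larger search space, and a password on a breached list or built from dictionary words is effectively much weaker than its length suggests. The following added example (written for this page, not the article's own) puts numbers on both for a candidate password, which is the kind of check a practice can apply when setting its password policy. The breached-password set and word list are tiny constructed stand-ins, and the entropy figure is an upper bound that assumes every character was chosen at random.

```python
import math
import string

# Constructed stand-in for a breached-password list (a real one has millions of entries).
COMMON_PASSWORDS = {"123456", "password", "linkedin", "letmein", "qwertyuiop",
                    "12345678", "abc123"}
# Constructed short word list used to warn about dictionary content.
COMMON_WORDS = {"password", "letmein", "linked", "welcome", "summer", "qwerty", "horse"}


def charset_size(pw):
    """Size of the smallest standard alphabet containing every character of pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def estimate_bits(pw):
    """Upper-bound entropy in bits: length * log2(alphabet size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess_password(pw, min_bits=60, guesses_per_second=1e10):
    """Judge a candidate password against a minimum search space and known-bad lists.

    `guesses_per_second` is an assumed offline cracking rate used only to turn
    bits into a rough time-to-exhaust figure.
    """
    normalised = pw.lower().replace(" ", "")
    reasons, warnings = [], []
    if normalised in COMMON_PASSWORDS:
        reasons.append("appears in a common/breached password list")
    bits = estimate_bits(pw)
    if bits < min_bits:
        reasons.append("search space too small: {:.1f} bits < {} required".format(bits, min_bits))
    for word in sorted(COMMON_WORDS):
        if word in normalised:
            warnings.append("contains dictionary word '{}'".format(word))
    return {
        "bits": round(bits, 1),
        "seconds_to_exhaust": (2 ** bits) / guesses_per_second,
        "reasons": reasons,      # any entry here means the password is rejected
        "warnings": warnings,    # dictionary content: real strength is below `bits`
        "acceptable": not reasons,
    }


if __name__ == "__main__":
    for candidate in ("123456", "linked in", "Summer2016", "xK9#mQ2vL7!pR4wZ"):
        print(repr(candidate), assess_password(candidate))
```

"123456" fails twice over: it is on the list, and six digits give under 20 bits, a space a modern cracking rig exhausts in well under a second. "linked in" is caught because the check normalises case and spaces before consulting the list, mirroring what cracking tools do. A 16-character random mix of all four classes lands above 100 bits, which is the point the article makes about random assortments of characters.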


Wi-Fi Software

One major security flaw is that people do not select a new administrator’s username and password when they install a router. Make sure to change both the username and administrator’s password to avoid easily being hacked. With a simple internet search of the router and model number, anyone can access the administrator password the router came with and then gain access to your network. Be sure that you are also keeping your router’s software updated as it helps to protect against vulnerabilities in the firewall.

It is also important to check that your router uses WPA2 encryption. WEP encryption can easily be exploited. Software to crack WEP encryption is widely available. It is best to go with the newer WPA2 which uses more secure AES algorithms.


Vulnerability of Public Wi-Fi Networks

It’s best not to log into a public network if you plan to use a credit card, as public networks often have no protection. Many hackers target public Wi-Fi networks like those in coffee shops. They use man-in-the-middle attacks, which let the hacker sit between you and the information you want to access through the network. This means that when you request information like a webpage from the server, that information would first go to the hacker. The hacker can then take what they want from it, or alter it in some way, before then sending it on to you. This tactic is beneficial to hackers when you access your bank accounts. Many people think the only risk of taking home PHI is leaving a storage device behind in a public place or having your laptop or iPad stolen. However, doing work in a coffee shop through their public Wi-Fi can cause a breach. It is best to avoid emailing PHI or accessing any important accounts through public Wi-Fi.

Unfortunately, even if we take all the right security measures, we will never be invincible. However, taking the right steps like creating strong passwords, activating a firewall and following HIPAA security recommended policies and procedures can help protect your data and can lessen the chance of an embarrassing and expensive breach.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004

No comment yet.

HIPAA omnibus rule


Identifying your organisation's weak spots through a risk assessment is a best practice ahead of the HIPAA omnibus regulations.


This is the first of a two-part series of tips on preparing for the HIPAA omnibus rule to go into effect. The first part covers how to identify your organisation's greatest risk in advance of the rule's enforcement.


The HIPAA omnibus rule went into effect on March 26, 2013, with federal enforcement set to begin on Sept. 23, 2013, when the 180-day grace period expired. With this in mind, Jaime Dupuis, practice consultant for the Regional Extension Centre of New Hampshire (RECNH), offered a checklist of compliance tasks to attendees of a recent webinar, some of whom were from smaller physician practices and medical groups:

  • Update your Notice of Privacy Practices (NPP). Dupuis gave examples from the Department of Veterans Affairs, Beth Israel Deaconess Medical Centre, Harris County Hospital District Texas and Stanford University Hospitals as recently updated NPPs that might inspire your organisation's next draft.
  • Rework business associate agreements (BAAs) to reflect the fact that business associates are now directly liable for HIPAA compliance and subject to the breach notification rules.
  • Make risk analysis an ongoing process that, at minimum: defines and assembles a risk analysis team; evaluates the likelihood and impact of potential risks to protected health information (PHI); records the findings, including policy and security gaps; develops a work plan and timeline for mitigating the risks; implements appropriate security measures against the identified risks; develops and refines written policies and procedures to comply fully with the regulations; and has the team meet regularly to ensure continuous, reasonable and appropriate protections.
  • Work on the highest-risk vulnerabilities first. Risk assessments are a big part of meaningful use attestation and of HIPAA compliance going forward. Only your own risk assessment reveals your own punch list of breach possibilities, but HHS's Office for Civil Rights pegs physical theft of patient records as the number-one cause of HIPAA violations (55%), followed by disclosure of PHI without patient consent (20%) and data lost or not accounted for (12%).
  • Confirm that risk analyses cover the following topics: physical security of hardware and devices; password management and role-based access; portable and mobile device policies; data encryption and network security. Administrative safeguards such as data backup, and employee termination procedures that cut off former employees' network access the day they leave, should be covered as well.
  • Strengthen your employee password policy. The webinar recommended requiring regular password changes; note that current NIST guidance (SP 800-63B) favours long passphrases, screening against known-breached passwords and multi-factor authentication over forced periodic rotation, and calls for a change when compromise is suspected.
  • Employ a network firewall; install and regularly update antivirus software. While these two pieces of "data security 101" advice might not sound particularly earth-shattering, they bear repeating, as many offices still aren't employing these basics.
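The "evaluate likelihood and impact, then work the highest risks first" steps above, as an added example that is not part of the original article or the RECNH webinar: a small risk register that scores each finding, assigns a level and orders the work plan. The 1-3 likelihood and impact scale and the level matrix are in the style of NIST SP 800-30 but are assumptions (the article prescribes no scale), and the findings, owners and dates in the register are constructed.

```python
"""Risk register prioritisation (added example, not from the original page).

Each finding is scored by likelihood x impact on a 1-3 scale (NIST SP 800-30
style; the scale is an assumption), given a level, and sorted so the
highest-risk items are worked first. The register below is constructed.
"""
from dataclasses import dataclass

# Possible products of two 1-3 scores are 1, 2, 3, 4, 6 and 9.
LEVELS = {1: "Low", 2: "Low", 3: "Moderate", 4: "Moderate", 6: "High", 9: "High"}


@dataclass
class Risk:
    finding: str
    likelihood: int   # 1 = rare, 2 = possible, 3 = likely
    impact: int       # 1 = minor, 2 = serious, 3 = severe (large-scale PHI exposure)
    owner: str        # who is accountable for the mitigation
    due: str          # target completion date, ISO format (constructed)

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        return LEVELS[self.score]


def validate(risk: Risk) -> None:
    """Reject scores outside the 1-3 scale before they skew the ordering."""
    if not (1 <= risk.likelihood <= 3 and 1 <= risk.impact <= 3):
        raise ValueError(f"{risk.finding!r}: likelihood and impact must be 1-3")


def prioritise(register: list) -> list:
    """Highest score first; ties broken by impact so the worse outcome wins."""
    for r in register:
        validate(r)
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def work_plan(register: list) -> list:
    """Numbered, ordered punch list suitable for the team's regular review."""
    return [f"{i}. [{r.level}] {r.finding} (owner: {r.owner}, due {r.due})"
            for i, r in enumerate(prioritise(register), start=1)]


# Constructed register; the findings mirror topics the article says a risk
# analysis must cover (devices, access, backups, termination, physical security).
REGISTER = [
    Risk("Laptops with ePHI leave the office unencrypted", 3, 3, "IT lead", "2013-08-15"),
    Risk("Terminated employee accounts not disabled on last day", 2, 3, "Practice manager", "2013-08-30"),
    Risk("No tested backup of the EHR database", 1, 3, "IT lead", "2013-09-01"),
    Risk("Shared login on the front-desk workstation", 3, 2, "Practice manager", "2013-09-15"),
    Risk("Paper charts stored in an unlocked cabinet", 2, 2, "Office manager", "2013-09-15"),
]

if __name__ == "__main__":
    print("\n".join(work_plan(REGISTER)))
```

Re-scoring a finding after its mitigation lands (lower likelihood, same impact) and re-running the plan is the "meet regularly" step in code: the register is the document an auditor will ask to see.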

4 Steps to Assess a Possible HIPAA Data Breach


The HIPAA Omnibus Rule dramatically raised your exposure to data breaches. By lowering the breach standard and requiring you to document why you believe an incident was not a breach, it means your practice needs to work diligently both to avoid problems and to handle a breach properly. An event that compromises the security or privacy of Protected Health Information (PHI) is an impermissible use or disclosure of PHI, and an impermissible use or disclosure is presumed to be a breach unless you can show that there was a low probability that the PHI was compromised. This is not an academic discussion: you are required to notify patients and the Department of Health and Human Services (HHS) about breaches, and you are subject to fines. Mailing patient information to the wrong party, or unauthorised access to your electronically stored patient records, is a breach unless you can show a low probability that the PHI was compromised.

There are three exceptions to the breach definition: unintentional acquisition, access or use of PHI by workforce members acting in good faith within the scope of their jobs; inadvertent disclosure to another person authorised to access PHI at the same organisation; and situations where you have a good-faith belief that the recipient would not have been able to retain the information. For example, a fleeting view of some PHI on a computer screen may not be a reportable incident. Using a "good faith evaluation" and a "reasonable conclusion", you evaluate the incident against four factors:

  1. PHI nature and extent: the sensitivity of the information, how readily it identifies the patient and how it is presented all factor into the probability. De-identifying PHI is not easy or straightforward: in addition to names and phone numbers, a picture of a face or a free-form text note about the patient could easily identify the patient. For example, a list of dated "de-identified" lab results together with a separate list of patient appointments for the day of the lab would not present a low probability of compromise. On the other hand, loss of electronically stored diagnostic data that requires special software from the device manufacturer to read may present a low probability of compromise; the answer would be different if the lost information were PHI in an unencrypted PDF file.
  2. The unauthorised person who received or used the PHI: the status of the recipient may offer a reasonable basis for concluding there was no breach. For example, sending a patient report to the wrong doctor may present a low probability of compromise, since the receiving doctor is bound by HIPAA and has been trained in privacy and security.
  3. Whether the PHI was actually acquired or viewed: if your organisation uncovered the incident quickly, you may be able to prevent the PHI from being viewed or even retained. Contacting the receiving party and recovering the information before anyone opened it may present a low probability of compromise. Similarly, if an envelope containing PHI was lost but is found unopened on recovery, you may have a low probability of disclosure or use.
  4. Mitigation factors: finally, consider whether there were mitigating circumstances that lead you to a good-faith, reasonable conclusion that the information was not disclosed. For example, a thumb drive containing a patient's PHI that was lost inside the facility but recovered from a non-public area may present a mitigating factor.

If you determine that the probability that PHI was compromised is low, the incident is not a reportable breach, but keep the written four-factor assessment: the burden is on you to show why. Otherwise you have a breach and must follow the breach notification requirements. Within 60 days of discovering the breach you have to:

  • Contact the patients: mail a letter to the last known address of each affected patient. If you have out-of-date contact information for 10 or more patients, you must provide substitute notice, either a conspicuous posting on your website home page for 90 days or notice in major print or broadcast media, including a toll-free number that stays active for 90 days.
  • Inform HHS: for breaches affecting fewer than 500 individuals, log the breach and report the year's log to HHS within 60 days of the end of the calendar year. For a breach involving 500 or more individuals, notify the Office for Civil Rights at the same time you notify the patients.

Bring Your Own Device (BYOD) Guidance 

Bring Your Own Device, or BYOD, is when employers allow their employees to use their own electronic devices (phones, computers, tablets, etc.) on the organisation's network.

BYOD has progressed from infrequent implementation to the norm. In 2015, Tech Pro Research released a study which reported that about 74% of respondents were already using or planning to use BYOD in their organization.¹

Despite its growth, not many organisations are completely confident in BYOD. In 2016, NueMD conducted a HIPAA survey. In this survey, they asked participants how confident they are that the devices they use in their business are HIPAA compliant, and found that only 20% of respondents were at all confident.

BYOD can open organisations up to serious security issues if not handled correctly. Since employees are using their own devices, they will take these devices home (and everywhere else); thus, there is more of a chance for these devices to be lost or stolen. Electronics were a lot more secure when it was the norm to leave them in the office. It was up to the company to protect those devices. Now with BYOD, employees will have to use extra caution in order to keep their devices safe.

BYOD also opens up organisations to malware. With an employee using the device for personal use as well, it is easier for a phishing email to reach the employee if the proper security software is not loaded. In addition, malware may be part of a download when unapproved applications are added by the employee. That malware would then affect everything on the device, including work related information. This puts the PHI on your network at risk.

Obviously, there must be some positives to BYOD, or it would not be as popular as it is. The main advantage is that it cuts costs for the organisation. If employees can bring their own devices, the organisation saves money because it does not have to pay to provide devices for them. BYOD also results in better productivity because employees are using a device they already understand. No time is wasted on training employees how to use the device.

The implementation of BYOD has grown every year. Eventually you will need to consider BYOD and establish guidelines for implementing it on your network that respect the privacy of the user’s device. Access should only be requested for security reasons outlined in your policy. If you do choose to implement BYOD, it’s important to clearly define this decision in your policies and procedures.

First, you should have policies and procedures in place outlining the use of devices on your network. The policies and procedures should include:

  1. Acceptable uses:
    1. What apps are employees allowed to run?
    2. What websites should and shouldn’t be accessed?
    3. Can they be used for personal use during work?
  2. Acceptable devices:
    1. Will you allow laptops, phones, and tablets?
    2. What type of devices will you allow (Apple, Android, Windows, Blackberry, PC, etc)?
    3. How are you encrypting devices?
  3. Policies:
    1. Is the device configuration set up by the organisation's IT department?
    2. Is connectivity supported by IT?
    3. How often will you require a password change?
    4. Do you have a remote wipe policy?


Second, decide whether or not to implement Mobile Device Management (MDM). MDM provides a single console through which IT can administer different mobile devices and operating systems: remotely wipe or lock devices, enforce encryption and passcodes, push VPN configuration, and locate lost devices.

MDM lets you wipe the information on a lost or stolen device, and many products can do so selectively, removing only the work container. Some devices have a built-in application for this (Find My iPhone on iOS; Android Device Manager, since renamed Find My Device, on Android). Both are fine for individuals but not the best option for an enterprise that needs to track many devices. A full wipe is a heavy-handed approach that may make employees hesitant to use their device on your network, because their personal data would be erased along with the work data. With a BYOD policy in place, employees know what is expected of them when they use personal devices at work, including the possibility that the company will use MDM to remotely wipe information as needed.

Alternatives to consider are Mobile Application Management (MAM) and agentless BYOD. MAM is software that controls access to, and the data inside, mobile apps on BYOD devices. A report by Bitglass found that only 14% of participants had adopted MAM; by their account MAM never really took off, and MDM has stagnated because of privacy concerns.³ Their solution is Bitglass agentless BYOD, which protects corporate data on any device without installing an application and has an automated deployment process that does not require IT intervention. Agentless BYOD is meant to be more secure and less intrusive for the employee because it can wipe corporate data selectively.⁴

Finally, a BYOD policy agreement should confirm that the BYOD user understands and agrees to the policies and procedures. The user should also understand that the organization owns the work-related information on their device. Therefore, the organization has the right to take away access to the company network at any time. The BYOD agreement should be signed by the user, a department manager, and IT.


HIPAA Privacy and Security Training


The Privacy Rule requires a covered entity (CE) to train all members of its workforce (employees, contract workers, volunteers, trainees and management) on its policies and procedures with respect to PHI, as necessary and appropriate for the workforce members to carry out their functions within the CE.

  1. In addition to new hires, you must provide ongoing training when functions are affected by a material change in policies or procedures.
  2. Document evidence of compliance in written or electronic form and retain.
  3. You must have in place appropriate sanctions against workforce members who violate your privacy policies and procedures or the privacy rule itself.

The Security Rule requires a CE to train the entire workforce, including management, on security issues specific to the organisation. Security training updates reflecting changes in technology and in the threats the organisation faces must be offered periodically.


What Should Your Privacy and Security Training Include?

Privacy and security training can be delivered through your existing educational operations. An online, modular programme that is convenient for off-site workers, contract personnel and regular staff may be an appropriate way to meet the requirement; off-site personnel who find it difficult to attend an on-site session can meet it through online training. However you choose to comply, your privacy and security training should include the following:

  • Education: knowledge and understanding
    • Cover PHI in all forms: verbal, written, electronic
    • Policies and procedures with respect to PHI
    • General confidentiality
    • Patient rights
    • Sanctions
    • Faxing
    • Complaints
    • Use of social media
    • General security policies
    • Physical and workstation security
    • Breaches: what is a breach and what is the ramification of breaches to the organization and the individual?
    • What is the Office for Civil Rights (OCR)?
      • Understanding of the agency’s responsibility to enforce privacy and security regulations
    • E-mail procedures
    • Faxing procedures
  • Training: how-to Privacy
    • How to handle PHI in the office
    • How to report a potential privacy violation
  • Training: how-to Security
    • Procedures for guarding against, detecting, and reporting malicious software
    • Procedures for monitoring log-in attempts and reporting discrepancies
    • Procedures for creating, changing, and safeguarding passwords
  • Ongoing awareness
    • Maintain a reference area where your privacy and or security officer maintains printed current policies and procedures for privacy and security.
    • Have a process in place to evaluate your training program effectiveness and reliability.
    • Ensure that all users have completed security awareness training before receiving access to electronic PHI (ePHI).
      • This should be an ongoing effort and constantly reviewed and revised when necessary. 
  • Address questions that arise from time to time.
    • Example: What should a HIPAA-compliant fax cover sheet look like?
      • The cover sheet should contain all the standard information: date, to, from, phone, time, fax number to, fax number from, e-mail address, number of pages including cover, and message. It should also include a disclaimer similar to: “The information contained in this facsimile message is intended for the sole confidential use of the designated recipients and may contain confidential information. If you have received this information in error, any review, dissemination, distribution or copying of this information is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone and return the original message to us by mail or, if electronic, reroute it back to the sender. Thank you.”
    • Example: How should an e-mail transmission look to be HIPAA-compliant?
      • Your e-mail must contain a disclaimer similar to: “The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.” A disclaimer is a courtesy, not a safeguard: the Security Rule's transmission security standard expects ePHI sent over open networks such as the internet to be encrypted, so a disclaimer is no substitute for encrypted e-mail or a patient portal.

  • HIPAA Exams is your source for all HIPAA requirements.

    Stay current with federal HIPAA requirements through up-to-date online learning from HIPAA Exams, Inc. Current educational modules are available for Covered Entities, Business Associates, Administrators, Health Care Providers, Nurses, Medical Office Staff and other health care workers. Call with questions or to discuss your needs. We can help with any compliance training!


Patient Privacy: Let’s Stop Calling It HIPAA


Often in medicine, or in life in general, we are obliged to revisit the origin of a popular belief, phrase or piece of "common-sense" knowledge. Through repeated retelling these concepts can stray far from their original meanings and turn into something entirely different, even erroneous. Unfortunately that seems to be happening with HIPAA. Speak the word among providers and you will likely invoke thoughts of uptight regulators in suits and extraordinarily hefty fines issued to those foolish enough to carry loads of data on an unsecured laptop. However, HIPAA is not about overbearing rules or inconveniently adding to the documentation burden. It is about privacy.

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is simply a federal law put in place to protect the identifying information of any patient getting medical care. It gets a little detailed, but essentially the law was put in place so that providers, clearinghouses and insurance companies make a serious effort to protect information like names, birth dates, social security numbers, photographs and any other unique identifier a person may have. The end goal is that a patient's medical needs are kept private. Aside from being a basic human right, privacy should be protected for additional reasons like the possibility of discrimination against patients by employers or insurers (see pre-existing conditions).


Big (Unsecured) Data
For better or worse, we will soon be so proficient at collecting data that nearly every aspect of our lives will be quantified. Despite being completely obtrusive and a little creepy, this massive data collection and analysis will have benefits like solving the obesity epidemic and finding new treatments for many diseases. Unfortunately that is an optimistic view. Currently, most of the data collected with our mobile devices is simply being used to find more efficient ways to market to us. Even more, as we’ve seen over the past couple of years, we are nowhere near experts at data security. Think back to 2013 when Target failed to protect the credit and debit cards of over forty million customers. However, health data is much more sensitive, considering that we can’t simply cancel and replace health information in the same way we would a stolen credit card.


“We’re HIPAA compliant… right?”
Aside from data security, there’s a lot of confusion around HIPAA in general, especially with smaller medical practices. Our recent survey showed that practices are far from HIPAA compliant. Many practices are struggling to train their employees (only 56% of office staff said they’ve received HIPAA training within the last year). And only 45% of respondents reported that their practice has a (HIPAA-required) breach notification policy. At the end of the survey, respondents were asked, “How confident are you that someone in your business is actively ensuring HIPAA compliance?” With only 38% saying “very confident,” it’s clear that we, as an industry, have some work to do. Practices certainly have a lot on their plate, between ICD-10, Meaningful Use, the ACA - but we can’t let HIPAA fall to the wayside. Aside from increased communication and simple education, I suggest we do one more small thing to bring the focus back to what matters.


Ditch the Acronym
Whatever reason a patient may have to keep data private, providers should be making it a top priority. With so much conflict surrounding our personal information, we absolutely cannot afford to take this matter lightly. This isn’t about documentation written in 1996 or outrageous fines. It is about protecting the privacy of people. So, let us rid ourselves of the strange acronym that reminds us of a water animal and take on this issue by giving it a name that makes sense: PATIENT PRIVACY.


4 Steps to Mitigate a HIPAA Breach and Other Tips You Need to Know


Have you been the victim of a breach? Maybe not, but perhaps you know someone who has. Either way, deciding what to do next can be challenging if you're unprepared. 

First, it's important to determine whether the incident is truly a breach or simply a false alarm, then follow these guidelines to quickly respond.


What is Considered a Breach?
The Department of Health and Human Services (HHS) defines a breach as:

“The unauthorised acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorised person to whom such information is disclosed would not reasonably have been able to retain such information.”

The reason I bring this up is that the definition was updated by the Omnibus Rule, which removed the "harm standard". This means that if you have a release of information of any kind, be it a fax or e-mail to the wrong person, a malware attack, the loss of an unencrypted device, etc., you have a breach. Under the earlier interim rule a covered entity could decide there was no breach if it judged there was no significant risk of harm; now the incident is presumed to be a breach unless a documented four-factor risk assessment shows a low probability that the PHI was compromised.


Steps to Mitigating a Breach
When responding to a breach, HHS expects you to have your response protocol in place BEFORE a breach happens, so we highly recommend including this as part of your HIPAA Compliance Plan. This is the best way to protect yourself if and when a breach does occur. To get started, follow these four steps:


Step 1: Perform A Risk Analysis
This first step is important and is required by HIPAA. Your Risk Analysis needs to be conducted quickly and should be as thorough as possible. Here's what to look for:

  1. When did the breach start and end?
  2. What date did you discover the breach?
  3. Approximately how many individuals are affected?
  4. What type of breach has occurred?
    • Hacking/IT Incident
    • Improper disposal of PHI
    • Loss 
    • Theft 
    • Unauthorised Access/Disclosure
  5. Where did the breach occur?
  6. What type of PHI is involved?
    • Clinical
    • Demographic
    • Financial
    • Other

As you review this information, you will have a better idea of what happened and whether or not a breach actually took place.


Step 2: Contact the Authorities
At this point, if you’ve discovered that indeed this is a breach, and if you determine a criminal act has transpired, contact your local authorities. For malware issues, you may be referred to the FBI to file an official complaint. 


Step 3: Notification of Patients
Each patient must be notified of the breach by U.S. Mail, unless you have clearly outlined in your Notice of Privacy Practices that notifications will be sent by email. However, if you determine notifications will be sent electronically, all patients must agree and sign off on this method of communication. This can save you a lot of time and money, so we highly recommend including this clause in your compliance plan. To add this clause, contact your lawyer, or the team at Total HIPAA to make sure this is properly laid out.

The substitute notice: this is required when you have out-of-date contact information for 10 or more individuals. You have two options: 1) post the notice conspicuously on the home page of your website for 90 days, or 2) provide notice in major print or broadcast media serving the area. Either way, the notice must include a toll-free number, active for at least 90 days, where individuals can learn whether their information was involved.


What is Required to be in the Patient Notification?

  1. A brief description of what happened, the date of the breach and the date the breach was discovered.

  2. A description of the types of unsecured PHI involved in the breach (name, address, date of birth, SSN, health information, treatment codes, etc.)

  3. The steps individuals should take to protect themselves from potential harm. The action could be different for each incident.

  4. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate damage, and to protect against future breaches.

  5. Contact procedures for individuals to ask questions or learn additional information, a phone number, an email address, website or postal address.


Step 4: Notifying HHS of the Breach, or The Rule of 500

Under 500 Patients Affected
If you have a breach of fewer than 500 patients’ information, you are not required to notify HHS at the time the breach is discovered. You will however need to document all the items described above and report the breach to HHS at the end of the calendar year. Notifications must be submitted to HHS within 60 days of the last day of the year and can be filed online using the OCR's notification portal.


500 or More Patients Affected
If a breach affects 500 or more individuals, you must notify HHS at the same time you send the individual notices, that is without unreasonable delay and no later than 60 days after discovery; these breaches are listed on OCR's public breach portal. If more than 500 residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that area. You should also verify the breach notification rules for your state, as these may vary; in several states, such as California, you are also required to notify the Office of the Attorney General. As always, check with your attorney if you have any questions about your specific state's notification requirements.
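The notification thresholds and deadlines described in steps 3 and 4 here, and in the "4 Steps to Assess a Possible HIPAA Data Breach" article above, as an added example that is not part of either article: a small calculator that turns discovery date, head count and the documented four-factor outcome into the obligations and dates they trigger. The numbers come from the articles and 45 CFR 164.404-164.408 (60-day individual notice window, substitute notice at 10 or more unreachable individuals, contemporaneous HHS notice at 500 or more, annual log otherwise, media notice above 500 residents of one state); the incidents are constructed, and the Incident layout and the affected_in_largest_state field are assumptions. It is a planning aid, not legal advice: state law may set shorter deadlines.

```python
"""Breach-notification obligations calculator (added example, not from the
original page). Encodes the thresholds and deadlines in the two breach
articles above; the incidents below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INDIVIDUAL_NOTICE_WINDOW = timedelta(days=60)   # outer limit; "without unreasonable delay"
SUBSTITUTE_NOTICE_THRESHOLD = 10                 # individuals with out-of-date contact info
HHS_IMMEDIATE_THRESHOLD = 500                    # individuals affected
MEDIA_NOTICE_THRESHOLD = 500                     # residents of one state/jurisdiction
SUBSTITUTE_POSTING_DAYS = 90                     # website posting / toll-free number


@dataclass
class Incident:
    discovered: date
    affected: int
    unreachable: int = 0                            # out-of-date contact information
    affected_in_largest_state: Optional[int] = None  # assumed field; defaults to affected
    low_probability_of_compromise: bool = False      # documented four-factor outcome


def assess(inc: Incident) -> dict:
    """Return the notification obligations the incident triggers."""
    if inc.affected < 0 or inc.unreachable < 0 or inc.unreachable > inc.affected:
        raise ValueError("inconsistent counts")

    if inc.low_probability_of_compromise:
        # Not a reportable breach, but the written risk assessment must be kept:
        # the burden of demonstrating a low probability is on the covered entity.
        return {"reportable": False,
                "action": "retain the documented four-factor risk assessment"}

    individual_deadline = inc.discovered + INDIVIDUAL_NOTICE_WINDOW
    in_state = (inc.affected if inc.affected_in_largest_state is None
                else inc.affected_in_largest_state)
    obligations = {
        "reportable": True,
        "individual_notice_deadline": individual_deadline,
        "substitute_notice_required": inc.unreachable >= SUBSTITUTE_NOTICE_THRESHOLD,
        "substitute_notice_posting_days": SUBSTITUTE_POSTING_DAYS,
        "media_notice_required": in_state > MEDIA_NOTICE_THRESHOLD,
    }
    if inc.affected >= HHS_IMMEDIATE_THRESHOLD:
        obligations["hhs_notice"] = "contemporaneous with individual notice"
        obligations["hhs_deadline"] = individual_deadline
    else:
        # Log it now; the year's log is due within 60 days of the calendar year end.
        year_end = date(inc.discovered.year, 12, 31)
        obligations["hhs_notice"] = "annual log"
        obligations["hhs_deadline"] = year_end + timedelta(days=60)
    return obligations


# Constructed incidents.
SMALL_INCIDENT = Incident(date(2016, 8, 10), affected=120, unreachable=12)
LARGE_INCIDENT = Incident(date(2016, 8, 10), affected=700, unreachable=3)
NOT_A_BREACH = Incident(date(2016, 8, 10), affected=5, low_probability_of_compromise=True)

if __name__ == "__main__":
    for name, inc in (("small", SMALL_INCIDENT), ("large", LARGE_INCIDENT),
                      ("assessed low probability", NOT_A_BREACH)):
        print(name, "->", assess(inc))
```

The year-end deadline is computed with a timedelta rather than hard-coded as March 1 so that leap years come out right, and the discovery date, not the date of the incident, drives every clock: HIPAA's 60 days run from when the breach is, or reasonably should have been, known.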


What Happens if You Don’t Self-Report a Breach?
If you are chosen for a HIPAA audit and the auditor discovers you have not self-reported breaches, this falls under the Willful Neglect provision, and you may be fined starting at $10,000 per violation. 


Exceptions to Notification Rules
Law enforcement officials may ask the Covered Entity to refrain from posting any notification if they believe it could impede a criminal investigation or may cause damage to national security.


What Happens if your Business Associate is responsible for a Breach?
Unfortunately, this is happening more and more, and even with a Business Associate Agreement in place, a breach by a business associate can still open you up to an HHS investigation: under the Omnibus Rule a covered entity is liable for the acts of a business associate that is acting as its agent (the federal common law of agency).

We recommend that you have a clause in your Business Associate Agreement that states you will be notified within 15 days of a suspected breach of information. Since you are the Covered Entity, it's best that you take the lead on patient notification. Make sure you get a full report from your Business Associate, and what they are doing to mitigate the breach. It’s important to communicate all relevant information to your patients so they can protect themselves.


We hope that you never have to face a breach, but in the event that you do, we hope you'll return and use this blog as a reference. With more and more small medical practices becoming the victims of hacks, malware attacks, lost devices, and employee negligence, it's so important to have a plan in place before you have an issue. Having this plan can save you time, mitigate a breach faster, and ultimately save you money.


New York State Approves HIPAA Exams as Infection Control Training Provider


New York, NY, August 10, 2016. HIPAA Exams, Inc. is a professional and management development training company focused on health care, workplace safety and legislative compliance. HIPAA Exams is accredited by the ANCC and is an SBA 8(a) corporation. The company offers more than 25 health care-related courses that can be purchased or leased individually and viewed via the HIPAA Exams LMS or the client's own viewing system.


New York State Department of Health Has Approved HIPAA Exams’ Infection Control & Barrier Precautions Training for All Healthcare Professionals.

In August 1992, legislation was passed establishing a requirement that certain health care professionals must receive training on infection control and barrier precautions every four years upon renewal of their license. The Infection Control and Barrier Precaution law applies to the following professions: dental hygienists, dentists, licensed practical nurses, optometrists, physicians, physician assistants, podiatrists, registered professional nurses and specialist assistants. As of November 3, 2008, the training requirement also includes medical students, medical residents and physician assistant students.

All HIPAA Exams’ courses are online independent study courses, allowing you to work at your own pace.  There is no limit to the number of times a participant may re-take the exam in order to obtain passing score.


Information Security versus HIPAA Compliance


I recently read a headline that stated: "CISO: Compliance Is the Wrong InfoSec Focus". The article goes on to quote: "I'm going to improve our maturity of information security controls and then, out of that improvement of those controls ... will come much better regulatory compliance." But HIPAA is as much about privacy as it is about information security.


I have had many people explain to me that they didn’t need to be HIPAA compliant because they were already compliant with some other standard. HIPAA HITECH and the Omnibus Rule share some attributes with other standards such as SSAE 16 / SOC 1 / SOC 2 but are much broader. The Privacy Rule is something that IT departments tend to ignore.
The Cycle of Compliance has three main components: a HIPAA risk assessment (the NIST protocol is the industry standard), written policies and procedures that have been tailored to the organization, and training and awareness based on the organization's policies and procedures. Having a “canned” set of policies and procedures is certainly not adequate, nor is training based on policies and procedures that are not in place in the organization. Staff will adopt policies and procedures more readily if they are trained on the specific policies and procedures developed for their organization.
The Cycle of Compliance covers all of the HIPAA requirements, and documentation of these activities will help build a legal firewall around an organization. Once set up properly, this process will contribute towards greater productivity and job satisfaction for staff while only requiring a few hours a month to maintain.
Information security is an important part of HIPAA compliance but not the “whole enchilada” as we say here in California.

New HIPAA Guidance Tackles Ransomware Epidemic In Healthcare


HHS addresses ransomware infections in wake of healthcare attacks.

It took ransomware infections that brought two major hospital systems to their knees earlier this year to demonstrate how dangerous malware can be for healthcare organisations. Now the federal government has issued new guidance via the Healthcare Insurance Portability and Accountability Act (HIPAA) to address ransomware attacks.

The US Health and Human Services Office for Civil Rights this week issued guidelines for helping healthcare organisations understand, prevent, and prepare for ransomware attacks. It provides information on what ransomware is, how attacks work, how to spot it, how to quell damage, and of course how to protect data with regular backups. The guidance notes that existing HIPAA requirements basically cover ransomware attacks, and explains how a ransomware attack maps to those rules.

“The new guidance reinforces activities required by HIPAA that can help organisations prevent, detect, contain, and respond to threats,” Jocelyn Samuels, director of the Office of Civil Rights, wrote in a blog post. Among those practices: running a risk analysis of threats to electronic health information; training users to detect malware; limiting user access to electronic health records; and establishing a contingency plan including regular data backups, test restoration, and emergency operations.

“Organisations need to take steps to safeguard their data from ransom-ware attacks. HIPAA covered entities and business associates are required to develop and implement security incident procedures and response and reporting processes that are reasonable and appropriate to respond to malware and other security incidents,” Samuels said.

While having HIPAA address ransomware makes sense, some security experts say it’s no guarantee users won’t still fall for a phish or link in an email. “Any new guidance that can help healthcare organisations prevent, detect, contain, and respond to threats (especially ransomware) is obviously good guidance. However, will guidance solve the bigger problem of the unsuspecting click?” says Stephen Gates, chief research intelligence analyst at NSFOCUS.

“Ransomware," he says, "is not an exploit that takes advantage of a vulnerable application or operating system. Ransomware is a payload that takes advantage of vulnerable people and their clicks. Even the best guidelines can’t solve that problem.”


Is Apple Finally Entering the HIPAA Game?


For years, Apple has notoriously avoided stepping into the burgeoning HIPAA-compliant health-tech market. Its peers–tech giants the likes of Amazon, Microsoft, Google, and FitBit–have all willingly begun signing Business Associate Agreements (BAAs), allowing their products and services to be used across the health care industry to store, transmit, or create protected health information (PHI).


So when Business Insider reported on a job listing posted by Apple looking for a “Privacy Counsel” focused on HIPAA and Health, heads rightfully turned.

With the exception of third party apps and some Apple Watch functionality, Apple has been decidedly quiet on the issue of HIPAA. There are a number of HIPAA compliant messaging and data storage apps that have long been popular with Apple users in the health care field, but its own iMessage messaging service remains insecure and non-compliant.


The job listing itself is vague, asking only for “health privacy expertise” in addition to a slew of requirements that make it clear they’re going for the best in the business to spearhead their interests in HIPAA compliance.

So it seems that Apple is poised to move ahead in a few directions.

They can go the way of Google and develop an end-to-end encrypted messaging service for doctors or other covered entities and business associates. This would serve the function of allowing PHI to be safely transmitted without risking the security or integrity of health data.

The other option is to go the way of health-tech manufacturer FitBit and create a suite of HIPAA-compliant health tracking services for the Apple Watch.

In the year since its release, the Apple Watch has been widely adopted as a health monitoring device. One report from April 2016 indicated that 80% of Apple Watch owners utilise its health and fitness tracking, and 56% say that that’s the primary reason they use it.


With discussions of data security and privacy reaching the national stage, the pressure is mounting against tech companies to take the plunge and begin protecting their customers’ data. Apple CEO, Tim Cook, commented on his plans for the Apple Watch. “One day,” he said, “this is my prediction, we will look back and we will wonder: how can I ever have gone without the Watch? Because the holy grail of the watch is being able to monitor more and more of what’s going on in the body.”

With this renewed focus on health, it’ll be worth watching Apple to see if anything comes of this new job listing and their potential foray into the world of HIPAA compliance.


It's Time To Modernize The HIPAA Privacy Rule


Here is a thought-provoking statement about the HIPAA privacy and security rules: These rules were required by the 1996 legislation to support the exchange of health information. They were intended to provide limits and protections on the exchange of information, and were not added after the fact as a reaction against free information exchange.

Radical notion? Not really. The HIPAA transaction provisions were aimed at enabling health information exchange, and the privacy and security rules were designed to support that goal.

Here are a couple of observations about what has changed in the nearly 20 years since HIPAA was enacted:

Rather than enabling information exchange, many in health care perceive the HIPAA privacy and security rules as barriers to the free flow of health information.


Technology has changed dramatically; 1996, when the rules were created, was before the modern Internet took root in our everyday lives. Additionally, social networking and mobile computing platforms did not exist. The world of today, technologically speaking, barely resembles the world of 1996. HIPAA, however, has not changed.

So perhaps it makes sense to revisit the HIPAA rules, to make sure that the privacy and security protections are optimised for today’s technology, with the goal of protecting individuals as well as enabling information exchange.


Using HIPAA Guidelines to Protect Your Personal Information


Community Health Systems Inc. (CYH.N), one of the biggest U.S. hospital groups, said on Monday it was the victim of a cyber attack from China, resulting in the theft of Social Security numbers and other personal data belonging to 4.5 million patients.

A Russian crime ring has amassed the largest known collection of stolen Internet credentials, including 1.2 billion user names and password combinations and more than 500 million email addresses, security researchers say.


What in the name of HIPAA is going on out there?

Breaches of information are happening all around us, and it’s the big ones that are grabbing our attention these days. So, what can you do to protect yourself?

Well, HIPAA has great guidelines for not only protecting your client’s information, but also your personal information. Yep, I’m going to make everyone love them some HIPAA with this week’s blog… OK, love might be a tad strong. How about, gain a healthy respect?


HIPAA states that you are responsible for your Business Associates’ and/or Business Associate Subcontractors’ compliance. How do you do this? By asking to see Policies and Procedures, a Notice of Privacy Practices, and their training logs. Treat anyone to whom you give confidential information as if they were your Business Associates and Subcontractors. You won’t get training logs from a credit card company, or from the iTunes store, but you do get those handy little guides that tell you how they are going to use your information, and what the limits are. Now, I’m not saying you need to study these things, but if a company isn’t willing to give you a Notice of Privacy Practices, perhaps you shouldn’t be giving them your information? Look for security standards and marketing standards within the NPP. Apple is fairly forthcoming in their privacy policy.

HIPAA requires you to have unique logins for each user in your company. Following these guidelines, you should have a unique password for every credit card, bank, etc. The easiest way to protect your private information is to change those passwords, and make them super hard. We’re talking 8+ random uppercase and lowercase letters, numbers and symbols. Most hackers are looking for an easy way in, and one of the easiest ways is through weak passwords. Make sure you update all your passwords regularly, quarterly at a minimum, and maybe use a password management program. Those are great tools, and go a long way in helping you to protect your personal information.


Taking this one step further, many people use their email address as their user name. This is easy for you to remember, and fairly easy for a hacker to use also. For more secure financial data, you should use a unique username that isn’t your email address. This will make your login that much harder to identify.

Use two-factor authentication if the company supports it. Google uses it with Gmail; Facebook has it with their service. If the online services you frequent support it, USE IT! Two-factor authentication is great because you are required to authenticate access from an outside device – like a text message. Since hackers normally don’t have access to all your communication means, this gives you another level of protection.

HIPAA requires that all Protected Health Information be encrypted in transit. You should be discerning about what information you’re going to put into websites. Make sure they show a green lock, which means they have a valid SSL/TLS certificate. The SSL/TLS certificate verifies the site is what it says it is, and the connection encrypts your information in transit. If you click on the lock, it will tell you if there is a valid SSL/TLS certificate, who issued it, and what level of encryption the site is using. HIPAA requires 128-bit encryption, and you want this at a minimum on any site to which you are sending data. It’s a good exercise to click on those locks and see what’s going on. Make sure those certificates are valid.
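The padlock check described above, done programmatically, as an added example that is not part of the original post: it takes the certificate and cipher exactly as Python's `ssl` module reports them and answers the post's three questions (is it valid, who issued it, how strong is the encryption). The 128-bit floor, the legacy-protocol list and the sample certificate are assumptions constructed for the example.

```python
"""Programmatic version of "clicking the padlock". Added example, not code from
the original post; thresholds and the sample certificate below are assumptions."""
import socket
import ssl
import time

MIN_CIPHER_BITS = 128                                   # the post's stated minimum
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # assumed policy: flag these


def _hostname_matches(pattern, hostname):
    """Exact match, or a '*.' wildcard that covers exactly one leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def assess_tls(cert, cipher, hostname, now=None):
    """cert: dict in ssl.SSLSocket.getpeercert() shape; cipher: (name, protocol, bits)
    as returned by SSLSocket.cipher(). Returns issuer, strength and a findings list."""
    now = time.time() if now is None else now
    findings = []
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("certificate expired")
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_hostname_matches(n, hostname) for n in dns_names):
        findings.append("hostname not in certificate")
    name, protocol, bits = cipher
    if bits < MIN_CIPHER_BITS:
        findings.append(f"cipher {name} below {MIN_CIPHER_BITS} bits")
    if protocol in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {protocol}")
    return {"issuer": issuer.get("organizationName", "?"), "protocol": protocol,
            "bits": bits, "findings": findings, "ok": not findings}


def live_check(hostname, port=443, timeout=5.0):
    """Connect for real. The default context already verifies the chain and hostname
    against the system trust store; assess_tls adds the issuer and strength questions."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return assess_tls(tls.getpeercert(), tls.cipher(), hostname)


# Constructed sample in getpeercert() shape; not a real certificate or CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.example-clinic.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "portal.example-clinic.test"), ("DNS", "*.example-clinic.test")),
}
SAMPLE_TIME = 1717200000  # 2024-06-01 00:00:00 UTC, inside the validity window

if __name__ == "__main__":
    print(assess_tls(SAMPLE_CERT, ("TLS_AES_128_GCM_SHA256", "TLSv1.3", 128),
                     "portal.example-clinic.test", SAMPLE_TIME))
```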


HIPAA is a great guide to help you protect your clients and patients as well as yourself by giving you a set of Security and Privacy standards we should all be following. Most of this is pretty common sense stuff, but we all need reminders. That’s where the training comes into play. (Remember this is required under HIPAA!) Accidents still may happen, but you are well on your way to protecting yourself and those who trust you when you follow HIPAA’s guidelines.


Regulatory Compliance for Medical Practices

The regulatory schemes covering medical practices are unbelievably complex, so this article only gives a bird’s eye view. For an outline of legal issues related to a medical corporation, read Legal Compliance Checklist for a Medical Corporation on my website. You should also read the related set of articles that you’ll find linked in that article.
Both the US and California have their own versions of the anti-kickback and Stark self-referral laws. To sum them up: Don’t make or take referrals for money.

○ Under the CA and federal anti-kickback laws, a physician may not knowingly offer or pay, or even receive, anything of value for a referral of medical work.
○ Under the CA and federal "Stark" self-referral laws, for certain designated health services, a physician may not refer a patient to a provider with which the physician (or a family member) has a financial relationship.

Violation of these laws is punishable by fines, exclusion from participation in Medicare and Medi-Cal (see next), loss of license to practice, and even imprisonment. The federal and state referral laws are very broad and very complex. They touch on almost all financial aspects of a practice, and it is very important that you hire an attorney to run each of your transactions through a referrals analysis.
For more on the referral laws as they relate to your group's compensation plan, read Stark and Anti-Kickback laws re the compensation structure of a group medical practice.

Billing Fraud and Exclusion from Medicare and Medi-Cal
You must be very careful when billing for services, because you do not want to inadvertently commit health care fraud. It is very easy for medical practices to become sloppy in their billings as they try to maximise reimbursement, for example, using a physician’s provider number to cover the work of a non-physician.

The federal Office of Inspector General (OIG) can exclude anyone who has engaged in billing abuse from participation in Medicare. Exclusion is very serious because you cannot get reimbursement from Medicare for your medical work. The California Department of Health Services has its own exclusion (suspension) provisions regarding Medi-Cal.
The OIG prohibits payment even to an innocent health care provider (e.g. a hospital) who employs an excluded individual. A provider can itself be excluded if it submits claims for payment connected with an excluded person. Hence a medical practice must be sure that all of its employees and contractors are not excluded. Both OIG and California maintain online lists of excluded health care providers.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires “covered entities” to protect electronic health information from unauthorised access, alteration, deletion, and transmission. Covered entities include medical practices.
HIPAA is extensive and I’m sure you’ve had about all you can stand of it already. One thing to keep in mind about HIPAA is that, when working with third-party contractors who handle patient data, a health care practice must obtain contractual assurances of their HIPAA compliance. Make sure your contracts with third parties have language to this effect.

Supervision of Staff
California has a multitude of regulations on your supervision of staff, including medical assistants, nurse practitioners and more. The California Medical Board’s website has many publications that address these regulations. I will not belabour them in this short outline.

Test Case -- Sharing Offices with other Health Care Providers
Sharing office space with other health care practices brings up all of the above issues. The primary problems are violation of the referral laws (above), creation of a de-facto partnership, and opening access to patient data in violation of HIPAA.
The various health care providers may make referrals to one another, but they must comply with the state and federal referral laws (Stark and Kickback). In essence, they may not take or receive any compensation (direct or indirect) for a referral. Be extra careful of the office leases for the shared space. The Stark and Kickback referral laws have specific requirements to prevent the leases from acting as indirect conduits for financial compensation.

The risk with a de-facto partnership is that patients of another practice sue you based on the argument that you and the other practice are partners. The more resources you and the other practices share, and the more integrated you look, the higher the risk. You must keep your medical practice absolutely separate from the other practices in the shared space. All health care practices in the shared space should give written disclosure of the space-sharing relationship to patients, including disclosure that the various practices are not in a partnership of any kind.

One final note: Never let another health care practice bill under your provider number, no matter how many rationales that other practice has for it being OK. Most likely this would constitute billing abuse.