HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Beware: The top 4 hurdles to a successful EHR implementation | Healthcare IT News


If you were a healthcare provider and all you did was read press releases, you'd be tempted to think that transitioning to a new EHR involved little more than opening the package and plugging in the contents.

Naturally, things are a little more complicated than that, but many providers aren't aware of just how much more complicated the truth really is.

As Michael Gleeson, senior vice president of product strategy for Arcadia Solutions, a Boston-based health IT consulting company, put it recently, "We've found that using technology is really new for a lot of practices."

Given that naiveté, Gleeson said, many practices struggle with performance issues related to their workflows, largely because their care delivery structures aren't always suited to taking advantage of EHRs and they're not clear on the proper steps toward greater efficiency.

As Gleeson sees it, there are four generally unanticipated issues that providers encounter when they transition from paper records to EHRs.

  1. Network issues. "This," said Gleeson, "is one of the most difficult areas." He went on to explain that if a practice uses a hosted EHR, accessing it through the Internet, it could cause delays as the information gets loaded slowly. That, naturally, leads to provider frustration.
  2. Untested upgrades. Upgrades make things better, right? Maybe. The problem, according to Gleeson, is that "the upgrade might come from the vendor, but the customer has customized the original system and the upgrade hasn't been tested within their own (now customized) ecosystem."
  3. Ineffective template design. Templates are a love 'em or hate 'em proposition. On the one hand they allow for data input uniformity, while on the other they often restrict the capacity of providers to make comprehensive notes. On an operational level, Gleeson pointed out, templates are often just plain inefficient, and they offer too many distracting alerts. Providers new to EHRs may not understand how to solve either of those problems.
  4. Genuine application performance issues. Many problems, Gleeson said, stem from how the EHR has been deployed. Again, these aren't plug-and-play systems, a fact which too many providers don't realize until they're knee deep in impediments to productivity. The good news, however, is that systems can be analyzed, with an eye toward determining what modules need to be tweaked or moved to different parts of the system.

While there are few problems that can't be solved post-implementation, Gleeson pointed out that often providers don't realize they have problems to correct until their systems have been in place for some time. In large part, that's because even less than optimally installed EHRs can help with upcoding right away. Consequently, providers who may now be able to bill for services that once fell by the wayside may not realize until later that, in reality, their overall productivity has decreased.

The truth, Gleeson said, is that the problems listed above can lead to up to a 30 percent decrease in productivity.

Technical Dr. Inc.'s insight:

Are you having a similar problem?  If you need immediate IT support for your practice, contact a Technical Doctor team member today at inquiry@technicaldr.com for more information.

The Technical Doctor Team


Lost thumb drive leads to $150K fine | Healthcare IT News


An unencrypted USB drive has ended up costing one dermatology practice, which has settled with the Department of Health and Human Services for failing to address HITECH's breach notification provisions.

Adult & Pediatric Dermatology (known as APDerm), which provides dermatology services in Massachusetts and New Hampshire, agreed on a settlement of $150,000 for privacy and security violations, and will be required to put a corrective action plan in place to fix deficiencies in its HIPAA compliance program, according to a notice posted Dec. 26 on the HHS website.

It's the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act, say officials from HHS' Office for Civil Rights.

OCR launched its investigation of APDerm after being tipped off that an unencrypted thumb drive containing the protected health information of some 2,200 people was stolen from a vehicle of one of its staff members. The drive was never recovered.

The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of its security management process, officials say.

Moreover, APDerm failed to fully comply with the HITECH Breach Notification Rule, which requires organizations to have written policies and procedures in place and to train workforce members.

In addition to the $150,000 resolution amount, APDerm's settlement includes a corrective action plan requiring development of a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities. The practice will also be required to provide an implementation report to OCR.

"As we say in healthcare, an ounce of prevention is worth a pound of cure," said OCR Director Leon Rodriguez, in a press statement. "That is what a good risk management process is all about – identifying and mitigating the risk before a bad thing happens.  Covered entities of all sizes need to give priority to securing electronic protected health information."

 

Technical Dr. Inc.'s insight:

Are you HIPAA Compliant?  Technical Doctor offers HIPAA Risk Assessments that help you get -- and stay -- compliant.  Email us at inquiry@technicaldr.com for more information.


- The Technical Doctor Team


Top 5 Tips for HIPAA Compliance | EMR and HIPAA


Manny Jones, health care solution manager at LockPath, recently sent me 5 tips to consider in order to meet HIPAA guidelines. It addresses some of the following questions: What does the HIPAA Omnibus rule mean for me? How do I know if I’m compliant? Where do I even begin?

This list of 5 tips is a good place to start.

1. Be prepared for more frequent audits and a fine structure based on knowledge – The new tiered approach means organizations can face much higher fines if they’re not in compliance with the rule.

2. Update Notice of Privacy Practice (NPP) – These should explain that individuals will be notified if there is a breach, disclosures around areas that now require authorizations, and more. Once updated, organizations should redistribute to patients and others to ensure they’re aware of changes.

3. Develop new processes – These should address additional restrictions on use or disclosure of protected health information (PHI).

4. Identify assets containing PHI – Once an organization has an inventory of these assets, they can determine where safeguards/breach notification obligations apply.

5. Understand the new definitions – Organizations should understand how “breach” and “business associate” are now defined and how they apply to their organization.

For those wanting to really dig into the details of HIPAA compliance, you’ll want to consider a HIPAA Compliance training course. These are easy online courses for both the HIPAA privacy officer and your staff. As is noted above, more frequent audits and fines are coming.

 

Technical Dr. Inc.'s insight:

Have you done a HIPAA Risk Assessment yet?  We can help you immediately with this!  Contact us at inquiry@technicaldr.com today to schedule your assessment with the #1 medical IT support firm!

-          The Technical Doctor Team


New HIPAA Compliance Help on the Way


The federal "wall of shame" tally of major health data breaches, and the results of HIPAA compliance audits conducted so far, illustrate that the healthcare sector has a long way to go when it comes to protecting patient privacy and improving information security.

For example, one key problem area has been risk assessments, which many healthcare providers do poorly, if at all, based on the findings of federal audits and breach investigations. Another weak spot has been the use of encryption. Stolen and lost unencrypted computing devices have been the culprit in more than half of major health data breaches in the last four years.


That's why it's good news that federal regulators plan to offer two new guides to help organizations address key security challenges in the weeks to come. I've learned that a tool to help smaller providers conduct a risk analysis, as well as a video on privacy and security issues, will be available soon.

Stricter HIPAA enforcement is coming in the New Year, along with a renewal of HIPAA compliance audits.

So it's more important than ever for healthcare organizations of all sizes, and their business associates, to take advantage of these and other free resources to help bolster their efforts to protect patient privacy and improve information security.

Under the HIPAA Omnibus Rule, business associates are now directly liable for HIPAA compliance, and penalties for each HIPAA violation can go as high as $1.5 million.

The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, will resume its HIPAA compliance audit program next year. The expanded audit program will include business associates for the first time. And it will focus more narrowly on the problem areas that stuck out in the previous OCR audits.

The Office of the National Coordinator for Health IT, another HHS unit, is developing a new tool designed to help smaller physician practices with one of those problem areas: risk assessments.

Conducting a thorough risk assessment is a critical component of any information security program. It's also required under the HIPAA Security Rule as well as the HITECH Act's electronic health record incentive program. To qualify for incentives in Stage 2, hospitals and physician groups must attest to performing a risk analysis that, among other things, addresses the use of encryption for stored patient information.

An ONC spokesman told me: "We are working on a tool for small practices, and we expect this to be released in 2014. We hope that this tool will help providers perform a risk assessment in their practices and help them evaluate the administrative, technical and physical safeguards in their organizations as required under the HIPAA Security Rule."

Meanwhile, OCR and the Centers for Medicare and Medicaid Services are developing a video focused on privacy and security issues tied to the HITECH Act's EHR meaningful use incentive program. "We hope to have this posted before January 2014," an OCR spokeswoman says, declining to elaborate on details.

Many covered entities and business associates can certainly use whatever help they can get to improve HIPAA compliance, especially when it comes to risk assessments and mobile device security.

Technical Dr. Inc.'s insight:

Call Technical Doctor today if you haven't done a HIPAA Risk Assessment yet!


-The Technical Doctor Team


Secure Texting Streamlines Clinical Communication


By Susan Kreimer, contributing editor

A Canadian hospital installs a secure texting solution to facilitate physician paging and to provide more details about consulting cases.

A mobile software application is paving the way for more secure texts among healthcare team members at The Ottawa Hospital, which has 12,000 employees, including 1,200 staff physicians and about 900 residents. The solution (Amcom Mobile Connect) links to the hospital call center’s directory, simplifying the process of locating physicians. According to Margaret Quirie, The Ottawa Hospital’s director of information organization and access, this eliminates wasted time that used to be spent waiting for pages to be placed manually and acknowledged. It’s also more HIPAA-compliant and may reduce the number of devices that a clinician has to carry.

“Now, all pages are tracked, which helps with audits and risk management,” Quirie said. “It also closes the accountability loop. We know that a person received the page.” Confirmation occurs when the recipient presses a thumbs-up button.




Google will sign a BAA but it will cost you

Google has announced that they will sign a BAA for customers that use their Google Apps platform, which includes Gmail, Google Calendar, and Google Drive.
Technical Dr. Inc.'s insight:



Microsoft used to be one of the only large cloud providers that was willing to sign a HIPAA Business Associate Agreement (BAA). That has changed now that Google has announced that they will sign a BAA for customers that use their Google Apps platform. Google Apps includes: Gmail, Google Calendar, Google Drive, and Google Apps Vault services.

Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI). Google Apps customers who are subject to HIPAA and wish to use Google Apps with PHI must sign a Business Associate Agreement (BAA) with Google.

Administrators for Google Apps for Business, Education, and Government domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive, and Google Apps Vault services.

BAA Required to use Google Services
Google has also made it clear that if a customer does not have a BAA and is storing Protected Health Information (PHI), they should not use Google products.

Google Apps customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.

Not Free

Google is willing to sign a BAA but only for users of their paid Google Apps services. The BAA is not available on Google’s free services (Gmail, Google Calendar, Google Drive, etc.).

To request a HIPAA Business Associate Agreement (BAA), you must be signed in to an Administrator account for your Google Apps for Business, Education, or Government domain. Non-Administrator Google Apps users or users of Google Apps Free Edition (sometimes referred to as “Standard Edition”) cannot request a BAA from Google at this time.

Google Apps for Business starts at $5/month per user or $50/year per user.

Limited Google App Services

Google’s BAA only covers certain Google Apps Services including: Gmail, Google Calendar and Google Drive. Other services such as Google Docs, Google Groups, Google+, and Google Sites are not covered by the BAA and should be disabled.


Running Windows XP means you are non-compliant and open to liability


On April 8, 2014, Microsoft will not release any security patches for Windows XP, which will effectively make it non-compliant with HIPAA / HITECH.


By Jeffrey Brady


Technology Pros in the healthcare industry may want to get a head start on their spring cleaning. Microsoft extended support for Windows XP ends on April 8, 2014. After this date, Microsoft will not release any security patches or updates for Windows XP. This will effectively make Windows XP non-compliant with HIPAA / HITECH after Microsoft support ends.

Goodbye XP

Windows XP was released August 24, 2001 and has been widely deployed in homes and corporate environments alike. In the Healthcare arena, XP may be found on workstations used by clinical staff, CT machines, and other critical medical devices.

 

Most of these devices are connected to the network to connect to EHR/EMR systems, so simply disconnecting them is not an option. In addition, many of these devices are running old and proprietary applications that may not run on a newer operating system such as Windows 7 or 8.

 

What can an IT pro do when faced with this dilemma? In an ideal world your systems would already be off XP or you would be well into a migration effort. However, some of us have inherited this problem and must find a solution that not only addresses this problem, but also does so in a cost effective manner. Ideally, you will even have the opportunity to make technical improvements in your infrastructure, enhance security and manageability of your systems, and provide your clinical staff with a more efficient computing environment.

 

Evaluate your current situation

Getting your vendors involved is very important at this stage. You will want to find out about how to move to newer versions of their software which are compatible with Windows 7 or beyond. If you have current maintenance you may just need to download their newest software and apply your testing process. If you are not in maintenance, you may face pricey upgrades to move to their new platform.

 

Another option may be to run the application on a terminal server and have your clients access the application via a remote desktop connection.

 

Lastly, you will also want to do an assessment on your medical devices to see which of these systems may be impacted by the Windows XP "sunset".

Your next steps are to evaluate your current workstations. Do they have the resources to run a newer version of Windows? If so you can exercise your volume licensing upgrade options, or purchase the proper licensing to upgrade your environment. A more likely scenario would be that you have old workstations that are overdue for replacement anyway, in which case, upgrading would not be practical.

 

You can look at simply replacing your desktops with new shiny boxes and work on your migration plan for applications and user data. Another option you may strongly consider is implementing a VDI (virtual desktop infrastructure).

 

Virtualization

Virtualization has been hugely successful in the server arena. This technology uses a hypervisor on top of the hardware that allows multiple copies of an operating system to share the resources of the hardware. In most applications, there is no penalty for running multiple servers on the same hardware if your environment is planned correctly.

 

One can do the same using VDI. You can run fifty, maybe even one hundred, desktops on one physical server. These desktops would share the fast CPU, memory, and storage of the physical server to give the end user a high-performance computing environment. You can repurpose your existing desktops to connect to your VDI setup, or you can deploy thin clients to your endpoints.

 

VDI also will provide your staff with centralized management and control of your desktops. This will help your lean staff manage and maintain your environment effectively.

 

Bottom line

Now is the time to take action. Start working on your strategy for moving your computers and medical devices off Windows XP. Size up your vendor support for upgrading to a newer OS, get an inventory of your impacted devices, and evaluate how you will update your endpoints. Moving to a newer operating system will help you provide a more secure environment in your facility and ensure compliance with HIPAA / HITECH.

Technical Dr. Inc.'s insight:

Are you keeping up with HIPAA Compliance standards? Technical Doctor team members are experts in this field!  Put the #1 medical IT support firm to work for you today!  Contact us at inquiry@technicaldr.com to learn more.

-          The Technical Doctor Team


Six 2014 Healthcare IT, EMR, and HIPAA Predictions | EMR and HIPAA


Let’s take a bold, but realistic look at what we can expect in 2014 when it comes to healthcare IT, EMR and HIPAA. It will be fun to look back at the end of 2014 to see if I’m right. Hopefully you’ll add your 2014 predictions in the comments.

HIPAA Omnibus Poster Children – In 2014, I think we’re going to see a few companies have major issues with HIPAA Omnibus. Those examples will be widely reported and be the “poster children” for violating HIPAA Omnibus. I’ll go further in my prediction to say that a couple of them will be companies who are business associates who didn’t comply with HIPAA. In fact, I won’t be surprised if one of those poster children isn’t a really large corporation who didn’t realize that they were a business associate and required to comply with HIPAA. Plus, we’re going to see some major HIPAA violation related to SMS messages.

Direct Project Takes Off – With many getting set for meaningful use stage 2, watch for 2014 to be the breakout year for Direct Project. Direct project won’t surpass the fax machine for sharing medical records in healthcare, but many doctors will start asking for someone’s direct address as opposed to fax number. Doctors will finally start being able to know the answer to that question.

EHR Adoption Increases – Meaningful Use Participation Falls Off a Cliff (ambulatory, not acute) – This seems to be a contradiction, but I know many doctors who happily use an EHR and have no desire to touch meaningful use with a long stick. As the meaningful use money goes down and the requirements ramp up, many doctors are going to eschew meaningful use, but continue meaningfully using their EHR the way they think is right. EHR is here to stay, but meaningful use is going to take a big hit.

Wearable Tech Finds Its Place in Hospitals – In 2014, Google Glass will finally be put out as an official product. I believe it will be considered a failure as a consumer product in 2014 (give it until 2016 to be a great consumer device), but it will find some amazing uses in healthcare. Kyle Samani talks about some of his thoughts in this video, but I think we’ll discover many more. A PA and dentist friend of mine were some of the most interesting demos I’ve done with Google Glass. Of course, other competitors to Google Glass will come out as well. It will be fun to see which one of those wins.

ICD-10 Will Drive Many Organizations Towards Bankruptcy – Many underestimate the impact that ICD-10 will have on organizations. If it doesn’t send many to bankruptcy it will certainly cause cash flow issues for many. This is going to happen and many organizations are planning for it. We’ll see how well they prepare. Overpriced EHR software won’t be helping those that head towards bankruptcy either. Combine the two forces and some organizations are going to suffer this year.

EHR Vendors Will Start Dropping Like Flies – As I’ve said many times before, we won’t see the EHR consolidation that many are talking about (i.e., 5 EHR vendors). However, we will start to see major EHR vendor fallout in 2014. Most of the press releases will spin it as a win for the company and the end users, but there are going to be a lot of unhappy EHR users when these companies start folding up shop through acquisition or otherwise.

Technical Dr. Inc.'s insight:

Don't be a statistic!  Technical Doctor can help your practice with HIPAA Compliance and EMR selection.  Contact us at inquiry@technicaldr.com to learn more!


- The Technical Doctor Team


Healthcare - Achieving HIPAA and HITECH compliance

Healthcare - HIPAA/HITECH

"The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules."
Department of Health and Human Services (www.HHS.gov)

Information technology is radically transforming the healthcare industry. Electronic health records (EHR) now enable greater access to patient records and facilitate sharing of information among providers, payers and patients themselves. But with broader access, more centralized data storage, and confidential information sent over networks, there is an increased risk of privacy breach through data leakage, theft, loss, or cyber-attack.

The Federal government, specifically the Department of Health and Human Services (HHS), the Office of Civil Rights (OCR) and the Center for Medicare and Medicaid Services (CMS), addressed the new security challenges in the HITECH Act, the HIPAA Omnibus Rule, and the EHR Meaningful Use Incentive Program. The Omnibus Rule extends existing HIPAA regulations and strengthens enforcement provisions, including increases in potential civil and criminal penalties. The EHR Meaningful Use Incentive Program also requires specific security measures – eligible hospitals and other providers must conduct a HIPAA Security Risk Analysis before they can attest to completing each stage of meaningful use.

In summary, two things are clear. First, the healthcare industry's migration to EHR will enable providers to deliver better care more efficiently. Second, IT security will become a critical success factor in every health organization's future. Everyone stands to gain in this prodigious shift and no one can afford to lose.

What You Need to Do / How Redspin Can Help

Eligible Hospitals / Critical Access Hospitals

Meaningful Use Stage 1
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
How Redspin Can Help: HIPAA Security Risk Analysis

Meaningful Use Stage 2
Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
How Redspin Can Help: Data Encryption Risk Worksheet

Eligible Professionals

Meaningful Use Stage 1
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Meaningful Use Stage 2
Objective: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for EPs.
How Redspin Can Help: Data Encryption Risk Worksheet

All HIPAA Covered Entities

HIPAA Security Rule — §45 CFR 164.308 Administrative Safeguards

(a) A covered entity must, in accordance with §164.306:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

HIPAA Security Rule — Administrative Safeguards (45 CFR 164.308(a)(8))

(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.

How Redspin Can Help: HIPAA Policy Gap Analysis

Technical Dr. Inc.'s insight:

We specialize in over 20 types of HIPAA Risk Assessments! Contact us at inquiry@technicaldr.com today to schedule your assessment with the #1 medical IT support firm!
- The Technical Doctor Team


HIPAA Compliance in the Cloud: Q&A


All companies handling protected health information (PHI) are required to comply with HIPAA regulations. These laws are important, yet complex. Confusion has ensued among healthcare businesses, which wish to understand what their obligations are. As more companies migrate to cloud computing, many new questions arise. Here, we answer some of the most frequent questions regarding HIPAA compliance and cloud security:

What is the purpose of HIPAA?

HIPAA regulations ensure that individual patient information remains private, while allowing the health system to function. PHI should not be available to anyone who doesn’t need the information, yet it should be available and usable to those who do legitimately need it – such as caregivers. Thus, patients can receive good medical care without compromising their right to privacy.

 

What is a Covered Entity?

HIPAA sets rules for “Covered Entities.” In simple terms, these are the organizations that provide healthcare. They may, for example, be health care providers (doctors, clinics, hospitals, etc.) or health plans (insurers, HMOs, health programs, etc.)

 

What is a Business Associate?

Covered entities often engage other businesses, known as business associates, to help them carry out their healthcare activities and functions. HIPAA defines rules for these business associates as well.

The covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to protect the privacy and security of health information. In addition to these contractual obligations, business associates are directly liable under HIPAA for compliance with certain provisions of the rules.

The latest updates to HIPAA extend the Business Associate definition to cloud service providers and other hosting providers used in the health industry.


What are the advantages of securing data in the cloud?

There are many good business reasons to use the cloud for managing healthcare applications and data. They include flexible infrastructure and a pay-as-you-go economic model. Taking advantage of these benefits, while meeting regulations, requires proper security for your cloud deployment.

This task is no more daunting than securing data in a traditional physical data center. In fact, if you have chosen a good cloud provider, much of it may already have been done for you. Just as in the “old” physical world, you should check that your cloud provider does a good job of security by reviewing its documentation and practices, and you should also study best practices for using the cloud securely.

One new area where you should devote time and attention is a stronger emphasis on encryption and on management of the encryption keys in the cloud.

If you do this properly, you will have a HIPAA-compliant solution that is much more flexible and cost effective, with less effort.


Does all data in the cloud need to be encrypted?

HIPAA does not require encryption in the cloud, but it is strongly recommended. The best way to ensure data security when data is in use, in transit or in storage is encryption. Additionally, companies that have encrypted their data can claim “safe harbor” if a security problem occurs. To let organizations minimize both the risk of data loss and the need to report a breach, the HIPAA guidelines specify technologies that render data unreadable and unusable. If those technologies are implemented, the organization can usually claim to have achieved a “safe harbor,” which frees it from the obligation of reporting the breach.


Should backups be encrypted as well?

Any storage medium which contains private information about patients needs to be secured. This includes backups and snapshots.


What is the best method of cloud encryption?

As a first step, use strong encryption for your data; the standard is AES-256.

Secondly, take good care of your encryption keys. Encryption is worthless if an attacker gets hold of the keys. The best practice is to keep ownership of the encryption keys entirely to yourself; they are the one thing you do not want to share with your cloud provider.

The most secure method of protecting encryption keys is split-key encryption with homomorphic key management. This is a state-of-the-art solution for securing your keys so that they remain in the hands of your company and are not available even to the cloud provider. Even if security is breached, the data will not be readable by anyone outside the company, and you are likely to qualify for safe harbor treatment.
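The split-key idea above, as an added Go example that is not the article's or any vendor's code: a random AES-256 data key is split into a customer-held share and a provider-held share, only the two shares together rebuild the key, and backups sealed with AES-256-GCM cannot be opened with a single share or after tampering. The `Share`, `SplitKey`, `Unlock`, `Seal` and `Open` names are assumptions, the XOR split is a simple illustration (it does not implement the homomorphic key management the article mentions), and any data encrypted with it is constructed sample input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Share is one half of a split AES-256 data-encryption key (illustrative design, not a vendor product).
type Share [32]byte
// SplitKey draws a fresh random key and splits it into two XOR shares; each share alone is uniformly random.
func SplitKey() (customer, provider Share, err error) {
	var buf [64]byte // first 32 bytes: the real key; last 32 bytes: the provider's share
	if _, err = rand.Read(buf[:]); err != nil {
		return
	}
	copy(provider[:], buf[32:])
	for i := range customer {
		customer[i] = buf[i] ^ provider[i] // customer share = key XOR provider share
	}
	return
}
// Unlock recombines both shares into the key and returns an AES-256-GCM AEAD; a lone share yields a wrong key.
func Unlock(a, b Share) (cipher.AEAD, error) {
	key := make([]byte, len(a))
	for i := range key {
		key[i] = a[i] ^ b[i]
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts a backup or snapshot record; the random nonce is prepended to the ciphertext.
func Seal(gcm cipher.AEAD, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// Open decrypts; GCM's authentication tag rejects a wrong key and any tampered ciphertext.
func Open(gcm cipher.AEAD, sealed []byte) ([]byte, error) {
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}
```

In a real deployment the provider's share would live in a key-management service and the customer's share would never be stored alongside the ciphertext, so a compromise of either store alone exposes nothing.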


Do good Cloud Providers and Cloud Encryption cover all bases?

Technology is critical, but people are no less important. Your employees must be trained to use the technology properly, and processes must be put in place for the handling of private patient information.

Procedures are also important. They range from how you handle suspected breaches to the use of strong passwords.

And under HIPAA, everything you do must also be documented. This is onerous, but you cannot escape it.



Technical Dr. Inc.'s insight:

Don't forget: Technical Doctor performs HIPAA Risk Assessments for your practice! Call or email us to learn more!


The Technical Doctor Team


Best Practices For Healthcare Texts ;)


By Katie Wike, contributing writer

Texting, with patients and within departments, is a natural step in the evolution of mobile healthcare; now providers need to set best practices.

Healthcare Technology Online quoted Cheri Lattimer, RN, BSN, CMSA executive director of TCS as saying, “While traditional communication methods such as phone and face-to-face advice from physicians and care managers still dominate the field, the use of new HIT applications and solutions including smartphones, social networking, and text messaging is quickly increasing. The widespread acceptance of email communication is a perfect example of how care managers can adopt new technologies that patients are comfortable with, thereby avoiding potential barriers associated with new technology, and focus their efforts directly on patient guidance and engagement.”

Lattimer makes an important point: healthcare professionals are constantly adopting new technologies in order to communicate with their patients. MU requires that a certain percentage of patients use portals, and there are apps for making appointments and finding doctors. But the one way to easily contact the majority of patients is via cell phone. Banks send text message account updates, so why couldn’t hospitals use the same technology to remind patients of appointments or prescriptions that need to be filled?

But security is an incredible concern. As HIT Consultant points out, “Text messages can sometimes get sent to the wrong person, and even if it gets to the correct number, the text could be read by someone other than the recipient. The information can be forwarded to anyone, and could remain on phones for indefinite amounts of time. In addition, if a phone gets lost — as they often do — a plethora of patient information could be compromised.”

HIT Consultant raises other questions: Would there be a charge for texting the doctor? What is an appropriate number of communications? What hours are appropriate to text? How many doctors are willing to text their patients? And most importantly, how can text messages be made more secure?

Healthcare IT News has recently posted best practices for text messaging in healthcare, based on the research of Frederick Muench, a clinical psychologist at Columbia University Medical Center who will be speaking at December’s HIMSS Media Health Summit.

"We ended up realizing that we were writing all sorts of different messages, but we didn't really know the basic tenets of what constitutes a good text message,” said Muench. “That is, what constitutes a good text message in that patients would be most receptive to receiving and heeding it?"

Muench’s study found 75 percent of respondents prefer receiving statements to questions, most are likely to prefer messages in "non-textese," and happy emoticons and correct grammar increase satisfaction with messages received.

"We're still new to understanding texting as a unique medium," he concluded, since prior to this study there was little research into consumer preferences in text messages.



Technical Dr. Inc.'s insight:

Confused about whether your e-mail provider is HIPAA compliant? Not sure if your communications with your patients and referring physicians are secure? Contact us at inquiry@technicaldr.com to be sure. Technical Doctor Inc. is the number 1 medical IT support specialist and HIPAA expert.


- Technical Doctor Team


HIPAA Risk Assessment in Chicago and Houston by Technical Doctor Inc

Unsure about your medical practice's e-security and meaningful use readiness? Get your HIPAA Risk Assessment done by Technical Doctor in Chicago and Houston.


TechnicalDr’s HIPAA Risk Assessment ensures you have no worries. It includes:
  • A Facility Walk-through Checklist.
  • Cyber-security and Best Practices Audit.
  • EHR Security Assessment and Review.
  • HIT Security Risk Assessment Questionnaire.
  • Privacy and Security Summary Report.
  • Remediation risk included.
What does a HIPAA Risk Assessment do for you?
  • A HIPAA Risk Assessment ensures that you are complying with all Meaningful Use norms, making your practice eligible for Financial SOPS.
  • A HIPAA Risk Assessment confirms that all HIPAA privacy and security guidelines are being followed and protects you from fines and court cases.
  • A HIPAA Risk Assessment makes your clinic truly secure. Your patients are happier knowing that their records are safe and secure with you.
Why Choose Technical Doctor Inc. as your preferred HIPAA Risk Assessment Consultant?
  • Technical Doctor provides an all-round assessment of the hardware, software, employees and medical processes of your practice.
  • Technical Doctor specializes in readiness assessments and EHR selection, giving it vital experience in e-health.
  • Technical Doctor delivers a comprehensive report on all vulnerabilities detected and ways to overcome them.
  • Technical Doctor has a dedicated team that can complete a Risk Assessment within 3-8 hours at your clinic.
  • Technical Doctor is partnered with HITREC and the National Learning Consortium for this service.
  • Technical Doctor employs only experienced HIT specialists to conduct these Risk Assessments; with them, you are in safe hands.
Technical Dr. Inc.'s comment, December 16, 2013 4:11 PM
Do you need a HIPAA Risk Assessment? Contact Technical Doctor, the leader in medical IT support, at inquiry@technicaldr.com today!