HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA: What happens when you don't comply?

Health care providers, learn how much violations can cost you and your employer.

Most nurse practitioners understand the basics of HIPAA. But, with the abundance of social media and a newfound cultural acceptance of sharing your life online, HIPAA violations are frequent. What are the repercussions of a HIPAA slip-up?

With 77 percent of workers in the U.S. holding a Facebook account and two-thirds of these employees accessing their accounts on the job, it is now easier than ever to make a HIPAA-related lapse in judgment. Both employers and employees are liable when these lapses occur. What penalties do they face?

HIPAA violations will cost you and your employer

Individuals and entities such as hospitals and insurance companies face anywhere from $100 to $50,000 in government fines (maximum of $1.5 million per year) for negligence in handling private patient information. The real penalties, however, lie in civil lawsuits. Should a patient sue you for breaking HIPAA law, you could also be liable for thousands of dollars or more in monetary penalties paid to the patient. In extreme cases, HIPAA violations can result in jail time. Obtaining patient information for personal or commercial gain, for example, carries a maximum ten-year prison sentence.

Companies lose big in HIPAA violations

Several major companies have paid large settlements in relation to HIPAA violations. Massachusetts Eye and Ear Infirmary was fined $1.5 million after a physician's laptop was stolen while he was traveling abroad. The laptop contained 3,500 patient health records. It was never confirmed that patient confidentiality was breached or that any individual patient suffered as a result of this incident. The hospital was still fined after informing the U.S. Department of Health and Human Services of the episode. CVS Caremark has also faced steep HIPAA-related penalties. It paid a $2.5 million fine after employees disposed of patient health information in garbage bins.

Individual consequences of HIPAA infractions

On an individual level, many nurses and other providers have been charged with HIPAA violations. While most violations end in a lesser penalty such as termination or suspension of employment, one nurse found herself serving an eight-day jail sentence for breaching patient privacy laws. She took photos of elderly patients and posted them on her Facebook wall (the photos were disturbing in nature, influencing her harsher punishment). Several employees at the University of California Los Angeles were found snooping into the medical records of various celebrities, including Britney Spears and Tom Cruise. These employees were suspended and UCLA was fined $875,000 for the incident.

So, what's the bottom line? HIPAA law is strict. For the protection of your patients and your own legal security, it must be followed closely. Be smart with patient information. Keep patient records away from the prying eyes of others. Don't post information about your patients on Facebook or other social media channels. Never take pictures of anything involving patient care. Most of all, mind your own business!


HIPAA Theft and Fines - Technical Doctor Inc. - EHR Chicago, EMR Chicago, HIPAA Assessments


Some Linksys routers targeted by TheMoon malware


Security researchers have discovered a flaw in the firmware of some Linksys routers that could allow a hacker to gain control remotely, possibly turning a group of infected routers into a botnet.

The vulnerability has been exploited by malware dubbed TheMoon, according to a story at Computerworld, and the SANS Institute’s Internet Storm Center reports it has spotted Linksys E1000 and E1200 routers that were scanning the Net for other routers to infect.

Linksys routers have the ability to be managed remotely via a Web page or a smartphone app. The flaw involves one or more scripts used in this process. Once the malware is installed, it tells the router to begin looking for others to infect in the same way. The malware also appears to contain code that may have it looking for a command-and-control server that would tell it what to do.

A PC World story lists these Linksys models as being potentially vulnerable, based on details posted to Reddit by a user who created a proof-of-concept exploit:

The following models are listed: E4200, E3200, E3000, E2500, E2100L, E2000, E1550, E1500, E1200, E1000, E900, E300, WAG320N, WAP300N, WAP610N, WES610N, WET610N, WRT610N, WRT600N, WRT400N, WRT320N, WRT160N and WRT150N. However, Rew notes that the list might not be accurate or complete.

A spokesperson for Belkin, which now owns Linksys, confirmed the exploit to PC World, and said it can be prevented by making sure Remote Management Access is turned off. She said the routers ship with that feature disabled by default.

Linksys has posted information about how to update its routers to the latest firmware and make sure that Remote Management Access is turned off. If you’ve got a Linksys router, you should read it and take action ASAP.


Easter Seals notifies 3,026 clients of health data breach | HealthITSecurity.com


The Easter Seal Society of Superior California sent health data breach notification letters to 3,026 Easter Seals clients and potential clients on Friday after an employee’s work-issued laptop was stolen.

According to the release, the laptop was among the stolen items when the employee’s vehicle was broken into on December 10. Though not all patients had the same data compromised, the report said that there was some grouping of date of birth, health care provider information, patient identification number, health care billing information and therapy notes.

Though Easter Seals doesn’t believe any sort of fraudulent activity has occurred to this point, it has hired forensics experts to assist in determining the scope of the incident. The charity advised clients to review healthcare insurer benefits to see if there are any disparities.

“Easter Seals also encourages all concerned individuals to remain vigilant, to review account statements, and to monitor credit reports for suspicious activity,” stated the press release.

Easter Seals didn’t indicate whether the laptop was encrypted or even password-protected. Because it’s an organization dedicated to services and education for those with disabilities and not a healthcare provider, it’s likely considered a HIPAA business associate in this case.

The charity serves children and adults in Alpine, Amador, Calaveras, El Dorado, Nevada, Placer, Sacramento, San Joaquin, Stanislaus, Sutter, Tuolumne, Yolo and Yuba counties. Easter Seals' teachers, therapists and other health professionals help people with disabilities to speak, walk, work and care for themselves.



HIPAA Risk Analysis Tip – FTC Exerting Data Security Authority | LabMD Case - HIPAA-HITECH Compliance Software & Consulting - Clearwater Compliance


HIPAA Risk Analysis Tip – FTC Exerting Data Security Authority | LabMD Case

On August 29, 2013, the Federal Trade Commission filed a complaint against medical testing laboratory LabMD, Inc. alleging that the company failed to reasonably protect the security of consumers’ personal data, including medical information.

Less than six months later, in a letter dated January 6, LabMD president Michael Daugherty informed the company’s customers and workforce that the medical testing laboratory would no longer be accepting new specimens after January 11 and that the company’s phones and internet access would be discontinued shortly thereafter. The company has decided to wind down operations according to its press release dated January 28, 2014, entitled FTC ACTIONS FORCE LABMD TO WIND DOWN OPERATIONS.

I spoke to Mr. Daugherty on Saturday, February 1st about the FTC actions and his plans. He recently wrote a book, “The Devil Inside the Beltway”, telling the story of LabMD’s journey through the FTC process. The book exposes a systematic and alarming investigation by one of the US Government’s most important agencies. Mr. Daugherty indicated he plans to speak out publicly on his ordeal and write additional books to help other small businesses avoid LabMD’s experience.

The original complaint alleged that LabMD billing information for over 9,000 consumers was found on a peer-to-peer (P2P) file-sharing network and then, in 2012, LabMD documents containing sensitive personal information of more than 500 consumers were found in the hands of identity thieves.

The case is part of an ongoing effort by the Commission to ensure companies take reasonable and appropriate measures to protect consumers’ personal data. Many argue, including LabMD, that the FTC is overstepping its bounds and becoming hyper-vigilant in the absence of FTC regulations around data security.

Mr. Daugherty responded, “The FTC does not know, nor can they prove, if or where our file got out or else they are refusing to tell us.” He had further comments on what kind of P2P protections were available at the time in question. “Hindsight is always 20/20. P2P risks were not widely known in 2008 and millions of files leaked as late as 2009 per congressional testimony. This is a story about doing it right and still getting screwed. Many vulnerabilities today are unknown and in 2018 the FTC will say you should have known them based on their term “reasonably foreseeable”. We believe in knowledgeable power, not compliance by fear.”

The Biggest Lesson Learned: Covered Entities and Business Associates Need to Identify and Manage Risk Related to Any Personally Identifiable Information Stored, Maintained or Transferred

HIPAA Covered Entities and Business Associates need to consider all sources of risk and liability related to safeguarding sensitive information, whether it is Protected Health Information (PHI) or any other Personally Identifiable Information (PII). Any such information stored, maintained or transferred is at risk. To identify potential liabilities and put an effective risk management plan in place, it is important to ask the following kinds of questions:

Do you have compliance obligations which overlap with HIPAA Privacy, Security and Breach Notification Rules such as Meaningful Use Attestation, or CMS or Insurance Exchange privacy requirements?

Do you handle any “super PHI” (e.g., drug and alcohol addiction, STD, psychotherapy notes) which is subject to even more stringent requirements?

If your company is a publicly traded organization, is the company meeting Securities and Exchange Commission (SEC) requirements?

Could you be liable for enforcement action by the Federal Trade Commission (FTC) for unfair or deceptive practices under Section 5 of the FTC Act?

Is your State Attorney General active in enforcement of state and federal Privacy and Security regulations?

Are you subject to a whistleblower filing a complaint under the False Claim Act?

Have you completed pre-emption analyses for all states / jurisdictions in which you operate?

Are you compliant with all applicable state breach notification laws?

Are you or your colleagues subject to sanctions under professional ethics provisions of your associations or other affiliations?


Technical Dr. Inc.'s insight:

Yikes! Is your practice using HIPAA compliant methods to store patient information? Have you had a HIPAA Risk Assessment done this year? Contact Technical Doctor today to schedule this immediately! Email us at inquiry@technicaldr.com or call 877-910-0004 x300.

The Technical Doctor Team


HIPAA Breach Exposes 42000 In Wisconsin


HIPAA Breach Exposes 42,000 In Wisconsin

By Christine Kern


Unity Health Plans reveals breach of health care records, affects some 42,000 individuals

Healthcare IT News reports Unity Health Plans Insurance Corporation discovered an unencrypted portable computer hard drive containing individual health records was missing from the University of Wisconsin-Madison School of Pharmacy which had this information as part of a benefits program evaluation. As a result, Unity - which serves approximately 140,000 members - “has notified nearly 42,000 of its members that their protected health information may have been compromised following a HIPAA privacy breach.”

In a disclosure notice on Unity’s website, the company issued an apology to its members and an assurance that they are taking proper steps to correct the breach and protect the safety of member information. The missing hard drive did not contain the name, street address, Social Security Number, credit card, banking or financial information of any Unity member.

The press release states, “The information on the hard drive included some protected health information relating to certain prescription drugs. The information on the hard drive was limited to the Unity member number, date of birth, city of residence, name of drug, and date of service, if any. We have identified 41,437 members who may have been affected. We are notifying each of those members by letters mailed January 29, 2014.”

Further, it assured that there is no reason to believe the hard drive was stolen to gain access to member information or that this information has been accessed or misused in any way. To date, only 17 of the more than 80,000 HIPAA breach cases OCR has received since 2003 have resulted in fines.

Just this past December, the five-hospital Riverside Health System in southeast Virginia announced that the PHI of nearly 1,000 patients had been compromised in a privacy breach that continued for four years. From September 2009 through October 2013, a former Riverside employee inappropriately accessed the Social Security numbers and electronic medical records of 919 patients. The breach wasn't discovered until Nov. 1 following a random company audit.


Technical Dr. Inc.'s insight:

Get your practice protected! Call or email Technical Doctor today to learn about our HIPAA Risk Assessments.



- The Technical Doctor Team


North Country Hospital has second breach in 4 months


The Centers for Medicare and Medicaid Services (CMS) issued a regulatory citation to North Country Hospital in Newport, Vermont after two unauthorized employees accessed confidential medical records, according to a report from WCAX.com. The incident was discovered during an unannounced CMS visit in the fall.

Prior to the incident, hospital employees worked on an honor system: upon hire they promise to follow confidentiality policies, and the hospital trusts that its employees will uphold this promise. Now the hospital is using an audit system to monitor patient record compliance and prevent future data breaches. The system is expected to be running by February 15. It is not known if the records viewed were paper or electronic.

While the hospital’s Medicare and Medicaid programs are not affected by the incident, it is unclear if there was any disciplinary action taken against the two employees.

This is not the first patient privacy incident to involve North Country Hospital. In October, former IT employee Christian Cornelius claimed a broken laptop he was repairing contained protected health information (PHI) for 3,000 patients, but the hospital would not return his calls. The hospital claims that Cornelius refused to return the unencrypted laptop.


Paper records stolen from CaroMont employee car | HealthITSecurity.com


Paper records for 191 patients of CaroMont Regional Medical Center were stolen from an employee’s car in Dallas on December 16, according to a report from the Gaston Gazette. The records were part of a census report created by the hospital.

The information was reportedly stolen from the employee’s car during a stop on the way to work, and the employee notified Dallas Police Department. CaroMont spokeswoman Dallas Paddon stated that employees have been known to take patient information out of the medical center, including transport by car, but certain steps are required to protect the information.

The census report was a single, printed document containing patient names, dates of birth, medical record number, and the reason for the hospital visits. In its notification letter, CaroMont advised affected patients to monitor their credit and contact Experian, Trans Union, and Equifax, since financial information may have been at risk, but did not state why.

According to the hospital, the staff member has been disciplined, and staff is being reeducated on patient information disclosure and CaroMont’s Notice of Privacy Practices.

It is unclear why the employee had the report in his or her car.

In August, information from 1,310 patients with CaroMont Medical Group was sent through an unsecured email. Information included names, addresses, phone numbers, dates of birth, dates of service, medical record number, diagnoses, medication, and insurance company names, as well as two patients’ Medicare numbers.


Beware: The top 4 hurdles to a successful EHR implementation | Healthcare IT News


If you were a healthcare provider and all you did was read press releases, you'd be tempted to think that transitioning to a new EHR involved little more than opening the package and plugging in the contents.

Naturally, things are a little more complicated than that, but many providers aren't aware of just how much more complicated the truth really is.

As Michael Gleeson, senior vice president of product strategy for Arcadia Solutions, a Boston-based health IT consulting company, put it recently, "We've found that using technology is really new for a lot of practices."

Given that naiveté, Gleeson said, many practices struggle with performance issues related to their workflows, largely because their care delivery structures aren't always suited to taking advantage of EHRs and they're not clear on the proper steps toward greater efficiency.

As Gleeson sees it, there are four generally unanticipated issues that providers encounter when they transition from paper records to EHRs.

  1. Network issues. "This," said Gleeson, "is one of the most difficult areas." He went on to explain that if a practice uses a hosted EHR, accessing it through the Internet, it could cause delays as the information gets loaded slowly. That, naturally, leads to provider frustration.
  2. Untested upgrades. Upgrades make things better, right? Maybe. The problem, according to Gleeson, is that "the upgrade might come from the vendor, but the customer has customized the original system and the upgrade hasn't been tested within their own (now customized) ecosystem."
  3. Ineffective template design. Templates are a love 'em or hate 'em proposition. On the one hand they allow for data input uniformity, while on the other they often restrict the capacity of providers to make comprehensive notes. On an operational level, Gleeson pointed out, templates are often just plain inefficient, and they offer too many distracting alerts. Providers new to EHRs may not understand how to solve either of those problems.
  4. Genuine application performance issues. Many problems, Gleeson said, stem from how the EHR has been deployed. Again, these aren't plug-and-play systems, a fact which too many providers don't realize until they're knee deep in impediments to productivity. The good news, however, is that systems can be analyzed, with an eye toward determining what modules need to be tweaked or moved to different parts of the system.

While there are few problems that can't be solved post-implementation, Gleeson pointed out that often providers don't realize they have problems to correct until their systems have been in place for some time. In large part, that's because even less than optimally installed EHRs can help with upcoding right away. Consequently, providers who may now be able to bill for services that once fell by the wayside may not realize until later that, in reality, their overall productivity has decreased.

The truth, Gleeson said, is that the problems listed above can lead to up to a 30 percent decrease in productivity.

Technical Dr. Inc.'s insight:

Are you having a similar problem? If you need immediate IT support for your practice, contact a Technical Doctor team member today at inquiry@technicaldr.com for more information.

The Technical Doctor Team


Lost thumb drive leads to $150K fine | Healthcare IT News


An unencrypted USB drive has ended up costing one dermatology practice, which has settled with the Department of Health and Human Services for failing to address HITECH's breach notification provisions.

Adult & Pediatric Dermatology (known as APDerm), which provides dermatology services in Massachusetts and New Hampshire, agreed on a settlement of $150,000 for privacy and security violations, and will be required to put a corrective action plan in place to fix deficiencies in its HIPAA compliance program, according to a notice posted Dec. 26 on the HHS website.

It's the first settlement with a covered entity for not having policies and procedures in place to address the breach notification provisions of the HITECH Act, say officials from HHS' Office for Civil Rights.

OCR launched its investigation of APDerm after being tipped off that an unencrypted thumb drive containing the protected health information of some 2,200 people was stolen from the vehicle of one of its staff members. The drive was never recovered.

The investigation revealed that APDerm had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of PHI as part of its security management process, officials say.

Moreover, APDerm failed to fully comply with the HITECH Breach Notification Rule, which requires organizations to have written policies and procedures in place and to train workforce members.

In addition to the $150,000 resolution amount, APDerm's settlement includes a corrective action plan requiring development of a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities. The practice will also be required to provide an implementation report to OCR.

"As we say in healthcare, an ounce of prevention is worth a pound of cure," said OCR Director Leon Rodriguez, in a press statement. "That is what a good risk management process is all about: identifying and mitigating the risk before a bad thing happens. Covered entities of all sizes need to give priority to securing electronic protected health information."


Technical Dr. Inc.'s insight:

Are you HIPAA Compliant? Technical Doctor offers HIPAA Risk Assessments that help you get, and stay, compliant. Email us at inquiry@technicaldr.com for more information.

- The Technical Doctor Team


Top 5 Tips for HIPAA Compliance | EMR and HIPAA


Manny Jones, health care solution manager at LockPath, recently sent me 5 tips to consider in order to meet HIPAA guidelines. The list addresses some of the following questions: What does the HIPAA Omnibus rule mean for me? How do I know if I’m compliant? Where do I even begin?

This list of 5 tips is a good place to start.

1. Be prepared for more frequent audits and a fine structure based on knowledge – The new tiered approach means organizations can face much higher fines if they’re not in compliance with the rule.

2. Update Notice of Privacy Practice (NPP) – These should explain that individuals will be notified if there is a breach, disclosures around areas that now require authorizations, and more. Once updated, organizations should redistribute to patients and others to ensure they’re aware of changes.

3. Develop new processes – These should address additional restrictions on use or disclosure of protected health information (PHI).

4. Identify assets containing PHI – Once an organization has an inventory of these assets, they can determine where safeguards/breach notification obligations apply.

5. Understand the new definitions – Organizations should understand how “breach” and “business associate” are now defined and how they apply to their organization.

For those wanting to really dig into the details of HIPAA compliance, you’ll want to consider a HIPAA Compliance training course. These are easy online courses for both the HIPAA privacy officer or your staff. As is noted above, more frequent audits and fines are coming.


Technical Dr. Inc.'s insight:

Have you done a HIPAA Risk Assessment yet? We can help you immediately with this! Contact us at inquiry@technicaldr.com today to schedule your assessment with the #1 medical IT support firm!

- The Technical Doctor Team


New HIPAA Compliance Help on the Way


The federal "wall of shame" tally of major health data breaches, and the results of HIPAA compliance audits conducted so far, illustrate that the healthcare sector has a long way to go when it comes to protecting patient privacy and improving information security.

For example, one key problem area has been risk assessments, which many healthcare providers do poorly, if at all, based on the findings of federal audits and breach investigations. Another weak spot has been the use of encryption. Stolen and lost unencrypted computing devices have been the culprit in more than half of major health data breaches in the last four years.

Many covered entities and BAs can certainly use whatever help they can get to improve HIPAA compliance, especially when it comes to risk assessments and mobile device security.

That's why it's good news that federal regulators plan to offer two new guides to help organizations address key security challenges in the weeks to come. I've learned that a tool to help smaller providers conduct a risk analysis, as well as a video on privacy and security issues, will be available soon.

Stricter HIPAA enforcement is coming in the New Year, along with a renewal of HIPAA compliance audits.

So it's more important than ever for healthcare organizations of all sizes, and their business associates, to take advantage of these and other free resources to help bolster their efforts to protect patient privacy and improve information security.

Under the HIPAA Omnibus Rule, business associates are now directly liable for HIPAA compliance, and penalties for each HIPAA violation can go as high as $1.5 million.

The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, will resume its HIPAA compliance audit program next year. The expanded audit program will include business associates for the first time. And it will focus more narrowly on the problem areas that stuck out in the previous OCR audits.

The Office of the National Coordinator for Health IT, another HHS unit, is developing a new tool designed to help smaller physician practices with one of those problem areas: risk assessments.

Conducting a thorough risk assessment is a critical component of any information security program. It's also required under the HIPAA Security Rule as well as the HITECH Act's electronic health record incentive program. To qualify for incentives in Stage 2, hospitals and physician groups must attest to performing a risk analysis that, among other things, addresses the use of encryption for stored patient information.

An ONC spokesman told me: "We are working on a tool for small practices, and we expect this to be released in 2014. We hope that this tool will help providers perform a risk assessment in their practices and help them evaluate the administrative, technical and physical safeguards in their organizations as required under the HIPAA Security Rule."

Meanwhile, OCR and the Centers for Medicare and Medicaid Services are developing a video focused on privacy and security issues tied to the HITECH Act's EHR meaningful use incentive program. "We hope to have this posted before January 2014," an OCR spokeswoman says, declining to elaborate on details.


Technical Dr. Inc.'s insight:

Call Technical Doctor today if you haven't done a HIPAA Risk Assessment yet!

- The Technical Doctor Team


Secure Texting Streamlines Clinical Communication


By Susan Kreimer, contributing editor

A Canadian hospital installs a secure texting solution to facilitate physician paging and to provide more details about consulting cases.

A mobile software application is paving the way for more secure texts among healthcare team members at The Ottawa Hospital, which has 12,000 employees, including 1,200 staff physicians and about 900 residents. The solution (Amcom Mobile Connect) links to the hospital call center’s directory, simplifying the process of locating physicians. According to Margaret Quirie, The Ottawa Hospital’s director of information organization and access, this eliminates wasted time that used to be spent waiting for pages to be placed manually and acknowledged. It’s also more HIPAA-compliant and may reduce the number of devices that a clinician has to carry.

“Now, all pages are tracked, which helps with audits and risk management,” Quirie said. “It also closes the accountability loop. We know that a person received the page.” Confirmation occurs when the recipient presses a thumbs-up button.


25 Tips for Passing a HIPAA Risk Assessment


Title II of the Health Insurance Portability and Accountability Act (HIPAA), known as the “Administrative Simplification Provisions,” requires medical practices to follow a set of national standards for electronic healthcare transactions and assigns national identifiers for providers, health insurance plans, and employers.

A checklist of security features is helpful in preparing for a HIPAA risk assessment.

In addition, the requirements for meaningful use state that a practice must “conduct or review a security risk analysis and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” Thus, to meet the Meaningful Use requirements, practices must conduct periodic risk assessments to prove that they are HIPAA-compliant.

What is a HIPAA risk assessment?
A HIPAA risk analysis is a process that helps ensure that the practice is following these national standards. It involves a thorough look at the practice, in particular the information technology standards. As part of the assessment, someone in the office, typically a physician or the practice manager, should be designated as the HIPAA security officer.

But what does a risk analysis entail, and what must be included in the report? According to the Department of Health and Human Services (HHS) Security Standards Guide, a risk analysis has nine mandatory components. Any healthcare or healthcare-related organization that stores or transmits electronic protected health information (ePHI) must include the following components in their risk analysis document:

  • Scope of the analysis—any potential risks and vulnerabilities to the privacy, availability, and integrity of ePHI
  • Data collection—where data is being stored, received, maintained, or transmitted
  • Potential threats and vulnerabilities—identifies and documents any anticipated threats and vulnerabilities that may lead to an ePHI breach
  • Current security measures—steps being taken to protect data, such as encryption
  • Likelihood of threat occurrence—the probability of potential risks to ePHI
  • Potential impact of threat occurrence—the impact of a data threat, as determined by using either qualitative or quantitative measures
  • Determination of level of risk—the average of the assigned likelihood of occurrence and the potential impact, plus a list of corrective actions that would be performed to mitigate risk
  • Documentation—the written analysis required by HHS
  • Reviews and updates—subsequent risk analyses whenever new technology or changes to business operations are planned or implemented
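The nine components above read as a document outline, but they map directly onto a small risk register. The following is an added example, not code from the article or from HHS: it records each risk with its asset, threat, current controls, likelihood, impact and corrective action, computes the risk level as the average of likelihood and impact exactly as the article describes, and assembles the dated documentation with a review trigger. The 1 to 5 scoring scale, the Low/Medium/High bands and the three sample risks are all constructed for illustration.

```python
"""Added example (not from the article or HHS): a minimal ePHI risk register
shaped by the nine components above. Scales, bands and sample risks are
constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Risk:
    asset: str              # data collection: where ePHI is stored, received or transmitted
    threat: str             # anticipated threat or vulnerability
    current_controls: str   # security measures already in place
    likelihood: int         # 1 (rare) .. 5 (almost certain); constructed scale
    impact: int             # 1 (negligible) .. 5 (severe); constructed scale
    corrective_action: str  # mitigation to be performed

    def __post_init__(self):
        # Reject scores outside the documented scale so the register stays consistent.
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def level(self) -> float:
        # The article defines the risk level as the average of likelihood and impact.
        return (self.likelihood + self.impact) / 2


def rating(level: float) -> str:
    """Map a numeric level to a band. The thresholds are constructed; record
    whatever bands you choose in the written analysis."""
    if level >= 4.0:
        return "High"
    if level >= 2.5:
        return "Medium"
    return "Low"


# Constructed sample entries for a small practice.
SAMPLE_RISKS = [
    Risk("Clinician laptop with cached visit notes", "Loss or theft of an unencrypted device",
         "Password login only", 4, 5, "Enable full-disk encryption; enforce screen lock"),
    Risk("Practice file server holding billing exports", "Server room accessible to non-staff",
         "Locked cabinet, no entry log", 2, 4, "Restrict room access; keep an entry log"),
    Risk("Front-desk fax of referral records", "Misdialled fax delivers PHI to the wrong party",
         "Confidentiality cover sheet", 3, 3, "Use pre-programmed numbers; confirm by phone"),
]


def build_risk_register(scope: str, risks, analyst: str, as_of: date) -> dict:
    """Assemble the documentation component: scope, dated entries ordered by
    risk level (highest first), and the trigger for the next review."""
    ordered = sorted(risks, key=lambda r: r.level, reverse=True)
    return {
        "scope": scope,
        "analyst": analyst,
        "as_of": as_of.isoformat(),
        "entries": [
            {
                "asset": r.asset,
                "threat": r.threat,
                "current_controls": r.current_controls,
                "likelihood": r.likelihood,
                "impact": r.impact,
                "level": r.level,
                "rating": rating(r.level),
                "corrective_action": r.corrective_action,
            }
            for r in ordered
        ],
        "review_trigger": "new technology or change in business operations",
    }


def open_items(register: dict, minimum: str = "Medium") -> list:
    """Corrective actions still owed at or above a given band."""
    order = {"Low": 0, "Medium": 1, "High": 2}
    return [e["corrective_action"] for e in register["entries"]
            if order[e["rating"]] >= order[minimum]]


def sample_register() -> dict:
    """The constructed sample register, dated to the article's period."""
    return build_risk_register("ePHI on practice workstations, file server and portable devices",
                               SAMPLE_RISKS, "Practice security officer", date(2014, 3, 1))


if __name__ == "__main__":
    for e in sample_register()["entries"]:
        print(f'{e["rating"]:6} {e["level"]:.1f}  {e["asset"]}: {e["corrective_action"]}')
```

The averaging rule is kept because it is what the article states; other frameworks (NIST SP 800-30, for instance) rank risks with a likelihood by impact matrix instead, and swapping the `level` property is the only change needed to adopt one. Whichever rule is used, the scale, the bands and the rule itself belong in the written analysis so a reviewer can reproduce the ranking.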

Although many practices may be able to conduct a risk assessment without using an outside vendor, others may decide that an outside vendor can be more objective and efficient. Asking other practices how they approached the project, searching the Internet, and checking with the practice’s current IT vendor are ways a practice can find companies that specialize in conducting risk assessments.

Any vendor selected should provide a certificate that states the practice has had a HIPAA risk assessment. If the assessment is completed by practice physicians and staff, it is important to document each activity in the process.

25 tips
The following list will help you prepare for a risk assessment (and the tips are also good habits to form):

  1. Always follow HIPAA guidelines and rules.
  2. Keep all paper medical records under lock and key and make sure only authorized personnel have access to them.
  3. Ensure that any paper records that are past their required storage date or have been digitized and are no longer needed are properly destroyed.
  4. Install antivirus and firewall software on all personal computers, laptops, tablets, and the practice’s internal network. If possible, the internal network should have only limited Internet access.
  5. Make sure that computer screens do not face the reception room or any direction within view of unauthorized personnel. In addition, be sure that password locks are used when staff step away from their computers.
  6. Train staff to always log out of the electronic health record system when they leave the computer.
  7. Do not use social security numbers as unique patient identifiers.
  8. Because patients have the right to revoke access to any health information network the practice is part of, be sure that proper written consent is obtained before any information is shared.
  9. Require that passwords be changed on a regular basis. Ensure that passwords are not exchanged, written down, or posted in places where others can see them.
  10. Keep portable hardware containing data secure and locked away when not in use.
  11. Keep all hardware—including servers—in a clean environment, with minimal or no access by unauthorized personnel.
  12. Train all staff members on data security policies and procedures. Make sure everyone in the practice understands and observes the policies and procedures for protecting patient health information.
  13. Ensure that staffing policies and procedures are up to date. If an employee leaves the practice, change his or her user status to inactive on the last day of employment.
  14. Review audit trails on a regular and periodic basis to identify potential system abuse or misuse.
  15. Have a disaster recovery procedure.
  16. Make sure data are backed up every day.
  17. Ensure that any computer that stores patient data is encrypted.
  18. Keep a list of the practice’s third-party vendors and ensure that they all sign a Business Associates Agreement stating that they won’t disclose any practice information.
  19. Designate a staff member to be a “security officer,” who is in charge of making sure the practice is HIPAA-compliant.
  20. Provide all employees with badges or another form of identification that proves they work for the practice.
  21. Train the staff on proper Internet use, including avoiding the use of the practice’s computers for personal business.
  22. Do not include any information that can identify a person as a patient in records that are not part of the EHR system.
  23. Do not allow flash drives or any external data device used in the practice to be removed from the practice or used on computers that are not owned by the practice.
  24. Notify the security officer immediately if a computer shows signs of being infected.
  25. Never put flash drives or external media found on the ground into a practice’s computer.
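Tips 13 and 14 are the two on the list that an auditor will expect to see evidence for, and both can be checked from the EHR audit trail. The following is an added example and not the article's own code: it parses a few constructed audit lines, checks every event against a constructed staff roster, and reports access by a user after their last day of employment (tip 13), access by a username not on the roster, after-hours access by non-clinical roles, and a single user viewing an unusual number of distinct patients in one day (tip 14). The log line format, usernames, patient IDs, business hours and the bulk-view threshold are all assumptions made for the example.

```python
"""Added example (not the article's own code): an audit-trail review that
puts tips 13 and 14 above into practice. The log format, roster, users,
patient IDs and thresholds are all constructed for illustration."""
import re
from collections import defaultdict
from datetime import date, datetime, time

# Constructed staff roster: username -> (role, last day of employment or None if active).
ROSTER = {
    "drsmith": ("physician", None),
    "jdoe": ("front_desk", date(2014, 2, 28)),  # left the practice; account should be inactive
    "mlee": ("billing", None),
}

# Constructed EHR audit lines in the format this example's parser expects.
AUDIT_LOG = """\
2014-03-03T09:14:05 user=drsmith action=VIEW patient=PT-1042 ip=10.0.1.23
2014-03-03T22:40:11 user=mlee action=VIEW patient=PT-2001 ip=10.0.1.40
2014-03-03T22:41:02 user=mlee action=VIEW patient=PT-2002 ip=10.0.1.40
2014-03-03T22:41:50 user=mlee action=VIEW patient=PT-2003 ip=10.0.1.40
2014-03-03T22:42:31 user=mlee action=VIEW patient=PT-2004 ip=10.0.1.40
2014-03-03T22:43:07 user=mlee action=VIEW patient=PT-2005 ip=10.0.1.40
2014-03-03T22:44:19 user=mlee action=VIEW patient=PT-2006 ip=10.0.1.40
2014-03-04T10:02:17 user=jdoe action=VIEW patient=PT-1042 ip=10.0.1.31
2014-03-04T11:30:00 user=temp1 action=VIEW patient=PT-1050 ip=10.0.1.77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+) ip=(?P<ip>\S+)$"
)
BUSINESS_HOURS = (time(7, 0), time(19, 0))   # constructed; set to the practice's hours
NON_CLINICAL_ROLES = {"front_desk", "billing"}
BULK_VIEW_THRESHOLD = 5                      # distinct patients per user per day; constructed


def parse_audit_log(text: str) -> list:
    """Turn the raw audit lines into event dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def review_audit_trail(text: str, roster: dict, threshold: int = BULK_VIEW_THRESHOLD) -> list:
    """Return review findings; per-event rules first, then per-user-per-day rules."""
    findings = []
    after_hours = defaultdict(int)     # (user, day) -> events outside business hours
    patients_seen = defaultdict(set)   # (user, day) -> distinct patients viewed
    for ev in parse_audit_log(text):
        user, ts = ev["user"], ev["ts"]
        day = ts.date()
        if user not in roster:
            findings.append({"rule": "unknown_user", "user": user,
                             "detail": f"{ts.isoformat()} patient={ev['patient']}"})
            continue
        role, last_day = roster[user]
        if last_day is not None and day > last_day:
            findings.append({"rule": "access_after_termination", "user": user,
                             "detail": f"{ts.isoformat()} patient={ev['patient']} (last day {last_day})"})
        if role in NON_CLINICAL_ROLES and not (BUSINESS_HOURS[0] <= ts.time() < BUSINESS_HOURS[1]):
            after_hours[(user, day)] += 1
        patients_seen[(user, day)].add(ev["patient"])
    for (user, day), n in sorted(after_hours.items()):
        findings.append({"rule": "after_hours_access", "user": user,
                         "detail": f"{day}: {n} events outside business hours"})
    for (user, day), pts in sorted(patients_seen.items()):
        if len(pts) >= threshold:
            findings.append({"rule": "bulk_patient_access", "user": user,
                             "detail": f"{day}: {len(pts)} distinct patients viewed"})
    return findings


if __name__ == "__main__":
    for f in review_audit_trail(AUDIT_LOG, ROSTER):
        print(f'{f["rule"]:24} {f["user"]:8} {f["detail"]}')
```

The roster is the piece that makes tip 13 checkable: if the last day of employment is recorded somewhere the review can read it, any event after that date is a finding regardless of whether the account was actually disabled. The thresholds are deliberately simple; a practice should tune them to its own hours and workload and keep the tuned values with the rest of its documented procedures.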

Dave Kunz is vice president, sales, for Technical Doctor, Inc., Arlington Heights, Ill., a healthcare IT company that specializes in HIPAA-compliant solutions. For more information, visit www.technicaldr.com

March 2014 Issue

Group slapped with $6.8M HIPAA fine | Healthcare IT News

Federal HIPAA violation penalties may be capped at $1.5 million per incident per year, but there are also state and regional fines for those disregarding privacy and security laws.


Case in point: Triple-S Management Corp., a San Juan-based insurance holding company, which was recently slapped with $6.8 million in penalties for improperly handling the medical records of some 70,000 individuals, according to HHS data and a Caribbean Business report.


Triple-S reportedly mailed letters to its Medicare Advantage patients with the Medicare numbers visible from the outside.


Puerto Rico's Health Insurance Administration slapped the company with the fines, based on a breach that occurred in September of last year. This is the second big HIPAA breach for Triple-S, which currently handles the benefits for some 2.2 million people, according to HHS data.


Federal HIPAA rules require HIPAA-covered entities and business associates to provide breach notification to affected individuals no more than 60 days after discovering the breach.


As far as federal investigations underway, HHS spokesperson Rachel Seeger told Healthcare IT News the investigations involving the breaches at Triple-S Salud are still open and under investigation. "We cannot comment further on the status of these cases at this time," she said.


"The (Puerto Rico Health Insurance Administration) in its obligation to ensure the privacy and integrity of your protected health information reiterates its commitment to comply with its affiliates to prevent situations like this from recurring in the future," read a notice on Puerto Rico's Health Insurance Administration website.


Puerto Rico HIPAA-covered entities and business associates have been responsible for breaching the medical records of nearly 699,000 individuals since 2008.


Nationwide, some 29.3 million individuals have been affected by a HIPAA privacy or security breach.


Technical Dr. Inc.'s insight:

Is your practice HIPAA Compliant?  Have a risk assessment done today by Technical Doctor to find out.  Contact inquiry@technicaldr.com for more information.  

- The Technical Doctor Team

University of Miami Health System loses patient records | HealthITSecurity.com

The University of Miami Health System (UHealth) has lost patient records containing protected health information (PHI), according to a report by Miami New Times. The Health System, which is one of Southern Florida’s largest health providers, learned of the missing records on June 27, 2013, but has only recently begun to notify patients.

While UHealth has not disclosed the number of missing records, it has announced that the files contained patient names, dates of birth, physician’s name, insurance company name, medical record name, visited facility, visit number, procedures, diagnostic codes, and Social Security numbers. The records were described as billing vouchers, and medical records were not believed to be at risk.

In June, the Department of Otolaryngology contacted an off-site storage vendor to locate the records, but the vendor was unable to do so. After searching for the records, the health system confirmed on August 28, 2013 that the files were lost. Affected patients were notified this week.

UHealth has not received any reports of misused information, but they are offering affected patients credit monitoring services. However, considering the fact that patients are only being notified of the event over six months later, it is unlikely that affected patients would have connected any potential fraud to the hospital prior to notification.

According to UHealth’s statement, it will report the incident to the Department of Health and Human Services (HHS):

"At the University of Miami Health System, we take the privacy and security of our patients’ information very seriously. We continue to review and refine our physical and electronic safeguards to enhance protection of all patient data. We are committed to protecting all information entrusted to us, and pursuant to the Federal HITECH Breach Notification Rule, we will report this incident to the U.S. Department of Health and Human Services."

Top 10 Myths of Security Risk Analysis | Providers & Professionals | HealthIT.gov

As with any new program or regulation, there may be misinformation making the rounds. The following is a top 10 list distinguishing fact from fiction.

1. The security risk analysis is optional for small providers.

  • False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

2. Simply installing a certified EHR fulfills the security risk analysis MU requirement.

  • False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.

3. My EHR vendor took care of everything I need to do about privacy and security.

  • False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.

4. I have to outsource the security risk analysis.

  • False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.

5. A checklist will suffice for the risk analysis requirement.

  • False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.

6. There is a specific risk analysis method that I must follow.

  • False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.

7. My security risk analysis only needs to look at my EHR.

  • False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.

8. I only need to do a risk analysis once.

  • False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections. For more on reassessing your security practices, please see Reassessing Your Security Practices in a Health IT Environment.

9. Before I attest for an EHR incentive program, I must fully mitigate all risks.

  • False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.

10. Each year, I’ll have to completely redo my security risk analysis.

  • False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For EPs, the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.


Technical Dr. Inc.'s insight:

Have you had a Risk Analysis done yet?  As a required item for Meaningful Use, it is important to get this taken care of immediately.  Contact us at inquiry@technicaldr.com today to get your risk analysis scheduled!

- The Technical Doctor Team

How a stolen USB memory stick led to $150k HIPAA settlement for a small practice

As we start 2014, HIPAA compliance remains an important and ongoing concern for dental practices large and small. Last year was an active one for publicized security breaches and, despite frequent admonitions from the gurus, all signs point to more HIPAA news for the coming year.

Many security breaches happened as a result of relatively mundane situations made worse by a lack of properly implemented security controls. One common culprit is encryption (or more precisely, lack thereof), which remains an under-implemented safeguard no matter an organization’s size or sophistication. This is especially true for portable devices such as USB memory sticks, external hard drives, smartphones, tablets, and others.

Case in point: In late 2011, a small dermatology practice based in Massachusetts notified the Department of Health and Human Services (HHS) following the theft of an unencrypted USB memory drive containing electronic protected health information (ePHI) of about 2,200 individuals.

Though there is no evidence that the ePHI contained on the USB device was accessed or disclosed by an unauthorized person, HHS announced at the end of 2013 a $150,000 settlement with the practice for alleged HIPAA violations discovered during an investigation following the reported breach. The proposed settlement also included an aggressive corrective action plan (CAP) to bring the practice into compliance.

Unfortunately for the practice, the investigation following the breach uncovered additional alleged HIPAA violations, and these findings ultimately led to the costly settlement.

Did you notice how things escalated when this incident came to the regulators’ attention? HIPAA breaches are like that. It reminds us to make the investment in time and resources. Whether it’s portable storage devices, copier machines, or laptops, nothing is immaterial when it comes to safeguarding sensitive patient data.


What can your organization do to avoid a similar outcome?

• Conduct a review of the types of portable devices (USB drives, external hard drives, laptops, tablets, smartphones) you use to store PHI. Are these devices properly encrypted? If not, are the files encrypted?

• Ensure documented policies and procedures are in place, being followed, and reflect actual practices.

• Make sure to regularly train your workforce on all relevant HIPAA compliance topics.

• Regularly review your organization’s portable devices to ensure encryption is installed and operational.

• Complete a thorough, bona fide risk analysis of all mobile devices to ensure that all threats, vulnerabilities, and controls have been considered.

Technical Dr. Inc.'s insight:

HIPAA Compliance is no joking matter.  If you haven't had a HIPAA Risk Assessment done on your practice, contact Technical Doctor today to get that scheduled.  You can reach us at inquiry@technicaldr.com or 877-910-0004.

-The Technical Doctor Team

Of Meaningful Use – I wouldn’t remove anything! | EMR and HIPAA

The following is a guest blog post by Joel Kanick in response to the question I posed in my “State of the Meaningful Use” call to action.

If MU were gone (i.e., no more EHR incentive money or penalties), which parts of MU would you remove from your EHR immediately and which parts would you keep?

Joel Kanick
President and CEO of Kanick And Company and Lead Developer and Chief Architect of interfaceMD

In fact, the pursuit of Meaningful Use (MU) certification has given our company many new ideas that allowed us to go above and beyond the bar MU already set.

Initially, doctors bought into EMRs for the financial incentive. Now that they are educated consumers, they want everything that was promised to them to work for them. Doctors have learned that EMRs are only one small part of the Healthcare Information Technology (HIT) puzzle. They need help putting the rest of the puzzle together.

No one is complaining about MU regarding the direction it is taking healthcare or HIT industries.

Any complaining that comes from a vendor is usually because their technology is outdated and behind the technology curve. They are angry because MU is calling them out. So, shame on vendors for becoming rich, fat and lazy, and not keeping up with current technology.

Of the complaints I hear from providers, there are two scenarios:

First scenario: the providers who resent the government telling them how to practice medicine. However, upon deeper review, these providers already ask for and track most of these data points. They just don’t like the way it has been required and thus crammed into their current systems. I understand their anger; they were not consulted as to how to fit all this into their workflow, and so it is cumbersome to use.

Second scenario: the provider’s office is still using fax machines, some required by their EMR vendor. They are still dictating (PCs, iPhone apps, phone recorders) all their exam data and still relying on paper charts. In practices of all sizes, providers complain about MU because they don’t want to change how they operate their business. After all, they have been doing it this way for many years, successfully. They complain about this change because they fear the unknown.

They are doctors; highly skilled and highly educated in medicine but not in business or technology. I see so many doctors closing their privately held medical practices to join a group practice or a hospital setting. Most will freely admit that it’s because they don’t want to address the fear and go through the anticipated pain of migrating to a paperless environment. They don’t know how to choose or maintain the system, with or without MU.

What I know MU is positively doing:

  • Setting a standard language (i.e., XML)
  • Setting a standard format (i.e., HL7)
  • Setting a secure communication channel (i.e., Direct Protocol)
  • Requiring patient portals to potentially aid in convenience to the patient and lower the workload on office staff
  • Creating a standard method to share data electronically (i.e., CCDA)
  • Demanding security and encryption and planning for emergency scenarios
  • Utilizing eRx to reduce fraud, abuse and increase safety in drugs that are prescribed
  • Reducing paperwork (e.g., lab requests), speeding-up information delivery (e.g., lab results electronically instead of by paper delivery)
  • Promoting communication to educate patients
  • Demanding reconciliation of data when exchanged between two organizations to make certain correct information is gained

Selfishly, from my point of view, the largest complaint regarding MU2 is that it requires all pertinent health information be exported and imported in a standard format allowing providers to easily change EMR vendors. This MU requirement should scare some EMR vendors!

Effectually, MU is pushing change and as a result it is getting a bad rap.

Yahoo Confirms Hackers Swiped Yahoo Mail Users' Passwords

Yahoo certainly had some fun kicking Gmail while it was down last week—a particularly bold move considering its own recent share of missteps. But in a bit of an uncomfortable karmic twist (at least from Yahoo's point of view), the company has taken to Tumblr to acknowledge a recent mass of security attacks with the vaguest details possible.

Based on the announcement, while attacks on Yahoo Mail accounts are becoming a "regular occurrence," it's the most recent (and presumably largest) security breach that's prompted Yahoo to take action. According to the update:

"Recently, we identified a coordinated effort to gain unauthorized access to Yahoo Mail accounts. Upon discovery, we took immediate action to protect our users, prompting them to reset passwords on impacted accounts."

Yahoo claims that all of the usernames and passwords that may have been compromised came from some "third-party database" and that it "has no evidence that they were obtained directly from Yahoo's systems." By lifting the usernames and passwords from Yahoo Mail users, the attackers were apparently looking to acquire the names and email addresses of the affected accounts' most recent sent messages.

If your account was in fact one of the ones affected, Yahoo should be automatically resetting your password, and you'll be prompted to change it the next time you log in. Yahoo will also be taking unspecified "additional measures." Comforting. [Yahoo]

TD Sync - Benefits of using our cloud solution!

Universal file access; sync across stationary and mobile devices

What this means for your clients:

“No more dependency on FTPs, VPNs, or file servers. This cloud software allows you to access your files at home, in the office or on any mobile device, including iOS and Android devices. Because files are uploaded to ‘the cloud’ there are no large file-sharing issues.”


448-bit Blowfish encryption on-device and in-transit

What this means for your clients:

“Consumer cloud products -- Dropbox, Box, Google Drive, Microsoft SkyDrive and SugarSync -- were built to protect insensitive documents, and some of those documents aren’t securely transferring across devices. TD Sync has the highest level of security for any cloud platform, ensuring that your sensitive documents (contracts, designs, client history) are safe from hacking and breaches. Note: some consumer products, like Google Drive, do not encrypt your data at all.”


Private encryption key management

What this means for your clients:

“Consumer cloud products -- Dropbox, Box, Google Drive, Microsoft SkyDrive and SugarSync -- are hosted publicly, meaning that everyone shares the same encryption key; when that encryption key is compromised, your businesses’ documents, your clients’ documents, and your personal documents will be vulnerable. This happened with Dropbox in August, 2012, when users had their logins and passwords stolen. With TD Sync, you’ll have an encryption key that is exclusive to your business and documents, and not shared with anyone. You won’t have to worry about data loss.”


Remote wipes of endpoints and mobile devices

What this means for your clients:

“Access to business documents is a privilege. With the FTP, VPN and file server, it is difficult to revoke the access that employees have. TD Sync allows you to perform remote wipes of desktops for clients, former employees and rogue employees. This is complete control that businesses really need. Additionally, when an employee leaves, all files are auto deleted.”


Custom deleted file retention periods

What this means for your clients:

“Consumer cloud products perform file trimming -- that means that your deleted files are preserved for a very limited amount of time. If an employee (accidentally) deletes a file, it will be gone in a matter of weeks, or even days. With TD Sync you can conveniently extend or shorten the deleted file retention periods, so that you will never lose a file again.”


Granular user-access and security controls

What this means for your clients:

“Each business has an organizational structure. TD Sync allows you to set policies for individuals within your company, including which employees can share files, can delete files and revisions, access certain files, and what types of files they can upload. This administrative feature allows companies to provide certain employees with unique privileges.”


Revised file backup

What this means for your clients:

“One of the biggest problems with VPNs, FTPs and file servers is the fear of file revision: when employees change/edit and upload a file, that file is permanently changed. Previous drafts and revisions are lost, permanently. TD Sync stores file revisions which allow your employees to collaborate without worry.”


Managed file sharing for internal/external parties

What this means for your clients:

“You can share files with external parties through TD Sync and through unique web addresses. However, TD Sync also allows you to monitor the files you shared within the company and externally. For example, you can see how many times the file has been downloaded, and set file expirations. Both of these features protect the propriety of your documents.”


Multiple folder backup (Documents, Desktop, Pictures, etc.)

What this means for your clients:

TD Sync is customized for business needs, which means you’ll be able to sync all different file types. But because it’s tedious to sync and backup file-by-file, with TD Sync you’ll be able to backup entire folders and the files within them.

Technical Dr. Inc.'s insight:

For our solution information contact us here

Rachel Roberson's comment, October 4, 2016 3:18 AM
Google Drive, formerly Google Docs, is a file storage and synchronization service created by Google. It is a safe place for all your files and puts them within reach from any device. Google Drive includes Google Docs, Google Sheets, Google Slides, Google Drawings and more.
To access and manage your files in Gdrive, you have to sign in to your Google Account. This tutorial shows you how to log into Google Drive.
Rachel Roberson's comment, October 4, 2016 3:18 AM
It’s not easy to truly become an expert-level user of Google Drive, though. There are a ton of keyboard shortcuts and features that are tough to master. These little-known features and shortcuts are actually going to save you a boatload of time, though.

Running Windows XP means you are non-compliant and open to liability

On April 8, 2014, Microsoft will not release any security patches for Windows XP, which will effectively make it non-compliant with HIPAA / HITECH.

By Jeffrey Brady

Technology Pros in the healthcare industry may want to get a head start on their spring cleaning. Microsoft extended support for Windows XP ends on April 8, 2014. After this date, Microsoft will not release any security patches or updates for Windows XP. This will effectively make Windows XP non-compliant with HIPAA / HITECH after Microsoft support ends.

Goodbye XP

Windows XP was released August 24, 2001 and has been widely deployed in homes and corporate environments alike. In the Healthcare arena, XP may be found on workstations used by clinical staff, CT machines, and other critical medical devices.


Most of these devices are connected to the network to connect to EHR/EMR systems, so simply disconnecting them is not an option. In addition, many of these devices are running old and proprietary applications that may not run on a newer operating system such as Windows 7 or 8.


What can an IT pro do when faced with this dilemma? In an ideal world your systems would already be off XP or you would be well into a migration effort. However, some of us have inherited this problem and must find a solution that not only addresses this problem, but also does so in a cost effective manner. Ideally, you will even have the opportunity to make technical improvements in your infrastructure, enhance security and manageability of your systems, and provide your clinical staff with a more efficient computing environment.


Evaluate your current situation

Getting your vendors involved is very important at this stage. You will want to find out about how to move to newer versions of their software which are compatible with Windows 7 or beyond. If you have current maintenance you may just need to download their newest software and apply your testing process. If you are not in maintenance, you may face pricey upgrades to move to their new platform.


Another option may be to run the application on a terminal server and have your clients access the application via a remote desktop connection.


Lastly, you will also want to do an assessment of your medical devices to see which of these systems may be impacted by the Windows XP "sunset".

Your next steps are to evaluate your current workstations. Do they have the resources to run a newer version of Windows? If so, you can exercise your volume licensing upgrade options, or purchase the proper licensing to upgrade your environment. A more likely scenario would be that you have old workstations that are overdue for replacement anyway, in which case upgrading would not be practical.


You can look at simply replacing your desktops with new shiny boxes and work on your migration plan for applications and user data. Another option you may strongly consider is implementing a VDI (virtual desktop infrastructure).



Virtualization has been hugely successful in the server arena. This technology runs a hypervisor on top of the hardware, which allows multiple copies of an operating system to share the hardware's resources. In most applications, there is no penalty for running multiple servers on the same hardware if your environment is planned correctly.


One can do the same using VDI. You can run fifty, maybe even one hundred, desktops on one physical server. These desktops share the fast CPU, memory, and storage of the physical server to give the end user a high-performance computing environment. You can repurpose your existing desktops to connect to your VDI setup, or you can deploy thin clients to your endpoints.


VDI will also provide your staff with centralized management and control of your desktops. This will help your lean staff manage and maintain your environment effectively.


Bottom line

Now is the time to take action. Start working on your strategy for moving your computers and medical devices off Windows XP. Size up your vendor support for upgrading to a newer OS, get an inventory of your impacted devices, and evaluate how you will update your endpoints. Moving to a newer operating system will help you provide a more secure environment in your facility and ensure compliance with HIPAA / HITECH.
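The inventory and triage step described above, worked through as an added example (this is not code from the article or its author): a small Go program that reads an asset inventory and maps each Windows XP host to one of the remediation paths the article lists, using the same order of questions the article walks through (vendor support, then hardware, then endpoint strategy). The CSV columns and the sample rows are constructed for this example and are assumptions, not a format any tool defines.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"sort"
	"strings"
)

// Constructed sample inventory (not real hosts). The column names are
// assumptions made for this example, not a format the article defines.
const sampleInventory = `host,os,device_type,vendor_has_win7_version,hardware_meets_win7,ehr_connected
reg-ws-01,Windows XP SP3,workstation,yes,yes,yes
lab-analyzer-02,Windows XP Embedded,medical_device,no,no,yes
front-desk-03,Windows 7,workstation,yes,yes,yes
radiology-ws-04,Windows XP SP3,workstation,yes,no,yes
kiosk-05,Windows XP SP2,workstation,no,yes,no
`

// Finding is the triage result for one affected host.
type Finding struct {
	Host     string
	Priority int    // 1 = EHR-connected, address first; 2 = everything else
	Action   string // remediation path, drawn from the options the article lists
}

// isWindowsXP matches any XP edition, including the XP Embedded builds found on devices.
func isWindowsXP(osName string) bool {
	return strings.HasPrefix(strings.ToLower(strings.TrimSpace(osName)), "windows xp")
}

// triageHost applies the article's order of questions: does the vendor have a
// Windows 7-compatible release, can the hardware run it, and if not, which
// endpoint strategy (replace, VDI/thin client, or terminal server) applies?
func triageHost(deviceType string, vendorUpgrade, hwOK, ehrConnected bool) (int, string) {
	priority := 2
	if ehrConnected {
		priority = 1 // reaches EHR/EMR data over the network, so it cannot simply be unplugged
	}
	switch {
	case deviceType == "medical_device":
		return priority, "assess with the device vendor for a supported OS; plan upgrade or replacement"
	case vendorUpgrade && hwOK:
		return priority, "upgrade OS in place (volume licensing) and install the vendor's Windows 7 release"
	case vendorUpgrade && !hwOK:
		return priority, "replace the workstation or move the user to VDI/thin client, then upgrade the application"
	default:
		// No newer vendor release: keep the legacy application off the endpoint entirely.
		return priority, "publish the legacy application from a terminal server over RDP and retire the XP endpoint"
	}
}

// Triage parses the CSV inventory and returns findings for XP hosts, highest priority first.
func Triage(csvText string) ([]Finding, error) {
	rows, err := csv.NewReader(strings.NewReader(csvText)).ReadAll()
	if err != nil {
		return nil, err
	}
	if len(rows) < 2 {
		return nil, fmt.Errorf("inventory has no data rows")
	}
	col := map[string]int{}
	for i, name := range rows[0] {
		col[strings.TrimSpace(name)] = i
	}
	for _, c := range []string{"host", "os", "device_type", "vendor_has_win7_version", "hardware_meets_win7", "ehr_connected"} {
		if _, ok := col[c]; !ok {
			return nil, fmt.Errorf("inventory is missing column %q", c)
		}
	}
	yes := func(row []string, c string) bool {
		return strings.EqualFold(strings.TrimSpace(row[col[c]]), "yes")
	}
	var findings []Finding
	for _, row := range rows[1:] {
		if !isWindowsXP(row[col["os"]]) {
			continue
		}
		p, action := triageHost(row[col["device_type"]],
			yes(row, "vendor_has_win7_version"), yes(row, "hardware_meets_win7"), yes(row, "ehr_connected"))
		findings = append(findings, Finding{Host: row[col["host"]], Priority: p, Action: action})
	}
	sort.SliceStable(findings, func(i, j int) bool { return findings[i].Priority < findings[j].Priority })
	return findings, nil
}

func main() {
	findings, err := Triage(sampleInventory)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("P%d %-16s %s\n", f.Priority, f.Host, f.Action)
	}
}
```

Run it against your own export with the same columns and the output is the start of the migration plan: every EHR-connected XP host surfaces first, and each line names which of the article's options (vendor upgrade, in-place OS upgrade, replacement, VDI, or terminal server) fits that host.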

Technical Dr. Inc.'s insight:

Are you keeping up with HIPAA Compliance standards? Technical Doctor team members are experts in this field! Put the #1 medical IT support firm to work for you today! Contact us at inquiry@technicaldr.com to learn more.

- The Technical Doctor Team


Six 2014 Healthcare IT, EMR, and HIPAA Predictions | EMR and HIPAA


Let’s take a bold, but realistic look at what we can expect in 2014 when it comes to healthcare IT, EMR and HIPAA. It will be fun to look back at the end of 2014 to see if I’m right. Hopefully you’ll add your 2014 predictions in the comments.

HIPAA Omnibus Poster Children – In 2014, I think we’re going to see a few companies have major issues with HIPAA Omnibus. Those examples will be widely reported and be the “poster children” for violating HIPAA Omnibus. I’ll go further in my prediction to say that a couple of them will be companies who are business associates who didn’t comply with HIPAA. In fact, I won’t be surprised if one of those poster children isn’t a really large corporation who didn’t realize that they were a business associate and required to comply with HIPAA. Plus, we’re going to see some major HIPAA violation related to SMS messages.

Direct Project Takes Off – With many getting set for meaningful use stage 2, watch for 2014 to be the breakout year for Direct Project. Direct project won’t surpass the fax machine for sharing medical records in healthcare, but many doctors will start asking for someone’s direct address as opposed to fax number. Doctors will finally start being able to know the answer to that question.

EHR Adoption Increases – Meaningful Use Participation Falls Off a Cliff (ambulatory, not acute) – This seems to be a contradiction, but I know many doctors who happily use an EHR and have no desire to touch meaningful use with a long stick. As the meaningful use money goes down and the requirements ramp up, many doctors are going to eschew meaningful use, but continue meaningfully using their EHR the way they think is right. EHR is here to stay, but meaningful use is going to take a big hit.

Wearable Tech Finds Its Place in Hospitals – In 2014, Google Glass will finally be put out as an official product. I believe it will be considered a failure as a consumer product in 2014 (give it until 2016 to be a great consumer device), but it will find some amazing uses in healthcare. Kyle Samani talks about some of his thoughts in this video, but I think we’ll discover many more. A PA and dentist friend of mine were some of the most interesting demos I’ve done with Google Glass. Of course, other competitors to Google Glass will come out as well. It will be fun to see which one of those wins.

ICD-10 Will Drive Many Organizations Towards Bankruptcy – Many underestimate the impact that ICD-10 will have on organizations. If it doesn’t send many to bankruptcy it will certainly cause cash flow issues for many. This is going to happen and many organizations are planning for it. We’ll see how well they prepare. Overpriced EHR software won’t be helping those that head towards bankruptcy either. Combine the two forces and some organizations are going to suffer this year.

EHR Vendors Will Start Dropping Like Flies – As I’ve said many times before, we won’t see the EHR consolidation that many are talking about (i.e., 5 EHR vendors). However, we will start to see major EHR vendor fall out in 2014. Most of the press releases will spin it as a win for the company and the end users, but there are going to be a lot of unhappy EHR users when these companies start folding up shop through acquisition or otherwise.

Technical Dr. Inc.'s insight:

Don't be a statistic! Technical Doctor can help your practice with HIPAA Compliance and EMR selection. Contact us at inquiry@technicaldr.com to learn more!

- The Technical Doctor Team


Healthcare - Achieving HIPAA and HITECH compliance

Healthcare - HIPAA/HITECH

"The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules."
Department of Health and Human Services (www.HHS.gov)

Information technology is radically transforming the healthcare industry. Electronic health records (EHR) now enable greater access to patient records and facilitate sharing of information among providers, payers and patients themselves. But with broader access, more centralized data storage, and confidential information sent over networks, there is an increased risk of privacy breach through data leakage, theft, loss, or cyber-attack.

The Federal government, specifically the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) and the Centers for Medicare and Medicaid Services (CMS), addressed the new security challenges in the HITECH Act, the HIPAA Omnibus Rule, and the EHR Meaningful Use Incentive Program. The Omnibus Rule extends existing HIPAA regulations and strengthens enforcement provisions, including increases in potential civil and criminal penalties. The EHR Meaningful Use Incentive Program also requires specific security measures: eligible hospitals and other providers must conduct a HIPAA Security Risk Analysis before they can attest to completing each stage of meaningful use.

In summary, two things are clear. First, the healthcare industry's migration to EHR will enable providers to deliver better care more efficiently. Second, IT security will become a critical success factor in every health organization's future. Everyone stands to gain in this prodigious shift and no one can afford to lose.

What You Need to Do / How Redspin Can Help: Eligible Hospitals / Critical Access Hospitals

Meaningful Use Stage 1
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
How Redspin Can Help: HIPAA Security Risk Analysis

Meaningful Use Stage 2
Objective: Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest, and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
How Redspin Can Help: Data Encryption Risk Worksheet

What You Need to Do / How Redspin Can Help: Eligible Professionals

Meaningful Use Stage 1
Objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

Meaningful Use Stage 2
Objective: Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities.
Measure: Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for EPs.
How Redspin Can Help: Data Encryption Risk Worksheet

What You Need to Do / How Redspin Can Help: All HIPAA Covered Entities

HIPAA Security Rule — 45 CFR 164.308 Administrative Safeguards

(a) A covered entity must, in accordance with §164.306:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

HIPAA Security Rule — Administrative Safeguards (45 CFR 164.308(a)(8))

(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.
How Redspin Can Help: HIPAA Policy Gap Analysis

Technical Dr. Inc.'s insight:

We specialize in over 20 types of HIPAA Risk Assessments! Contact us at inquiry@technicaldr.com today to schedule your assessment with the #1 medical IT support firm!

- The Technical Doctor Team


HIPAA Compliance in the Cloud: Q&A


All companies handling protected health information (PHI) are required to comply with HIPAA regulations. These laws are important, yet complex, and confusion has ensued among healthcare businesses that wish to understand what their obligations are. As more companies migrate to cloud computing, many new questions arise. Here, we answer some of the most frequent questions regarding HIPAA compliance and cloud security:

What is the purpose of HIPAA?

HIPAA regulations ensure that individual patient information remains private, while allowing the health system to function. PHI should not be available to anyone who doesn’t need the information, yet it should be available and usable to those who do legitimately need it – such as caregivers. Thus, patients can receive good medical care without compromising their right to privacy.


What is a Covered Entity?

HIPAA sets rules for “Covered Entities.” In simple terms, these are the organizations that provide healthcare. They may, for example, be health care providers (doctors, clinics, hospitals, etc.) or health plans (insurers, HMOs, health programs, etc.).


What is a Business Associate?

Covered entities often engage other businesses, business associates, to help them carry out their healthcare activities and functions. HIPAA defines rules for these business associates as well.

The covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to protect the privacy and security of health information. In addition to these contractual obligations, business associates are directly liable under HIPAA for compliance with certain provisions of the rules.

The latest updates to HIPAA extend the Business Associate definition to cloud service providers and other hosting providers used in the health industry.


What are the advantages of securing data in the cloud?

There are many good business reasons to use the cloud for managing healthcare applications and data. They include flexible infrastructure and a pay-as-you-go economic model. Taking advantage of these benefits, while meeting regulations, requires proper security for your cloud deployment.

This task is no more daunting than securing data in a traditional physical data center. In fact, if you use a good cloud provider, much of it may already have been done for you. Just as in the “old” physical world, you should check that your cloud provider does a good job of security, reviewing its documentation and practices, and you should also study best practices for using the cloud securely.

One new area where you should devote time and attention is a stronger emphasis on encryption and on management of the encryption keys in the cloud.

If you do this properly, you will actually have a HIPAA compliant solution which is much more flexible and cost effective, with less effort.


Does all data in the cloud need to be encrypted?

HIPAA does not require cloud encryption, but it is strongly suggested. The best way to ensure data security when in use, in transit or in storage is with encryption. Additionally, companies that have encrypted their data can claim “safe harbor” if a security problem occurs. To enable organizations to minimize the risk of both data loss and the need to report, the HIPAA guidelines specify technologies that render data unreadable and unusable. If those technologies are implemented, the organization can usually claim to have achieved a “safe harbor,” thus freeing the organization from the obligation of reporting the breach.


Should backups be encrypted as well?

Any storage medium which contains private information about patients needs to be secured. This includes backups and snapshots.


What is the best method of cloud encryption?

As a first step, use strong encryption for your data – the standard is AES-256.

Secondly, take good care of your encryption keys. Encryption is worthless if the hacker gets hold of the encryption keys. The best practice is to keep ownership of encryption keys completely to yourself – it is the one thing you do not want to share with your cloud provider.

The most secure method of protecting encryption keys is split-key encryption with homomorphic key management. This is a state-of-the-art solution for securing your keys so that they remain in the hands of your company and are not available even to the cloud provider. Even if security is breached, the data will not be readable by anyone outside the company, and you are likely to qualify under the safe harbor rules.


Do good Cloud Providers and Cloud Encryption cover all bases?

Technology is critical, but people are no less important. Your employees must be trained to use technology properly and processes must be put in place for the handling of private patient information.

Procedures are also important. These range from how you handle suspected breaches to the use of strong passwords.

And in HIPAA, everything you do must also be documented. This is onerous, but you cannot escape it.

Technical Dr. Inc.'s insight:

Don't forget - Technical Doctor performs HIPAA Risk Assessments for your practice! Call or email us to learn more!

- The Technical Doctor Team
