HIPAA Compliance for Medical Practices
72.3K views | +23 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Top 5 Tips for HIPAA Compliance | EMR and HIPAA

Top 5 Tips for HIPAA Compliance | EMR and HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

Manny Jones, health care solution manager at LockPath, recently sent me 5 tips to consider in order to meet HIPAA guidelines. It addresses some of the following questions: What does the HIPAA Omnibus rule mean for me? How do I know if I’m compliant? Where do I even begin?

This list of 5 tips are a good place to start.

1. Be prepared for more frequent audits and a fine structure based on knowledge – The new tiered approach means organizations can face much higher fines if they’re not in compliance with the rule.

2. Update Notice of Privacy Practice (NPP) – These should explain that individuals will be notified if there is a breach, disclosures around areas that now require authorizations, and more. Once updated, organizations should redistribute to patients and others to ensure they’re aware of changes.

3. Develop new processes – These should address additional restrictions on use or disclosure of protected health information (PHI).

4. Identify assets containing PHI – Once an organization has an inventory of these assets, they can determine where safeguards/breach notification obligations apply.

5. Understand the new definitions – Organizations should understand how “breach” and “business associate” are now defined and how they apply to their organization.

For those wanting to really dig into the details of HIPAA compliance, you’ll want to consider a HIPAA Compliance training course. These are easy online courses for both the HIPAA privacy officer or your staff. As is noted above, more frequent audits and fines are coming.

 

Technical Dr. Inc.'s insight:

Have you done a HIPAA Risk Assessment yet?  We can help you immediately with this!  Contact us at inquiry@technicaldr.com today to schedule your assessment with the #1 medical IT support firm!

-          The Technical Doctor Team

more...
No comment yet.
Scoop.it!

New HIPAA Compliance Help on the Way

New HIPAA Compliance Help on the Way | HIPAA Compliance for Medical Practices | Scoop.it

The federal "wall of shame" tally of major health data breaches, and the results of HIPAA compliance audits conducted so far, illustrate that the healthcare sector has a long way to go when it comes to protecting patient privacy and improving information security.

For example, one key problem area has been risk assessments, which many healthcare providers do poorly, if at all, based on the findings of federal audits and breach investigations. Another weak spot has been the use of encryption. Stolen and lost unencrypted computing devices have been the culprit in more than half of major health data breaches in the last four years.

 Many covered entities and BAs can certainly use whatever help they can get to improve HIPAA compliance, especially when it comes to risk assessments and mobile device security. 

That's why it's good news that federal regulators plan to offer two new guides to help organizations address key security challenges in the weeks to come. I've learned that a tool to help smaller providers conduct a risk analysis, as well as a video on privacy and security issues, will be available soon.

Stricter HIPAA enforcement is coming in the New Year, along with a renewal of HIPAA compliance audits.

So it's more important than ever for healthcare organizations of all sizes, and their business associates, to take advantage of these and other free resources to help bolster their efforts to protect patient privacy and improve information security

Under the HIPAA Omnibus Rule, business associates are now directly liable for HIPAA compliance, and penalties for each HIPAA violation can go as high as $1.5 million.

The Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, will resume its HIPAA compliance audit program next year. The expanded audit program will include business associates for the first time. And it will focus more narrowly on the problem areas that stuck out in the previous OCR audits.

The Office of the National Coordinator for Health IT, another HHS unit, is developing a new tool designed to help smaller physician practices with one of those problem areas: risk assessments.

Conducting a thorough risk assessment is a critical component of any information security program. It's also required under the HIPAA Security Rule as well as the HITECH Act's electronic health record incentive program. To qualify for incentives in Stage 2, hospitals and physician groups must attest to performing a risk analysis that, among other things, addresses the use of encryption for stored patient information.

An ONC spokesman told me: "We are working on a tool for small practices, and we expect this to be released in 2014. We hope that this tool will help providers perform a risk assessment in their practices and help them evaluate the administrative, technical and physical safeguards in their organizations as required under the HIPAA Security Rule."

Meanwhile, OCR and the Centers for Medicare and Medicaid Services are developing a video focused on privacy and security issues tied to the HITECH Act's EHR meaningful use incentive program. "We hope to have this posted before January 2014," an OCR spokeswoman says, declining to elaborate on details.

Many covered entities and business associates can certainly use whatever help they can get to improve HIPAA compliance, especially when it comes to risk assessments and mobile device security.

Technical Dr. Inc.'s insight:

Call Technical Doctor today if you haven't done a HIPAA Risk Assessment yet!


-The Technical Doctor Team

more...
No comment yet.
Scoop.it!

Secure Texting Streamlines Clinical Communication

Secure Texting Streamlines Clinical Communication
To access this content, please Register or Sign In.

By Susan Kreimer, contributing editor

A Canadian hospital installs a secure texting solution to facilitate physician paging and to provide more details about consulting cases.

A mobile software application is paving the way for more secure texts among healthcare team members at The Ottawa Hospital, which has 12,000 employees, including 1,200 staff physicians and about 900 residents. The solution (Amcom Mobile Connect) links to the hospital call center’s directory, simplifying the process of locating physicians. According to Margaret Quirie, The Ottawa Hospital’s director of information organization and access, this eliminates wasted time that used to be spent waiting for pages to be placed manually and acknowledged. It’s also more HIPAA-compliant and may reduce the number of devices that a clinician has to carry.

“Now, all pages are tracked, which helps with audits and risk management,” Quirie said. “It also closes the accountability loop. We know that a person received the page.” Confirmation occurs when the recipient presses a thumbs-up button.



more...
No comment yet.
Scoop.it!

Google will sign a BAA but it will cost you

Google has announced that they will sign a BAA for customers that use their Google Apps platform which includes Gmail, Google Calendar, Google Drive.
Technical Dr. Inc.'s insight:



Microsoft used to be one of the only large cloud providers that was willing to sign a HIPAA Business Associate Agreement (BAA). That has changed now that Google has announced that they will sign a BAA for customers that use their Google Apps platform. Google Apps includes: Gmail, Google Calendar, Google Drive, and Google Apps Vault services.

Under HIPAA, certain information about a person’s health or health care services is classified as Protected Health Information (PHI). Google Apps customers who are subject to HIPAA and wish to use Google Apps with PHI must sign a Business Associate Agreement (BAA) with Google.

Administrators for Google Apps for Business, Education, and Government domains can request a BAA before using Google services with PHI. Google offers a BAA covering Gmail, Google Calendar, Google Drive, and Google Apps Vault services.

BAA Required to use Google Services
Google has also made it clear that if a customer does not have a BAA and is storing Protected Health Information (PHI), they should not use Google products

Google Apps customers are responsible for determining whether they are subject to HIPAA requirements and whether they use or intend to use Google services in connection with PHI. Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.

Not Free

Google is willing to sign a BAA but only for users of their paid Google Apps services. The BAA is not available on Google’s free services (Gmail, Google Calendar, Google Drive, etc.).

To request a HIPAA Business Associate Agreement (BAA), you must be signed in to an Administrator account for your Google Apps for Business, Education, or Government domain. Non-Administrator Google Apps users or users of Google Apps Free Edition (sometimes referred to as “Standard Edition”) cannot request a BAA from Google at this time.

Google Apps for Business starts at $5/month per user or $50/year per user.

Limited Google App Services

Google’s BAA only covers certain Google Apps Services including: Gmail, Google Calendar and Google Drive. Other services such as Google Docs, Google Groups, Google+, and Google Sites are not covered by the BAA and should be disabled.

more...
No comment yet.
Scoop.it!

Healthcare - Achieving HIPAA and HITECH compliance

Healthcare - HIPAA/HITECH

"The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules."
Department of Health and Human Services (www.HHS.gov)

Information technology is radically transforming the healthcare industry. Electronic health records (EHR) now enable greater access to patient records and facilitate sharing of information among providers, payers and patients themselves. But with broader access, more centralized data storage, and confidential information sent over networks, there is an increased risk of privacy breach through data leakage, theft, loss, or cyber-attack.

The Federal government, specifically the Department of Health and Human Services (HHS), the Office of Civil Rights (OCR) and the Center for Medicare and Medicaid Services (CMS) addressed the new security challenges in the HITECH Act, the HIPAA Omnibus Rule, and the EHR Meaningful Use Incentive Program. The Omnibus Rule extends existing HIPAA regulations and strengthened enforcement provisions, including increases in potential civil and criminal penalties. The EHR Meaningful Use Incentive Program also requires specific security measures – eligible hospitals and other providers must conduct a HIPAA Security Risk Analysis before they can attest to completing each stage of meaningful use.

In summary, two things are clear. First, the healthcare industry's migration to EHR will enable providers to deliver better care more efficiently. Second, IT security will become a critical success factor in every health organization's future. Everyone stands to gain in this prodigious shift and no one can afford to lose.

What You Need to Do
Eligible Hospitals / Critical Access HospitalsHow Redspin Can HelpMeaningful Use Stage 1Objective:Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Measure:Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.HIPAA Security Risk AnalysisMeaningful Use Stage 2Objective:Protect electronic health information created or maintained by the Certified EHR Technology through the implementation of appropriate technical capabilities. Measure:Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308 (a)(1), including addressing the encryption/security of data at rest and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.


Data Encryption Risk Worksheet

What You Need to Do
Eligible ProfessionalsHow Redspin Can HelpMeaningful Use Stage 1Objective:Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Measure:Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.Meaningful Use Stage 2Objective:Protect electronic health information created or maintained by the certified EHR technology (CEHRT) through the implementation of appropriate technical capabilities. Measure:Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a) (1), including addressing the encryption/security of data stored in CEHRT in accordance with requirements under 45 CFR 164.312 (a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process for EPs.


Data Encryption Risk Worksheet

What You Need to Do
All HIPAA Covered EntitiesHow Redspin Can HelpHIPAA Security Rule — §45 CFR 164.308 Administrative Safeguards

(a) A covered entity must, in accordance with §164.306:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

HIPAA Security Rule — Administrative Safeguards (45 CFR 164.308(a)(8))

(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart.


HIPAA Policy Gap Analysis

Technical Dr. Inc.'s insight:

We specialize on over 20 types of HIPAA Risk Assessments ! Contact us at inquiry@technicaldr.com today to schedule your assessment with the #1 medical IT support firm!
- The Technical Doctor Team

more...
No comment yet.
Scoop.it!

HIPAA Compliance in the Cloud: Q&A

HIPAA Compliance in the Cloud: Q&A | HIPAA Compliance for Medical Practices | Scoop.it

All companies handling personal health information (PHI) are required to comply with HIPAA regulations. These laws are important, yet complex. Confusion has ensued in healthcare businesses, who wish to understand what their obligations are. As more companies migrate to cloud computing, many new questions arise. Here, we answer some of the most frequent questions regarding HIPAA compliance and cloud security:

What is the purpose of HIPAA?

HIPAA regulations ensure that individual patient information remains private, while allowing the health system to function. PHI should not be available to anyone who doesn’t need the information, yet it should be available and usable to those who do legitimately need it – such as caregivers. Thus, patients can receive good medical care without compromising their right to privacy.

 

What is a Covered Entity?

HIPAA sets rules for “Covered Entities.” In simple terms, these are the organizations that provide healthcare. They may, for example, be health care providers (doctors, clinics, hospitals, etc.) or health plans (insurers, HMOs, health programs, etc.)

 

What is a Business Associate?

Covered entities often engage other businesses, business associates, to help them carry out their healthcare activities and functions. HIPAA defines rules for these business associates as well.

The covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to protect the privacy and security of health information. In addition to these contractual obligations, business associates are directly liable under HIPAA for compliance with certain provisions of the rules.

The latest updates to HIPAA extend the Business Associate definition to cloud service providers and other hosting providers used in the health industry.

 

What are the advantages of securing data in the cloud?

There are many good business reasons to use the cloud for managing healthcare applications and data. They include flexible infrastructure and a pay-as-you-go economic model. Taking advantage of these benefits, while meeting regulations, requires proper security for your cloud deployment.

This task is not more daunting than securing data in a traditional physical data center. In fact, if you have used a good cloud provider, much of it may have already be done for you. Just as in the “old” physical world, you should check that your cloud provider does a good job of security, reviewing its documentation and practices; and you should also study best practices for using the cloud securely.

One new area were you should devote time and attention is a stronger emphasis on encryption and management of the encryption keys in the cloud.

If you do this properly, you will actually have a HIPAA compliant solution which is much more flexible and cost effective, with less effort.

 

Does all data in the cloud need to be encrypted?

While HIPAA does not require cloud encryption, but it is strongly suggested. The best way to ensure data security when in use, in transit or in storage – is with encryption. Additionally, companies who have encrypted their data can claim “SafeHarbor” if a security problem occurs. To enable organizations to minimize the risk of both data loss and the need to report, the HIPAA guidelines specify technologies that render data unreadable and unusable. If those technologies are implemented, the organization can usually claim to have achieved a “safe harbor,” thus freeing the organization from the obligation of reporting the breach.

 

Should backups be encrypted as well?

Any storage medium which contains private information about patients needs to be secured. This includes backups and snapshots.

 

What is the best method of cloud encryption?

As a first step, use strong encryption for your data – the standard is AES-256.

Secondly, take good care of your encryption keys. Encryption is worthless if the hacker gets hold of the encryption keys. The best practice is to keep ownership of encryption keys completely to yourself – it is the one thing you do not want to share with your cloud provider.

The most secure method of protecting encryption keys is split-key encryption with homomorphic key management. This is a state-of-the-art solution for securing your keys so they remain in the hands of your company and are not available even to the cloud provider. Even if security is breached, the data will not be readable by anyone outside the company, and you are likely to enjoy Safe Harbor rules.

 

Do good Cloud Providers and Cloud Encryption cover all bases?

Technology is critical, but people are no less important. Your employees must be trained to use technology properly and processes must be put in place for the handling of private patient information.

Procedures are also important. These range from how you handle suspected breaches to the use of strong passwords.

And in HIPAA, everything you do must also be documented. This is onerous, but you cannot escape it.



Technical Dr. Inc.'s insight:

Don't forget - Technical Doctor performs HIPAA Risk Assessments for your practice!  Call or email us to learn more!


The Technical Doctor Team

more...
No comment yet.
Scoop.it!

Best Practices For Healthcare Texts ;)

Best Practices For Healthcare Texts ;) | HIPAA Compliance for Medical Practices | Scoop.it
Best Practices For Healthcare Texts ;)

By Katie Wike, contributing writer

Texting - with patients and within departments - is a natural step in the evolution of mobile healthcare; now providers need to set best practices

Healthcare Technology Online quoted Cheri Lattimer, RN, BSN, CMSA executive director of TCS as saying, “While traditional communication methods such as phone and face-to-face advice from physicians and care managers still dominate the field, the use of new HIT applications and solutions including smartphones, social networking, and text messaging is quickly increasing. The widespread acceptance of email communication is a perfect example of how care managers can adopt new technologies that patients are comfortable with, thereby avoiding potential barriers associated with new technology, and focus their efforts directly on patient guidance and engagement.”

Lattimer makes an important point - healthcare professionals are adopting new technologies constantly in order to communicate with their patients. MU requires a certain percentage of patients use portals, and there are apps for making appointments and finding doctors. But the one way to easily contact the majority of patients is via cell phone. Banks send text message account updates, so why couldn’t hospitals use the same technology to remind patients of appointments or prescriptions that need to be filled?

But security is an incredible concern. As HIT Consultant points out, “Text messages can sometimes get sent to the wrong person, and even if it gets to the correct number, the text could be read by someone other than the recipient. The information can be forwarded to anyone, and could remain on phones for indefinite amounts of time. In addition, if a phone gets lost — as they often do — a plethora of patient information could be compromised.”

HIT Consultant raises other questions: Would there be a charge for texting the doctor? What is an appropriate number of communications? What hours are appropriate to text? How many doctors are willing to text their patients? And most importantly, how can text messages be made more secure?

Healthcare IT News has recently posted best practices for text messaging in healthcare, based on the research of Frederick Muench, a clinical psychologist at Columbia University Medical Center who will be speaking at December’s HIMSS Media Health Summit.

"We ended up realizing that we were writing all sorts of different messages, but we didn't really know the basic tenets of what constitutes a good text message,” said Muench. “That is, what constitutes a good text message in that patients would be most receptive to receiving and heeding it?"

Muench’s study found 75 percent of respondents prefer receiving statements to questions, most are likely to prefer messages in "non-textese," and happy emoticons and correct grammar increase satisfaction with messages received.

 "We're still new to understanding texting as a unique medium," he concluded, since prior to this study there was little research into consumer preferences in text messages.



Technical Dr. Inc.'s insight:

Confused if your E-mail provider is HIPAA Compliant? Not sure if your communications to your patients and referring physicians are secure. Contact us at inquiry@technicaldr.com to be sure. Technical Doctor Inc. is the number 1 medical IT support specialists and HIPAA experts.


  - Technical Doctor Team

more...
No comment yet.
Scoop.it!

HIPAA Risk Assessment in Chicago and Houston by Techncial Doctor Inc

HIPAA Risk Assessment in Chicago and Houston by Techncial Doctor Inc | HIPAA Compliance for Medical Practices | Scoop.it
Unsure about your medical practice e-security and meaningful use readiness, get your HIPAA Risk Assessment done by Technical Doctor in Chicago and Houston


TechnicalDr’s HIPAA Risk Assessment ensures you have no worries. It has:
  • A Facility Walk-through Checklist.
  • Cyber-security and Best Practices Audit.
  • EHR Security Assessment and Review.
  • HIT Security Risk Assessment Questionnaire.
  • Privacy and Security Summary Report.
  • Remediation risk included.
What does a HIPAA Risk Assessment do for you?
  • A HIPAA Risk Assessment ensures that you are complying with all Meaningful Use norms, making your practice eligible for Financial SOPS.
  • A HIPAA Risk Assessment confirms that all HIPAA privacy and security guidelines are being followed and protects you from fines and court cases.
  • A HIPAA Risk Assessment makes your clinic truly secure. Your patients are happier knowing that their records are safe and secure with you.
Why Choose Technical Doctor Inc. as your preferred HIPAA Risk Assessment Consultant?
  • Technical Doctor provides an all round assessment of Hardware, Software, Employee and Medical processes of your Practice.
  • Technical Doctor specializes in Readiness Assessments and EHR selection, giving them vital experience in E-Health.
  • Technical Doctor assures a comprehensive report on all vulnerabilities detected and ways to overcome them.
  • Technical Doctor has a dedicated team to do a Risk Assessment within 3-8 hours at your Clinic.
  • Technical Doctor is partnered with HITREC and National Learning Consortium for this service.
  • Technical Doctor employs only HIT specialists with experience to conduct these Risk Assessments, with them you are in safe hands.
more...
Technical Dr. Inc.'s comment, December 16, 2013 4:11 PM
Do you need a HIPAA Risk Assessment? Contact Technical Doctor, the leader in medical IT support, at inquiry@technicaldr.com today!