HIPAA Compliance for Medical Practices
75.3K views | +31 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Understanding the HIPAA Security Rule: HIPAA Physical Safeguards

Understanding the HIPAA Security Rule: HIPAA Physical Safeguards | HIPAA Compliance for Medical Practices | Scoop.it

While HIPAA covers a broad scope of healthcare related items, its Security Rule specifically sets forth standards concerning the safety of electronic Protected Health Information or ePHI. Furthermore, the Security Rule can be broken down into three keys areas of implementation: Physical Safeguards, Technical Safeguards, and Administrative Safeguards. In Part I of this blog series we will discuss the basics regarding HIPAA Physical Safeguards, or Section 164.310 of the Security Rule, and how they relate to ePHI (electronic Protected Health Information).

 

The Department of Health and Human Services defines HIPAA Physical Safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings from natural and environmental hazards, and unauthorized intrusion”. In short, a covered entity must have physical protocols in place to protect is ePHI from disaster and/or theft.

HIPAA Physical Safeguards can be broken down into the following standards:

  • Facility Access ControlThis standard requires covered entities to implement policies and procedures to limit physical access to information systems and the facilities in which they are stored. Proper authorization to access these systems should also be ensured. The Facility Access Control Standard also requires the following implementations:
    • Contingency Operations
    • Facility Security Plan
    • Access Control and Validation Procedures
    • Maintenance Records

 

  • Workstation Use: A workstation is defined as an electronic computing device and any electronic media stored in its immediate environment. According to this standard, covered entities must implement policies and procedures surrounding the functions and physical attributes of any workstation that can access ePHI. The importance of these policies and procedures is to limit exposure to viruses, compromisation of information systems, and breaches of confidential information.

 

  • Workstation Security: This standard differs from Workstation Use in that it refers specifically to how workstations are to be physically protected from unauthorized users. Under this standard, converted entities must implement physical safeguards for all workstations that access ePHI to restrict unauthorized users. Essentially, a covered entity must take precautions - such as locked doors/equipment – to prevent non-employees from physically accessing a workstation.

 

  • Device and Media Controls: Device and Media controls refer to electronic media- meaning electronic storage media devices in computers (hard drives) and any removable/transportable digital memory medium such as tapes, disks, or digital memory cards. The purpose of this standard is to have policies and procedures in place to govern the receipt and removal of hardware and electronic media that contains ePHI, into and out of a facility, and the movement of these items within the facility. Covered entities must be able to account for all ePHI as it is moved between electronic devices. They must be able to account for this ePHI, even if it is disposed of. This standard is broken down into the following implementations:
    • Disposal
    • Media Re-Use
    • Accountability
    • Data Backup and Storage

In order to comply with these standards related to HIPAA Physical Safeguards, here are some examples of basic practices that any covered entity can apply to its medical practice:

  • Keep access to any device that stores or processes ePHI restricted to authorized personnel only. Avoid having these devices in areas that can easily be accessed by patients or visitors.
  • Ensure that ePHI is disposed of properly. Hard drives and any other devices that store patient information must be destroyed in the proper manner, and a certificate of disposal should be obtained and kept as a record.
  • Keep an inventory of all devices in the office that store or process ePHI. Additionally, note down which staff have accesses to these devices and what roles they play in processing ePHI.

 

These are examples of general steps that will help covered entities comply with HIPAA.   It is important that the annual mandatory HIPAA risk assessments be comprehensive and should review all physical safeguards at your location, pinpoint specific vulnerabilities and determine the corresponding action items and additional physical safeguards that may need to be implemented.

In summary, the Physical Safeguards standard of the HIPAA Security Rule sets forth a comprehensive framework regarding the physical protection of ePHI. As covered entities continue to modernize and move away from traditional paper-based records keeping, they will need to keep these standards in mind for the privacy of their patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

Understanding the HIPAA Security Rule: Administrative Safeguards

Understanding the HIPAA Security Rule: Administrative Safeguards | HIPAA Compliance for Medical Practices | Scoop.it

The Administrative Safeguards are the most comprehensive standards, as they cover over half of the HIPAA Security Rule. These standards encompass many of the oversight aspects of managing a covered entity. The other two posts in this blog series covered Technical Safeguards and Physical Safeguards.

 

The Department of Health and Human Services defines these safeguards as “administrative” actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information”.

 

Administrative Safeguards are broken down into the following standards:

  • Security Management Process: A covered entity must implement policies and procedures to prevent, detect, contain, and correct security violations. There are four required implementations for this standard:
    • Risk Analysis
    • Risk Management
    • Sanction Policy
    • Information System Activity Review
  • Assigned Security Responsibility: This standard requires the designation of a security official who is responsible for the development and implementation of policies and procedures.
  • Workforce Security: Under this standard, a covered entity must implement policies and procedures to ensure that all staff members have appropriate access to ePHI, and also to prevent those workforce members who do not have permission, from accessing it. There are three addressable implementations under this standard:
    • Authorization and/or Supervision
    • Workforce Clearance Procedure
    • Termination Procedures
  • Information Access Management: This standard relates to the implementation of policies and procedures regarding the authorization of access to ePHI. There are three addressable implementations under this standard:
    • Isolating Healthcare Clearinghouse Functions
    • Access Authorization
    • Access Establishment and Authorization
  • Security Awareness and Training: Under this standard, a covered entity must have a security awareness and training program for all members of its workforce, including physicians and management. There are four implementations for this standard:
    • Security Reminders
    • Protection of Malicious Software
    • Log-in Monitoring
    • Password Management
  • Security Incident Procedures: Covered entities must have policies and procedures in place to address security incidents. There is one implementation:
    • Response and Reporting
  • Contingency Plan: The purpose of this standard is for covered entities to establish policies and procedures for responding to emergencies or other occurrences (fire, vandalism, natural disasters, etc.) that may damage systems containing ePHI. There are five implementations for this standard:
    • Data Backup Plan
    • Disaster Recovery Plan
    • Emergency Mode Operation Plan
    • Testing and Revision Procedures
    • Applications and Data Criticality Analysis
  • Evaluation: This standard requires covered entities to perform periodic technical and nontechnical evaluations in response to environmental and operational changes affecting the security of ePHI.
  • Business Associate Contracts and Other Arrangements: The final standard relates to the relationship between a covered entity and the vendors it uses. It states that the covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity’s behalf, only if the covered entity obtains the correct assurances. There is one implementation under this standard:
    • Written Contract or Other Arrangement

HIPAA Administrative standards provide a broad and wide-encompassing scope of administrative functions that a covered entity must implement regarding the security of ePHI. Here are some basic practices that a covered entity can put into place:

 

  • Perform a regular risk analysis of systems used by the office to determine any new vulnerabilities or weaknesses.
  • Appoint a HIPAA Security Officer who oversees the implementation of these standards and maintains all policies and procedures related to security measures.
  • Ensure that all staff members adhere to a policy of creating strong passwords to access workstations/software programs that access ePHI. These passwords should not be common words or phrases and should not be shared among employees.
  • Create regular backups of any servers or systems that process ePHI. This can be done via a cloud-based system or an encrypted backup tape/hard drive.
  • Immediately remove access to any programs that process ePHI (EMR, billing/scheduling software, etc.) for any employee that becomes no longer associated with the covered entity (termination or job change). This will help prevent improper access to patient data.
  • Obtain and maintain Business Associate Agreements (BAAs) with any third-party vendors that store or process PHI. These agreements must ensure that the vendor will appropriately safeguard patient information.

 

As with Physical and Technical Standards, Administrative Standards need to be reviewed for each covered entity through an annual HIPAA Security Risk Assessment. These assessments are not only mandatory, but they are essential to determine any risks that can lead to a breach of data.

 

In closing, the HIPAA Security Rule covers a wide range of standards and implementations that covered entities must employ to ensure HIPAA compliance. Failure to adhere to these policies can lead to OCR (Office of Civil Rights) sanctions in the forms of audits and even severe civil penalties.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

What you should know about HIPAA PRIVACY RULE

What you should know about HIPAA PRIVACY RULE | HIPAA Compliance for Medical Practices | Scoop.it

Does the HIPAA Privacy rule affect you?  

You should be familiar with the Health Insurance Portability and Accountability Act also known as HIPAA, but do you know how the privacy rule affects you? The U.S Department of Health and Human Services (HHS) has worked diligently since establishing HIPAA law to regulate privacy standards in the healthcare industry. When you think of the word privacy many things may come to mind, such as closing the door during a patient’s consultation or ensuring confidentiality while discussing patient treatments with fellow staff members. As a covered entity it is your responsibility to protect the privacy of your patients. 

 

6 ways in which you can implement a Culture of Privacy:

During your day to day operations, you need to be aware of how to implement the culture of privacy in your practice and comply with the law. Across all roles, every employee in your practice needs to be exercising compliance with HIPAA. Here are six ways in which you can implement a culture of privacy.

  • Provide HIPAA training to all your employees and maintain documentation that your entire staff has completed HIPAA training.
  • Ensure that your entire staff knows what patient information can be shared and not shared outside and inside of the workplace.
  • Get your patients to sign consent forms regarding sharing any form of PHI for any purpose including your own marketing purposes.
  • Stay updated on changes in the law on new disclosure restrictions and Update your patient authorization forms updated regularly on any such new disclosure restrictions.
  • Educate your patients and give them a clear outline of how they can request or obtain a copy of their medical records.
  • Ensure that you are giving your staff only the minimum necessary access to PHI to perform quality healthcare.

 

It is your responsibility to maintain professional top-quality healthcare for all parties involved while maintaining compliance with the law. Exercising the privacy culture is the way your practice stays current and minimizes the potential of a data breach. As a covered entity you need to be aware of the potential consequences that come with non- compliance. Consequences range from significant monetary fines to criminal penalties like jail time and a damaged reputation.  In addition, there are strict breach notification requirements outlined in the law.

 

In the event of a breach, you may be investigated by the appropriate federal agency like Office of Civil Rights (OCR) or the Department of Homeland Security or the Department of Justice, or other federal agencies who may be involved.  Depending on the results of the investigation, you may face penalties. Here are some penalties for data breaches that may apply. 

 

  • 100 dollars per record per day under HIPAA law with the maximum annual penalty being 1.5 million dollars per violation.
  • Loss of patient trust and repeat business due to damage to your reputation.

 

Millions of dollars in fines could potentially cause you to lose your livelihood and business. A bad reputation would stop repeat business and new customers from coming. These top penalties and consequences are avoidable and quality healthcare is attainable if you are complying with the law and practicing the culture of privacy every day. Remember to instill a culture of privacy in your office and follow the Five Steps to HIPAA Compliance every year.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Breach Notification Rule

HIPAA Breach Notification Rule | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Breach Notification Rules under the HITECH and GINA Act were issued on January 25, 2013, resulting in modifications to HIPAA Privacy, Security, and Enforcement. This is commonly known as the Omnibus Rule. The Omnibus Rule mandates covered entities (CEs) and business associates (BAs) provide the required HIPAA breach notifications following an impermissible use or disclosure of protected health information (PHI).

What is a HIPAA Breach?

A HIPAA breach notification may be required because of an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI) of an individual.  An impermissible use or disclosure is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the protected health information has been compromised.

A risk assessment must include consideration of at least the following factors:

  • The extent and nature of the PHI involved (i.e. types of identifiers and likelihood of re-identification);
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • If the PHI was viewed and/or acquired;
  • To what extent the risk to the PHI has been mitigated.

How Does a HIPAA Breach Notification Work?

(1) HIPAA Breach Notification Rule: Following a breach of unsecured PHI, CEs must notify affected individual(s) and the Secretary of Health and Human Services (HHS).”  In instances where the breach affects more than 500 residents of a State or jurisdiction, notice must be provided to prominent local media.  In addition, BAs must notify CEs that a breach has occurred.

Individual HIPAA breach notifications must occur without delay, but not later than 60 days from the date of the breach discovery.  A breach is considered to be “discovered” when at least one employee of the entity knows of the breach.  This does not include the person responsible for the breach.

(2) Covered Entities HIPAA Breach Notification: Covered entities are required to notify affected individuals following the discovery of a breach of unsecured PHI. The CE must provide the individual notice in written form by first-class mail.  Notices by email are permissible if the affected individual has agreed to receive notices electronically.

What about Business Associates?

(1) Business Associates HIPAA Breach Notification:  If a breach of unsecured PHI occurs by a business associate, the BA must notify the CE following the discovery of the breach.  A business associate must provide notice to the covered entity no later than 60 days from the day of discovery of the breach.  BAs are required to provide the identification of each individual affected by the breach.  The covered entity is responsible for ensuring the individuals are notified of a breach by a business associate even if the covered entity is charged with the responsibility of providing individual notices to the business associate.

(2) Out-of-date Information: If the CE or BA has insufficient or out-of-date information for more than 10individuals, the CE must provide a substitute individual notice by one of two methods.  It may post the notice on the home page of its website for at least 90 days.  Or it may provide the notice in major print or broadcast media where the affected individuals reside. This notice must include a toll-free number that remains active for at least 90 days.  If the CE or BA has insufficient or out-of-date information for less than 10 individuals, the covered entity may provide a substitute notice by an alternative form of written, telephone, or other means of notification.

HHS Wall of Shame

As required by section 13402(e)(4) of the HITECH Act, the Secretary posts a list of HIPAA breaches of unsecured protected health information affecting 500 or more individuals. These HIPAA breaches can range from a laptop theft to a hacking/IT incident.In 2015 there were over 113 million breaches of individual records reported, and the number of incidents related to “hacking” and “IT incidents” have doubled since 2014.   And this only includes breaches involving 500 or more individuals!

Most recently, St. Joseph Health (SJH) has agreed to settle potential violations of HIPAA Privacy and Security Rules following the report that files containing ePHI were publicly accessible through internet search engines from 2011 until 2012.  The public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.  SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan.  This plan requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff accordingly.

The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information. Entities must not only conduct a comprehensive HIPAA risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Medical Device Cybersecurity - 4 Steps to Take 

Medical Device Cybersecurity - 4 Steps to Take  | HIPAA Compliance for Medical Practices | Scoop.it

As if the headlines today are not scary enough, now we have to be worried – very worried, it seems – about medical device cybersecurity!  Reports of hacking and other incidents related to medical device cybersecurity are all over the news lately.  Not only does it have a financial impact, but confidentiality and HIPAA issues come up immediately!  The first 6 months of 2017 have seen an inordinate number of cybersecurity meltdowns.   In addition, other HIPAA breaches and data leaks occur much too often.

  • In April 2017, hospitals in Europe were shut down by the WannaCry ransomware.  At least two contrast agent injectors were compromised as part of that attack.
  • In 2015, three hospitals suffered data breaches when devices were infected by malware.  The devices included a blood gas analyzer and a picture archiving and communications system (PACS) system.  In these instances, the malware made its way from the device to other systems in the hospitals, leaving the hospital facing a ransom demand to cleanse its systems.  And this happened even though the hospitals had firewalls, intrusion detection and other security tools in place!
  • In August 2017, the FDA approved a firmware patch to address cybersecurity vulnerabilities in 500,000 pacemakers manufactured by Abbott.  The problems were identified over a year ago!

 

Why are medical devices vulnerable to cyber attacks?

Most of the time, the medical device cybersecurity flaws are due to external software such as Windows.  Many devices have Windows operating systems as the interface to the persons operating the equipment.  Windows is also used to interface with electronic health record systems.  If the device is connected to the internet, a pathway exists for malware to infect the Windows software on the device.  Malware can then make its way to other connected devices or applications.

But as the pacemaker issue mentioned above shows, there can also be vulnerabilities in the devices themselves.  An investment firm lit a fire when it issued a report a year ago claiming most devices had little to no built-in cybersecurity measures.

What does the government advise about medical device cybersecurity?

Two government agencies are concerned about medical device cybersecurity.  The Food and Drug Administration (FDA) has principally been concerned about patient safety.  The Office of Civil Rights (OCR)  of the Health and Human Services Department (HHS) administers the Privacy and Security HIPAA rules.

In its focus on patient safety, the FDA did not focus much on the HIPAA security issues related to medical device cybersecurity.  The FDA expanded its view of medical device cybersecurity considerations with its Postmarket Management of Cybersecurity in Medical Devices guidance issued on December 28, 2016.  This non-binding guidance advises device manufacturers to consider several strategies for reducing medical device cybersecurity risks.

  • Maintaining robust software lifecycle processes that include monitoring third party software components for new vulnerabilities.
  • Understanding, detecting and establishing communication processes with users when vulnerabilities are recognized.
  • Adopting coordinated vulnerability disclosure policies and deploying mitigation measures that address risks.

The 4 things medical device users should do

First, ask vendors how they are implementing the FDA Postmarket Management Guidance.  In this day and age, there is really no excuse for not keeping third party software like Windows up to date.

Second, expand the information you keep in your inventory of medical devices to include several factors, including:

  • The risk of each device, e.g., use of third party software, connection to the internet, etc.
  • The type of data kept on the device, whether it is static or dynamic.
  • The security controls that exist on the device, e.g., encryption, use of passwords, etc.

Third, include medical devices with third party software in the periodic HIPAA Security Rule Risk Assessment you perform.

Fourth, keep a sharp eye out for communications about vulnerabilities of your medical devices – and for patches to firmware that can improve the resistance of devices to hacking.

Medical device cybersecurity is not a particularly glamorous issue, but paying attention to it is vital in this environment.  Hospitals have long had to keep electrical/electronic equipment safe to use around patients.  Cybersecurity is just another part of that culture of safety.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Do you know the HIPAA Technical Safeguards-Security Rule?

Do you know the HIPAA Technical Safeguards-Security Rule? | HIPAA Compliance for Medical Practices | Scoop.it

The HIPAA Security Rule is broken down into three specific implementations – Physical Safeguards, Technical Safeguards, and Administrative Safeguards. In this post, we will discuss the specific standards surrounding HIPAA Technical Safeguards, or section 164.312 of the HIPAA Security Rule.

 

The HIPAA Security Rule defines Technical Safeguards as “the technology and the policy and procedures for its use that protect electronically protected health information (ePHI) and control access to it”. Essentially, these safeguards provide a detailed overview of access and protection of ePHI.

 

Technical Safeguards can be broken down into the following standards:

  • Access Control: This standard requires a covered entity to implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights. The Access Control Standard is broken down into four specific implementations:
    • Unique User Identification
    • Emergency Access Procedure
    • Automatic Logoff
    • Encryption and Decryption

These implementations ensure that only the correct person is logging on to an electronic device and accessing information on that device in an appropriate manner.

 

  • Audit Controls: Under this standard, covered entities must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. By implementing this standard, a covered entity can examine its information systems and determine if any security violations are taking place.
  • Integrity: The Integrity standard requires the covered entity to implement policies and procedures to protect ePHI from improper alteration or destruction. This standard has one specific implementation:
    • A mechanism to Authenticate Electronic Protected Health Information

Under this implementation, the covered entity must have mechanisms in place to ensure that ePHI has not been altered or destroyed in an unauthorized manner.

 

  • Person or Entity Authentication: Under this standard, covered entities must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
  • Transmission Security: The final standard requires covered entities to implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. This standard has two specific implementations:
    • Integrity Controls
    • Encryption

Much of the language surrounding the HIPAA Technical Safeguards can be a little overwhelming, but here are some example practices that covered entities can implement as they strive to get HIPAA compliant:

 

  • Ensure that all staff have unique user IDs/log-in credentials for all workstations and any programs that store or process ePHI. This will allow the HIPAA Security officer or IT administrator to determine exactly which staff member has accessed specific data.
  • Create defined roles for staff members within medical software/programs (EMR, scheduling, billing, etc.) based on their job status with the practice. For example, some staff members can be given read-only access, while others can change and edit data.
  • Avoid transmitting ePHI over unsecured electronic means such as email. If the covered entity maintains a website, a good practice would be to make sure it does not transmit or store any ePHI unless the website is protected with encryption.
  • Update/patch all technological devices that process ePHI regularly. The software can become quickly outdated, it is crucial to implement these updates to stay current with security needs.

 

These general steps are building blocks towards HIPAA compliance. Annual mandatory HIPAA risk assessments will help covered entities determine any additional vulnerabilities that need to be addressed regarding HIPAA Technical Safeguards.

 

The HIPAA Technical Safeguards are an integral part of the HIPAA Security Rule. Keeping in line with the standards mentioned above will allow a covered entity to ensure that it is doing all it can to secure the technology it uses to treat patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

Is it time for your Annual HIPAA Risk Assessment?

Is it time for your Annual HIPAA Risk Assessment? | HIPAA Compliance for Medical Practices | Scoop.it

Top 5 actions you can take to prepare for your next HIPAA Compliance review or risk assessment:

  • Identify where all your Patient Health Information (PHI) is stored, received, maintained or transmitted.
  • Assess current security measures used to safeguard PHI.
  • Make a list of all vendors that may have access to your PHI.
  • Have all your written HIPAA Policies and Procedures in place.
  • Be ready to document the assessment and take action where necessary.

Identify where your PHI is stored:

On your Computer?

  • Electronic Health Records (EHR)
  • Shared network drives
  • Word documents
  • Faxes
  • Recycle bin
  • Emails

In your office?

  • Paper Charts or files
  • File rooms and closets
  • CDs and USB drives
  • Old computers/servers that are no longer in use
  • Shredders or shred bins
  • Tablets and other mobile devices
  • Diagnostic equipment such as ultrasound machines and scanners.

Within your network storage?

  • A database
  • Other folders on the hard drive
  • Unencrypted images on other folders
  • Remote servers
  • Documents on network shares

On the cloud?

  • Electronic Health Record systems
  • Online cloud backup service
  • e-Fax services
  • Online file storage and transmission services such as Box, Dropbox, Google Drive.
  • Email services

How to Safeguard your PHI?

  1. Administrative Safeguards are used to develop a formal security management process including having written HIPAA Policies and Procedures readily available for medical office staff. Require that all staff, including physicians undergo security training to stay current on the laws and guidelines. Develop policies and procedures for the transfer, removal, and reuse of PHI.  
  2. Physical Safeguards are used to secure location and workspaces for staff members limiting access to unauthorized people and potential intruders. Provide Physical Cameras and Alarm systems as needed. Lock all IT equipment and limit access to authorized personnel only.
  3. Technical Safeguards are used to secure and control access to ePHI.  This is done in many ways such as establishing passwords, PIN numbers, implementing automatic logoff control. Ensure that antivirus is updated on all PCs. The PCs/Laptops on which PHI data and Images are stored should be fully encrypted. Do not share passwords.

What are compensating controls?

Compensating controls or alternative controls are put in place to satisfy the requirement for a security measure that is impractical to implement at the present time.

Examples of compensating controls:

When a medical office has paper charts that are filed on open shelves in a storage room or behind the reception desk, it is recommended to lock the charts at the end of the day.  Many times it is not practical to put locks on all open shelves that are used to file charts.  A compensating security measure can be used to install cameras surrounding the premises to monitor and record all activities. It is important that you also have a process in place to monitor the video recordings periodically.

Or

If an Ultrasound Technician uses CDs, Tapes, and Disks to store images or uses a USB hard drive to transfer the images to PCs and the EHR, then these devices have to be encrypted.  Many times, the Technician is not sure if the Thumb drives are encrypted. A compensating control here would be to lock the CDs and flash drives in a cabinet when not in use.

The Health Insurance Portability and Accountability Act (HIPAA) is primarily concerned with the Privacy and Security of Patients' Protected Health Information.  All entities that come into contact with Protected Health Information on a regular basis are covered under the Act.  Has it been more than one year since your last HIPAA Risk Assessment?  Or have you never had a HIPAA Risk Assessment done before? Either way, be sure to schedule your 2018 HIPAA Risk Assessment and 2018 HIPAA Training right away - don't wait until its too late.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance and the HITECH Act in 2018

HIPAA Compliance and the HITECH Act in 2018 | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA compliance is an essential part of running a medical practice. The current incarnation of the HIPAA regulations has been in place since 2003 and they haven’t changed much in the intervening years — until now, that is.

 

The HITECH Act (Health Information Technology for Economic and Clinical Health), which was signed into law in 2009, is expected to be fully adopted this year. What does the HITECH Act mean for HIPAA compliance, and what are the changes you need to make to your practice to ensure you’re in compliance with both HIPAA and HITECH?

 

Overview of the HITECH Act


The HITECH Act was designed to expand the types of businesses covered by HIPAA. It requires not only medical professionals to be HIPAA compliant, but any subcontractors, companies that cover the transmission of protected health information (PHI), electronic prescription gateways and patient safety organizations to also be in compliance with HIPAA regulations.

 

This doesn’t make any changes to the currently established exceptions to HIPAA’s business associate standard.

 

HITECH was also designed to focus more on the patient than HIPAA, allowing patients to more directly access their electronic health records (EHR). This also demands patients be informed by their provider if their health records are compromised in any way.

 

The act encouraged “meaningful use” of electronic health records, helping to improve communication between healthcare facilities in direct relation to patient care.

 

Universal Compliance


If your practice or facility has an IT security department, it’s probably entirely different than the ones that are part of other businesses surrounding you. Network security is usually managed by many different departments or even different businesses, making universal security compliance difficult to manage.

 

The new HIPAA/HITECH overlap mandates universal compliance. This makes security simpler and easier to maintain for workers while still ensuring the safety of patient PHI.

 

One solution that is being suggested is the use of “smart cards” which will act as employee identification, a security access token, and authenticator, all in one simple card. This helps to keep the system more regulated because you don’t have to worry about carrying — and potentially losing — multiple cards or remembering long identification numbers.

 

Know Your Compliance
How can you determine if your practice is compliant with both HIPAA and the HITECH Act? You can go over the rules yourself, but these laws are so sweeping and expansive that it’s easy to miss something that could end up costing you thousands of dollars.

 

If you’re still concerned about your current HIPAA and HITECH Act compliance, hiring a professional Privacy Officer can help you evaluate your current practices and ensure that you are checking all the boxes when it comes to meeting your obligations.

 

Changes in Fines


HIPAA fines, until now, have been standard — unfortunately, they often weren’t costly enough to discourage HIPAA violations. Before HITECH was enacted, it was impossible to impose fines of more than $100 for individual offenses or $25,000 for all offenses at the same time.

 

The new overlap has changed the cost of violating the HIPAA or HITECH Act. These offenses are broken into three categories, based on the intent of violation.

 

Violations in the Did Not Know category are the only ones that may still generate a $100 fine. The change here is that the U.S. Department of Health and Human Services now has the option to charge between $100 and $50,000 for each violation, with a total fine of $1.5 million for identical offenses in a calendar year.

 

Reasonable Cause violations will start at $1,000 with the same $1.5 million caps for identical violations.

 

Willful Neglect fines fall into two categories — corrected and not corrected. Fines for corrected Willful Neglect charges will range from $10,000 to $50,000. Fines for not corrected violations start at a minimum $50,000 each.

 

HIPAA and the HITECH Act are both essential tools for ensuring the security of patient health information. Take the time to review alone or with a professional that you are in compliance with both acts so you can continue to serve your patients without the worry of massive fines for privacy violations.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA and Email: there are rules

HIPAA and Email: there are rules | HIPAA Compliance for Medical Practices | Scoop.it

Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions.  Recently, email has become even more accessible with the introduction of the smartphone.  However, leave it to healthcare to throw a curve ball to this cozy relationship.  The fact is, HIPAA and email have long been at odds.

HIPAA Privacy and Security rules are concerned with email and the web in general

Across the board, healthcare providers are increasingly

  • using, or
  • are considering using, or
  • are being asked to use,

email to communicate with patients about their medical conditions.  If you find yourself described here, then it bears repeating that the Internet, and things like an email sent over the Internet, is not secure.  Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by other parties besides the person to whom it is addressed.  And it’s that “possibility” that becomes the area of focus.

HIPAA and email can coexist … it’s a matter of understanding the rules

So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?

Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc.  But what is considered reasonable?  The Office of Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page.  Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

 

What if a patient initiates communications with a provider using email?  The OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

 

Must providers acquiesce to use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

 

The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

 The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email that includes patient health information (PHI);
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want to be shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.