HIPAA Compliance for Medical Practices
82.5K views | +10 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA Data Backup Plan and Disaster Recovery Plan

HIPAA Data Backup Plan and Disaster Recovery Plan | HIPAA Compliance for Medical Practices | Scoop.it

The requirements of a HIPAA data backup plan and disaster recovery plans are discussed below.

What are the Requirements of a HIPAA Data Backup Plan?

A HIPAA data backup plan is a component of the administrative safeguards that must be implemented under the HIPAA Security Rule.

 

The data backup plan, which is part of the administrative safeguard requirement to have a contingency plan, consists of establishing and implementing procedures to create and maintain retrievable, exact copies of electronic protected health information (ePHI).

 

Is your organization protected against breaches? Download the free cybersecurity eBook to get tips on how to protect your patient information.

 

Data that is secured and backed up must be capable of being recovered (i.e., must be recoverable or retrievable).

 

The requirement that data be capable of being recovered comes from a related provision of the contingency plan requirement – the disaster recovery plan requirement.

 

Under a disaster recovery plan, a covered entity or business associate establishes (and implements as needed) procedures to restore any loss of data.

What Should I Consider When Developing a HIPAA Data Backup Plan?

When developing a HIPAA data backup plan, covered entities and business associates should consider the nature of the ePHI that must be backed up, including how many identifiers the ePHI has. 

 

The HIPAA Security Officer should make an inventory of all sources of data, to determine the nature and type of ePHI an organization stores.

 

There are many potential sources of ePHI. These include, among others, patient accounting systems, electronic medical records, health maintenance and case management information, digital recordings of diagnostic images, electronic test results, and any other electronic documents created or used.

Where Should I Store Backup Copies of Data?

There are two types of backup storage organizations should use:

 

Backup #1 (Local Storage Backup): The first kind of backup (Backup #1) you should use is backup through a local, onsite appliance. In this kind of data backup, backup data is stored on a local storage device (appliance), such as a hard disc, CD, or hard drive.

Backup #2 (Offsite Backup): The second kind of backup is offsite backup. Offsite backup consists of either backing up data to the cloud, or storing backup data at an offsite facility. Storing backup data with a HIPAA compliant cloud provider allows an organization to easily retrieve information from the cloud.

 

With cloud storage, backup data can be retrieved at any time. Storing backup data at an offsite facility (a physical location other than your worksite) allows recovery of backup data if backup data stored locally, onsite, is destroyed or damaged because the premises themselves have been damaged to emergencies such as earthquakes and floods. 

What is the Difference Between a HIPAA Data Backup Plan and a Disaster Recovery Plan?

The difference between backups and disaster recovery is a matter of scope. Backing up data refers to backing up actual copies of data.

 

A backup plan does not take disaster response into account. A disaster recovery (DR) plan, in contrast, is a strategy for disaster event response, which response includes deployment of the backups – in other words, putting the backups into action.

What Steps Does the Disaster Planning Process Consist of?

There are four essential steps to complete in the disaster recovery planning process. These are discussed in turn.

 

Step 1: Performing a Business Impact Analysis (BIA)

 

A business impact analysis (BIA) is a thorough assessment and inventorying of an organization’s virtual environment.

 

In this process, the organization must take into account the volume and type of data that is being managed; where the data is being stored; how much in terms of resources and time must be expended to restore access to different types of data; and how critical each type of data is to business operations.

 

The more vital the data is to the business’s ability to function, the higher that data’s priority of restoration, and resource allocation, should be.

 

Step 2: Performing a Risk Assessment

 

Conducting a risk assessment consists of running and evaluating hypothetical external situations that can hurt your business. External situations that can damage your business include natural disasters, such as hurricanes and blizzards.

 

External situations also include man-made events, such as active shooter situations and acts of terror. 

 

When conducting the risk assessment, an organization should consider all potential external incident types, and the likelihood of their occurrence.

 

The organization should also consider the nature and severity of the impact each incident may have on the organization’s ability to continue normal operations.

 

It is necessary to consider all the possible incident types, as well as the impact each may have on the organization’s ability to continue to deliver its normal business services.

 

In preparing the risk assessment, organizations should review all records and sources of information at their disposal to assess the threat posed by each instance. Records and sources of information can include, for example:

  • Employee recollection of prior disruptive events and how they affected business operations;
  • First-responder organizations advice; and
  • Disaster recovery resource libraries from government agencies, such as the Federal Emergency Management Agency (FEMA).

 

Step 3: Create a Risk Management Strategy

 

Once you have identified data processes and the business impacts of disruptions to them, combined with likelihood of a given disaster taking place, you should develop a risk mitigation strategy. This strategy should provide for specific backup solutions and disaster recovery procedures for critical data.

 

Factors to consider in developing a strategy (among others) include legal factors (laws may restrict where data can be stored); recovery point objectives (RPOs), which measure how much data an organization can afford to lose as the result of a disaster; and recovery time objectives (RTOs), which are metrics that calculate how quickly an organization needs to recover IT services and infrastructure after a disaster to maintain business continuity. 

 

Step 4: Configure and Run Testing Exercises on Your Disaster Recovery Plan

 

Once the risk management strategy is in place, you must engage in testing scenarios to ensure that strategy is properly configured. Testing exercises can differ in complexity.

 

The goal of any testing exercise is to ensure that data has been backed up in accordance with your recovery point objectives, and to ensure that the strategy actually works.

 

Once testing has confirmed that the risk management strategy is sound, the strategy is “ready to use.” Bear in mind, however, that testing should not be conducted only before strategy rollout.

 

Testing should be performed continuously – especially after an incident occurs. This way, you can refine and make changes to the strategy you deploy.

 

Data backup plans and disaster recovery plans are required under the HIPAA Security Rule. Implementing robust backup and disaster recovery plans can help keep your business running smoothly and securely. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

mark's curator insight, May 3, 10:44 AM
Oxy Best Pharmacy, ship and do home delivery World Wide

BUY VYVANSE ONLINE, can be a smart move. It saves you money many times, as you remove the cost of a physical retailer. Online prices for medications are almost always lower, and when it comes to medications you require, any savings you can get can really help. You’ll often have to buy these medications regularly, and those costs can really add up. So buying online gives you an opportunity to save a little time for you to buy will add up to substantial savings in time as you buy from home you need not take a drive to a pharmacy. If you want to buy Vyvanse online, then you’ve come to the right place visit Our Shop Page. To buy this medication from us you do not need a prescription and also it will be good if you have one as it will be way easy to make delivery without doing much on security. We’ll get the drug to you quickly, safely and you will pay online prices that easily beat out what you would pay at a physical pharmacy.

Why Us?

Payment methods: We take Western Union Money Gram, Bitcoin, Cashapp, and Zelle Payments. Order your medications from the best online pharmacy in the USA Here.

WE OFFER MONEY BACK GUARANTEE TO EVERYONE PURCHASING MEDICINES FROM US YOU CAN LOOK AT SOME FEW QUESTIONS THAT HAVE BEEN ANSWERED TO BACK THIS POINT HERE

If your package is not delivered to you because of our error, we will offer you a reshipment. We will ship a similar request for nothing out of your pocket. Inform us quickly in that regard so we solve the issue.

Buy Vyvanse Online HERE Now and have it delivered right at your doorsteps. Oxy Best Pharmacy is the best and secure place to order painkillers online. Customer satisfaction is our highest priority, and we never fail to exceed the customer’s expectations! Contact Oxy Best Pharmacy today for all of your meds. Order Vyvanse and other highly controlled pills like BOTOXMORPHINECODEINEDIAZEPAM DILAUDIDSUBUTEXFENTANYL PATCHESXANAXNEUROBLOCOXYCODONEOXYCONTINOPANAROXICODONESUBOXONEOXYNORM AND RITALIN Online without Prescription. You are always welcome to our pharmacy at any time to enjoy from our best online services feel free to contact our pharmacy HERE

 

 

Scoop.it!

Protecting PHI: Managing HIPAA Risk with Outside Consultants

Protecting PHI: Managing HIPAA Risk with Outside Consultants | HIPAA Compliance for Medical Practices | Scoop.it

The rising complexity of healthcare, particularly as it relates to providers’ growing technical needs, is increasingly prompting healthcare organizations to seek the help of outside consultants. In engagements with healthcare entities, thought IT consultants try to minimize interaction with patient data, they often have access to protected health information (PHI). When working with HIPAA Covered Entities, consultants are treated as “business associates” and are required to comply with Privacy Rules designed to protect PHI.

Managing HIPAA compliance when engaging outside consultants requires that consultants enter into a Business Associate Agreement (BAA). The BAA must:

  • Describe the permitted and required uses of PHI by the business associate in the context of their role
  • Provide that the business associate will not use or further disclose the PHI, other than as permitted or required by the contract or by law
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI, other than as provided for by the contract

Here are several best practices to follow to ensure the protection of PHI in consulting arrangements.

 

FTE Mentality

During the contract period, the expectation is that consultants act as if they were an employee of the hospital or provider organization and therefore treat PHI in this manner. It is important to know that consultant business associates could be held liable or equally responsible for a PHI data breach in the same way a full-time employee could be.

 

Role-Based Access Rules

Limit access to PHI based on role to ensure that only the parties that need PHI have access to it. An IT strategist, for example, does not need to see live patient data. Associates leading implementation projects, on the other hand, may need access to live PHI. Typically, this occurs late in the implementation process, when the time comes to test a system with live, identifiable patient data.

 

Safeguard Access Points

If a hospital wants a consultant to have regular access to PHI, it would be preferable that the hospital provides the consultant with a computer or device with appropriate access authorizations and restrictions in place. Avoid the use of personal devices whenever possible. Make sure that only approved and authorized devices can be used inside the firewall and require multi-factor authentication during log-in. Avoid inappropriate access to PHI by way of shared or public data access points. Don’t allow private access to PHI where others could intervene.

 

Keep it Local

Don’t take PHI away from the source of use. Consultants should avoid storing PHI on personal devices, including smart phones, which are particularly susceptible to theft and loss. Devices used to store or access PHI must be registered. Best practices often include controls giving IT staff advance permission to remotely wipe or lock a stolen registered device. Avoid leaving registered devices in cars or unprotected areas.

 

Paper-based reports also pose threat of PHI leak. Documents you take home over the weekend, for example, could be accessed by family members, lost, or stolen. Electronic, paper, verbal and image-based PHI should all be confidently secured. Of course the regulations also relate to visual and verbal protections. When accessing PHI avoid allowing others to view your screen over your shoulder. When discussing PHI make sure only those who need to know and have appropriate authority can hear the conversation.

 

The healthcare industry is making great strides in establishing digital infrastructure, much of which is cloud-based, putting new onus on providers and their business partners to ensure the security of that information. No one wants to make headlines for the latest data breach, least of all the IT consultants hired by providers to help guide their data management efforts. Rigorous attention to HIPAA Privacy Rule guidelines is not only required – it’s imperative to maintaining trust in the healthcare ecosystem.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

HIPAA Compliance And Data Protection 

HIPAA Compliance And Data Protection  | HIPAA Compliance for Medical Practices | Scoop.it

Patient privacy has become a major topic of concern over the past couple of years. With the majority of patient information being transferred over to digital format, to improve the convenience, efficiency and cost of storing the data, organizations expose themselves to risks.

 

Virtually all healthcare organizations in the United States are affected by HIPAA standards. This act applies to any health care provider, health plan or clearinghouse that electronically maintains or transmits health information pertaining to patients. 

HIPAA was designed to reduce the administrative costs of healthcare, to promote the confidentiality and portability of patient records, to develop standards for consistency in the health care industry, and to provide incentive for electronic communications.  With these standards in place, organizations can better protect their systems and patients can feel confident that their personal medical information will remain private.

 

Without exception, all healthcare providers and organizations must have data security standards in place according to the Standards for the Security of Electronic Protected Health Information rules (the “Security Rule”) of HIPAA. The Security Rule requires health care providers to put in place certain administrative, physical and technical safeguards for electronic patient data including a Data Backup Plan, a Disaster Recovery Plan, and an Emergency Mode Operation Plan.

 

HIPAA security standards will also require your organization to appoint someone as the security manager. This person will act as the only designated individual in charge of the security management process and will have access to the data, preventing unauthorized access or corruption.

 

It is important to choose a data protection solution that ensures all electronic protected health information (EPHI) is fully protected when it is backed up and stored. The most important consideration relates to assurances of data consistency which can be achieved with autonomic healing and integrity checks. The solution should encrypt all information (minimum AES 256 encryption) before transfer to the service providers SSAE 16 certified data facilities.

 

For healthcare providers and managed service providers – how are you addressing the requirements of HIPAA for you business, patients and customers? How does cloud backup address the requirements of HIPPA compliance? Please comment below to start the conversation. 

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

No comment yet.
Scoop.it!

How To Prevent A Natural Disaster From Becoming A HIPAA Disaster

How To Prevent A Natural Disaster From Becoming A HIPAA Disaster | HIPAA Compliance for Medical Practices | Scoop.it

Over the past few years, many natural disasters have hit the United States that have had direct impacts on healthcare organizations such as the direct hit on the hospital by a tornado in Joplin, Missouri or flooding that leaked into a hospital in Duluth, Minnesota. What about a loss of power to an organization or bad network connection? Healthcare has also seen a drastic increase in the number of ransomware attacks, which block an organization’s ability to access patient data. When disasters happen and impact access to patient information, it is easy for the healthcare organization to panic and not know what to do. We all know how vital it is to treat patients with the most up to date and current information so planning becomes essential to prepare your organization for disasters and emergencies.

 

The HIPAA Security Rule requires that healthcare organizations create a contingency plan to follow in the event of a disaster or loss of access to protected health information. Under the HIPAA Security Requirement, a contingency plan should consist of the following:

  1. Data backup plan (for all systems with protected health information)
    • Document the process in which your data is being backed up. Include the location of the backup, process for backup, and frequency of back up. If you are using a third party vendor to backup data, an organization should have a process to ensure successful data backups and define a process for failed backups.
  2. Disaster recovery plan
    • Once the emergency situation is over, the disaster recovery plan defines the steps the organization must take to restore data and systems to original operating status. This will include information on what information must be added back into the system and the specific order of data to be restored.
  3. Emergency mode operations
    • Define process to ensure that critical business functions occur when the emergency is happening and information is unavailable. This includes information on how data may be accessed, how data will be documented with system unavailability, what additional security measures will be used, whom to contact and when, and how the organization will function to provide patient care. The emergency mode operations may look different depending on the disaster.
  4. Testing and revision procedures
    • The contingency plan should be regularly tested and the appropriate updates made. The revised contingency plan should be provided to the appropriate people within the organization.
  5. Applications and data criticality analysis
    • Create a list of each of the different systems that house protected health information within the organization and rank the criticality (importance) to the organization. Your output for this step is a listing of every software application that has PHI and the importance to the daily operations of your organization. The goal of this step is to understand the data and know what systems are more critical to get up and running over others.

 

The other big task with a contingency plan is to train the workforce. Your workforce should know and understand the processes in the event that the information becomes unavailable or your network is blocked off by a hacker. Workforce members should feel confident and comfortable with the process of working in emergency mode and having access to minimal, if not no information.

A contingency plan doesn’t have to be complex, but it should be written. In a recent discussion with a Senior Underwriter for Cybersecurity Insurance, he stated that he asks for the organization emergency preparedness plan when assessing and processing a cybersecurity insurance quote.

Don’t assume nothing will happen to your organization. Some plan is better than no plan so start having the conversation and creating the processes now. Also, make sure you take time to test the process to ensure that it works effectively for your organization. You want to feel confident regarding your plan so that if the unthinkable happens, you are prepared.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

5 Common HIPAA Mistakes

5 Common HIPAA Mistakes | HIPAA Compliance for Medical Practices | Scoop.it

Now more than ever, HIPAA compliance is a must. It’s hard to believe, but HIPAA violations can soar to over several million dollars and can even include jail time! We know HIPAA can be confusing. The devil’s in the details – there are a lot of rules to follow, which means a lot of mistakes you can make! While we can’t cover them all, this list of 5 common HIPAA mistakes and ways you can prevent them is a smart place to begin.

1. Lost or Stolen Devices

In January 2012, Pennsylvania –based CardioNet reported to HHS’ Office for Civil Rights (OCR) that a workforce member’s laptop was stolen from a parked vehicle outside of the employee’s home. The laptop contained the ePHI of 1,391 individuals. The outcome? A crippling 2.5 million dollar settlement.¹

Mobile devices like mobile phones and laptops or tablets are particularly vulnerable to theft and loss due to their size and – well – their ease of mobility! When covered entities and business associates don’t implement mobile device security, people’s sensitive health information is put at risk. Ignoring security can result in a serious breach, which affects each individual whose information is left unprotected.

What can you do today to safeguard your devices? Here’s what the U.S. Department of Health and Human Services recommends:

  • Use a password or other user authentication
  • Install and enable encryption
  • Install and activate remote wiping and/or remote disabling
  • Disable and do not install or use file sharing applications
  • Install and enable a firewall
  • Install and enable security software
  • Keep your security software up to date
  • Research mobile applications (apps) before downloading
  • Maintain physical control
  • Use adequate security to send or receive health information over public Wi-Fi networks

2. Hacking

Getting hacked is something we all fear, and for good reason. It seems like a new hacking technique is born every day. You’ve heard of some – phishing, viruses, ransomware – and maybe not of others – Fake WAP, Waterhole attacks. Hacking can happen to anyone, any time, any place, any… Let’s just say it’s serious business.

Check out this statistic on ransomware, specifically: A recent report from a U.S. Government interagency shows that, on average, there have been 4,000 daily ransomware attacks since early 2016. That’s a whopping 300% increase over the 1,000 daily ransomware attacks reported in 2015.²

What to do? Use these high-level tips as first steps:

  • Conduct a full risk assessment to discover all security vulnerabilities
  • Use strong passwords and two-factor authentication.
    • Read our “Creating and Managing Passwords” blog article for more info
  • Install all software patches promptly and ensure databases are up-to-date
  • Keep anti-virus definitions updated
  • Scan for viruses regularly
  • Check out this article for more info on ransomware: “WannaCry Ransomware Protection with HIPAA“

3. Employee Dishonesty

In 2012, the owner of a Long Island Medical Supply company was found guilty of $10.7 million dollars of Medicare fraud and HIPAA Violations. She was sentenced to 12 years in prison and fined $1.3 million dollars.

Employees accessing patient information when they are not authorized is a common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for another person, unauthorized access is illegal and can cost an organization substantial amounts. Also, people that use or sell PHI for personal gain can be subject to fines and even prison time. Staff members that gossip about patients to friends or coworkers is also a HIPAA violation that can result in a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients/clients to private places, and avoid sharing any patient information with anyone else.

Take a look at these ideas for keeping staff compliant:

  • Establish and enforce sanction policies
  • Train and retrain staff on HIPAA
  • Monitor employee compliance:
    • Check work areas for obvious violations
    • Listen for any discussion in the workplace that includes PHI

4. Improper Disposal

In 2009, CVS paid $2.25 million to settle a violation of throwing pill bottles containing patient names, addresses, medications and personal information into open dumpsters.

HIPAA requires that you protect the privacy of PHI in any form when disposing of information (45 CFR 164.530(c)). This not only includes tangible documents like x-ray films or patient charts, but also electronic media like old laptops or external drives.

The U.S. Department of Health and Human Services has defined these proper disposal methods:

  • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  • Maintaining labeled prescription bottles and other PHI in opaque bags in a secure area and using a disposal vendor who is a business associate to pick up and shred or otherwise destroy the PHI.
  • For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).
  • Further, covered entities, business associates and subcontractor BAs must ensure that their workforce members receive training on and follow the disposal policies and procedures of the organization, as necessary and appropriate for each workforce member. See 45 CFR 164.306(a)(4), 164.308(a)(5), and 164.530(b) and (i). Therefore, any workforce member involved in disposing of PHI, or who supervises others who dispose of PHI, must receive training on disposal. This includes any volunteers. See 45 CFR 160.103 (definition of “workforce”).⁴

5. Third-Party Disclosure

North Memorial Health Care of Minnesota paid a fine of $1.5 million to settle HIPAA violation charges in 2011 after a business associate was given access to ePHI before a signed copy of a HIPAA-compliant Business Associate Agreement (BAA) was obtained.⁵

Under HIPAA law, covered entities must have a signed BAA from any vendor that provides functions, activities or services for or on behalf of a covered entity that has access to patient ePHI. A signed copy of the BAA must be obtained before access to patient health data is provided. The BAA must outline the responsibilities the business associate has to ensure PHI is protected and is not disclosed to any unauthorized parties.

Remember, your business associates’ HIPAA shortcomings impact you! Period.

Be sure to:

  • Establish who your Business Associates are, considering their subcontractors and your own contractors. (Read our own “Preparing Contractors for HIPAA Compliance” blog)
  • Obtain a Business Associate Agreement before your BA has access to any client/ patient health data
  • Ask for verification of HIPAA compliance for each and every BA, including their subcontractors
  • Read some of the previous articles we’ve written about Business Associates for smart ways on working with them:
    • “Auditing Business Associates”
    • “Business Associates Must Take HIPAA Compliance Seriously“
Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

Data Encryption Is Key for Protecting Patient Data

Data Encryption Is Key for Protecting Patient Data | HIPAA Compliance for Medical Practices | Scoop.it

According to the HIPAA Final Omnibus Rule, section 164.304 sets forth the following definition: "Encryption means the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key." Although encryption is considered an "addressable" issue, and not "required" or "standard," it really should be accounted for as "required." But why? Encrypting mobile devices, laptops, hard drives, servers, and electronic media (e.g., UBS drives and CD-ROMs) can prevent the practice from paying a large fine for a HIPAA breach.

As a reminder, both Concentra and QCA Health Plan paid over $2 million in combined fines to the Department of Health and Human Services, Office for Civil Rights. The "investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (PHI) was a critical risk," the Office for Civil Rights said. "While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR's investigation further found Concentra had insufficient security-management processes in place to safeguard patient information."

The problems with not encrypting data and failing to conform to the other requirements associated with HIPAA and the HITECH Act can have further reaching consequences. According to a recent article by Absolute Software, "Protected health information is becoming increasingly attractive to cybercriminals with health records fetching more than credit card information on the black market. According to Forrester, a single health record can sell for $20 on the black market while a complete patient dossier with driver's license, health insurance information, and other sensitive data can sell for $500."

Any physician who has had their DEA number compromised or been involved in a government investigation involving Medicare fraud knows firsthand about the importance of implementing adequate security measures and internal audits. Investing in encryption is one way to mitigate financial, reputational, and legal liability.


Justin Boersma's curator insight, March 27, 2015 7:28 AM

Data encryption is vital in the protection of private consumer data collected by companies, especially medical records. Innovation in data encryption is required to prevent breaches of sensitive information as The Information Age grows in the coming years.