HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

The Impact of HIPAA on Email Communications — What You Need to Know Before You Click ‘Send’ 


The recent Sony Pictures hack exposed embarrassing emails, unreleased intellectual property and plenty of passwords, social security numbers and financial data — but it was also a giant HIPAA violation. In addition to unencrypted spreadsheets full of sensitive medical data, the hackers leaked an HR exec’s memo about the special needs and diagnosis of an employee’s child.

While we don’t yet know the cost of Sony’s myriad security failures, the medical details of many Sony employees and their families now exist on the Internet, where they will likely remain available for the foreseeable future.


The Sony hack has taught us plenty of information security lessons, but one of the stickiest is the importance of safeguarding protected health information (PHI). We’ve already written about the reasons Sony should have used client-side email encryption, but HIPAA compliance is yet another compelling reason to encrypt your email messages.

The Need for HIPAA Compliant Email

If you’re new to the world of HIPAA compliant email, the idea of safely sending messages and files to your patients, other health providers and business associates can seem overwhelming at first. While any professional email should be approached with mindfulness of data security and awareness of the threats to your email privacy, from hacking to phishing, businesses that deal with PHI must be extra vigilant to make sure their communications are compliant with HIPAA and HITECH. After all, a HIPAA violation is as easy as accidentally sending an email to the wrong recipient, and can lead to fines of hundreds of thousands of dollars.

While HIPAA compliant email doesn’t need to be rocket science, the stakes facing the medical community are pretty high. Consumers want more and easier access to their personal health data, but have greater demands when it comes to privacy.

Protecting Patient Privacy In the Digital Age

Any organization that handles PHI (known as a “covered entity”), from health providers such as doctors, nurses, chiropractors, pharmacies and nursing homes to businesses that provide health plans like HMOs, company health benefits and government programs like Medicare — as well as all of their business associates — needs to ensure that their email solutions are HIPAA compliant. And it’s not just corporate organizations – state and local governments, universities, and non-profits also fall under HIPAA and must protect PHI.


Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, it seems that the demand for greater digital access to health data is at odds with the HIPAA Privacy Rule, which demands that a patient’s past, present and future PHI be accessible only to authorized recipients. One of the goals of HITECH was to spur adoption of electronic health records (EHRs) for patients and health information exchanges (HIEs) to help doctors share patient data. If your ophthalmologist recently asked you to sign up for an online patient portal, that’s HITECH in action.


But another HITECH provision put many covered entities on notice: where prior to HITECH, $250,000 was the maximum annual penalty for a HIPAA violation, that threshold has moved up to $1.5 million. This presents the medical community with the puzzle of how to increase digital access to data without compromising patient privacy.

The Importance of Encryption in HIPAA Compliant Email

The challenges facing healthcare data security, from data thieves and “hacktivists” targeting hospitals to user error and technology adoption, make HIPAA compliant email more important than ever. But what makes an email HIPAA compliant?


One of the most important steps any business handling PHI should take is enabling email encryption. Encryption uses a complex cipher algorithm to render your data unreadable to anyone without the necessary credentials (or the encryption key). In short, if a cybercriminal cracks into an email you send to a patient or insurance company, they won’t be able to use that data unless they also get ahold of your encryption key.


There are a few options when it comes to email encryption. Many hospitals, healthcare providers and insurance companies deploy portal solutions that use Transport Layer Security (TLS) to encrypt messages. In these scenarios, patients and other providers establish and maintain a separate account for a portal where they can exchange sensitive information. While these solutions do provide for HIPAA compliance, their user experience tends to be clunky and frustrating. At one time or another we’ve all forgotten our username or password and been locked out of our health or financial data.


At the end of the day, employees prefer to use the applications they’re used to — including their email service providers. Newer email encryption solutions are able to integrate with the email service you’re already using to provide a seamless, easy-to-use user experience with powerful client-side encryption.

Juan Carlos Moreno Angulo's curator insight, May 20, 3:57 PM
Before clicking send, do you even think twice about it? What happens when hackers leak sensitive information under the name of famous companies/corporations, as in the case of SONY, is something common? In recent times, the Sony hack showed and taught us plenty of information security lessons, but one of the stickiest is the importance of protecting protected health information (PHI). What this article exposes us to is a violation that is as easy as accidentally sending an email to the wrong recipient, and can lead to fines of a lot of money. While we do not know about the security measures taken by the institutions we put our trust in, there are medical details of many employees and their families on the Internet before you even know, a giant violation of your life. Protecting patient privacy in the digital age can be really hard to do, especially when the world is just a click away from you. However, a positive thing to highlight is that any such organization that handles PHI is known as a “covered entity”, which allows companies to keep track of the user info. Opposite to that, after what happened with the hacking of patients, it seems that organizations demand a greater level of security when accessing health data and more. Moreover, just remember that every message, image and video you send, everything you do, will be recorded and stored in a data collection base.

Anthem data breach triggers phishing email scam

The Nevada attorney general’s office has issued a warning to Nevadans who may have been impacted by the recent Anthem Inc. data breach about a potential phishing e-mail scam targeting current and former members.

Anthem Inc. representatives are not currently calling or e-mailing present or former members about the data breach and do not ask for credit card information or social security numbers by phone or e-mail. The phishing e-mail messages are designed to obtain the recipient’s personal information, and appear to be sent from Anthem Inc.

The body of the email contains a link that purports to offer free credit monitoring services; however, the email has no affiliation with Anthem Inc.

“I urge consumers to be wary of potential e-mail phishing scams, regardless of the source,” said Attorney General Adam Paul Laxalt. “This office will continue to investigate potential scams in an effort to protect Nevada’s consumers.”

Anthem Inc. representatives will only contact current and former members via U.S. Postal Service mail with specific information about how to enroll in credit monitoring.

Anthem Inc. launched a website for current and former members who may have been affected by the breach. It will allow consumers to enroll in two years of free credit reporting and identity theft repair services.

If you receive an email from a sender claiming to be Anthem Inc.:

• Do not click on any links in the e-mail.

• Do not reply to the email or reach out to the sender in any way.

• If you mistakenly click on the link provided, do not supply any information on the website.

• Do not open any attachments to the email.

Before responding to any email requesting personal information, always verify the source by calling a known and trusted phone number for the sender. Most legitimate businesses will not ask for personal information, such as account numbers, Social Security numbers, addresses, mother’s maiden name, PINs or other personal information via email or on a website.

In order to avoid falling victim to phishing scams, only transmit payment or other information through a secure website, which is denoted by the address https:// and a lock icon in the address bar.


Using E-mail at Your Medical Practice: 5 Security Tips


Methods for transferring protected health information (PHI) have been broken for a long time. Even with the advent of EHRs, data exchange methods haven't kept pace with industry expectations for privacy and convenience.

It's time to retire the usual stable of secure alternatives to e-mail, like patient portals, faxes, or snail mail. They're far too burdensome for both practitioner and patient. Like it or not, e-mail is synonymous with accessibility. To deliver the best care possible, it's essential to meet patients on their terms. It's harder than ever to ignore e-mail, just as it's becoming more difficult to embrace it in good conscience.


Most e-mail security solutions focus on simple text, but the real risk comes with files and attachments. That's because sensitive data typically resides in files. Files, in turn, often get duplicated and cached on devices, making them hard to easily track or protect. So when we talk about the risks facing medical practices when it comes to communicating, it's about files—not simple text messages. The question, of course, is where all that leaves most practices.

The key lies with file encryption. Encryption essentially scrambles messages so that they're only legible by intended users. That's why encryption is so often the means through which healthcare providers guarantee HIPAA compliance. Although most secure e-mail tools focus on the body text of an e-mail, that part might not even be necessary to encrypt. After all, the real threat lies in what comes appended to the e-mail. Whether they're voice recordings, digital X-rays, intake forms, or medical bills, it's essential to encrypt the files themselves.


Seeking Solutions


Finding the right solution, though, is another story. E-mail encryption services exist for handling simple text correspondence with patients by scrambling the messages and sending them through a secure connection. But even these have risks. Many HIPAA-compliant e-mail providers are simply adding yet another system to your already disconnected work flows, rather than integrating seamlessly or solving some of the other problems you have, like storing files and auditing access. What's more, they aren't foolproof.


Here are five tips to help practices communicate with patients, other providers and business associates while maintaining airtight security.


1. Look for file encryption. File-level encryption ensures that protections follow the file no matter where it ends up. With built-in authentication controls, file-level encryption also eliminates the threats associated with mistakenly entering the wrong e-mail address.


2. Don't forget about secure file storage. Many encrypted e-mail services that purport to comply with HIPAA destroy messages after a set period of time. The issue, of course, is that practices need to keep detailed records — and the best place for that, in my humble opinion, is the cloud. Which brings us to …


3. The best solutions will integrate seamlessly with other work flows. The cost of inconvenience is too high, because inconvenience often leads users to seek out workarounds that aren't compliant, including popular cloud services like Dropbox. The expensive EHR system you've built or bought then becomes nothing more than an obstacle for staff to circumvent. In some ways, the cloud presents the ideal all-in-one solution, eliminating the need for e-mail attachments by allowing you to store and share links or folders themselves. In those deployments, it's essential to ensure that your Dropbox files are encrypted and HIPAA-compliant. If you have file encryption, you can use e-mail and Dropbox the same way you would in your personal life — just more securely.


4. Many easy-to-use secure providers don't include a safety net for mistakes. We're all familiar with the horror stories and HIPAA fines that have been levied against practices that mistakenly e-mailed lab results to the wrong patient or faxed a form to the wrong number. That's why the best HIPAA-compliant sharing tools will help prevent or create solutions for mistakes by showing just what was attached and offering the ability to revoke access to the wrong recipient. If a file itself is encrypted, access and modification can be audited even if it was mistakenly downloaded.


5. You don't need to encrypt everything. It isn't necessary — and maybe even inappropriate — to treat all information equally. Flexible solutions that allow you to set permissions according to the sensitivity of the information are ideal.


There's no shortage of options for communicating, but many secure e-mail technologies can leave much to be desired. The key in striking a balance between convenience and compliance lies in finding a solution that does the hard work of communicating securely for you. The onus should be on the technology — not the patient or your employees — to strike that balance.



Redefining Healthcare Email & Data Archives in the Age of HIPAA


Information technology has long been an enabler of collaboration and openness in the healthcare industry – but it also adds an additional layer of complexity. And in 2003, the U.S. government’s Health Insurance Portability and Accountability Act (HIPAA) added a new level of complication for how healthcare organizations manage patient information. Yet it’s a double-edged sword. Healthcare IT professionals must devise ways to help workers access patient information faster, safely and securely, while maintaining compliance with HIPAA rules and internal protocols.

There’s a simple reason for that complication: personally identifiable information is extremely valuable. Any breach or act of non-compliance that results in the release of personal medical information can have devastating consequences for both patients and the healthcare organization. As a consequence, the healthcare industry is ramping up its efforts to secure systems to better protect sensitive data, adapt to evolving threats and comply with HIPAA.

The goal posts are moving too. Digital patient records are growing, and organizations need to better manage storage while ensuring continuity and maintaining absolute HIPAA compliance. In addition to front line security measures, healthcare organizations are also tasked with ensuring continuity of operations through the deployment of highly secure disaster recovery and backup strategies.

How Archiving Solutions Can Help

Managing the growing complexity of any healthcare organization’s data, while ensuring and maintaining compliance, is no small feat. Communicating patient data is critical in healthcare environments, and must remain fluid and fast, regardless of the archiving solution in place. It’s also essential that medical staff remain unaffected – access to data and systems should be transparent.

While many healthcare organizations are utilizing secure content collaboration systems like SharePoint to control access to patient data, email is still the primary tool that most healthcare workers use to communicate patient issues, their needs and requirements, as well as a growing list of rich media such as blood work, x-rays, sonograms, etc. Proper data management policies and sophisticated archiving solutions can help healthcare IT administrators manage storage growth and cost, while maintaining absolute compliance, eDiscovery and continuity. Robust email archiving solutions can help because they archive content from any platform – SharePoint, file servers and email servers – by providing a searchable and federated index, continuity and secure, compliant storage.

Furthermore, in the event of a legal dispute, HIPAA requires that all patient information, whether in a file or within the body of an email, must be securely stored and quickly retrievable. Many organizations stockpile this information on expensive storage without proper data rules to find that data fast. The result is a loss in productivity as administrators spend days or weeks searching through data in order to comply with legal orders.

HIPAA Isn’t Simple

Complying with HIPAA doesn’t just happen; it’s an ongoing process best performed by healthcare IT professionals working in concert with their legal and healthcare end users to deliver the right information to give patients the best care possible. Sophisticated platforms such as Exchange can manage all of these tasks from one dedicated interface, but healthcare organizations need to alter how they view patient data on a grassroots level.

1. Set and define internal rules. How long will an email be archived for? A blanket policy is best here. Filtering can always be added at a later date but a core, compliant retention policy is key.

2. Make sure everything can be audited. This also applies to every action carried out by an administrator or dedicated compliance asset – not just end users.

3. Everything must be discoverable. Use advanced content indexing across live data and archived metadata.

4. Learn the official rules. Read the Health Insurance Portability and Accountability Act to understand more about the act, its requirements of healthcare workers and the data they create and access, as well as how it protects patients. While the data storage and accessibility portions are contained in HIPAA’s Title II section, it is helpful to review Title I for information about helping patients to keep their data portable.

5. Access control. Who should be on the list of “super administrators”? Who can create policies, manage retention times?

6. Identify e-discovery requirements. Double check with the legal department – what needs to be stored? How long? What type of content? What about external consultants? What about mobile device usage?

7. Deletion policy. Considering a purge option is not an easy task. Rules change without notice. Think about moving older data to cheaper forms of secure storage media just in case your organization is asked to produce data.

8. Backup. Daily backups are 100% necessary for databases and Exchange. Take a close look at where you can save time and effort by creating solutions that store changes and not simply create full backups.


