HIPAA Compliance for Medical Practices
76.9K views | +6 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Why Ignoring the Minimum Necessary Standard in HIPAA Could Cost You

Why Ignoring the Minimum Necessary Standard in HIPAA Could Cost You | HIPAA Compliance for Medical Practices | Scoop.it

Does your healthcare organization develop and implement policies and procedures that are appropriate and reflect your organization’s business practices?

Under the HIPAA Minimum Necessary Standard, all covered entities must have policies and procedures that identify who needs access to Protected Health Information (PHI) to perform their job duties, the categories of PHI required, and the conditions where access is justified.

 

For instance, as a hospital, you can allow doctors, surgeons, or others to access a patient’s medical records if they’re involved in the treatment of that patient. If the entire medical history is required, your organization’s policies and procedures must explicitly state so and include a justified reason.

 

As a provider, you also need to take reasonable steps to make sure that no PHI is accidentally available for access. For example, if you’ll be hosting a meeting in your office, then you must ensure that no one from the meeting can access PHI documents accidentally.

How Does The Minimum  Necessary Requirement Work?

As the name implies, under the HIPAA Minimum Necessary Standard, it’s mandatory for covered entities to take reasonable measures to limit the use or disclosure of PHI and requests for PHI, to the minimum necessary needed to achieve the intended goal.

However, it’s important to note that the minimum necessary standard does not apply to:

  • Requests for disclosure by a healthcare provider for treatment purposes  
  • Disclosing information to the patient in question   
  • Uses or disclosures after a patient’s authorization  
  • Uses or disclosures needed to comply with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules  
  • Disclosing PHI to the Department of Health and Human Services (HHS) under the Privacy Rule for reasons of enforcement  
  • Disclosing PHI for use under other laws

The Minimum Necessary Standard of the HIPAA Privacy Rule requires that your covered entity develops and implements policies and procedures that are appropriate for your organization and that reflect your business’ practices and workforce. Only those who need access to PHI should receive access, and even then, the PHI should be restricted to the minimum necessary information needed to perform the job.

Why Does It Matter?

Did you know the healthcare industry is one of the most vulnerable sectors when it comes to cyber-attacks and data theft? If your organization fails to meet the minimum necessary standard, you could face fines of $50,000 or more.     

 

In fact, penalties for HIPAA violations can reach $1,500,000 annually per violation based on the type of breach.  

The largest American health data breach to ever occur took place in January 2015. It exposed the electronic PHI of nearly 79 million people and resulted in Anthem Insurance paying OCR $16 Million!  

The investigation found that Anthem did not perform

enterprise-wide risk analysis and the organization’s procedures did not regularly review information system activity. Anthem also failed to identify and respond to security incidents, and they did not implement proper minimum access controls to prevent the risk of cyber-attacks from stealing sensitive ePHI.

 

Complying with HIPAA’s minimum necessary standard matters if you want to avoid the risk of an expensive fine.

How Can You Comply?

Under HIPAA’s minimum necessary standard, the terms ‘reasonable’ and ‘necessary’ are open to interpretation and left up to the judgment of the covered entity. It’s up to your organization to determine what information should be disclosed and what information needs restricted access.

 

However, to make sure that you’re complying with this requirement, there are some basic steps you should follow:

  1. Prepare a list of all systems that contain PHI and what types of PHI they include.
  2. Establish role-based permissions that restrict access to certain kinds of PHI. All information systems should limit access to certain types of information. For instance, you can limit access to health insurance numbers, Social Security numbers, and medical histories if it’s not necessary for everyone to see that PHI.
  3. Design and implement a policy for sanctions if violations of the minimum necessary standard occur.
  4. Provide proper employee training about the types of information they’re permitted to access and what information is off limits. Be clear about the consequences of obtaining information when not authorized.
  5. Create alerts when possible that notify the compliance team if there’s an unauthorized attempt to access PHI.
  6. Ensure that the minimum necessary rule is being applied to all information shared externally, with third parties and subcontractors. It’s mandatory for covered entities to limit how much PHI is disclosed based on the job duties and the nature of the third party’s business.
  7. Perform annual reviews and periodic audits of permissions and review logs to determine if anyone has knowingly or unknowingly accessed restricted information. Such reviews may also be required when a major incident takes place, such as the treatment of a celebrity in your organization, or if a shooting or newsworthy accident takes place and your organization is involved.
  8. Document all actions taken to address cases of unauthorized access or accessing more information than is necessary and the sanctions that took place as a result.

Adhering to the HIPAA Minimum Necessary Standard is important to protect your organization and your patient relationships. When you take the appropriate steps to comply with HIPAA, you’ll not only have a much better chance of avoiding the risk of a costly data breach, but you’ll also build trust with your patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Is it Time for Your Organization to Hit the HIPAA Breach Panic Button? 

Is it Time for Your Organization to Hit the HIPAA Breach Panic Button?  | HIPAA Compliance for Medical Practices | Scoop.it

Indeed, it is. According to the latest statics from the HHS Office of Civil Rights (OCR), 43% of all reported breaches are now caused by hacking or other related information network discrepancies—not to mention those breaches that are the result of impermissible disclosures made by members of the work force.

 

Let’s face it, breaches will happen, especially those related to information systems. When it comes to breaches, most network security experts say it is “when” and not “if.” Regardless of whether the breach is related to the network or some other means such as lost or stolen devices containing ePHI, what is important is having a process in place to deal with it. This includes the ability to conduct an internal investigation to determine the basics such as how the breach was caused, the type of breach, and how many individuals were affected.

 

The HIPAA Breach Notification Rule states that a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. The exception is when the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

 

So, what is the best way to conduct the breach risk assessment to determine this probability? Start with some type of Breach Notification Risk Assessment Tool which is a decision tree-based process. This will help determine if the breach is reportable. Even if the determination is made that the breach is not reportable, documentation that this assessment was conducted must be maintained.

 

Having a comprehensive breach notification policy is critical. This will save a lot of headaches and layout a process to follow during the period of uncertainty associated with a breach. The policy should state the obvious such as who needs to be notified internally within the organization, who is responsible for conducting the assessment, and what specific notifications need to be made. What is even more important is the actual procedure to implement the policy. Procedures should cover how to undertake the investigation of the breach to cover the who, what, how, and when of the occurrence. If it is a reportable breach, this type of information is required for submitting “Notice of a Breach” to the Secretary of HHS (which technically is delegated to OCR.) When submitting the Notice, one should be prepared to answer a number of questions. This is why it is important that the internal investigation uncover as much information as possible.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

10 Best Practices for HIPAA Compliance 

10 Best Practices for HIPAA Compliance  | HIPAA Compliance for Medical Practices | Scoop.it

A failure to understand HIPAA requirements can be a very costly mistake, as CardioNet learned just a couple months ago. In April, the wireless health services provider agreed to a settlement of $2.5 million for a potential noncompliance with the HIPAA Privacy and Security Rules. (1) The violation occurred when a company laptop containing the ePHI of 1,391 individuals was stolen from an employee’s vehicle parked outside their home. The Office for Civil Rights (OCR)’s investigation revealed that CardioNet had insufficient risk analysis and risk management processes in place at the time of the theft. In addition, the company’s policies and procedures implementing the standards of the HIPAA Security Rule were in draft form and had not been implemented. CardioNet was also unable to produce any final policies or procedures regarding the implementation of safeguards for ePHI, including those for mobile devices. 

 

“Mobile devices in the health care sector remain particularly vulnerable to theft and loss,” said Roger Severino, OCR Director. “Failure to implement mobile device security by Covered Entities and Business Associates puts individuals’ sensitive health information at risk. This disregard for security can result in a serious breach, which affects each individual whose information is left unprotected. 

 

Most HIPAA violations can be prevented by implementing HIPAA regulations into practice policies and procedures and ensuring all individuals with access to patient information receive the proper training. Below are ten best practices for keeping your practice HIPAA compliant.

 

10 Best Practices for HIPAA Compliance

  • Implement safeguards such as password protected authorization and encryption to access patient-specific information on all computers, laptops, and devices.
  • Practices should keep all patient paperwork, charts, and records locked away and safe out of the public's view. Never leave patient information out or unattended.
  • Computer programs containing patient information should be closed and logged out of when not in use. Never share passwords between employees.
  • Ensure all computers have updated anti-virus software installed. This will help keep a practice guarded against malicious software.
  • Limit emailing PHI if the information can be sent another way. When faxing PHI, always use a cover sheet.
  • Always properly dispose of information containing PHI by shredding paper files.
  • Make sure employees are aware that using social media to share patient information is considered a violation of HIPAA law.
  • If patient information is being accessed at home, ensure all home computers and laptops are password protected.
  • Back up all disks that contain PHI. Store patients’ information in a HIPAA compliant cloud server.
  • Compliance training is one of the simplest ways to avoid a violation. Practices should provide ongoing, up-to-date training on the handling of PHI for all employees.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Physicians: Protect Your Data from Hackers in 5 Steps

Physicians: Protect Your Data from Hackers in 5 Steps | HIPAA Compliance for Medical Practices | Scoop.it

According to a recent CNBC report, hackers may have stolen personnel data and Social Security numbers for every single federal employee last December. If true, the cyberattack on federal employee data is far worse than the Obama administration has acknowledged.

J. David Cox, president of the American Federal of Government Employees Union, believes "hackers stole military records and veterans' status information, address, birth date, job and pay history, health insurance, life insurance, and pension information; [as well as] age, gender, race data," according to the report. This would be all that is needed for cybercriminals to steal identities of the employees, divert funds from one account to another, submit fake healthcare claims, and create fake accounts for everything from credit cards to in-store credit card purchases.


Although physicians maintain personal and professional data which is especially valuable to thieves, you are not the federal government. Make it hard enough on cybercriminals, and they will move on for lower-hanging fruit. Readers Digest offers good advice in five simple steps in its article, "Internet Security, How not to Get Hacked":


1. Be aware of what you share.


On Facebook, Twitter, or social media, avoid posting birth dates, graduation years, or your mother's maiden name — info often used to answer security questions to access your accounts online or over the phone.


2. Pick a strong password.


Hackers guess passwords using a computer. The longer your password and the more nonsensical characters it contains, the longer it takes the computer. The idea here is that longer, more complicated passwords could take a computer 1,000 years to guess. Give 'em a challenge


3. Use a two-step password if offered.


Facebook and Gmail have an optional security feature that, once activated, requires you to enter two passwords: your normal password plus a code that the companies text to your phone-to access your account. "The added step is a slight inconvenience that's worth the trouble when the alternative can be getting hacked,"  CNET tech writer Matt Elliot told Readers Digest. To set up the verification on Gmail, click on Account, then Security. On Facebook, log in, click on the down icon next to Home, and then click on Account Setting, Security, and finally Login Approvals.


4. Use Wi-Fi hot spots sparingly.


By now, you probably know that Internet cafés and free hotspots are not secure. You shouldn't be doing your online banking from these spots. However, the little button that turns off your laptops Wi-Fi so that your laptop cannot be accessed remotely is also handy. In Windows, right click on the wireless icon in the taskbar to it off. On a Mac, click the Wi-Fi icon in the menu bar to turn off Wi-Fi.


5. Back up your data.


Hackers can delete years' worth of e-mails, photos, documents, and music from your computer in minutes. Protect your digital files by using a simple and free backup system available on websites such as Crashplan and Dropbox


Take this basic instruction and build on it yourself. Google, for example offers advice expanding on the concept of "stong passwords." The worst thing you can do is use "dictionary words," the word "password," and sequential keystrokes, such as "1234" or "qwerty," because the hacker's computers will try these first. For e-mail, pick a phrase, such as "[m]y friends Tom and Jasmine send me a funny e-mail once a day" and then use numbers and letters to recreate it as a cryptic password. "MfT&Jsmafe1ad."

more...
No comment yet.