HIPAA Compliance for Medical Practices
75.3K views | +2 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Understanding the HIPAA Security Rule: HIPAA Physical Safeguards

Understanding the HIPAA Security Rule: HIPAA Physical Safeguards | HIPAA Compliance for Medical Practices | Scoop.it

While HIPAA covers a broad scope of healthcare related items, its Security Rule specifically sets forth standards concerning the safety of electronic Protected Health Information or ePHI. Furthermore, the Security Rule can be broken down into three keys areas of implementation: Physical Safeguards, Technical Safeguards, and Administrative Safeguards. In Part I of this blog series we will discuss the basics regarding HIPAA Physical Safeguards, or Section 164.310 of the Security Rule, and how they relate to ePHI (electronic Protected Health Information).

 

The Department of Health and Human Services defines HIPAA Physical Safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings from natural and environmental hazards, and unauthorized intrusion”. In short, a covered entity must have physical protocols in place to protect is ePHI from disaster and/or theft.

HIPAA Physical Safeguards can be broken down into the following standards:

  • Facility Access ControlThis standard requires covered entities to implement policies and procedures to limit physical access to information systems and the facilities in which they are stored. Proper authorization to access these systems should also be ensured. The Facility Access Control Standard also requires the following implementations:
    • Contingency Operations
    • Facility Security Plan
    • Access Control and Validation Procedures
    • Maintenance Records

 

  • Workstation Use: A workstation is defined as an electronic computing device and any electronic media stored in its immediate environment. According to this standard, covered entities must implement policies and procedures surrounding the functions and physical attributes of any workstation that can access ePHI. The importance of these policies and procedures is to limit exposure to viruses, compromisation of information systems, and breaches of confidential information.

 

  • Workstation Security: This standard differs from Workstation Use in that it refers specifically to how workstations are to be physically protected from unauthorized users. Under this standard, converted entities must implement physical safeguards for all workstations that access ePHI to restrict unauthorized users. Essentially, a covered entity must take precautions - such as locked doors/equipment – to prevent non-employees from physically accessing a workstation.

 

  • Device and Media Controls: Device and Media controls refer to electronic media- meaning electronic storage media devices in computers (hard drives) and any removable/transportable digital memory medium such as tapes, disks, or digital memory cards. The purpose of this standard is to have policies and procedures in place to govern the receipt and removal of hardware and electronic media that contains ePHI, into and out of a facility, and the movement of these items within the facility. Covered entities must be able to account for all ePHI as it is moved between electronic devices. They must be able to account for this ePHI, even if it is disposed of. This standard is broken down into the following implementations:
    • Disposal
    • Media Re-Use
    • Accountability
    • Data Backup and Storage

In order to comply with these standards related to HIPAA Physical Safeguards, here are some examples of basic practices that any covered entity can apply to its medical practice:

  • Keep access to any device that stores or processes ePHI restricted to authorized personnel only. Avoid having these devices in areas that can easily be accessed by patients or visitors.
  • Ensure that ePHI is disposed of properly. Hard drives and any other devices that store patient information must be destroyed in the proper manner, and a certificate of disposal should be obtained and kept as a record.
  • Keep an inventory of all devices in the office that store or process ePHI. Additionally, note down which staff have accesses to these devices and what roles they play in processing ePHI.

 

These are examples of general steps that will help covered entities comply with HIPAA.   It is important that the annual mandatory HIPAA risk assessments be comprehensive and should review all physical safeguards at your location, pinpoint specific vulnerabilities and determine the corresponding action items and additional physical safeguards that may need to be implemented.

In summary, the Physical Safeguards standard of the HIPAA Security Rule sets forth a comprehensive framework regarding the physical protection of ePHI. As covered entities continue to modernize and move away from traditional paper-based records keeping, they will need to keep these standards in mind for the privacy of their patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

Staff Nurse Faces Jail Time for HIPAA Violations

Staff Nurse Faces Jail Time for HIPAA Violations | HIPAA Compliance for Medical Practices | Scoop.it

Her breach of a patient's privacy jeopardized the clinic from which she was subsequently fired.

 

What began as routine file maintenance ended in arrest and possible jail time for a licensed practical nurse who shared a patient's medical information with her spouse.

 

Ms. A, 29, had been employed by a midsize regional clinic for five years. While she enjoyed her job and got on well with her supervisor, Dr. P, she was known to bemoan what she saw as low pay and the financial strain it created for herself and her husband. That strain intensified when her husband was in an auto accident and then sued by people in the other car seeking compensation for their injuries.

 

One day, as Ms. A was flipping through charts to straighten up the files, she saw the plaintiff's name. Reading the chart with great interest, she jotted some notes, stuck them in her bag, and replaced the file. That night, as her husband complained about the impending lawsuit and its potential financial consequences, Ms. A smiled and reached into her bag for the notes she'd taken earlier. “I think this will help,” she said.

 

The next day, Mr. A phoned the patient. During the conversation, he made it known that he had medical information which he believed weakened the man's case. Mr. A suggested that he consider dropping the lawsuit.

 

After hanging up with Mr. A, the patient made two phone calls. First he called the clinic where Ms. A worked. Then he called the district attorney.

 

The next morning, Ms. A was summarily fired. “You may very well have put this whole clinic in jeopardy,” Dr. P told her.

 

After Ms. A left the building, Dr. P called a meeting of all the nurses, physician assistants, and support staff and explained why Ms. A had been fired. Outlining the laws on patient privacy, he informed them that no breach of these laws would be tolerated under any circumstances.

 

Meanwhile, Ms. A's problems were just beginning. The district attorney forwarded the patient's complaint to a federal prosecutor, and within a month, both Ms. A and her husband were indicted. Ms. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering. The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. Ms. A pleaded guilty to one count of wrongful disclosure of individual health information for personal gain. In exchange for her plea, the charges against her husband were dismissed.

 

Ms. A is awaiting sentencing. She faces up to 10 years in prison, a fine of as much as $250,000, and up to three years of supervised probation. The state nursing board is seeking to revoke her license.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Beyond HIPAA Risk Assessments: Added Measures for Avoiding PHI Breaches

Beyond HIPAA Risk Assessments: Added Measures for Avoiding PHI Breaches | HIPAA Compliance for Medical Practices | Scoop.it

Last year, several high profile security incidents occurred at healthcare organizations where a HIPAA Risk Assessment (HSRA) had previously been conducted. This should provoke some pointed questions: Was the HSRA comprehensive enough? Was the remediation plan implemented correctly and in a timely manner? Was an ongoing process of risk management adopted? In this webinar, attendees will learn why HSRA's are a necessary but not sufficient part of maintaining the security of protected health information (PHI).

  • What qualifies as a comprehensive HIPAA risk analysis?;
  • Learn why HIPAA Risk Assessments are necessary but not sufficient;
  • What are the elements of an ongoing security risk management program?
  • What else can be done to lower the risk of hacking incidents?.
Background

HIPAA Risk Assessments are a valuable component of a healthcare organization's information security program. They fulfill a mandatory requirement of the HIPAA Security Rule, Omnibus Rule, and where applicable, the EHR Meaningful Use Incentive Program. Compliance, however, is not synonymous with security.

The purpose of an HSRA is to identify threats and vulnerabilities. But without a comprehensive remediation and ongoing risk management plan, the HSRA itself is of little value. Further, many HSRA's are too limited in scope, focusing only on policies or "low-hanging" fruit while ignoring more critical and complex risks.

From 2010-2013, the vast majority of breaches of PHI resulted from lost or stolen portable devices. In 2014, the landscape changed. Hackers went on the attack, attracted by high value of data stores of PHI. Millions of health records were stolen. Hackers typically exploit vulnerabilities in the network infrastructure or in web applications. In addition, individual credentials are often compromised through "phishing" email attacks. Were these risks identified in your HSRA?


more...
No comment yet.
Scoop.it!

Five Steps to HIPAA Compliance for a Doctor's Office

Five Steps to HIPAA Compliance for a Doctor's Office | HIPAA Compliance for Medical Practices | Scoop.it

Why do you, as a doctor, dentist or any other medical provider, need to comply with HIPAA? HIPAA, the Health Insurance Portability and Accountability Act, was enacted by the US government to not only protect patient confidentiality and privacy but also to ensure that doctors and other medical practices protect their data to prevent unauthorized persons and criminals from getting access to patients' confidential, private and financial information.

 

Patient health records called PHI (Protected Health Information) are a valuable commodity for criminals and sell for high prices in the black market.   Medical professionals must therefore strictly abide by HIPAA rules in order to avoid monetary fines, damage to their reputation, loss of their license(s), and even imprisonment. Over the last few years, we have been hearing of multiple instances of doctors, nurses and healthcare workers being jailed or fined hefty sums for HIPAA violations. The Office of Civil Rights (OCR) has concentrated on education and outreach and has also focused on enforcement of HIPAA law especially when a healthcare organization suffers a breach or is in violation of HIPAA law.

 

Professionals in the medical field have the moral and ethical responsibility to abide by laws that govern them and to provide the utmost care, which includes protecting the health information of each and every patient. This requires the ability to make logical decisions minute by minute, plus a great deal of patience, professionalism, and high standards related to HIPAA compliance to ensure protection of ALL health information… which includes the following steps:

 

1. Exercise Privacy in Your Office Everywhere

  • Give patients the privacy they deserve in your office whether it’s in the lobby or their patient room.
  • Minimize references to patients; it is best to call patients by first or last name only when directing them to their patient room.
  • Allow for a quiet, private space when talking with patients individually so only those intended for the information are the ones who hear it.
  • Never leave patient documents/files unattended or unsecured.
  • Always knock before entering patient rooms.
  • While accessing electronic PHI (ePHI), make sure that no unauthorized person can see the data on your screen or device.
  • Continuously enforce this culture of privacy with your staff.

2. Post Notice of Privacy Practices

  • Print notice of privacy practices and place it in a common and clearly visible area in your office, so that patients are openly provided with the privacy laws and information that strives to keep their care confidential.
  • If you have a website for your practice, then be sure to post a copy of the Notice of Privacy Practices prominently on your website.
  • Keep copies of the Notice of Privacy Practices available in case any of your patients asks for a copy.

3. Maintain and Follow Written Policies and Procedures

  • Develop a written policies and procedures manual for everyone in your practice to follow, to ensure patient privacy and security. The manual should also contain forms, notices, disclosures and step-by-step procedures for patient privacy notification and overall HIPAA compliance.
  • Your policies and procedures should be accessible to all staff.  Get attestations from your staff that they have read and will abide by your written policies and procedures.
  • Review your policies and procedures annually to ensure that they are still current, and review them with your staff every year after this review.
  • Review, and if needed update, your policies and procedures whenever there is a major change in your practice, for instance, a change in your EHR or key software used like anti-virus, data backup service or anything similar.

4. Train Your Team on HIPAA Do’s and Don’ts

  • Ensure that your employees go through HIPAA training every year.
  • Your employees should sign and acknowledge their awareness of these HIPAA policies and procedures.
  • Document training dates and employee names as proof that all your employees have been trained.
  • All healthcare providers - doctors, nurses, and all staff - should undergo annual HIPAA training.
  • Ensure that your Business Associates also undergo annual HIPAA training.

5. Conduct the Mandatory Annual HIPAA Security Risk Assessment

  • This mandatory HIPAA security risk assessment should be completed in order to analyze risks within the practice. Typically, a security risk assessment will check your office for compliance with the HIPAA Security Rule and the HIPAA Privacy Rule.   Your security risk assessment would involve reviewing in detail your technical safeguards, physical safeguards and administrative safeguards which are all key elements of the HIPAA Security Rule.
  • You can either do this annual assessment internally or hire a HIPAA expert to perform the assessment.
  • If any evaluated areas require remediation or follow-up, plans of action will have to be developed with timelines to address them.
  • Be sure to address your follow-up action items within a reasonable period of time.  About 3-4 months is often considered a reasonable time for most doctors' offices.  For instance, if you are using a straight-cut shredder, your report might ask you to procure a cross-cut shredder or shredding service to make your document disposal process more secure.
  • Know where your patients' Protected Health Information is - where it is stored on your EHR, where your data backups are kept, on which employees you or your employees store any PHI, where printed versions of PHI may be kept.
  • If you don't already have Business Associate Agreements with your vendors, you should arrange to get them immediately.  These are important legal documents where you can specify the roles and responsibilities of your vendors or business associates when it comes to handle your patients' protected health information that you are ultimately responsible for.
  • While disposing of anything that has PHI on it - in any format - use secure disposal techniques. Your security consultant can guide you on how to securely dispose of PHI on different media. 
  • Some of the action items may be very technical, for instance, it may recommend that you implement secure email or encrypt your storage devices, or that you may need to get a vulnerability assessment done. Your IT vendor or security vendor should be able to guide you in these situations.

 

Ultimately, medical facilities that do not stray from complying with current rules and laws that govern their care and practice will continue to have the best reputation and the best rapport with their patients. Enforcing the highest level of HIPAA compliance within your facility means that you understand the importance of protecting health information and providing continuity of care across the medical spectrum to provide the best care outcomes for each and every patient in every way possible.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Top Tips on Conducting a HIPAA Risk Assessment

Top Tips on Conducting a HIPAA Risk Assessment | HIPAA Compliance for Medical Practices | Scoop.it

A HIPAA risk assessment is essential for all covered entities (CEs). Ideally, organizations conduct such an analysis before the Office for Civil Rights (OCR) comes knocking on their door. That way, CEs learn about potential weak spots in their security systems and can make the necessary adjustments to strengthen them.


HealthITSecurity.com discussed this process with several healthcare IT experts and industry leaders to determine best practices for conducting a HIPAA risk assessment. Moreover, we wanted to see what some common oversights could be, and how CEs can ensure that they do not make those mistakes.


Carlyn Choate, MSHI, RHIA, CHPS, Privacy and Policy Coordinator at the Multnomah County Department of Human Services said that it’s important for healthcare facilities to reach out to the right people within the organization itself. From there, facilities can ensure that the necessary questions are being answered and that frontline staff, as well as managers, are being included in the process.


A major component of conducting a HIPAA risk assessment is to get a full working picture of the security process. Managers on their own are not always part of that business process and how information is collected and then moved through the organization, Choate said.

It can also be beneficial to compare risk assessments from one year to the next, according to Choate.


“It’s good to know where the organization stands as far as its level of risk and its vulnerability, and what it has accomplished from year to the next,” she said. “You can also see if those changes still meet the needs of the organization or what types of changes may in the future impact the organization.”


According to Michael Archuleta, HIPAA Security Officer and Director of IT at Mt. San Rafael Hospital, it is also best practice to work with the right organization on the risk assessment. There are various entities that can assist in the process, and it is important for CEs to find a partner that will best meet their privacy and security needs.

“Basically do an overall background of your organization to determine where you stand with HIPAA, find any type of risks, and determine the individual work flows,” Archuleta said. “An assessment methodology is good as well.”


The key thing for any organization is to ensure it knows all aspects of is its PHI, according to Archuleta. A facility must ensure that it gets an accurate assessment of where its PHI is located and is being used.

Moreover, it is also important to have policy procedure reviews. If a healthcare organization wants an individual or a group of employees to follow specific HIPAA guidelines, it needs to have a policy procedure in place, Archuleta said.


“It’s also important when you have these HIPAA risk analyses, you really need to start focusing on training,” according to Archuleta. This will ensure that the end user understands HIPAA and how potential risks apply to the facility.”


Archuleta also suggested that CEs conduct a penetration test, which will help determine where current system gaps are and what specific ports are open. If organizations do not conduct a penetration test, it could lead to security issues, he said.


Avoiding common mistakes


Choosing to skip a penetration test can be a major mistake for healthcare organizations, according to Archuleta. This can be essential in determining the location of all of a facility’s PHI.

“I’ve seen a lot of facilities exclude that because thinking they don’t need it,” Archuleta said. “They think it’s just a waste of revenue to get that included in the risk analysis, but in my opinion, it is key to determine where you stand with your overall secure infrastructure to keep PHI safe.”


In terms of penetration tests though, Choate added that it is not wise to assume that a penetration test by itself is enough. Doing a penetration test or installing encryption on mobile devices are simply part of the risk assessment process, Choate said.

“There are so many other components and so many other levels to a risk assessment,” Choate said.

A penetration test only looks at the network, she explained, whereas a risk assessment looks at how information is collected, how it’s used throughout the organization, who has access to it, and whether they should or shouldn’t have that right level of access. Essentially, a penetration test determines how vulnerable a facility could be to hackers, Choate said.

Phil Curran, Chief Information Assurance and Privacy Officer at Cooper University Healthcare said that healthcare organizations not understanding the process of the risk assessment can be a setback. If a CE doesn’t understand the process, then they will not perform it properly, he said. Agencies such as the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator (ONC) have comprehensive guidelines and assisting tools that organizations should take advantage of.

Moreover, sometimes a CE will not do any type of follow up after the initial risk assessment to ensure that necessary security changes were made.


“They do the risk assessment and they say, ‘This is a risk.  This is what we’re going to do about the risk.’ And then they don’t do any follow up to verify that they’re actually doing what they said that they were going to do. And that is a concern,” Curran said.

Comparing risk assessments from one year to the next is also essential, he said. Processes and technology are always changing, which is why reviewing previous assessments, as well as any audits, are part of a proper risk assessment, according to Curran. This helps CEs see and understand any organizational changes, as well as identify potential gaps from a control perspective. Additionally, this approach can also highlight any improvements that occurred from one year to the next.


Looking ahead for comprehensive security


All three healthcare IT experts agreed that evolving technology can definitely have an effect on HIPAA risk assessments.

According to Curran, more devices in a facility’s network makes it more difficult in that there are now more things to review.

“Part of the risk assessment is asking where does the data reside or where is the data going to?” Curran said. “So now you have to take into account more types of devices that we are sending data to.”

Moreover, Curran explained that whenever new technology is implemented that stores or transmits data and allows access to electronic PHI,  a risk assessment on that technology is supposed to be performed. This is done instead of waiting until the end of the year to do the overall risk assessment. However, the multitude of new devices makes the number of potential end points more comprehensive, he said.


Overall, CEs must ensure that risk assessments are not only comprehensive, but that they are tailored to an organization’s workflow. For example, if a facility still uses paper health records, it must understand how that paper flows, according to Choate. Otherwise, the CE opens itself up to potential risk. But a good system administrator, privacy officer, or security officer will be able to mold the risk assessment questions and ensure that it is tailored to the facility’s work flow.


more...
No comment yet.