HIPAA Compliance for Medical Practices
76.9K views | +6 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

The HIPAA Password Requirements

The HIPAA Password Requirements | HIPAA Compliance for Medical Practices | Scoop.it

The HIPAA password requirements stipulate procedures must be put in place for creating, changing and safeguarding passwords unless an alternative, equally-effective security measure is implemented. We suggest the best way to comply with the HIPAA password requirements is with two factor authentication.

 

The HIPAA password requirements can be found in the Administrative Safeguards of the HIPAA Security Rule. Under the section relating to Security Awareness and Training, §164.308(a)(5) stipulates Covered Entities must implement “procedures for creating, changing and safeguarding passwords”.

Experts Disagree on Best HIPAA Compliance Password Policy

Although all security experts agree the need for a strong password (the longest possible, including numbers, special characters, and a mixture of upper and lower case letters), many disagree on the best HIPAA compliance password policy, the frequency at which passwords should be changed (if at all) and the best way of safeguarding them.

 

Whereas some experts claim the best HIPAA compliance password policy involves changing passwords every sixty or ninety days, other experts say the effort is a waste of time. A competent hacker should be able to crack any user-generated password within ten minutes using a combination of technical, sociological, or subversive methods (i.e. social engineering).

 

There is more agreement between experts when it comes to safeguarding passwords. In respect of a best practice for a HIPAA compliance password policy, a large majority recommend the use of password management tools. Although these tools can also be hacked, the software saves passwords in encrypted format, making them unusable by hackers.

The HIPAA Password Requirements are Addressable Requirements

One important point to mention when discussing the HIPAA password requirements is that they are “addressable” requirements. This does not mean they can be put off to another date. It means Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.”

In the context of the Administrative Safeguards, the purpose of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Therefore, if an alternative security measure can be implemented that accomplishes the same purpose as creating, changing and safeguarding passwords, the Covered Entity is in compliance with HIPAA.

 

Two-factor authentication fulfills this requirement perfectly. Whether by SMS notification or push notification, a person using a username and password to log into a database containing PHI also has to insert a PIN code to confirm their identity. As a unique PIN code is issued with each log in attempt, a compromised password alone will not give a hacker access to the secure database.

Two Factor Authentication is Already Used by Many Medical Facilities

Interestingly, two factor authentication is already used by many medical facilities, but not to safeguard the confidentiality, integrity and security of PHI. Instead it is used by medical facilities accepting credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) and by others to comply with the DEA´s Electronic Prescription for Controlled Substances Rules.

 

Healthcare IT professionals will be quick to stress that two factor authentication can slow workflows, but recent advances in the software allow for LDAP integration and Single Sign-On between healthcare technologies. As two factor authentication software only transmits PIN codes (and not PHI) the software does not need to be HIPAA compliant, and it is a far easier solution for compliance with the HIPAA Password requirements than frequent changes of passwords and password management tools.

 

Effectively, Covered Entities never need change a password again.

The only thing Covered Entities have to remember before implementing two factor authentication to protect PHI is that, because the HIPAA Password requirements are addressable safeguards, the reasons for implementing the alternative solution have to be documented. This will satisfy the HIPAA requirements for conducting a risk analysis and also satisfy auditors if the Covered Entity is chosen to be investigated as part of HHS´ HIPAA Audit Program.

Why an Alternative to the HIPAA Password Requirements should be Considered

It was mentioned above that most user-generated passwords can be cracked within ten minutes. That may seem an outrageous claim to some IT professionals, but this tool on the ramdom-ize password generating website will give you an idea of how long it could take a determined hacker to crack any password by brute force alone. Social engineering and phishing will likely accelerate the speed at which the hacker succeeds.

 

Randomized passwords containing numbers, symbols and a mixture of upper and lower case letters obviously take a longer to crack – but they are still crackable. They are also much harder for users to remember; and although secure password management tools exist to store passwords securely, if a user wants to access a password-protected account from another device, password management tools are ineffective. The only way for the user to access the account is to have the password written down or saved on another device – such as an unsecured smartphone.

 

Accessing password-protected accounts from secondary devices increases the risk of a data breach due to keylogging malware. This type of malware runs undetected on computers and mobile devices, secretly recording every keystroke in a file for later retrieval by a hacker. As this is a foreseeable risk to the security of Protected Health Information, Covered Entities must either introduce policies to limit users to the devices from which they can access password-protected accounts, or find an alternative to the HIPAA password requirements.  

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Regulations for Radiologists 101

HIPAA Regulations for Radiologists 101 | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA regulations are a complex set of rules and regulations that are designed to promote a more patient oriented medical system that enhances patient care. HIPAA regulations that promote the accessibility of medical records to patients and increase the security of electronic patient health information are also included in the HIPAA Omnibus Rule. Radiologists often receive patients through a referral system or send patient files to another medical doctor or facility after x-rays and other scans are interpreted. This constant sharing of sensitive patient information makes learning what are HIPAA regulations and how do they affect radiologists an important task for any radiologist.

 

HIPAA Omnibus Rule

The HIPAA Omnibus Rule has changed the way that patient information is collected, stored, transmitted and created in response to the HITECH Act. The HITECH Act offers organizations incentives for using electronic patient health information while improving the security of that data. When asking what are HIPAA regulations one of the most important things to consider is your organization’s privacy policy. New HIPAA regulations state that organizations and entities must update their privacy policies and business agreements to comply with the current standards.

 

Current HIPAA standards require that all businesses sharing patient information must be HIPAA compliant. For instance, if a radiologist receives referrals or bills insurance companies on behalf of clients, the insurance company and the organization referring clients should both be HIPAA compliant. Current business associate agreements will be allowed until late September of 2014, but after that date all business associates will need to comply with the HIPAA Security Rule to avoid penalties or fines.

 

What is Affected by HIPAA?

Nearly every aspect of creating, sharing and transmitting electronic patient health information has been affected by new HIPAA regulations. In addition to revising and updating your organization’s privacy policies and business agreements, you will also need to look at your internal records storage and the accessibility of patient records. For instance, your internal computer systems must be secure and protected from data loss or third-party access. Data encryption is required anytime that you transmit electronic patient information. If your organization is using a third-party storage system for patient health information, the company providing web-based storage services will also need to be HIPAA compliant.

 

One of the areas that will be most affected for radiologists is how patient information is disclosed. Since radiology is a field where referrals are very common, care must be taken to ensure formal, written consent is provided each time you share patient health information. For example, a radiologist sending the results of an x-ray to a general practitioner will need to have written consent by the patient to do so. In order to understand and comply with current HIPAA regulations, it is best to use a HIPAA compliance checklist and HIPAA compliance software. HIPAA compliance software will walk you through the process of meeting current HIPAA regulations and help you avoid the confusion of updating and revising your current policies and practices on your own.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Why Ignoring the Minimum Necessary Standard in HIPAA Could Cost You

Why Ignoring the Minimum Necessary Standard in HIPAA Could Cost You | HIPAA Compliance for Medical Practices | Scoop.it

Does your healthcare organization develop and implement policies and procedures that are appropriate and reflect your organization’s business practices?

Under the HIPAA Minimum Necessary Standard, all covered entities must have policies and procedures that identify who needs access to Protected Health Information (PHI) to perform their job duties, the categories of PHI required, and the conditions where access is justified.

 

For instance, as a hospital, you can allow doctors, surgeons, or others to access a patient’s medical records if they’re involved in the treatment of that patient. If the entire medical history is required, your organization’s policies and procedures must explicitly state so and include a justified reason.

 

As a provider, you also need to take reasonable steps to make sure that no PHI is accidentally available for access. For example, if you’ll be hosting a meeting in your office, then you must ensure that no one from the meeting can access PHI documents accidentally.

How Does The Minimum  Necessary Requirement Work?

As the name implies, under the HIPAA Minimum Necessary Standard, it’s mandatory for covered entities to take reasonable measures to limit the use or disclosure of PHI and requests for PHI, to the minimum necessary needed to achieve the intended goal.

However, it’s important to note that the minimum necessary standard does not apply to:

  • Requests for disclosure by a healthcare provider for treatment purposes  
  • Disclosing information to the patient in question   
  • Uses or disclosures after a patient’s authorization  
  • Uses or disclosures needed to comply with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules  
  • Disclosing PHI to the Department of Health and Human Services (HHS) under the Privacy Rule for reasons of enforcement  
  • Disclosing PHI for use under other laws

The Minimum Necessary Standard of the HIPAA Privacy Rule requires that your covered entity develops and implements policies and procedures that are appropriate for your organization and that reflect your business’ practices and workforce. Only those who need access to PHI should receive access, and even then, the PHI should be restricted to the minimum necessary information needed to perform the job.

Why Does It Matter?

Did you know the healthcare industry is one of the most vulnerable sectors when it comes to cyber-attacks and data theft? If your organization fails to meet the minimum necessary standard, you could face fines of $50,000 or more.     

 

In fact, penalties for HIPAA violations can reach $1,500,000 annually per violation based on the type of breach.  

The largest American health data breach to ever occur took place in January 2015. It exposed the electronic PHI of nearly 79 million people and resulted in Anthem Insurance paying OCR $16 Million!  

The investigation found that Anthem did not perform

enterprise-wide risk analysis and the organization’s procedures did not regularly review information system activity. Anthem also failed to identify and respond to security incidents, and they did not implement proper minimum access controls to prevent the risk of cyber-attacks from stealing sensitive ePHI.

 

Complying with HIPAA’s minimum necessary standard matters if you want to avoid the risk of an expensive fine.

How Can You Comply?

Under HIPAA’s minimum necessary standard, the terms ‘reasonable’ and ‘necessary’ are open to interpretation and left up to the judgment of the covered entity. It’s up to your organization to determine what information should be disclosed and what information needs restricted access.

 

However, to make sure that you’re complying with this requirement, there are some basic steps you should follow:

  1. Prepare a list of all systems that contain PHI and what types of PHI they include.
  2. Establish role-based permissions that restrict access to certain kinds of PHI. All information systems should limit access to certain types of information. For instance, you can limit access to health insurance numbers, Social Security numbers, and medical histories if it’s not necessary for everyone to see that PHI.
  3. Design and implement a policy for sanctions if violations of the minimum necessary standard occur.
  4. Provide proper employee training about the types of information they’re permitted to access and what information is off limits. Be clear about the consequences of obtaining information when not authorized.
  5. Create alerts when possible that notify the compliance team if there’s an unauthorized attempt to access PHI.
  6. Ensure that the minimum necessary rule is being applied to all information shared externally, with third parties and subcontractors. It’s mandatory for covered entities to limit how much PHI is disclosed based on the job duties and the nature of the third party’s business.
  7. Perform annual reviews and periodic audits of permissions and review logs to determine if anyone has knowingly or unknowingly accessed restricted information. Such reviews may also be required when a major incident takes place, such as the treatment of a celebrity in your organization, or if a shooting or newsworthy accident takes place and your organization is involved.
  8. Document all actions taken to address cases of unauthorized access or accessing more information than is necessary and the sanctions that took place as a result.

Adhering to the HIPAA Minimum Necessary Standard is important to protect your organization and your patient relationships. When you take the appropriate steps to comply with HIPAA, you’ll not only have a much better chance of avoiding the risk of a costly data breach, but you’ll also build trust with your patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Understanding the HIPAA Security Rule: HIPAA Physical Safeguards

Understanding the HIPAA Security Rule: HIPAA Physical Safeguards | HIPAA Compliance for Medical Practices | Scoop.it

While HIPAA covers a broad scope of healthcare related items, its Security Rule specifically sets forth standards concerning the safety of electronic Protected Health Information or ePHI. Furthermore, the Security Rule can be broken down into three keys areas of implementation: Physical Safeguards, Technical Safeguards, and Administrative Safeguards. In Part I of this blog series we will discuss the basics regarding HIPAA Physical Safeguards, or Section 164.310 of the Security Rule, and how they relate to ePHI (electronic Protected Health Information).

 

The Department of Health and Human Services defines HIPAA Physical Safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings from natural and environmental hazards, and unauthorized intrusion”. In short, a covered entity must have physical protocols in place to protect is ePHI from disaster and/or theft.

HIPAA Physical Safeguards can be broken down into the following standards:

  • Facility Access ControlThis standard requires covered entities to implement policies and procedures to limit physical access to information systems and the facilities in which they are stored. Proper authorization to access these systems should also be ensured. The Facility Access Control Standard also requires the following implementations:
    • Contingency Operations
    • Facility Security Plan
    • Access Control and Validation Procedures
    • Maintenance Records

 

  • Workstation Use: A workstation is defined as an electronic computing device and any electronic media stored in its immediate environment. According to this standard, covered entities must implement policies and procedures surrounding the functions and physical attributes of any workstation that can access ePHI. The importance of these policies and procedures is to limit exposure to viruses, compromisation of information systems, and breaches of confidential information.

 

  • Workstation Security: This standard differs from Workstation Use in that it refers specifically to how workstations are to be physically protected from unauthorized users. Under this standard, converted entities must implement physical safeguards for all workstations that access ePHI to restrict unauthorized users. Essentially, a covered entity must take precautions - such as locked doors/equipment – to prevent non-employees from physically accessing a workstation.

 

  • Device and Media Controls: Device and Media controls refer to electronic media- meaning electronic storage media devices in computers (hard drives) and any removable/transportable digital memory medium such as tapes, disks, or digital memory cards. The purpose of this standard is to have policies and procedures in place to govern the receipt and removal of hardware and electronic media that contains ePHI, into and out of a facility, and the movement of these items within the facility. Covered entities must be able to account for all ePHI as it is moved between electronic devices. They must be able to account for this ePHI, even if it is disposed of. This standard is broken down into the following implementations:
    • Disposal
    • Media Re-Use
    • Accountability
    • Data Backup and Storage

In order to comply with these standards related to HIPAA Physical Safeguards, here are some examples of basic practices that any covered entity can apply to its medical practice:

  • Keep access to any device that stores or processes ePHI restricted to authorized personnel only. Avoid having these devices in areas that can easily be accessed by patients or visitors.
  • Ensure that ePHI is disposed of properly. Hard drives and any other devices that store patient information must be destroyed in the proper manner, and a certificate of disposal should be obtained and kept as a record.
  • Keep an inventory of all devices in the office that store or process ePHI. Additionally, note down which staff have accesses to these devices and what roles they play in processing ePHI.

 

These are examples of general steps that will help covered entities comply with HIPAA.   It is important that the annual mandatory HIPAA risk assessments be comprehensive and should review all physical safeguards at your location, pinpoint specific vulnerabilities and determine the corresponding action items and additional physical safeguards that may need to be implemented.

In summary, the Physical Safeguards standard of the HIPAA Security Rule sets forth a comprehensive framework regarding the physical protection of ePHI. As covered entities continue to modernize and move away from traditional paper-based records keeping, they will need to keep these standards in mind for the privacy of their patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

Five Steps to HIPAA Compliance for a Doctor's Office

Five Steps to HIPAA Compliance for a Doctor's Office | HIPAA Compliance for Medical Practices | Scoop.it

Why do you, as a doctor, dentist or any other medical provider, need to comply with HIPAA? HIPAA, the Health Insurance Portability and Accountability Act, was enacted by the US government to not only protect patient confidentiality and privacy but also to ensure that doctors and other medical practices protect their data to prevent unauthorized persons and criminals from getting access to patients' confidential, private and financial information.

 

Patient health records called PHI (Protected Health Information) are a valuable commodity for criminals and sell for high prices in the black market.   Medical professionals must therefore strictly abide by HIPAA rules in order to avoid monetary fines, damage to their reputation, loss of their license(s), and even imprisonment. Over the last few years, we have been hearing of multiple instances of doctors, nurses and healthcare workers being jailed or fined hefty sums for HIPAA violations. The Office of Civil Rights (OCR) has concentrated on education and outreach and has also focused on enforcement of HIPAA law especially when a healthcare organization suffers a breach or is in violation of HIPAA law.

 

Professionals in the medical field have the moral and ethical responsibility to abide by laws that govern them and to provide the utmost care, which includes protecting the health information of each and every patient. This requires the ability to make logical decisions minute by minute, plus a great deal of patience, professionalism, and high standards related to HIPAA compliance to ensure protection of ALL health information… which includes the following steps:

 

1. Exercise Privacy in Your Office Everywhere

  • Give patients the privacy they deserve in your office whether it’s in the lobby or their patient room.
  • Minimize references to patients; it is best to call patients by first or last name only when directing them to their patient room.
  • Allow for a quiet, private space when talking with patients individually so only those intended for the information are the ones who hear it.
  • Never leave patient documents/files unattended or unsecured.
  • Always knock before entering patient rooms.
  • While accessing electronic PHI (ePHI), make sure that no unauthorized person can see the data on your screen or device.
  • Continuously enforce this culture of privacy with your staff.

2. Post Notice of Privacy Practices

  • Print notice of privacy practices and place it in a common and clearly visible area in your office, so that patients are openly provided with the privacy laws and information that strives to keep their care confidential.
  • If you have a website for your practice, then be sure to post a copy of the Notice of Privacy Practices prominently on your website.
  • Keep copies of the Notice of Privacy Practices available in case any of your patients asks for a copy.

3. Maintain and Follow Written Policies and Procedures

  • Develop a written policies and procedures manual for everyone in your practice to follow, to ensure patient privacy and security. The manual should also contain forms, notices, disclosures and step-by-step procedures for patient privacy notification and overall HIPAA compliance.
  • Your policies and procedures should be accessible to all staff.  Get attestations from your staff that they have read and will abide by your written policies and procedures.
  • Review your policies and procedures annually to ensure that they are still current, and review them with your staff every year after this review.
  • Review, and if needed update, your policies and procedures whenever there is a major change in your practice, for instance, a change in your EHR or key software used like anti-virus, data backup service or anything similar.

4. Train Your Team on HIPAA Do’s and Don’ts

  • Ensure that your employees go through HIPAA training every year.
  • Your employees should sign and acknowledge their awareness of these HIPAA policies and procedures.
  • Document training dates and employee names as proof that all your employees have been trained.
  • All healthcare providers - doctors, nurses, and all staff - should undergo annual HIPAA training.
  • Ensure that your Business Associates also undergo annual HIPAA training.

5. Conduct the Mandatory Annual HIPAA Security Risk Assessment

  • This mandatory HIPAA security risk assessment should be completed in order to analyze risks within the practice. Typically, a security risk assessment will check your office for compliance with the HIPAA Security Rule and the HIPAA Privacy Rule.   Your security risk assessment would involve reviewing in detail your technical safeguards, physical safeguards and administrative safeguards which are all key elements of the HIPAA Security Rule.
  • You can either do this annual assessment internally or hire a HIPAA expert to perform the assessment.
  • If any evaluated areas require remediation or follow-up, plans of action will have to be developed with timelines to address them.
  • Be sure to address your follow-up action items within a reasonable period of time.  About 3-4 months is often considered a reasonable time for most doctors' offices.  For instance, if you are using a straight-cut shredder, your report might ask you to procure a cross-cut shredder or shredding service to make your document disposal process more secure.
  • Know where your patients' Protected Health Information is - where it is stored on your EHR, where your data backups are kept, on which employees you or your employees store any PHI, where printed versions of PHI may be kept.
  • If you don't already have Business Associate Agreements with your vendors, you should arrange to get them immediately.  These are important legal documents where you can specify the roles and responsibilities of your vendors or business associates when it comes to handle your patients' protected health information that you are ultimately responsible for.
  • While disposing of anything that has PHI on it - in any format - use secure disposal techniques. Your security consultant can guide you on how to securely dispose of PHI on different media. 
  • Some of the action items may be very technical, for instance, it may recommend that you implement secure email or encrypt your storage devices, or that you may need to get a vulnerability assessment done. Your IT vendor or security vendor should be able to guide you in these situations.

 

Ultimately, medical facilities that do not stray from complying with current rules and laws that govern their care and practice will continue to have the best reputation and the best rapport with their patients. Enforcing the highest level of HIPAA compliance within your facility means that you understand the importance of protecting health information and providing continuity of care across the medical spectrum to provide the best care outcomes for each and every patient in every way possible.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Is it Time for Your Organization to Hit the HIPAA Breach Panic Button? 

Is it Time for Your Organization to Hit the HIPAA Breach Panic Button?  | HIPAA Compliance for Medical Practices | Scoop.it

Indeed, it is. According to the latest statics from the HHS Office of Civil Rights (OCR), 43% of all reported breaches are now caused by hacking or other related information network discrepancies—not to mention those breaches that are the result of impermissible disclosures made by members of the work force.

 

Let’s face it, breaches will happen, especially those related to information systems. When it comes to breaches, most network security experts say it is “when” and not “if.” Regardless of whether the breach is related to the network or some other means such as lost or stolen devices containing ePHI, what is important is having a process in place to deal with it. This includes the ability to conduct an internal investigation to determine the basics such as how the breach was caused, the type of breach, and how many individuals were affected.

 

The HIPAA Breach Notification Rule states that a breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. The exception is when the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

  1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
  2. The unauthorized person who used the protected health information or to whom the disclosure was made;
  3. Whether the protected health information was actually acquired or viewed; and
  4. The extent to which the risk to the protected health information has been mitigated.

 

So, what is the best way to conduct the breach risk assessment to determine this probability? Start with some type of Breach Notification Risk Assessment Tool which is a decision tree-based process. This will help determine if the breach is reportable. Even if the determination is made that the breach is not reportable, documentation that this assessment was conducted must be maintained.

 

Having a comprehensive breach notification policy is critical. This will save a lot of headaches and layout a process to follow during the period of uncertainty associated with a breach. The policy should state the obvious such as who needs to be notified internally within the organization, who is responsible for conducting the assessment, and what specific notifications need to be made. What is even more important is the actual procedure to implement the policy. Procedures should cover how to undertake the investigation of the breach to cover the who, what, how, and when of the occurrence. If it is a reportable breach, this type of information is required for submitting “Notice of a Breach” to the Secretary of HHS (which technically is delegated to OCR.) When submitting the Notice, one should be prepared to answer a number of questions. This is why it is important that the internal investigation uncover as much information as possible.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Few Things Physicians are Not Doing to Comply with HIPAA.

Few Things Physicians are Not Doing to Comply with HIPAA. | HIPAA Compliance for Medical Practices | Scoop.it

Shortly after the Health Insurance Portability and Accountability Act (HIPAA) was implemented, David Zetter was at a doctor's office helping the group build a compliance plan. He was in the back of the practice training some of the staff when the receptionist walked in and handed him a piece of paper.

 

The note was from a patient saying she could see everyone's names and files at the front desk and she knew that was a HIPAA violation.

 

More than a decade later, HIPAA compliance has become ingrained: Files are not left out in the open, patient information is not improperly disclosed, and doctors do not leave health-related messages on answering machines. It is routine to have every patient sign a HIPAA release and go about your business.

 

But compliance is not a one-and-done activity as much as an evolution of rules and procedures. Compliance gurus bet there are at least a few things physicians are not doing to comply with HIPAA.

 

Make a plan
One main thing that practices should have is a compliance plan, but many do not, said Zetter, founder of Zetter Healthcare Management Consultants. “They buy a cheap manual off of the internet and think that works,” he said. “But it cannot be implemented that way; it wasn't set up for your practice.”

 

Even state medical societies sell how-to manuals, but Zetter said this is only a document meant to guide you through creating a compliance plan, not the plan itself.

 

Sample HIPAA compliance plans and instructions for completing one can be found online. The Massachusetts Medical Society provides a document with a checklist and tips to help doctors develop their own documents.

 

Analyzing compliance
The second thing that needs to be completed is a gap analysis. These are used to determine what the organization is doing and what they should be doing. Zetter said an office needs to take each section of the regulation, see what is required and compare it with what is being done. Detailed information on creating a gap analysis can be found at the North Carolina Department of Health and Human Services Website.

 

Once gaps are identified, it is important to find ways to mitigate the potential problem areas. Physicians can do this by performing a risk analysis, which provides the basis for developing ways to cover themselves if an information breach should occur.

 

A risk analysis can arrive at whether there is a low, medium, or high risk of a HIPAA violation occurring, Zetter said. The greater the risk, the more resources are needed for prevention. All of this should be documented.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Important HIPAA Compliance Issues in 2018

Important HIPAA Compliance Issues in 2018 | HIPAA Compliance for Medical Practices | Scoop.it

As 2018 gets underway, experts offer advice on some important issues related to HIPAA compliance. One issue is patient access to medical records. Kathy Downing, vice president of information governance and standards at the American Health Information Management Association, said her organization receives many complaints from patients who have issues receiving medical information even though right of access has been in place since 2003.This area is what Downing calls “super low-hanging fruit on the HIPAA tree.” If patients request records, there is no need to make them wait 30 days. If the records are stored electronically, practices should allow patients to receive their information in that format.

 

“The reason this is important is because in a lot of the cases, patients may be seeing multiple providers for chronic conditions, and having their chart allows them to be more engaged in their care,” she said. “It's an important patient right, and important for population health and patient engagement.”

 

By giving patients their records, providers are also allowing them to do a quality review to ensure their information is correct. Electronic medical records commonly contain errors, mainly because of copying and pasting of data, Downing said.

 

If physicians are uncomfortable talking with patients about information in their charts, she recommends that practices appoint a nurse who can deal with patient queries. Portals can also be a good resource to guide patients through their information. If someone has been diagnosed with prediabetes, for instance, a portal can provide links to trusted online sources that can answer patient questions.

 

Increased enforcement?


Another HIPAA-related question facing medical practices this year is the Office for Civil Rights (OCR) approach to HIPAA enforcement. Michael Bossenbroek, a partner at Wachler & Associates, P.C. in Royal Oak, Michigan, listened to remarks at a HIPAA conference last fall from the new OCR director. OCR might be striking a different tone as a new administration takes the reins. “How they balance the objectives of education and compliance with enforcement remains to be seen,” Bossenbroek said.

 

The OCR director gave no specifics, Bossenbroek said. Whatever approach emerges from OCR, as before, providers need to ensure they have the basics completed, with a risk analysis performed and solid policies and procedures in place.

 

Chris Apgar, CEO and president of Apgar & Associates LLC, in Portland, Oregon, said OCR has made it clear there will be continued enforcement activity in the coming years. No one is immune from them, he said. He recently worked with a small entity that had their wrists slapped by OCR. He helped them prepare a response, and when they failed to follow through with their plan, he had to mediate between the organization and OCR.

 

“If you respond to OCR in an appropriate and timely manner and follow through, they go away,” he said. “If you don't, they stick around. They are not going away.”

 

Shortage of security talent


Health care organizations will continue to face a shortage of information technology (IT) security talent in 2018, Apgar said. A report released this past summer by the US Department of Health and Human Services found that 3 out of 4 hospitals do not have a designated information technology (IT) security professional.

 

Larger organizations are better able than small groups to afford hiring IT talent, which can be expensive, Apgar said. But smaller organizations, which often delegate IT security to office staff who are already busy with other tasks, have options. Apgar recommends looking for students graduating from information security programs and bringing them on board as interns. Small groups do not require the same kinds of security setup that a Cleveland Clinic or Kaiser might need, and young individuals can help build and run systems. Organizations can grow a position with them when they are new in the field, although these individuals could leave when they become seasoned and expect a higher salary.


Vendors


With OCR increasingly scrutinizing and auditing business associates, it is important for practitioners to ensure their vendors are compliant. Apgar said the vendors he works with are increasingly motivated to do this for fear of losing customers. These customers – health care practitioners – are demanding proof of compliance.

 

To better understand a vendor's compliance, providers can request policies and procedures and ask to see their risk analysis and any other pertinent documentation. Some ask that vendors fill out a security questionnaire. Others go even further. Groups like Apgar's company can act as a third party to conduct a risk assessment, then attest in writing that a vendor has either mitigated or accepted risks found in the analysis.

 

New tools


It used to cost anywhere from $75,000 to $100,000 for a tool that would automatically monitor audit logs and send alerts if an anomaly is found for a hospital or larger clinic, Apgar said. Over the past couple of years, new options have hit the market that lowered the cost to $35,000 or less, which is a game changer for HIPAA compliance, he said.

 

“As more technology becomes affordable, there is a higher likelihood that regulatory bodies will push back and say providers have to use it,” Agar said. “If a hospital is generating and not regularly reviewing audit logs, they will look negligent to regulators.”

 

Technology tends to move with the needs of the market. For instance, as cyber crime has become increasingly prevalent, tools have been developed and marketed to prevent attacks. Some tools look both internally and externally in a network to see if unusual behavior is occurring, and sends an alert if any anomaly is found.

 

Keeping track of technology as it becomes more affordable is not always simple. Apgar said providers can look at IT newsletters and check with their state associations to stay atop of new and affordable tools coming on the market.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004

more...
No comment yet.
Scoop.it!

HIPAA Compliance Tips for Mobile Data Security 

HIPAA Compliance Tips for Mobile Data Security  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance Tips for Mobile Data Security

Nearly 4 out of 5 healthcare providers use a mobile device for professional purposes. These numbers continue to rise as healthcare organizations place an increased focus on efficiency and productivity. (1) Although mobile devices are incredibly efficient and convenient, they also harbor measurable risks for data breach and the exposure of protected health information (PHI).

 

Mobile devices are often more susceptible to theft because they lack the appropriate security controls. In fact, mobile device malware infections have surged 96% from 2015 to 2016. (2)  To avoid hefty penalties and the risk of a data breach, healthcare organizations must develop and implement mobile device procedures and policies that will protect the patient’s health information.

 

Below are five recommendations from HHS (The Department of Health and Human Services) that organizations can take to help manage mobile devices in the healthcare setting:

 

  1. Understand the risks before allowing the use of mobile devices- Decide whether healthcare providers or medical staff will be permitted to use mobile devices to access, receive, transmit, or store patients’ health information or if they will be used as part of the organization’s internal network or systems, such as an electronic health record system.
  2. Conduct a risk analysis to identify threats and vulnerabilities- Consider the risks to your organization when permitting the use of mobile devices to transmit health information Solo providers may conduct the risk analysis on their practice, however, those working for a large provider, the organization may conduct it.
  3. Identify a mobile device risk management strategy, including privacy and security safeguards- A risk management strategy will help healthcare organizations develop and implement mobile device safeguards to reduce risks identified in the risk analysis. Include the evaluation and regular maintenance of the mobile device safeguards put in place.
  4. Develop, document, and implement mobile device policies and procedures to safeguard health information. Some topics to consider when developing mobile device policies and procedures are:
    1. Mobile device management
    2. Using your own device
    3. Restrictions on mobile device use
    4. Security or configuration settings for mobile devices
  5. Conduct mobile device privacy and security awareness and ongoing training/education for providers and professionals.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

9 keys to having a HIPAA-compliant cloud

9 keys to having a HIPAA-compliant cloud | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organizations are increasingly open to the idea of using public cloud services, whether it be applications or infrastructure. But to do so requires thorough planning and vigilant execution of IT operations.

 

Chris Bowen, founder and chief privacy and security officer for ClearDATA, a company that helps healthcare organizations use public cloud services, provides nine examples of controls that can be put in place. 

 

  1. Implement audit controls: Use tools such as AWS’ Cloudtrail and S3 buckets as key components of a logging infrastructure.
  2. Review system activity: Leverage audit logs to enable the review of activity within your system.
  3. Identity and Access management control: Keep track of every user who logs into a cloud environment and what they do; alert administrators if settings are changed. 
  4. Disaster recovery: Ensure there are backups of all data to satisfy contingency plan requirements, including emergency mode operation.
  5. Evaluate your security posture: Conduct vulnerability scans, penetration tests, and code scan on systems processing Personal Health Information (PHI).
  6. Establish a proper Business Associate Agreement: Outline key responsibilities between you and your vendors. These should address responsibilities for keeping data safe, how to provide patients with access to their data, and what to do in the case of a data breach.
  7. Access Controls: Ensure users are unique and logged. Enable auto logoff features, robust authentication features, and stateful security groups.
  8. Encrypt PHI and other sensitive data: Encrypt all data in motion and in rest using a purpose-designed approach.
  9. Ensure transmission security: Effectively enable the proper encryption of data in transit using AES 256 encryption (SSL and TLS) as well as object keys where feasible.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA as an umbrella for county/municipal cybersecurity

HIPAA as an umbrella for county/municipal cybersecurity | HIPAA Compliance for Medical Practices | Scoop.it

Are you a covered entity?

Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.

 

How do you know if you have or are a CE? If some department or division within your organization is a health care provider, a health plan or a health care clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), health care clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.

Are you in compliance?

If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.

 

In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?

 

I suspect what often happens is that executives look at something like information security policy requirements and say:

This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.

 

What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.'

Trust but verify

There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances, and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.

Extend HIPAA to your enterprise

If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that level while also getting compliant with federal law.

 

Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted good practices.

Develop your policy with the HIPAA Security Rule

There are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.

The original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards; Final Rule, is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix on page 48 (8380 of the federal register).

The security standards in HIPAA are broken down into three sections, each of which has multiple layers and subcomponents:

  • Administrative Safeguards (9 components)
  • Physical Safeguards (4 components)
  • Technical Safeguards (5 components)

 

These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.

 

Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.

 

These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.

Next Steps

1. Find out where your organization stands in terms of information security policies and procedures.

2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?

3. Meet with your IG committee to discuss your findings.

4. If you don’t have an IG committee — start one!

5. Download and review the HIPAA Security Rule. Use it to build your organization’s information security policies.

6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintaining continuous improvement.

7. Begin building a culture of security in your organization.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

A Doctors Guide to HIPAA Compliance in 2017

A Doctors Guide to HIPAA Compliance in 2017 | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance in 2017 is a key issue that many doctors are focussed on.

Since 1996, the The Health Insurance Portability and Accountability Act has been in place, giving physicians and their teams reasons to guard their patient privacy closely.

Depending upon the type of the breach, physicians can be liable for between $100 to $50,000 for each violation. The maximum HIPAA Violation is $1.5 million for identical provisions during a calendar year. Some HIPAA violations can lead to imprisonment in extreme circumstances. This is why HIPAA compliance in 2017 is such an important factor for doctors.

To ensure that your practice has effective HIPAA compliance in 2017, here are 5 steps to follow:

1) Correct Sharing of Patient Information

If your staff discuss patients’ names, addresses and or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or change of address in private. Also, create a quiet place for phone calls to occur. Even if you’re just calling a patient to setup or confirm an appointment, it is better to do this in a private area if possible.

2) Secured Paper Files

While paper charts are slowly becoming a relic, it is important that past files are stored securely.  Doctors who have moved to using an EHR for all patient records may still have old patient files that need to be transferred. Once converting from paper documents to electronic format is complete, be sure to shred any patient records before you dispose of them.

If your medical practice still uses paper documents, be sure not to leave them in unsecured or unattended areas. This includes charts, paperwork and forms that patients bring in from other practices that they are filed and stored securely.

3) Encrypted Emails

Never underestimate the importance of email encryption, even for seemingly innocent files. The use of non-encrypted email services, such as gmail, outlook, yahoo and other well known email services can cause a risk of hackers being able to access your information. For this reason, you should consider an encrypted email or file sharing service for pertinent patient information.

When sending bulk emails to patients, or many emails in a row, it is easy to overlook the address it is being sent to. You can put patients at risk and you can lose their trust, simply because you didn’t double-check your recipient address or an email attachment.

This is one of those areas where slow, steady careful checking pays off.

4) HIPAA Secured Patient Portals

If you use or are considering creating a patient portal, ensure it has secure login compliance. Any personal patient information should not be easily accessible without a username and password.

If sharing information with family members of patients, be sure to get written authorization from the patient first. A good practice is to require identity verification for password reminders. You can also remind patients to access their patient portal when they have a secure internet connection (i.e. not in public places).

5) Ensure your Telemedicine platform is HIPAA compliant

Some doctors have considered using Skype or Facetime to communicate with patients. While they are great free platforms for video chat, the reality is the weren’t designed to be HIPAA-compliant.

The challenge is that even though a doctor can ensure their Internet connection is secure, there is very little they can do to make sure everything is secure on the the patient’s receiving end.

Another alternative is to ensure the is a Business Associate Agreement in place. The same issues arise with security for text messaging, so be sure to use HIPAA compliant texting tools here as well. The solution here is to ideally use a HIPAA compliant application designed for Telemedicine.

Doctors may have several HIPAA violations without getting fined, but that doesn’t mean it isn’t a negative for your practice. Having HIPAA Compliance in 2017 is as important as it has been for the past 20 years.

When doctors treating patient information caution they can and enjoy the peace of mind that comes with being HIPAA compliant.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Why HIPAA Compliance Need Security Risk Analysis?

Why HIPAA Compliance Need Security Risk Analysis? | HIPAA Compliance for Medical Practices | Scoop.it

There are many important elements to implementing an effective HIPAA Program, but none are more important than completing a security risk analysis. Conducting a risk analysis will give your practice an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of your electronic protected health information.

Completing a security risk analysis is a required element. This means that most specifications must be evaluated and if applicable, implemented, in order to achieve compliance with the Security Rule. It is important to remember that certain specifications in the risk analysis are considered addressable, meaning it is up to the covered entity to determine (in writing) if the specification is a “reasonable and appropriate” safeguard for its environment, taking into consideration how it will protect ePHI.

According to the Security Rule, your security risk analysis should be broken down into the implementation of 3 categories of electronic protected health information safeguards: Administrative, Physical and Technical. The following is an overview of each category, including differentiation between those specifications that are required and those that are addressable.

ADMINISTRATIVE SAFEGUARDS

Administrative safeguards are administrative actions and functions to manage the security measures in place that protect electronic protected health information. Administrative safeguards must state how the covered entity will conduct oversight and management of staff members who have access to, and handle ePHI. Administrative safeguards include:

  • Risk Assessment (R)
  • Sanctions Policy (R)
  • Information System Activity Review (R)
  • Security Officer Assignment (R)
  • Security Awareness and Training (A)
  • Security Incident Procedures (R)
  • Disaster Recovery and Data Backup Plan (R)
  • Periodic Security Evaluations (R)
  • Business Associate Contracts (R)

 

PHYSICAL SAFEGUARDS

Physical safeguards are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards and unauthorized intrusion. It includes restricted access to ePHI and retaining off-site computer backups. Applying physical safeguards means establishing:

  • Facility Access Controls (A)
  • Workstation Use and Controls (R)
  • Device and Media Controls (R)

 

           

TECHNICAL SAFEGUARDS

Technical safeguards are the automated processes used to protect and control access to data. They include using authentication controls to verify that the person signing onto a computer is authorized to access that ePHI, or encrypting and decrypting data as it is being stored and/or transmitted. Technical Safeguards are:

  • Unique User Login (R)
  • Emergency Access Procedures (R)
  • Automatic Logoff (A)
  • Encryption and Decryption (A)
  • Audit Controls (R)
  • Authentication of Integrity of ePHI (A)
  • Authentication of Person or Entity (R)
  • Transmission Security (A)

Completing your security risk analysis is not only an essential component of your HIPAA program, but it will enable you to identify and rectify any risks and vulnerabilities to the access and confidentiality of your electronic protected health information. The results of your risk analysis will be used to determine the appropriate security measures to be taken. Be sure and revaluate your risk analysis periodically, especially if there have been any known or suspected threats to your security program.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

Protecting PHI: Managing HIPAA Risk with Outside Consultants 

Protecting PHI: Managing HIPAA Risk with Outside Consultants  | HIPAA Compliance for Medical Practices | Scoop.it

The rising complexity of healthcare, particularly as it relates to providers’ growing technical needs, is increasingly prompting healthcare organizations to seek the help of outside consultants. In engagements with healthcare entities, thought IT consultants try to minimize interaction with patient data, they often have access to protected health information (PHI). When working with HIPAA Covered Entities, consultants are treated as “business associates” and are required to comply with Privacy Rules designed to protect PHI.

 

Managing HIPAA compliance when engaging outside consultants requires that consultants enter into a Business Associate Agreement (BAA). The BAA must:

  • Describe the permitted and required uses of PHI by the business associate in the context of their role
  • Provide that the business associate will not use or further disclose the PHI, other than as permitted or required by the contract or by law
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI, other than as provided for by the contract

Here are several best practices to follow to ensure the protection of PHI in consulting arrangements.

 

FTE Mentality

During the contract period, the expectation is that consultants act as if they were an employee of the hospital or provider organization and therefore treat PHI in this manner. It is important to know that consultant business associates could be held liable or equally responsible for a PHI data breach in the same way a full-time employee could be.

 

Role-Based Access Rules

Limit access to PHI based on role to ensure that only the parties that need PHI have access to it. An IT strategist, for example, does not need to see live patient data. Associates leading implementation projects, on the other hand, may need access to live PHI. Typically, this occurs late in the implementation process, when the time comes to test a system with live, identifiable patient data.

 

Safeguard Access Points

If a hospital wants a consultant to have regular access to PHI, it would be preferable that the hospital provides the consultant with a computer or device with appropriate access authorizations and restrictions in place. Avoid the use of personal devices whenever possible. Make sure that only approved and authorized devices can be used inside the firewall and require multi-factor authentication during log-in. Avoid inappropriate access to PHI by way of shared or public data access points. Don’t allow private access to PHI where others could intervene.

 

Keep it Local

Don’t take PHI away from the source of use. Consultants should avoid storing PHI on personal devices, including smart phones, which are particularly susceptible to theft and loss. Devices used to store or access PHI must be registered. Best practices often include controls giving IT staff advance permission to remotely wipe or lock a stolen registered device. Avoid leaving registered devices in cars or unprotected areas.

 

Paper-based reports also pose threat of PHI leak. Documents you take home over the weekend, for example, could be accessed by family members, lost, or stolen. Electronic, paper, verbal and image-based PHI should all be confidently secured. Of course the regulations also relate to visual and verbal protections. When accessing PHI avoid allowing others to view your screen over your shoulder. When discussing PHI make sure only those who need to know and have appropriate authority can hear the conversation.

 

The healthcare industry is making great strides in establishing digital infrastructure, much of which is cloud-based, putting new onus on providers and their business partners to ensure the security of that information. No one wants to make headlines for the latest data breach, least of all the IT consultants hired by providers to help guide their data management efforts. Rigorous attention to HIPAA Privacy Rule guidelines is not only required – it’s imperative to maintaining trust in the healthcare ecosystem.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Police –Are They Coming For You?

HIPAA Police –Are They Coming For You? | HIPAA Compliance for Medical Practices | Scoop.it

As reported by Health and Human Services (HHS) HIPAA fines and audits are significantly on the rise. 5% of practices are being audited against the HITECH Act and Omnibus Rule. Are you compliant?

 

“How do all these regulations affect me as a Healthcare Covered Entity or Business Associate?”

To answer that question, let’s first look at what the regulations are and get a brief description. Once we read and understand what we are facing, the steps to complying with the rules should be attainable. I would love to say attaining compliance is easy, but with anything in life, if you want success you will have to work for it.

 

HITECH ACT

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was created to motivate the implementation of electronic health records (EHR) and supporting technology in the United States. President Obama signed HITECH into law on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

 

The HITECH act specified that by the beginning of 2011, healthcare providers would be given monetary incentives for being able to demonstrate Meaningful Use (MU) of electronic health records (EHR). These monetary incentives, up to $44,000 per doctor, will be offered until 2016, after which time penalties will be levied for failing to demonstrate such use.

 

FYI, the main failure that the centers for Medicare and Medicaid have discovered when auditing providers who have implemented an EHR system is their failure to perform a proper Risk Analysis.

 

OMNIBUS RULE

The United States Government’s requirement to implement Electronic Medical Records and Health IT compliance has prompted the US Government to adopt the long-awaited HIPAA Omnibus Rule http://compliancy-group.com/hipaa-omnibus-rule

The Omnibus Rule was finalized by the Office for Civil Rights (OCR). The Office of Management and Budget (OMB) approved the final rule and subsequently published it in the Federal Register.

 

The rule effectively merges four separate rulemakings, which are as follows:

  • Amendments to HIPAA Privacy and Security rules requirements;
  • HIPAA and HIPAA HITECH under one rule now
  • Further requirements for data breach notifications and penalty enforcements
  • Approving the regulations in regards to the HITECH Act’s breach notification rule

 

It is apparent for this new rule that the health care industry will need to educate patients with regards to their privacy and disclosure rights. Patients will need to know how their information is used and disclosed, and how to submit complaints pertaining to privacy violations. Health Care providers should also try to better understand HIPAA requirements so that they are aware of their risks and responsibilities towards their patients.

 

In addition, the Omnibus Rule includes provisions that would govern the use of patient information in marketing; eliminates and modifies the “harm threshold” provision that presently allows healthcare providers to refrain from reporting data breaches that are deemed not harmful; ensures that business associates and subcontractors are liable for their own breaches and requires Business Associates to comply with HIPAA for the first time since HIPAA was first introduced. The rule also requires HIPAA privacy and security requirements to be employed by business associates and sub-contractors.

 

So, what does compliance with these rules look like? Is it a 3-ring binder on a shelf with some policies, is it an online training course, or is it my IT person telling me I am protected? Actually, it is a little of all three.

  1. RISK ANALYSIS– A true risk analysis covering Administrative, (Policies and Procedures), Technical, (How are your Network, Computers, Routers, protected), Physical, What safeguards have you put into place at your location? (Alarms, Shredding, Screen Protectors).
  2. RISK MANAGEMENT- The risk analysis is going to identify deficiencies. Risk Management is then put in place to track how your remediation plan will work to fix the deficiencies that were found during the Risk Analysis.
  3. VENDOR MANAGEMENT– Vendor Management tracks the companies and people that access your site where PHI or ePHI is stored and keeps track of who you share PHI or ePHI with. Depending on the relationship, you will want to have either a Business Associate Agreement (if they meet the requirements for being labeled a Business Associate) or a Confidentiality Agreement. Remember, for Business Associates, an agreement alone is not enough; you also need assurances that they are complying with the HIPAA Security Rule before you share or continue to share PHI or ePHI with them.
  4. DOCUMENT MANAGEMENT– It is hard to imagine compliance without a place to store policies, procedures, business associate agreements, or any other compliance documents. Why you ask? Because the rule specifically states that you must retain all compliance documents for a min of 6 years (depending on the state your business is in these rules may be more stringent).

5. TRAINING OF YOUR STAFF– One of the most important aspects of compliance is the tracking of not only HIPAA 101 training for your staff but also of your staff’s acknowledgment that they understand the HIPAA Privacy and Security Policies that you

 
 
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Benefits of Performing a HIPAA Risk Assessment

The Benefits of Performing a HIPAA Risk Assessment | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule mandates that covered entities must conduct a risk assessment of their healthcare company.

 

 A wide range of organizations – from healthcare insurance providers to hospitals – fall into this covered entity group. While it may seem taxing and time-consuming to provide standardized training to your employees, there are many reasons doing so can behoove you. For one, it’s the law. Since 2009, Security Risk Assessments (SRAs) have been a required annual practice set forth by the HIPAA Security Rule.

 

Don’t wait to become a breach headline; nip breaches in bud by detecting security issues before they wreak havoc. You can’t be secure if you are not compliant; and a HIPAA Risk Assessment will safeguard your organization in more ways than one. Technology is a timesaver that has simplified the medical filing and billing processes, but it leaves the potential for leaks and hacking.

 

A risk analysis will identify and document potential threats and liabilities that can cause a breach of sensitive data. An IT security consulting company can check all portable media (laptops), desktops, and networks to ensure they’re ironclad. IT security measures, such as encryption and two-factor authentication2, will be addressed in order to make it challenging for unwanted eyes to get a glimpse of patient information.  

 

Employees are the greatest threat to HIPAA compliance, so it’s important to make sure they’re well informed on how to prevent breaches. Annual HIPAA Security Awareness Training Programs provide a thorough understanding of each person’s role in preventing breaches and protecting physical and electronic information.

 

HIPAA training is a regulatory requirement, many employee actions that go awry could easily be prevented. A consultant will offer tips and tricks for minimizing that risk; a few include never leaving work phones and laptops unattended, never sharing passwords or company credentials, choosing to shred files as opposed to trashing them, and overcoming the temptation to “snoop” on patient information without just cause.

 

While many of these suggestions seem like common sense, there are also many lesser known incidences that arise while working in the medical field. Did you know that you cannot access your own medical records using your login credentials? While it may seem innocent enough, everyone is required to submit a request to access medical materials. 

 

Don’t deter a Risk Assessment out of indolence. HIPAA Risk Assessments must be accurate and extremely thorough.  Questions about all the administrative, technical, and physical safeguards an organization has in place must be asked about.

 

If outsourcing your HIPAA Risk Assessment, choose a company that provides comprehensive training courses. No two companies are alike so cookie-cutter answers don’t exist for compliancy; a client-facing doctor’s office and corporate health insurance agency will require that different preventive measures be put into place.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA compliance tips for small medical practices

HIPAA compliance tips for small medical practices | HIPAA Compliance for Medical Practices | Scoop.it

But data breaches don’t just affect large corporate entities, they affect small healthcare organizations as well. Take the case of Holland Eye Laser Surgery in March 2018. Their five-provider group practice saw a data breach which made available the patient records of 42,000 patients. Hackers were able to access Social Security numbers, birth records, and other sensitive protected health information (PHI).

 

In fact, some of the medical records of these patients were sold off by data hackers. Officials from the practice stated that they’re now working to strengthening their security system. But once patient trust is lost, sometimes it just cannot be restored.

 

Brief primer on HIPAA and data breaches

• The Privacy Rule protects individually identifiable health information held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal

• Each entity must analyze the risks to e-PHI in its environment and create solutions appropriate for its own situation.

• The HIPAA Breach Notification Rule requires providers to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without delay and no later than 60 days following the discovery of a breach.

 

5 tips to help you and your medical staff to avoid data breaches

1. CMS requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Conduct a detailed risk analysis to evaluate the current staff and product deficiencies and create corrective measures.

2. Designate a staff member to train employees on your practice’s HIPAA policies and procedures and spend time going over typical breaches.

3. Hire an outside expert to help your organization with compliance support. Your outside organization should set up monthly meetings with the business owners to evaluate your company compliance program and work with your organization to identify cost-effective resources to keep your company compliant.

4. Customize your internet toolbars with anti-phishing protection. These applications can run website checks and compare them to lists of known phishing sites and alert users.

5. Be suspicious of any email message that asks you to enter or verify personal information through a website or by replying to the message itself.  Practice groups and or staff members should never reply to or click the links in such a messages.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How Do I Become HIPAA Compliant?

How Do I Become HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

For healthcare providers, HIPAA compliance is a must. HIPAA guidelines protect patients’ health information, ensuring that it is stored securely, and used correctly.

 

Sensitive data that can reveal a patient’s identity must be kept confidential to adhere to HIPAA rules. These rules work on multiple levels and require a specific organizational method to implement comprehensive privacy and security policies to achieve compliance.

 

Most organizations find this to be a daunting task. We have put together a HIPAA compliance checklist to make the process easier.

 

The first is to understand how HIPAA applies to your organization. The second is to learn how to implement an active process, technology, and training to prevent a HIPAA-related data breach or accidental disclosure. Finally, the third is to put physical and technical safeguards in place to protect patient data.

By the time you’re done with our list, you will know what you need to consider to have a better conversation with your compliance advisors.

What is HIPAA?

Before talking about compliance, let’s recap the basics of HIPAA.

Signed into law by President Bill Clinton in 1996, the Health Insurance Portability and Accountability Act provides rules and regulations for medical data protection.

HIPAA does several important things. It reduces health care abuse and fraud and sets security standards for electronic billing of healthcare. It also does the same for the storage of patients’ healthcare information. The Act mandates the protection and handling of medical data, ensuring that healthcare data is kept private.

The part of HIPAA we are concerned with relates to healthcare cybersecurity. To be compliant, you must protect patients’ confidential records.

HIPAA rules have evolved. When the law was first enacted, it did not mention specific technology. As the HIPAA compliant cloud has become commonplace, it has inspired additional solutions. For example, our Data Security Cloud (DSC) is being developed to create a base infrastructure for a HIPAA compliant solution. Providing a secure infrastructure platform to ride on top of, DSC makes creating a HIPAA-compliant environment easier.

Secure infrastructure handles things at the lowest technical level that creates data, providing the key features to keep data safe. These features include separation/segmentation, encryption at rest, a secure facility at the SOC2 level of compliance, and strict admin controls among other required security capabilities.

 
 

Why Is HIPAA Compliance Important?

HIPAA compliance guidelines are incredibly essential. Failure to comply can put patients’ health information at risk. Breaches can have a disastrous impact on a company’s reputation, and you could be subject to disciplinary action and strict violation fines and penalties by CMS/OCR.

Last year’s Wannacry ransomware attack affected more than 200,000 computers worldwide, including many healthcare organizations. Most notably, it affected Britain’s National Health Service, causing serious disruptions in the delivery of health services across the country.

To gain access to the systems, hackers exploited vulnerabilities in outdated versions of Windows that are still commonly used in many healthcare organizations. With medical software providers offering inadequate support for new OS’s and with medical devices such as MRIs lacking security controls, the attack was easy to carry out.

The attack demonstrated the strength of today’s hackers, highlighting the extent to which outdated technologies can pose a problem in modern organizations. This is precisely why HIPAA also regulates some aspects of technology systems used to store, manage, and transfer healthcare information.

The institutions that fail to implement adequate systems can suffer significant damage. If a breach takes place, the law requires affected organizations to submit various disclosure documents, which can include sending every subject a mailed letter. They may also be required to offer patients a year of identity protection services.  This can add up to significant dollars, even before confirming the extent of the breach.

 

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule creates national standards. Their goal is to protect medical records and other personally identifiable health information (PHI).

It applies to three types of companies: providers, supply chain (contractors, vendors, etc.) and now service providers (such as data centers and cloud services providers). All health plans and healthcare clearinghouses must be HIPAA compliant.

The rules also apply to healthcare providers who conduct electronic health-related transactions.

The Privacy Rule requires that providers put safeguards in place to protect their patients’ privacy. The safeguards must shield their PHI. The HIPAA Privacy Rule also sets limits on the disclosure of ePHI.

It’s because of the Privacy Rule that patients have legal rights over their health information.

These include three fundamental rights.

    • First, the right to authorize disclosure of their health information and records.
    • Second, the right to request and examine a copy of their health records at any time.
    • Third, patients have the right to request corrections to their records as needed.

The HIPAA Privacy Act requires providers to protect patients’ information. It also provides patients with rights regarding their health information.

 

What Is The HIPAA Security Rule

The HIPAA Security Rule is a subset of the HIPAA Privacy Rule. It applies to electronic protected health information (ePHI), which should be protected if it is created, maintained, received, or used by a covered entity.

The safeguards of the HIPAA Security Rule are broken down into three main sections. These include technical, physical, and administrative safeguards.

Entities affected by HIPAA must adhere to all safeguards to be compliant.

Technical Safeguards

The technical safeguards included in the HIPAA Security Rule break down into four categories.

    • First is access control. These controls are designed to limit access to ePHI. Only authorized persons may access confidential information.
    • Second is audit control. Covered entities must use hardware, software, and procedures to record ePHI. Audit controls also ensure that they are monitoring access and activity in all systems that use ePHI.
    • Third are integrity controls. Entities must have procedures in place to make sure that ePHI is not destroyed or altered improperly. These must include electronic measures to confirm compliance.
    • Finally, there must be transmission security. Covered entities must protect ePHI whenever they transmit or receive it over an electronic network.

The technical safeguards require HIPAA-compliant entities to put policies and procedures in place to make sure that ePHI is secure. They apply whether the ePHI is being stored, used, or transmitted.

Physical Safeguards

Covered entities must also implement physical safeguards to protect ePHI. The physical safeguards cover the facilities where data is stored, and the devices used to access them.

Facility access must be limited to authorized personnel. Many companies already have security measures in place. If you don’t, you’ll be required to add them. Anybody who is not considered an authorized will be prohibited from entry.

Workstation and device security are also essential. Only authorized personnel should have access to and use of electronic media and workstations.

Security of electronic media must also include policies for the disposal of these items. The removal, transfer, destruction, or re-use of such devices must be processed in a way that protects ePHI.

Administrative Safeguards

The third type of required safeguard is administrative. These include five different specifics.

    • First, there must be a security management process. The covered entity must identify all potential security risks to ePHI. It must analyze them. Then, it must implement security measures to reduce the risks to an appropriate level.
    • Second, there must be security personnel in place. Covered entities must have a designated security official. The official’s job is to develop and implement HIPAA-related security policies and procedures.
    • Third, covered entities must have an information access management system. The Privacy Rule limits the uses and disclosures of ePHI. Covered entities must put procedures in place that restrict access to ePHI to when it is appropriate based on the user’s role.
    • Fourth, covered entities must provide workforce training and management. They must authorize and supervise any employees who work with ePHI. These employees must get training in the entity’s security policies. Likewise, the entity must sanction employees who violate these policies.
    • Fifth, there must be an evaluation system in place. Covered entities must periodically assess their security policies and procedures.

Who Must Be HIPAA complaint?

There are four classes of business that must adhere to HIPAA rules. If your company fits one of them, you must take steps to comply.

The first class is health plans. These include HMOs, employer health plans, and health maintenance companies. This class contains schools who handle PHI for students and teachers. It also covers both Medicare and Medicaid.

The second class is healthcare clearinghouses. These include healthcare billing services and community, health management information systems. Also included are any entities that collect information from healthcare entities and process it into an industry-standard format.

The third class is healthcare providers. That means any individual or organization that treats patients. Examples include doctors, surgeons, dentists, podiatrists, and optometrists. It also includes lab technicians, hospitals, group practices, pharmacies, and clinics.

The final class is for business associates of the other three levels. It covers any company that handles ePHI such as contractors, and infrastructure services providers. Most companies’ HR departments also fall into this category because they handle ePHI of their employees. Additional examples include data processing firms and data transmission providers. This class also includes companies that store or shred documents. Medical equipment companies, transcription services, accountants, and auditors must also comply.

If your entity fits one of these descriptions, then you must take steps to comply with HIPAA rules.

What is the HIPAA Breach Notification Rule?

Even when security measures are in place, it’s possible that a breach may occur. If it does, the HIPAA Breach Notification Rule specifies how covered entities should deal with it.

The first thing you need to know is how to define a breach. A breach is a use or disclosure of PHI forbidden by the Privacy Rule.

The covered entity must assess the risk using these criteria:

    1. The nature of the PHI involved, including identifying information and the likelihood of re-identification;
    2. The identity of the unauthorized person who received or used the PHI;
    3. Whether the PHI was viewed or acquired; and
    4. The extent to which the risk to the PHI has been mitigated.

Sometimes, PHI may be acquired or disclosed without a breach.

The HIPAA rules specify three examples.

  • The first is when PHI is unintentionally acquired by an employee or person who acted in good faith and within the scope of their authority.
  • The second is inadvertent disclosure of PHI by one authorized person to another. The information must not be further disclosed or used in a way not covered by the Privacy Rule.
  • The third occurs if the covered entity determines that the unauthorized person who received the disclosure would not be able to retain the PHI.

 

If there is a breach as defined above, the entity must disclose it. The disclosures advise individuals and HHS that the breach has occurred.

 

Personal disclosures must be mailed or emailed to those affected by the breach. A media disclosure must be made in some circumstances. If more than 500 people in one area are affected, the media must be notified.

 

Finally, there must also be a disclosure to the HHS Secretary.

The HIPAA Breach Notification Rule protects PHI by holding covered entities accountable. It also ensures that patients are notified if their personal health information has been compromised.

 

What Are The HIPAA Requirements for Compliance

The common question is, how to become HIPAA compliant?

The key to HIPAA compliance certification is to take a systematic approach. If your entity is covered by HIPAA rules, you must be compliant. You must also perform regular audits and updates as needed.

 

With that in mind, we’ve compiled a comprehensive checklist for use in creating your HIPAA compliance policy.

HIPAA Compliance Checklist

These questions cover the components to make you are HIPAA-compliant. You can use the checklist to mark each task as you accomplish it. The list is intended to be used for self-evaluation.

Have you conducted the necessary audits and assessments according to National Institutes of Standards and Technology (NIST) Guidelines?

 

The audits in question involve security risk assessments, privacy assessments, and administrative assessments.

Have you identified all the deficiencies and issues discovered during the three audits?

 

There are several things to consider before doing the self-audit checklist. You need to ensure that all security, privacy, and administrative deficiencies and issues are appropriately addressed.

 

Have you created thorough remediation plans to address the deficiencies you have identified?

After covering the deficiencies and issues mentioned above, you need to provide remediation for each group.

Do you have policies and procedures in place that are relevant to the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule?

 

You must be aware of these three critical aspects of a HIPAA compliance program and ensure each is adequately addressed.

    • Have you distributed the policies and procedures specified to all staff members?
      • Have all staff members read and attested to the HIPAA policies and procedures you have put in place?
      • Have you documented their attestation, so you can prove that you have distributed the rules?
      • Do you have documentation for annual reviews of your HIPAA policies and procedures?
    • Have all your staff members gone through basic HIPAA compliance training?
      • Have all staff members completed HIPAA training for employees?
      • Do you have documentation of their training?
      • Have you designated a staff member as the HIPAA Compliance, Privacy, or Security Officer as required by law?
    • Have you identified all business associates as defined under HIPAA rules?
      • Have you identified all associates who may receive, transmit, maintain, process, or have access to ePHI?
      • Do you have a Business Associate Agreement (Business Associate Contract) in place with each identify you have identified as a Business Associate?
      • Have you audited your Business Associates to make sure they are compliant with HIPAA rules?
      • Do you have written reports to prove your due diligence regarding your Business Associates?
    • Do you have a management system in place to handle security incidents or breaches?
      • Do you have systems in place to allow you to track and manage investigations of any incidents that impact the security of PHI?
      • Can you demonstrate that you have investigated each incident?
      • Can you provide reporting of all breaches and incidents, whether they are minor or meaningful?
      • Is there a system in place so staff members may anonymously report an incident if the need arises?

As you work your way through this checklist, remember to be thorough. You must be able to provide proper documentation of your audits, procedures, policies, training, and breaches.

As a final addition to our checklist, here is a review of the general instructions regarding a HIPAA compliance audit.

    • If a document refers to an entity, it means both the covered entity and all business associates unless otherwise specified
    • Management refers to the appropriate officials designated by the covered entity to implement policies, procedures, and standards under HIPAA rules.
    • The covered entity must provide all specified documents to the auditor. A compendium of all entity policies is not acceptable. It is not the auditor’s job to search for the requested information.
    • Any documents provided must be the versions in use as of the audit notification and document request unless otherwise specified.
    • Covered entities or business associates must submit all documents via OCR’s secure online web portal in PDF, MS Word, or MS Excel.
    • If the appropriate documentation of implementation is not available, the covered entity must provide examples from “equivalent previous time periods” to complete the sample. If no such documentation is available, a written statement must be provided.
    • Workforce members include:
      • Entity employees
      • On-site contractors
      • Students
      • Volunteers
    • Information systems include:
      • Hardware
      • Software
      • Information
      • Data
      • Applications
      • Communications
      • People

Proper adherence to audit rules is necessary. A lack of compliance will impact your ability to do business.

In Closing, HIPAA Questions and Answers

HIPAA rules are designed to ensure that any entity that collects, maintains, or uses confidential patient information handles it appropriately. It may be time-consuming to work your way through this free HIPAA self-audit checklist. However, it is essential that you cover every single aspect of it. Your compliance is mandated by law and is also the right thing to do to ensure that patients can trust you with their personal health information.

One thing to understand is that it is an incredible challenge to try to do this by yourself. You need professional help such as a HIPAA technology consultant. Gone are the days you can have a server in your closet at the office, along with your office supplies. The cleaning personnel seeing a print out of a patient’s file constitutes a ‘disclosable’ event.

Screen servers, privacy screens, and professionally-managed technology solutions are a must. Just because you use a SAS-based MR (Medical Records) solution, does not mean you are no longer responsible for the privacy of that data. If they have lax security, it is still the providers’ responsibility to protect that data. Therefore the burden of due diligence is still on the provider.

Phoenix NAP’s HIPAA compliant hosting solutions have safeguards in place, as audited in its SOC2 certifications. We provide 100% uptime guarantees and compliance-ready platform that you can use to build secure healthcare infrastructure.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What is required for HIPAA Compliance?

What is required for HIPAA Compliance? | HIPAA Compliance for Medical Practices | Scoop.it

Lots of our visitors ask us “what is required for HIPAA compliance?” Because this is such an important question, we try to direct our visitors to the most trusted sources for HIPAA education. The most important aspect to remember is that a checklist based “solution” is my no means affective. What we do endorse is the ability to use a checklist to understand what aspect of HIPAA you are doing, and to recognize ones you may have looked over or need to address in further detail. We recommend taking a look at Compliancy Group who has two resources for your organization, whether you’re a Covered Entity or a Business Associate. First, we recommend reading and downloading their HIPAA compliance checklist. Or you can register for their HIPAA compliance checklist webinar!

 

Some of the key findings in the checklist highlight Business Associate Agreements, and also help point out the need for more than just a security risk assessment. As many are familiar with there is a need for HIPAA training, but we do appreciate how it points out the need for documentation of training and other attestations.

 

HIPAA Compliance Checklist: What You Need to Know

The divide between what is required for compliance under HIPAA regulation and the misconceptions that healthcare professionals have about being compliant is more extensive than ever. When she was appointed in late 2015, Jocelyn Samuels, director of the Office of Civil Rights (OCR) announced her plan to start on a new wave of audits. Extensively reported upon, these Phase 2 audits are reaffirming that the over $10 million in fines levied against non-compliant Covered Entities (CE’s) and Business Associates (BA’s) seen in 2015 alone is set to become the norm, and perhaps even grow over the coming months.

 

Compliancy Group is here to make sure that you’re not the one being hit with these fines. We’ve compiled this HIPAA checklist to help guide you through some of the most often overlooked components of total HIPAA compliance, and to help ready you for this sweeping new series of audits that OCR has lined up.

 

The HIPAA Compliance Checklist: The Privacy Rule

The HIPAA Privacy & Security Rule is a series of national regulations concerned with safeguarding patients’ PHI and medical records from unauthorized access. It gives patients the primary rights over their own health information. The rule applies to health plans, healthcare clearinghouses, and health care providers that make certain electronic healthcare transactions. These groups are required to have appropriate limitations and conditions on the use and disclosure of PHI.

  • Implement written policies, procedures, and standards of conduct: Ensure that you have written training standards as well as written penalties that employees are informed of in the case of a violation.
  • Have BA agreements in place: When conducting business with a BA, you need to ensure that you have comprehensive, up-to-date agreements in place to protect your firm from liability in the event that a BA breaches HIPAA regulation.
  • Data safeguards: Maintain administrative, technical, and physical safeguards to monitor use or disclosure of PHI.
  • Complaints procedures: Implement procedures where patients can file a complaint to the CE about its HIPAA compliance, and patients must be informed that complaints may also be submitted to HHS.
  • Retaliation and waiver: Retaliation can’t be taken out against a patient who exercises their rights under the Privacy Rule. Patients cannot be made to waive their Privacy Rule rights as a means of obtaining treatment, payment, or enrollment.
  • Documentation and record retention: Records of all privacy policies, privacy practice notices, complaints, remediation plans, and other documentation must be stored and accessible for six years after their initial creation.
  • Privacy personnel: Ensure that an appointed privacy officer is in place to develop and implement the rest of these privacy policies.

 

The HIPAA Compliance Checklist: The Security Rule

The HIPAA Security Rule outlines specific regulations that are meant to prevent breaches in the creation, sharing, storage, and disposal of ePHI. Since its adoption, the rule has been used to manage patients’ confidentiality alongside changing technology. And now, with the growing trends of cloud computing and online and remote document sharing, the protection of ePHI is becoming more important than ever.

 

These safeguards each require different standards that need to be implemented in order to be deemed fully compliant. The legal jargon that surrounds each safeguard and standard can be confusing, so we’ve broken them down into a simple, but comprehensive list below.

 

The HIPAA Security Rule Checklist: Administrative Safeguards

Administrative safeguards should be in place to establish policies and procedures that employees can reference and follow to ensure that they’re maintaining compliance. Each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.

Standard 1. Security Management Process

 

  • Risk Analysis should be done to assess confidentiality of ePHI
  • Risk Management measures should be implemented to assess potential breaches in ePHI
  • Sanction Policies should be extended to employees who fail to comply with policies and procedures
  • Information System Activity Reviews should be in place so that system activity is regularly monitored

Standard 2. Assigned Security Responsibility

  • Security Responsibility should be assigned to an employee who can regularly monitor, develop, and maintain privacy policies and procedures

Standard 3. Workforce Security

  • Employees who are meant to deal with ePHI should undergo Authorization and Supervision
  • Workforce Clearance Procedures should govern who is and isn’t allowed access to ePHI
  • Termination Procedures should be in place so that employees who have left a practice can no longer have access to ePHI that they’ve previously had access to

Standard 4. Information Access Management

  • Clearinghouses that are part of larger organizations need to have properly Isolated Access to ePHI
  • Employees should be given Access Authorization depending on whether or not their role requires that they handle ePHI
  • Access to ePHI should be governed by strict rules for when and how it is granted, Established, or Modified

Standard 5. Security Awareness and Training

  • Security Reminders should be regularly communicated
  • Protection from Malicious Software should be a priority to prevent ePHI from being compromised
  • Log-in Monitoring should be in place to detect any unauthorized access to ePHI
  • Password Management should be implemented for creating, changing, and protecting employees’ passwords

Standard 6. Security Incident Procedures

  • Breaches and their ramifications need to have documented Response and Reporting procedures

Standard 7. Contingency Plan

  • Data Backup Plan is required to ensure that there are ways to retrieve ePHI that has been lost because of a malfunction or a breach
  • Disaster Recovery Plans should be in place to ensure that any lost ePHI can be fully restored
  • Emergency Mode Operation Plans should be established so that employees can properly access and handle ePHI, while maintaining privacy, in the event of an emergency
  • Contingency procedures should be Tested and Revised on an ongoing basis to address faults or flaws
  • Contingency procedures should be go through Applications and Data Criticality Analysis to ensure that contingency plans are as streamlined as possible

Standard 8. Evaluation

  • The technical and non-technical elements of ePHI security should be regularly Evaluated, particularly when moving offices or changing operations

Standard 9. Business Associate Contracts and Other Arrangements

  • Written Contracts or Other Arrangements need to document that BAs will comply with all ePHI security measures.

 

The HIPAA Security Rule Checklist: Physical Safeguards

Physical safeguards should guide the creation of policies and procedures that focus on protecting electronic systems and ePHI from potential threats, environmental hazards, and unauthorized intrusion. And as is the case with administrative safeguards, each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.

Standard 1. Facility Access Controls

  • Procedures should be in place to establish Contingency Operations plans that allow access to the physical office and stored data in the event of an emergency
  • Facility Security Plan needs to be well established to protect equipment that stores ePHI from unauthorized access and theft
  • Access Controls and Validation Procedures should govern when, how, and to whom access to equipment is granted
  • Maintenance Records should document modifications to the physical facility such as renovations or changing doors or locks

Standard 2. Workstation Use

  • Workstation Use policies need to specify the use, performance, and physical attributes of equipment and workstations where ePHI is accessed

Standard 3. Workstation Security

  • Workstation Security should entail physical safeguards that govern who can access workstations and equipment where ePHI is accessible

Standard 4. Device and Media Controls

  • Disposal of hardware or equipment where ePHI has been stored needs to be strictly managed
  • Policies should be in place to determine how and when ePHI should be removed from equipment or electronic media before Re-use
  • Hardware and equipment that has access to ePHI should be Accountable and, if necessary, tracked
  • Data Backup and Storage procedures should entail the creation of exact copies of ePHI

 

The HIPAA Security Rule Checklist: Technical Safeguards

Technical safeguards are the last piece of the Security Rule. They’re meant to provide written, accessible, policies and procedures that monitor user access to systems that store ePHI.

Standard 1. Access Control

  • Employees should be granted Unique User Identification in the form of a username or ID number that can be used to identify and track system usage
  • Procedures should be in place that determine Emergency Access protocols and authorization
  • Systems that store ePHI should be built with an Automatic Logoff function after inactivity
  • Encryption and Decryption methods should be built into systems that store ePHI

Standard 2. Audit Controls

  • Audit Controls must regularly monitor, record, and store system usage and ePHI access

Standard 3. Integrity

  • In order to ensure that ePHI hasn’t been accessed, altered, or destroyed without authorization, a Mechanism to Authenticate ePHI should be built into the system

Standard 4. Person or Entity Authentication

  • Person or Entity Authentication needs to be in place to ensure that only authorized employees or users have access to certain data and ePHI

Standard 5. Transmission Security

  • Any ePHI that is transmitted electronically needs to be protected by Integrity Controls to ensure that it hasn’t been modified in the process
  • Any stored ePHI should be Encrypted
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

No Exception to HIPAA Privacy Rules, Nurse Learns

No Exception to HIPAA Privacy Rules, Nurse Learns | HIPAA Compliance for Medical Practices | Scoop.it

Ms. P, 45, was a nurse working in the cardiology department of a large hospital. Her duties were varied, and included, among other things, accessing patient medical records to review lab values and other diagnostic tests ordered by physicians, and writing progress notes in patients' charts.

When she was originally hired by the hospital, she was given a lecture from human resources about the importance of patient confidentiality. Ms. P was required to sign an agreement stating that she would protect patient confidentiality by only seeking or obtaining information regarding a patient that was required to perform her duties.

Later, when the U.S. Health Insurance Portability and Accountability Act (HIPAA) went into effect, Ms. P was required to go to another human resources seminar and sign a revised confidentiality agreement.

 

The revised agreement stated that she would not access or view information other than what was required to do her job, and that she would immediately ask her supervisor for clarification if she had any questions about whether information was required for her job.

 

Finally, the agreement contained a section saying that Ms. P acknowledged that violation of the facility's confidentially policy could result in disciplinary action up to and including termination.

Ms. P understood the importance of patient confidentiality and would never look in the records of patients that weren't hers—with two exceptions. Ms. P's mother and sister both had serious chronic conditions that frequently resulted in hospital visits over the years.

 

Ms. P's mother had Parkinson's disease, was on numerous medications, and was prone to falls. Ms. P's older sister, who lived with her, had Down syndrome. Ms. P would periodically look up her mother's and sister's health records on the hospital computer to get information or to access their treatment plans. She didn't see anything wrong with this because it was her own family.

 

One of her colleagues, however, had noticed Ms. P looking at the records on more than one occasion, and anonymously reported her. The hospital's HIPAA compliance officer began an investigation that revealed that Ms. P had accessed her mother's charts on 44 separate occasions and her sister's charts on 28 occasions.

 

When the human resources director confronted her with the results of the investigation, Ms. P admitted that she had accessed the records, but that they were the records of her family members and therefore she didn't see anything wrong with it.

 

“Did you need to access information from their medical records in order to do your job as a clinical affiliate in the cardiology department?” the human resources director asked sternly.

“No,” Ms. P replied. “They were not cardiology patients.”

She was fired that day. Angered by the loss of her job, Ms. P sought the advice of an attorney to see if she could sue the hospital for wrongful termination. The attorney was skeptical.

“HIPAA violations are taken very seriously,” he said. “Did they give you training about patient privacy?”

 

Ms. P admitted that she'd had training.

“Were you asked to sign anything?” the attorney inquired.

“Well, yes,” Ms. P said. “I did sign a confidentiality agreement, and the hospital does have a policy that you could lose your job for violating it. But this was my mother and sister! They don't mind that I looked at their records!”

 

“That's irrelevant,” the attorney said. “It doesn't matter if they are family or not. You still didn't have the right to look at the records. I don't think we have a leg to stand on, unless…” the attorney trailed off, thinking.

 

“How old are you?” he suddenly asked.

When she told him, he smiled. “I think we may have an angle. We can try suing the hospital for age discrimination. We can claim that the privacy violation was merely a pretext to get rid of you – a higher paid experienced nurse – and replace you with a less expensive junior person.”

 

The attorney filed the papers against the hospital. The hospital's attorney promptly filed a motion to dismiss. The court, after reviewing all the facts, dismissed Ms. P's case.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Navigating Mobile Devices and HIPAA

Navigating Mobile Devices and HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

The mobile technology revolution has impacted nearly every industry across the globe, with healthcare being no exception. Hospitals, clinics, and providers have all quickly embraced the use of smartphones and other mobile devices along with the convenience of accessing important medical information quickly.  

Many healthcare organizations are capitalizing on the benefits that mobile devices provide by permitting physicians, nurses, and other healthcare staff to bring their own personal devices (BYOD) to use at work. Other organizations choose to provide their staff with company-owned mobile devices, finding it easier to maintain control and protect their networks. 

 

Although the convenience of mobile technology provides many advantages, it also comes with risks. If mobile data security measures are inadequate, covered entities are at risk of violating HIPAA regulations that can incur heavy fines. HIPAA fines of up to $1.5 million per violation category, per year that the violation has been allowed to persist can be issued by the HHS. In addition, other federal agencies can issue fines, such as the state attorneys general. There is also the considerable cost of a breach response to cover if data is potentially exposed. 

 

The majority of mobile devices do not have robust security controls which can allow devices to be easily compromised. For example, if an unprotected device connects to a network via public Wi-Fi, there is an increased risk of theft. Cybercriminals view mobile devices as an accessible entry point into healthcare networks allowing them to access valuable electronic Protected Health Information.

 

As mobile devices are rapidly becoming an integral part of daily healthcare operations, it is important that organizations fully comprehend healthcare mobile security. (1) HIPAA covered entities that choose to use mobile devices in the workplace must implement controls to protect patient health data.  (2) It is also necessary they review and address all potential mobile data security risks.

 

The HIPAA Security Rule does not require specific technology solutions when it comes to technical safeguards for mobile devices. However, HHS does require organizations to implement reasonable and appropriate security measures for standard operating procedures. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What's in Our 2018 SecurityMetrics HIPAA Guide?

What's in Our 2018 SecurityMetrics HIPAA Guide? | HIPAA Compliance for Medical Practices | Scoop.it
 We are thrilled to announce the release of our brand-new HIPAA Guide! No matter the size of your organization, you can use this guide to understand and handle the more challenging requirements of HIPAA. In fact, it's already coming in handy for many of our partners. See what some of them have to say:

"The HIPAA Guidebook is one of the best references. It's well-organized and easy for our medical office staff and providers to understand." -Hedy Haun, Sr. Process Analyst,  SHARP Medical Group

"Words cannot express what the HIPAA Guide represents to me and all of Curis. It's like an encyclopedia for us." -George Arnau,  Curis Practice Solutions

A better way to read and utilize our HIPAA guide


Just like many of our partners report back to us, our HIPAA Guide is best utilized as "desk-side reference." In order to increase the guide's usefulness to you, we've added a new section called "How to Read This Guide." It includes a color-coded system, with reading suggestions based on your familiarity with HIPAA: beginning, intermediate, and advanced. This section discusses the skill levels likely required for policy and procedure implementation.

We understand there are many job descriptions that require HIPAA understanding, so whether you're a brand-new employee or a seasoned systems administrator--our guide is meant for you.

 We also include a "Terms and Definitions" glossary at the end of the 135-page guide. This is meant to help familiarize you with data security and tech terms you may not already know.

Ultimately, we want to help you keep your patients' and customers' data safe and secure. By helping you address the most complicated aspects of data security and HIPAA , we aim to equip you with practical knowledge you can use in meetings and trainings, while drafting policies and procedures, and when making decisions about security at your practice.

Survey Data and HIPAA industry trends

This year, we conducted four surveys and received responses from over 300 healthcare professionals. These professionals are responsible for HIPAA compliance at their organizations, and work primarily at companies with less than 500 employees. And while larger organizations tend to have better HIPAA compliance, it's important that those larger organizations still take note of compliance trends at organizations of all sizes, since they will likely share data and interact with them (for instance, when a large hospital sends patient records to a smaller specialty clinic).

We asked respondents about security habits at their organizations. Training and encryption continue to challenge HIPAA teams, while many organizations fare well in the area of risk analysis. Here are just a few of our survey results:

  • 6% of organizations do not conduct a formal risk analysis
  • 16% of organizations report they send emails with unencrypted patient data
  • 34% of organizations train employees on the HIPAA Breach Notification Rule

Top Tips for Better Data Security 

As lead SecurityMetrics HIPAA auditor Brand Barney says, "Our guide was specifically created to help covered entities and business associates address the most problematic issues within HIPAA compliance.”

So, the guide focuses on commonly challenging aspects of the HIPAA Privacy, Breach Notification, and Security Rules, including:

•   Incident response plans
•   PHI encryption
•   Business associate agreements
•   Mobile device security
•   HIPAA-compliant emails
•   Remote access
•   Vulnerability scanning
•   Penetration testing

A proactive, offense-minded approach

Even with steep penalties in place, HIPAA compliance--particularly when it comes to security--is often not as complete as is thought or hoped for. In fact, according to the Identity Theft Resource Center , 24.7% of data breaches in 2017 were healthcare-related. Education is the first line of defense, so becoming familiar with the guide is one of the best ways you can proactively protect your organization from a potentially devastating data breach.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

6 things software vendors need to know about HIPAA compliance

6 things software vendors need to know about HIPAA compliance | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance

 

Many people are loosely familiar with the Health Insurance Portability and Accountability Act (HIPAA) and usually associate it with hospitals, clinics, and health insurance companies. However, it can be less clear how HIPAA compliance standards apply to countless other software vendors, SaaS providers that work with healthcare-related businesses or handle protected health information (PHI). In recent months, the Office for Civil Rights has been coming down hard on HIPAA violators, doling out some of the large fines – upwards of $5 million. So in order to ensure your business is protected and to maintain your brand reputation, it is vital to know the ins and outs of HIPAA compliance. With this in mind,

 

How do you know if you need to be HIPAA compliant?

 

In short, HIPAA rules apply to both Covered Entities (health insurance companies, HMOs, company health plans, etc.) and their business associates (a vendor or subcontractor who has access to PHI). What this means for business associates is that even if you’re a service provider or vendor who isn’t in the healthcare industry - like an all-flash storage company - you may still need to be HIPAA compliant indirectly due to the fact that your organization stores PHI. The first step here is to determine whether your organization handles PHI. If you do, your next step is to look through the

 

Look to your current vendors for guidance

 

Once you determine that you need to be compliant, there’s no need to go on a hiring spree to ensure you have the necessary resources in-house. Many of your existing vendors may already cover key HIPAA compliance requirements. Any good service provider should be able to tell you whether they are HIPAA compliant and what controls they can cover. If so, it is important that they are also willing to sign a Business Associate Agreement (BAA) - a negotiation between Covered Entities and any third-party vendors that have access to their PHI.

 

Look for specific types of technology that can help to streamline the process

 

If none of your existing vendors can help with HIPAA compliance, turn to a managed service provider to do the heavy lifting and help your business attain and maintain compliance, so you can focus resources on driving business. Additionally, they can strengthen the security technology, processes, and controls they use to keep customer information secure. For example, if you’re looking for a secure way to continue work-from-home programs at your organization through remote desktops, HIPAA compliant Desktop-as-a-Service (DaaS) vendors are a great option to both fill specific needs for your business and drastically simplify compliance.

 

Don’t forget about maintenance

 

A key stumbling block for many organizations tends to be maintaining a constantly evolving set of compliance standards. HIPAA compliance certification is valid only at that moment – it is then up to the company to maintain compliance which is easier said than done. Some important things to keep the top of mind for maintenance include 1) completing a HIPAA Risk Analysis document and audit at least once a year, and 2) assessing employees year-round to make sure they are doing their jobs in a HIPAA compliant manner, following all stated company policies and procedures.

 

Know who is responsible for HIPAA compliance

 

Another challenge accompanying HIPAA compliance may sound simple, but is one that oftentimes goes overlooked - precisely who internally is responsible for compliance? For non-healthcare organizations, a company is unlikely to have a designated in-house role such as a Privacy and Security Officer, and therefore the responsibility often falls on security or operations departments. However, it’s likely that neither of these departments has a full understanding or stake in HIPAA compliance. Regardless of who is taking the reins, it is important that the role is clearly demarcated and that person or department knows what is expected of them. Additionally, it’s critical that they work together with other departments as needed to ensure a well-rounded HIPAA strategy. Case in point - a recent

 

Keep HIPAA compliance top of mind for staff

 

Regardless of who is in charge, it is important that all your staff be mindful of maintaining HIPAA compliance. Human error can become one of the biggest obstacles to maintaining compliance, especially when employees may not even realize their company deals with PHI. For example, the same NueMD survey also found that only 58% of respondents were providing training for their staff annually. HR teams can proactively assist with this by reminding staff of regular HIPAA training, updates on compliance standards changes and keeping visible HIPAA compliance checklists posted in work areas.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The HIPAA Privacy and HIPAA Security Rules

The HIPAA Privacy and HIPAA Security Rules | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.

THE HIPAA PRIVACY AND HIPAA SECURITY RULES

According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. Additionally, the Security Rule establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form. The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals’ electronic PHI (e-PHI). Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

THE NEED FOR HIPAA COMPLIANCE

As HHS points out, as health care providers and other entities dealing with PHI move to computerized operations, including computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, HIPAA compliance is more important than ever. Similarly, health plans provide access to claims as well as care management and self-service applications. While all of these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data. The Security Rule is in place to protect the privacy of individuals’ health information, while at the same time allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule, by design, is flexible enough to allow a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to patients’ and consumers’ e-PHI.

PHYSICAL AND TECHNICAL SAFEGUARDS, POLICIES, AND HIPAA COMPLIANCE

The HHS requires physical and technical safeguards for organizations hosting sensitive patient data. These physical safeguards include…

  • Limited facility access and control with authorized access in place
  • Policies about use and access to workstations and electronic media
  • Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI

Along the same lines, the technical safeguards of HIPAA require access control allowing only for authorized personnel to access ePHI. Access control includes…

  • Using unique user IDS, emergency access procedures, automatic log off, and encryption and decryption
  • Audit reports or tracking logs that record activity on hardware and software

Other technical policies for HIPAA compliance need to cover integrity controls, or measures put in place to confirm that ePHI is not altered or destroyed. IT disaster recovery and offsite backup are key components that ensure that electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact. One final technical safeguard is a network or transmission security that ensures HIPAA compliant hosts protect against unauthorized access to ePHI. This safeguard addresses all methods of data transmission, including email, internet, or private network, such as a private cloud.

To help ensure HIPAA compliance, the U.S. government passed a supplemental act, The Health Information Technology for Economic and Clinical Health (HITECH) Act, which raises penalties for health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was put into place due to the development of health technology and the increased use, storage, and transmission of electronic health information.

DATA PROTECTION FOR HEALTHCARE ORGANIZATIONS AND MEETING HIPAA COMPLIANCE

Clearly, the need for data security has grown as the proliferation of electronic patient data grows. High-quality care today requires healthcare organizations to meet the accelerated demand for data; yet, they must ensure HIPAA compliance and protect PHI. Make sure that you have a data protection strategy in place that allows your organization to:

  • Ensure the security and availability of PHI to maintain the trust of practitioners and patients
  • Meet HIPAA and HITECH regulations for access, audit, and integrity controls as well as for data transmission and device security
  • Maintain greater visibility and control of sensitive data throughout the organization

The best data protection solutions recognize and protect patient data in all forms, including structured and unstructured data, emails, documents, and scans while allowing healthcare providers to share data securely to ensure the best possible patient care. Patients entrust their health care to your organization; you need to take care of their protected health information as well.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Where Is HIPAA Taking Physician Practices?

Where Is HIPAA Taking Physician Practices? | HIPAA Compliance for Medical Practices | Scoop.it

Introduction:

Several provisions of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, were intended to encourage electronic data interchange (EDI) and safeguard the security, privacy, and confidentiality of patient health information In the context of this act, security is the means by which confidentiality and privacy are insured. Confidentially defines how patient data can be protected from inappropriate access, while privacy is concerned with who should have access to the patient data. This article explores how the policies stipulated by HIPAA are shaping the practice of medicine and will likely affect your practice in the future.

 

HIPAA Security vs Innovation:

If you're a typical small-practice physician, odds are that you view HIPAA as simply another federally mandated cost of practising medicine, regardless of the intended outcome of the act. This position is understandable, given the cost of mandated training for you and your office staff. Furthermore, if your practice is computerised, then you'll need to spend even more money on software upgrades and possibly additional training from the vendor.

HIPAA rules and regulations are complex, in part because much of compliance is open to interpretation. For example, security issues, which are predominantly in the domain of software and hardware vendors, are based on “risk assessment,” not specific technology standards. The act doesn't stipulate specific technologies or endorse nationally recognised procedures, but leaves it up to the physician practice or medical enterprise to ensure that patient health data are secure. (HIPAA's security standards take effect on April 20, 2005, for all “covered entities” except small health plans However, because HIPAA enforcement is complaint-driven – there are no “HIPAA Police” checking to see that your practice meets the law's requirements – differences in interpretation of the act are likely to end up in a courtroom at some point. For this reason, some experts recommend assessment of HIPAA compliance by outside counsel.

Most physicians are understandably concerned with the immediate compliance issues surrounding HIPAA and privacy and confidentiality of patient data. Even though the security standards were designed to be “technology-neutral,” the vagaries of these requirements are having a direct impact on medicine beyond the acute phase of compliance, especially in the introduction of new technologies in the clinical arena. New technologies, from wireless to tablet PCs, bring with them added functionality, potential workflow enhancements, and efficiencies – as well as new HIPAA security compliance issues.

Consider, for example, the effect of HIPAA's privacy rules on a physician contemplating the purchase of a Palm Pilot or other PDA. Even late adopters have probably observed the benefit of PDAs. Need to share patient data? Just beam it across the infrared link from one PDA to the next. Need to review patient lab data? Just touch the screen and the data are only a second away.

But it isn't that simple once HIPAA enters into the picture. Now a PDA carrying patient data is a compliance concern, as HIPAA's privacy rule applies to all mediums of a patient's protected health information, whether it's print, verbal, or electronic. Does your PDA have a login and auto logout feature? If not, then anyone could take your PDA and look up patient data. Consider the liability issues if you forgot your PDA at a coffee shop and someone picked it up and scanned through your list of patients. But with a login screen, one of the major benefits of a PDA – instant access to data – is lost.

If you use one of the wireless PDAs, such as the BlackBerry, then there are additional HIPAA-related issues: Does your PDA support the encryption of email and patient data it sends over the Internet? Is the encryption enabled? Is the level of encryption good enough for HIPAA?

Perhaps you've been considering adding a wireless (WiFi) LAN to your clinic or practice. You may have good reason to; wireless will allow you to carry a laptop into examining rooms for decision support and not have to worry about Ethernet cords. But considering HIPAA, is your WiFi system secure? Is the data encryption good enough? If not, will you have to buy new PCs and PDAs, or simply upgrade the operating systems? Do you need to hire a consultant? Maybe it's easier to simply string cables to each office and forget about the laptop this year. Or maybe it would be better to hold off on the computer-assisted decision support project altogether.

Paradoxically, although proponents of HIPAA once thought that it would enhance the move toward the electronic medical record (EMR), I believe that it is having the opposite effect. Because of the uncertainty surrounding HIPAA compliance and whether the legal system will be swamped with cases alleging violations of privacy, it's simply safer for small practices to stay with paper charts, and let the big medical practices deal with the inevitable lawsuits.

This brings up another cost issue: Does your insurance cover a patient suit over HIPAA? If so, how inclusive is the insurance? For example, let's say your practice regularly sends digital audio files overseas for transcription. You send the audio files and receive text documents a day later. Do you know how the patient data are handled at the transcription service? If a transcriptionist overseas decides to protest his or her low wages by posting a transcription of your patient's clinic visit openly on the Web, are you liable? Will your insurer pay? This example isn't as far-fetched as it might seem. In October 2003, a disgruntled Pakistani transcriber threatened the University of California-San Francisco over back pay.[3] She threatened to post patients' confidential files on the Internet unless she was paid more money. To show that she was serious, she sent UCSF an unencrypted email with a patient record attached.

 

HIPAA, Privacy, and the Physician:

Whereas compliance with HIPAA's upcoming security requirements is largely in the purview of vendors and the information services department in most larger medical centres, privacy concerns are usually addressed at the physician level. Consider the major privacy provisions of the act, most of which took effect in April 2003, listed in the Table.

Major Privacy Components of HIPAA, Based on Data From the DHHS.

Implementing each of these privacy components falls squarely on you and your office staff. You, your office manager, or someone else in your practice must be designated the Privacy Officer and given the responsibility of ensuring compliance with the act. If you haven't already had at least 1 practice walk-through with the major privacy provisions, make sure you do so.

 

 

 
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.