HIPAA Compliance for Medical Practices
77.0K views | +6 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Understanding the HIPAA Security Rule: HIPAA Physical Safeguards

Understanding the HIPAA Security Rule: HIPAA Physical Safeguards | HIPAA Compliance for Medical Practices | Scoop.it

While HIPAA covers a broad scope of healthcare related items, its Security Rule specifically sets forth standards concerning the safety of electronic Protected Health Information or ePHI. Furthermore, the Security Rule can be broken down into three keys areas of implementation: Physical Safeguards, Technical Safeguards, and Administrative Safeguards. In Part I of this blog series we will discuss the basics regarding HIPAA Physical Safeguards, or Section 164.310 of the Security Rule, and how they relate to ePHI (electronic Protected Health Information).

 

The Department of Health and Human Services defines HIPAA Physical Safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings from natural and environmental hazards, and unauthorized intrusion”. In short, a covered entity must have physical protocols in place to protect is ePHI from disaster and/or theft.

HIPAA Physical Safeguards can be broken down into the following standards:

  • Facility Access ControlThis standard requires covered entities to implement policies and procedures to limit physical access to information systems and the facilities in which they are stored. Proper authorization to access these systems should also be ensured. The Facility Access Control Standard also requires the following implementations:
    • Contingency Operations
    • Facility Security Plan
    • Access Control and Validation Procedures
    • Maintenance Records

 

  • Workstation Use: A workstation is defined as an electronic computing device and any electronic media stored in its immediate environment. According to this standard, covered entities must implement policies and procedures surrounding the functions and physical attributes of any workstation that can access ePHI. The importance of these policies and procedures is to limit exposure to viruses, compromisation of information systems, and breaches of confidential information.

 

  • Workstation Security: This standard differs from Workstation Use in that it refers specifically to how workstations are to be physically protected from unauthorized users. Under this standard, converted entities must implement physical safeguards for all workstations that access ePHI to restrict unauthorized users. Essentially, a covered entity must take precautions - such as locked doors/equipment – to prevent non-employees from physically accessing a workstation.

 

  • Device and Media Controls: Device and Media controls refer to electronic media- meaning electronic storage media devices in computers (hard drives) and any removable/transportable digital memory medium such as tapes, disks, or digital memory cards. The purpose of this standard is to have policies and procedures in place to govern the receipt and removal of hardware and electronic media that contains ePHI, into and out of a facility, and the movement of these items within the facility. Covered entities must be able to account for all ePHI as it is moved between electronic devices. They must be able to account for this ePHI, even if it is disposed of. This standard is broken down into the following implementations:
    • Disposal
    • Media Re-Use
    • Accountability
    • Data Backup and Storage

In order to comply with these standards related to HIPAA Physical Safeguards, here are some examples of basic practices that any covered entity can apply to its medical practice:

  • Keep access to any device that stores or processes ePHI restricted to authorized personnel only. Avoid having these devices in areas that can easily be accessed by patients or visitors.
  • Ensure that ePHI is disposed of properly. Hard drives and any other devices that store patient information must be destroyed in the proper manner, and a certificate of disposal should be obtained and kept as a record.
  • Keep an inventory of all devices in the office that store or process ePHI. Additionally, note down which staff have accesses to these devices and what roles they play in processing ePHI.

 

These are examples of general steps that will help covered entities comply with HIPAA.   It is important that the annual mandatory HIPAA risk assessments be comprehensive and should review all physical safeguards at your location, pinpoint specific vulnerabilities and determine the corresponding action items and additional physical safeguards that may need to be implemented.

In summary, the Physical Safeguards standard of the HIPAA Security Rule sets forth a comprehensive framework regarding the physical protection of ePHI. As covered entities continue to modernize and move away from traditional paper-based records keeping, they will need to keep these standards in mind for the privacy of their patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

Do Dentists need to comply with HIPAA?

Do Dentists need to comply with HIPAA? | HIPAA Compliance for Medical Practices | Scoop.it

In April 2018, a dental office in New Jersey, Michael Gruber, DMD, PA reported that their computers were hacked and 4624 patient records were stolen.  Now, this incident appears on the “Wall of Shame” at the Department of Health and Human Services website. Yes, it can happen to anybody.

 

Many dentists seem to think that either they do not need to comply with HIPAA (Health Insurance Portability and Accountability Act) or that they are already compliant as they have taken HIPAA training provided by their EHR or by a consultant. While HIPAA training is indeed one of the annual requirements to be compliant with HIPAA law, it certainly is not the only requirement.

 

In the event of a breach like the one reported by Michael Gruber, DMD, PA, as it involved the loss or theft of more than 500 patient records, it became a reportable breach. Dentists, like any other covered entity, are required to comply with HIPAA breach notification rules that involve notifying OCR (Office of Civil Rights), the patients and in some cases, media.  This can become an expensive proposition as legal fees, penalties, media costs, postage costs, forensic investigation costs, and other related expenses are incurred during this breach notification and investigation phase.

 

Once a covered entity becomes a victim of a breach, OCR puts the case under investigation and more likely than not, conducts an audit of the practice.   One of the first documents requested in this case is a copy of the office’s HIPAA risk assessment or analysis which should be done annually.   

 

They would typically also ask to see your HIPAA policies and procedures.  Depending on the outcome of the investigation, OCR, as the enforcement arm of the Department of Health and Human Services, might also decide to impose monetary fines for HIPAA violations.  In severe cases of criminal negligence or impropriety, federal agencies such as the FBI or Department of Homeland Security or the Department of Justice get involved and there have been examples where a healthcare provider or an employee has been jailed.

Basic requirements for HIPAA compliance for a dental office:

  • Risk Assessment or Analysis:

    Conduct a risk analysis or risk assessment every year.

  • HIPAA Training:

    Train all your employees (including dentists, hygienists, assistants and all administrative/ office staff) every year on HIPAA privacy, security and breach notification rules.

  • Policies and Procedures:

    Create and maintain HIPAA policies and procedures and ensure that employees are familiar with them and follow them regularly.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

HIPAA regulatory actions on failure to comply with breach rules

HIPAA regulatory actions on failure to comply with breach rules | HIPAA Compliance for Medical Practices | Scoop.it

Caps on HIPAA penalties restrict OCR's ability to enforce proportionately

OCR Director Roger Severino said at the 2018 HIPAA NIST/ OCR conference, that it may be necessary for them to revisit the caps in HIPAA enforcement actions.  When asked about the inconsistency among different federal agencies on the amounts of penalties levied for data breaches, Director Severino said that having consistency or standard among agencies may not be easy to accomplish.  On the HIPAA side, there are caps on the penalties that can be levied.  He admitted that it may be necessary to take another look at these caps to ensure fairness and proportionality for judgments.  If a company is so large that a multi-million dollar fine may not be a big impact for them, then the caps may actually be hindering OCR’s ability to impose an appropriate enforcement action on such a company.

HIPAA enforcement highlights

The OCR Director highlighted their recent HIPAA enforcement highlights and provided some details behind those cases.  Some of the cases he discussed were how one covered entity left unprotected medical records on an open truck, one entity mentioned a patient’s name on a press release, insufficient monitoring of logs to detect incidents and how film crews were allowed into a medical center without prior authorization.

$45, 360, 383 is the total amount collected by OCR in HIPAA enforcement actions from January 1, 2017, to October 15, 2018.  They have exceeded $100 million in collection amounts from 2008 onwards.

Regulatory actions against entities that fail to report breaches

When asked about the future of the desk audit program, Director Severino indicated that while they are pleased with the number of entities coming forward to report their breaches, OCR may now focus some energy on entities who have not reported their breaches in accordance with the breach notification rule. They may look into taking regulatory action against entities who do not report breaches as required.  

A note to all healthcare entities – If you suffer from a reportable breach, make sure you adhere to breach notification rules and procedures in a timely manner as dictated by law.

 

Healthcare Information is a precious resource 

Director Severino closed his address by saying that healthcare information is like a bar of gold.  There are bad people who want access to it. 

  • Store it in a safe place.
  • Put a perimeter of defenses.
  • Train your personnel.
  • Monitor your logs.
  • Do your risk analysis. 
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Why a HIPAA Manual Won’t Protect You from Audits

Why a HIPAA Manual Won’t Protect You from Audits | HIPAA Compliance for Medical Practices | Scoop.it

When the regulation was first released, HIPAA manuals were an effective way for health care professionals to address the law.

However, in the 21 years since HIPAA was first enacted, the regulatory requirements have changed significantly. These days, with all the new rules and guidance that the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released, a simple HIPAA manual is not considered an effective compliance solution for your behavioral health practice.

Protecting your practice in the 21st century takes more than a dusty HIPAA policy binder. To keep ahead of the $17.1 million in fines levied since the start of 2017 alone, healtha care professionals need to ensure that they have a HIPAA compliance program in place that addresses the full extent of the law.

Why Isn’t a HIPAA Manual Enough?

According to HIPAA regulation, HIPAA policies and procedures need to be reviewed and updated annually. Your practice goes through changes all year long–employees are hired and fired, you might open a new office, or maybe you’ve adopted a new EHR platform.

Policies and procedures must be tailored to the unique needs of your practice, so these yearly changes need to be reflected in your organization’s HIPAA policies and procedures.

If you’re utilizing a HIPAA manual, it doesn’t have the functionality you need to effectively review and update your policies and procedures. Instead, policy binders must be replaced every year in order to maintain your organization’s HIPAA compliance. HIPAA regulation also mandates that, in addition to policies being updated each year, all staff members must be trained on these new policies annually.

A HIPAA Compliance Program that Changes with Your Practice

HIPAA compliance solutions that automatically track the status of your organization’s compliance are a key way to ensure that you are keeping up with the regulatory requirements of the law.

When looking for a HIPAA compliance solution that suits the needs of your behavioral health practice, be sure to check if policies and procedures are included. These policies and procedures should be directly tied to HIPAA audits that you conduct within your own practice to expose areas where you aren’t in compliance with the law. These ‘gaps’ in compliance feed directly into your remediation plans, which then inform the extent of the policies and procedures you need to adopt in your practice.

Your potential HIPAA compliance solution should also include an employee training module based on the policies and procedures that you’ve customized and adopted in your practice. Again, make sure that the solution you’re considering sets these tasks up on an ongoing annual basis.

And of course, when it comes to HIPAA, documentation is king. The solution you’re looking at should include full documentation–preferably automated–so that you can pull yearly reports to demonstrate the status of your organization’s HIPAA compliance.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Do you know the HIPAA Technical Safeguards-Security Rule?

Do you know the HIPAA Technical Safeguards-Security Rule? | HIPAA Compliance for Medical Practices | Scoop.it

The HIPAA Security Rule is broken down into three specific implementations – Physical Safeguards, Technical Safeguards, and Administrative Safeguards. In this post, we will discuss the specific standards surrounding HIPAA Technical Safeguards, or section 164.312 of the HIPAA Security Rule.

 

The HIPAA Security Rule defines Technical Safeguards as “the technology and the policy and procedures for its use that protect electronically protected health information (ePHI) and control access to it”. Essentially, these safeguards provide a detailed overview of access and protection of ePHI.

 

Technical Safeguards can be broken down into the following standards:

  • Access Control: This standard requires a covered entity to implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights. The Access Control Standard is broken down into four specific implementations:
    • Unique User Identification
    • Emergency Access Procedure
    • Automatic Logoff
    • Encryption and Decryption

These implementations ensure that only the correct person is logging on to an electronic device and accessing information on that device in an appropriate manner.

 

  • Audit Controls: Under this standard, covered entities must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. By implementing this standard, a covered entity can examine its information systems and determine if any security violations are taking place.
  • Integrity: The Integrity standard requires the covered entity to implement policies and procedures to protect ePHI from improper alteration or destruction. This standard has one specific implementation:
    • A mechanism to Authenticate Electronic Protected Health Information

Under this implementation, the covered entity must have mechanisms in place to ensure that ePHI has not been altered or destroyed in an unauthorized manner.

 

  • Person or Entity Authentication: Under this standard, covered entities must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
  • Transmission Security: The final standard requires covered entities to implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. This standard has two specific implementations:
    • Integrity Controls
    • Encryption

Much of the language surrounding the HIPAA Technical Safeguards can be a little overwhelming, but here are some example practices that covered entities can implement as they strive to get HIPAA compliant:

 

  • Ensure that all staff have unique user IDs/log-in credentials for all workstations and any programs that store or process ePHI. This will allow the HIPAA Security officer or IT administrator to determine exactly which staff member has accessed specific data.
  • Create defined roles for staff members within medical software/programs (EMR, scheduling, billing, etc.) based on their job status with the practice. For example, some staff members can be given read-only access, while others can change and edit data.
  • Avoid transmitting ePHI over unsecured electronic means such as email. If the covered entity maintains a website, a good practice would be to make sure it does not transmit or store any ePHI unless the website is protected with encryption.
  • Update/patch all technological devices that process ePHI regularly. The software can become quickly outdated, it is crucial to implement these updates to stay current with security needs.

 

These general steps are building blocks towards HIPAA compliance. Annual mandatory HIPAA risk assessments will help covered entities determine any additional vulnerabilities that need to be addressed regarding HIPAA Technical Safeguards.

 

The HIPAA Technical Safeguards are an integral part of the HIPAA Security Rule. Keeping in line with the standards mentioned above will allow a covered entity to ensure that it is doing all it can to secure the technology it uses to treat patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

Is it time for your Annual HIPAA Risk Assessment?

Is it time for your Annual HIPAA Risk Assessment? | HIPAA Compliance for Medical Practices | Scoop.it

Top 5 actions you can take to prepare for your next HIPAA Compliance review or risk assessment:

  • Identify where all your Patient Health Information (PHI) is stored, received, maintained or transmitted.
  • Assess current security measures used to safeguard PHI.
  • Make a list of all vendors that may have access to your PHI.
  • Have all your written HIPAA Policies and Procedures in place.
  • Be ready to document the assessment and take action where necessary.

Identify where your PHI is stored:

On your Computer?

  • Electronic Health Records (EHR)
  • Shared network drives
  • Word documents
  • Faxes
  • Recycle bin
  • Emails

In your office?

  • Paper Charts or files
  • File rooms and closets
  • CDs and USB drives
  • Old computers/servers that are no longer in use
  • Shredders or shred bins
  • Tablets and other mobile devices
  • Diagnostic equipment such as ultrasound machines and scanners.

Within your network storage?

  • A database
  • Other folders on the hard drive
  • Unencrypted images on other folders
  • Remote servers
  • Documents on network shares

On the cloud?

  • Electronic Health Record systems
  • Online cloud backup service
  • e-Fax services
  • Online file storage and transmission services such as Box, Dropbox, Google Drive.
  • Email services

How to Safeguard your PHI?

  1. Administrative Safeguards are used to develop a formal security management process including having written HIPAA Policies and Procedures readily available for medical office staff. Require that all staff, including physicians undergo security training to stay current on the laws and guidelines. Develop policies and procedures for the transfer, removal, and reuse of PHI.  
  2. Physical Safeguards are used to secure location and workspaces for staff members limiting access to unauthorized people and potential intruders. Provide Physical Cameras and Alarm systems as needed. Lock all IT equipment and limit access to authorized personnel only.
  3. Technical Safeguards are used to secure and control access to ePHI.  This is done in many ways such as establishing passwords, PIN numbers, implementing automatic logoff control. Ensure that antivirus is updated on all PCs. The PCs/Laptops on which PHI data and Images are stored should be fully encrypted. Do not share passwords.

What are compensating controls?

Compensating controls or alternative controls are put in place to satisfy the requirement for a security measure that is impractical to implement at the present time.

Examples of compensating controls:

When a medical office has paper charts that are filed on open shelves in a storage room or behind the reception desk, it is recommended to lock the charts at the end of the day.  Many times it is not practical to put locks on all open shelves that are used to file charts.  A compensating security measure can be used to install cameras surrounding the premises to monitor and record all activities. It is important that you also have a process in place to monitor the video recordings periodically.

Or

If an Ultrasound Technician uses CDs, Tapes, and Disks to store images or uses a USB hard drive to transfer the images to PCs and the EHR, then these devices have to be encrypted.  Many times, the Technician is not sure if the Thumb drives are encrypted. A compensating control here would be to lock the CDs and flash drives in a cabinet when not in use.

The Health Insurance Portability and Accountability Act (HIPAA) is primarily concerned with the Privacy and Security of Patients' Protected Health Information.  All entities that come into contact with Protected Health Information on a regular basis are covered under the Act.  Has it been more than one year since your last HIPAA Risk Assessment?  Or have you never had a HIPAA Risk Assessment done before? Either way, be sure to schedule your 2018 HIPAA Risk Assessment and 2018 HIPAA Training right away - don't wait until its too late.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Proposed HIPAA Law Changes

Proposed HIPAA Law Changes | HIPAA Compliance for Medical Practices | Scoop.it

Upcoming proposed changes to HIPAA law from the Office for Civil Rights (OCR)

Roger Severino, Director of the Office for Civil Rights (OCR), in his keynote address at the 11th Annual OCR/ NIST conference “Safeguarding Health Information: Building Assurance through HIPAA Security”, informed of some proposed policy changes in HIPAA law that OCR is in the process of working through.  Be on the lookout for upcoming policy enhancements. 

 

These proposed changes to legislation are provoked by input from covered entities, business associates and experts on what issues they currently face due to HIPAA regulations.   

Here are some of the proposed changes that Director Roger Severino talked about.

Good faith disclosures by health care providers

Often people say “I didn’t know” when it comes to either their own health records or those of their loved ones.  Sometimes, especially regarding public health emergencies like the opioid crisis, parents don’t know what is happening with the health of their children until it is too late. In those cases, good faith disclosures may be the right way to go.   Should OCR pursue action against a provider who disclosed patient health information when the patient’s or someone else’s life was at risk?  There should also be a provision for providers to inform the patient’s emergency contacts listed on the consent form when there is a true emergency. 

Improving care coordination and reducing regulatory burden

Notice of Privacy Practices

  • Providers make the Notice of Privacy Practices available to patients and often ask patients to sign the notice as part of the patient package of documents.  Patients sometimes do not know what this is for, what the notice provides them.  It raises several questions like “is this a contract”, “what exactly am I signing here”, “am I giving up my privacy”, etc.  OCR is looking into the notice of privacy practices to see how the process can be improved.

Required Provider to Provider Information Sharing

  • When patients go from doctor to doctor, the patient’s information should follow seamlessly to provide the best possible coordinated care to the patient. Providers are allowed to share information about patients with each other as part of the treatment process.
  • However, today there is no guarantee of receiving the information requested from one provider to another.   OCR is looking at the possibility of changing the law to make this provider-to-provider information sharing mandatory upon information request.

Accounting of Disclosures

  • Another area of review is the Accounting of Disclosures.   Should the TPO (Treatment Payment Operations) provision be revoked or modified?
  • Today, TPO allows for the sharing of protected health information among entities for the purpose of treatment, payment of operations related to a patient.  

OCR is keen on reducing the burden in the healthcare process. Director Severino stated that we definitely do not want a situation where a doctor is treating a computer screen instead of the patient in front of the doctor.

Civil Monetary Penalties or Monetary Settlements to harmed individuals

  • OCR is also looking at the patient compensation process.  Congress wants OCR to compensate patients for breach of privacy. 
  • This can be very complicated as the gravity of breaches could differ greatly from one breach to another.  For instance, the risks vary depending on if patient name and address are stolen, or if a name, address and social security number are stolen, or worse, if sensitive health or disease information is stolen. What level of privacy breach should be compensated?

HIPAA/ FERPA

There is joint guidance available between HIPAA and FERPA for educational institutions.  FERPA is all-encompassing for educational institutions.  However, after a string of recent school shootings, some rules may have to change in terms of communication to psychologists to handle the trauma related to these incidents.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.