HIPAA Compliance for Medical Practices
76.3K views | +7 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

Understanding the HIPAA Security Rule: Administrative Safeguards

Understanding the HIPAA Security Rule: Administrative Safeguards | HIPAA Compliance for Medical Practices | Scoop.it

The Administrative Safeguards are the most comprehensive standards, as they cover over half of the HIPAA Security Rule. These standards encompass many of the oversight aspects of managing a covered entity. The other two posts in this blog series covered Technical Safeguards and Physical Safeguards.

 

The Department of Health and Human Services defines these safeguards as “administrative” actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information”.

 

Administrative Safeguards are broken down into the following standards:

  • Security Management Process: A covered entity must implement policies and procedures to prevent, detect, contain, and correct security violations. There are four required implementations for this standard:
    • Risk Analysis
    • Risk Management
    • Sanction Policy
    • Information System Activity Review
  • Assigned Security Responsibility: This standard requires the designation of a security official who is responsible for the development and implementation of policies and procedures.
  • Workforce Security: Under this standard, a covered entity must implement policies and procedures to ensure that all staff members have appropriate access to ePHI, and also to prevent those workforce members who do not have permission, from accessing it. There are three addressable implementations under this standard:
    • Authorization and/or Supervision
    • Workforce Clearance Procedure
    • Termination Procedures
  • Information Access Management: This standard relates to the implementation of policies and procedures regarding the authorization of access to ePHI. There are three addressable implementations under this standard:
    • Isolating Healthcare Clearinghouse Functions
    • Access Authorization
    • Access Establishment and Authorization
  • Security Awareness and Training: Under this standard, a covered entity must have a security awareness and training program for all members of its workforce, including physicians and management. There are four implementations for this standard:
    • Security Reminders
    • Protection of Malicious Software
    • Log-in Monitoring
    • Password Management
  • Security Incident Procedures: Covered entities must have policies and procedures in place to address security incidents. There is one implementation:
    • Response and Reporting
  • Contingency Plan: The purpose of this standard is for covered entities to establish policies and procedures for responding to emergencies or other occurrences (fire, vandalism, natural disasters, etc.) that may damage systems containing ePHI. There are five implementations for this standard:
    • Data Backup Plan
    • Disaster Recovery Plan
    • Emergency Mode Operation Plan
    • Testing and Revision Procedures
    • Applications and Data Criticality Analysis
  • Evaluation: This standard requires covered entities to perform periodic technical and nontechnical evaluations in response to environmental and operational changes affecting the security of ePHI.
  • Business Associate Contracts and Other Arrangements: The final standard relates to the relationship between a covered entity and the vendors it uses. It states that the covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity’s behalf, only if the covered entity obtains the correct assurances. There is one implementation under this standard:
    • Written Contract or Other Arrangement

HIPAA Administrative standards provide a broad and wide-encompassing scope of administrative functions that a covered entity must implement regarding the security of ePHI. Here are some basic practices that a covered entity can put into place:

 

  • Perform a regular risk analysis of systems used by the office to determine any new vulnerabilities or weaknesses.
  • Appoint a HIPAA Security Officer who oversees the implementation of these standards and maintains all policies and procedures related to security measures.
  • Ensure that all staff members adhere to a policy of creating strong passwords to access workstations/software programs that access ePHI. These passwords should not be common words or phrases and should not be shared among employees.
  • Create regular backups of any servers or systems that process ePHI. This can be done via a cloud-based system or an encrypted backup tape/hard drive.
  • Immediately remove access to any programs that process ePHI (EMR, billing/scheduling software, etc.) for any employee that becomes no longer associated with the covered entity (termination or job change). This will help prevent improper access to patient data.
  • Obtain and maintain Business Associate Agreements (BAAs) with any third-party vendors that store or process PHI. These agreements must ensure that the vendor will appropriately safeguard patient information.

 

As with Physical and Technical Standards, Administrative Standards need to be reviewed for each covered entity through an annual HIPAA Security Risk Assessment. These assessments are not only mandatory, but they are essential to determine any risks that can lead to a breach of data.

 

In closing, the HIPAA Security Rule covers a wide range of standards and implementations that covered entities must employ to ensure HIPAA compliance. Failure to adhere to these policies can lead to OCR (Office of Civil Rights) sanctions in the forms of audits and even severe civil penalties.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

The Status Of HIPAA Compliance

The Status Of HIPAA Compliance | HIPAA Compliance for Medical Practices | Scoop.it

The Office for Civil Rights (OCR), the agency within the U.S. Department of Health and Human Services tasked with HIPAA compliance enforcement, is about to start formally notifying various healthcare providers and plans that they have been selected for an audit. Those covered entities selected will be required to submit specific documentation to OCR that demonstrates how their respective organizations are complying with HIPAA compliance requirements. 

 

The goal with the Phase 2 Audit program is to determine how well covered entities are implementing the correct policies and procedures for HIPAA compliance. If the results of the Phase 2 audits are anything like the first audit, OCR is probably going to see disappointing data indicating most organizations are not fully complying with all the requirements. 

 

There is an easier way to find out the status of current compliance with covered entities, not to mention a less costly way, in saving the taxpayers money in paying a contractor to gather the needed results.  Published reports showed that OCR paid about 9 million dollars to the global audit firm KPMG in 2012 to conduct the Phase 1 audits.

 

NueMD released the results of their follow-up survey to the original survey conducted in 2014, which looked at the status of HIPAA compliance. In the updated survey, 927 respondents, which included practices and billing companies, answered a number of revealing questions about the current status of HIPAA knowledge and compliance. For comparison purposes, OCR is looking to identify about 200 covered entities for the Phase 2 audit.

 

So what did NueMD find out in their updated survey? Overall HIPAA compliance is still not close to where it needs to be with most organizations. With so many HIPAA data breaches occurring on what seems like a daily basis, the survey clearly shows why this is occurring.

 

Here are some significant findings of the survey:

 

  • Regarding the annual requirement for HIPAA Security Awareness Training, the 2014 survey indicated 62% of owners, managers and administrators claimed they provided training for their staff annually — now that number has dropped to 58%.

 

  • Appointing HIPAA Security and Privacy Officers is another requirement for compliance. The survey found an actual decrease in these appointments. Although appointments were only a few percentages down, the study said, “These may not be extraordinary changes, but the numbers are moving in the wrong direction!”  Agreed.

 

  • On the positive side, the survey showed, “A region that suggests a correlation between increased awareness and improved compliance is that of Business Associate Agreements,” (BAA).  In 2014, 60% of the respondents were aware of the use of BAAs, where in 2016, 68% now claim to know more about these rules.  

 

  • Another positive finding was in the awareness of the HIPAA Omnibus updates. In 2014, respondents indicated 64% were aware of the updates in law. That percent increased to 69% this time around. There are many additional patient rights afforded by the Omnibus Rule that healthcare providers must be aware of. Although there was an increase, providers must do a better job in understanding their responsibilities under Omnibus. 

 

The NueMD updated survey is a great barometer to gauge overall HIPAA compliance efforts, but as the survey shows, covered entities still have a long way to go to make sure they fully understand all the requirements and just not some.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
Scoop.it!

HIPAA compliance tips for small medical practices

HIPAA compliance tips for small medical practices | HIPAA Compliance for Medical Practices | Scoop.it

You’ve seen the headlines splashed on TV and across the internet: data breaches hit national businesses such as Target, Chipotle, and many large healthcare systems.

 

But data breaches don’t just affect large corporate entities, they affect small healthcare organizations as well. Take the case of Holland Eye Laser Surgery in March 2018. Their five-provider group practice saw a data breach which made available the patient records of 42,000 patients. Hackers were able to access Social Security numbers, birth records, and other sensitive protected health information (PHI).

 

In fact, some of the medical records of these patients were sold off by data hackers. Officials from the practice stated that they’re now working to strengthening their security system. But once patient trust is lost, sometimes it just cannot be restored.

 

Brief primer on HIPAA and data breaches

 

• The Privacy Rule protects individually identifiable health information held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal

 

• Each entity must analyze the risks to e-PHI in its environment and create solutions appropriate for its own situation.

 

• The HIPAA Breach Notification Rule requires providers to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without delay and no later than 60 days following the discovery of a breach.

 

5 tips to help you and your medical staff to avoid data breaches

 

1. CMS requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Conduct a detailed risk analysis to evaluate the current staff and product deficiencies and create corrective measures.

 

2. Designate a staff member to train employees on your practice’s HIPAA policies and procedures and spend time going over typical breaches.

 

3. Hire an outside expert to help your organization with compliance support. Your outside organization should set up monthly meetings with the business owners to evaluate your company compliance program and work with your organization to identify cost-effective resources to keep your company compliant.

 

4. Customize your internet toolbars with anti-phishing protection. These applications can run website checks and compare them to lists of known phishing sites and alert users.

 

5. Be suspicious of any email message that asks you to enter or verify personal information through a website or by replying to the message itself. Practice groups and or staff members should never reply to or click the links in such a messages.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.