HIPAA Compliance for Medical Practices
69.8K views | +6 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA Compliance Guidelines for Email & Social Media 

HIPAA Compliance Guidelines for Email & Social Media  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA applies to both the storage and transfer of electronic protected health information, so electronic communications that may include patient data must be handled with care. This includes email communication between patients and healthcare providers, as well as social posts from healthcare companies and their employees. As more patients adopt an email communication preference and more healthcare providers succumb to the pressures of maintaining a social presence, the possibilities of HIPAA violations grow.

 

To ensure you’re taking the necessary steps to uphold HIPAA compliance standards in your electronic communications, follow these guidelines:

#1: Validate Your Email Security

If you’re sharing sensitive patient data via email, you must use encryption to protect patient privacy. How do you ensure your emails are encrypted and fully HIPAA compliant? Here are a few tips:

  • Adopt a HIPAA compliant email service.
  • Check your current email client for an encryption security setting and request a signed business associate agreement.
  • Set up a secure patient portal for provider-patient communications.
  • Avoid including electronic protected health information (ePHI) in the body of your emails.
  • Manually encrypt any ePHI files sent via email.
  • Include a privacy statement at the bottom of every email.

#2: Get Proper Patient Consent

Consent is an important—and necessary—part of ensuring patient privacy. If you want to engage patients in any sort of electronic communication, you must get them to accept the inherent risks and provide documented consent. Here are some scenarios where this consent is a must:

  • Before communicating with your patient via email
  • Before transmitting any sensitive patient data via email
  • Before publishing a patient testimonial on your website
  • Before sharing a patient photograph on your social channels
  • Before posting details of a patient procedure on your social channels

#3: Create Detailed Office Policies

To ensure HIPAA data privacy remains a top priority for employees during email or social media exchanges, you should develop clear office policies for these types of communication. Here are some of the guidelines your policies should include:

  • When and where to share privacy statements
  • What types of information may or may not be sent via email
  • How to avoid HIPAA pitfalls when using social media
  • Which employees may or may not transmit ePHI
  • When to obtain patient consent

#4: Err on the Side of Caution

If you want to stay on the right side of HIPAA, the best policy is to be extremely cautious about the information you share electronically. Simply avoid any electronic communication that falls into a HIPAA compliance gray area. Here are a few best practices to get you started:

  • Don’t publish a social post that includes any details about a patient’s circumstances
  • Establish appropriate electronic boundaries with patients
  • Don’t give medical advice via email or social comment
  • Allow just one or two individuals to post to social media on your office’s behalf
  • Don’t address complaints on social media
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance and the HITECH Act in 2018

HIPAA Compliance and the HITECH Act in 2018 | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA compliance is an essential part of running a medical practice. The current incarnation of the HIPAA regulations has been in place since 2003 and they haven’t changed much in the intervening years — until now, that is.

 

The HITECH Act (Health Information Technology for Economic and Clinical Health), which was signed into law in 2009, is expected to be fully adopted this year. What does the HITECH Act mean for HIPAA compliance, and what are the changes you need to make to your practice to ensure you’re in compliance with both HIPAA and HITECH?

 

Overview of the HITECH Act


The HITECH Act was designed to expand the types of businesses covered by HIPAA. It requires not only medical professionals to be HIPAA compliant, but any subcontractors, companies that cover the transmission of protected health information (PHI), electronic prescription gateways and patient safety organizations to also be in compliance with HIPAA regulations.

 

This doesn’t make any changes to the currently established exceptions to HIPAA’s business associate standard.

 

HITECH was also designed to focus more on the patient than HIPAA, allowing patients to more directly access their electronic health records (EHR). This also demands patients be informed by their provider if their health records are compromised in any way.

 

The act encouraged “meaningful use” of electronic health records, helping to improve communication between healthcare facilities in direct relation to patient care.

 

Universal Compliance


If your practice or facility has an IT security department, it’s probably entirely different than the ones that are part of other businesses surrounding you. Network security is usually managed by many different departments or even different businesses, making universal security compliance difficult to manage.

 

The new HIPAA/HITECH overlap mandates universal compliance. This makes security simpler and easier to maintain for workers while still ensuring the safety of patient PHI.

 

One solution that is being suggested is the use of “smart cards” which will act as employee identification, a security access token, and authenticator, all in one simple card. This helps to keep the system more regulated because you don’t have to worry about carrying — and potentially losing — multiple cards or remembering long identification numbers.

 

Know Your Compliance
How can you determine if your practice is compliant with both HIPAA and the HITECH Act? You can go over the rules yourself, but these laws are so sweeping and expansive that it’s easy to miss something that could end up costing you thousands of dollars.

 

If you’re still concerned about your current HIPAA and HITECH Act compliance, hiring a professional Privacy Officer can help you evaluate your current practices and ensure that you are checking all the boxes when it comes to meeting your obligations.

 

Changes in Fines


HIPAA fines, until now, have been standard — unfortunately, they often weren’t costly enough to discourage HIPAA violations. Before HITECH was enacted, it was impossible to impose fines of more than $100 for individual offenses or $25,000 for all offenses at the same time.

 

The new overlap has changed the cost of violating the HIPAA or HITECH Act. These offenses are broken into three categories, based on the intent of violation.

 

Violations in the Did Not Know category are the only ones that may still generate a $100 fine. The change here is that the U.S. Department of Health and Human Services now has the option to charge between $100 and $50,000 for each violation, with a total fine of $1.5 million for identical offenses in a calendar year.

 

Reasonable Cause violations will start at $1,000 with the same $1.5 million caps for identical violations.

 

Willful Neglect fines fall into two categories — corrected and not corrected. Fines for corrected Willful Neglect charges will range from $10,000 to $50,000. Fines for not corrected violations start at a minimum $50,000 each.

 

HIPAA and the HITECH Act are both essential tools for ensuring the security of patient health information. Take the time to review alone or with a professional that you are in compliance with both acts so you can continue to serve your patients without the worry of massive fines for privacy violations.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What Happens If a HIPAA Breach Affects Fewer than 500 Individuals at a Healthcare Facility? 

What Happens If a HIPAA Breach Affects Fewer than 500 Individuals at a Healthcare Facility?  | HIPAA Compliance for Medical Practices | Scoop.it

If your healthcare practice must comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations, a breach of protected health information may require patient and government notifications.  

HIPAA provides data privacy and security provisions for safeguarding medical information, and if that information is compromised either through a breach of your information system or sheer carelessness on the part of an employee, you may be subject to heavy monetary penalties.

But what qualifies as a HIPAA breach, what happens if it affects a limited number of your patients, and what are you required to do?

Rules That Apply

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  Such impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least these factors:

1.     The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

2.     The unauthorized person who used the protected health information or to whom the disclosure was made;

3.     Whether the protected health information was actually acquired or viewed; and

4.     The extent to which the risk to the protected health information has been mitigated.

Those affected by this rule have discretion to provide the required breach notifications without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.” The first applies to “the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”

The second exception involves” the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.”

In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

The final exception applies “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.”

In addition to notifying affected individuals and the media (when appropriate), you must notify the Office of Civil Rights (OCR) of breaches of unsecured protected health information. by visiting the Health and Human Services (HHS) web site and filling out and electronically submitting a breach report form. If the breach affects 500 or more individuals, covered entities must notify the OCR without unreasonable delay and no later than 60 days following the breach.

Deadline Approaching

If the breach affects fewer than 500 individuals, your practice has no later than 60 days after the end of the calendar year in which the breach is discovered.  This means that if your practice has experienced a breach of fewer than 500 individuals and it has not been reported yet, you have until March 1, only a few days away to file the notification.

If you experience a breach affecting more than 500 residents of your State or jurisdiction you must provide notice to media outlets serving the State or jurisdiction, as well as notifying the affected individuals.  This notification will likely be in the form of a press release to the appropriate media outlets and must be provided no later than 60 days following the discovery of the breach and must include the same information required for the individual notice.

Don’t Leave Anything to Chance

As you can see, HIPAA breach notification requirements are quite stringent and can be complex. If your practice has experienced a breach, the HIPAA compliance experts and former criminal investigators at Colington Consulting can rapidly respond on-site to assist your practice in conducting a HIPAA breach investigation.  Their investigative process uses systematic approach to quickly determine how the breach was caused. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Top 5 HIPAA Compliant Cloud Storage and File Sharing Services

Top 5 HIPAA Compliant Cloud Storage and File Sharing Services | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organizations are embracing the many advantages of cloud computing, including its scalability, cost-efficiency, and flexibility. While the cloud makes file storage and sharing easy and convenient, its security risks are numerous enough to have given rise to the CASBcategory. Before implementing a solution, however, it’s important to understand how industry regulations impact cloud adoption — and what to look for when selecting a cloud-storage service provider. For healthcare organizations, HIPAA-HITECH compliance can be a major deciding factor.

 

We’ve compiled the top 5 most popular cloud storage services that are HIPAA compliant. Before we go into those, let’s first take a look at how HIPAA-HITECH applies to cloud storage software.

Why HIPAA applies to cloud storage

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the goal of protecting the privacy of sensitive patient information. Covered entities under the law include healthcare plans, health care clearinghouses and certain types of healthcare providers.

 

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA’s requirements to business associates. A business associate is any service provider who has access to the protected health information (PHI) of a covered entity. This also includes subcontractors who create, receive, maintain or transmit PHI on behalf of a business associate, including cloud providers.

 

In addition to extending the law to cover business associates, the HITECH Act dramatically increased HIPAA penalties. Pre-HITECH penalties were limited to $100 per violation and a maximum of $25,000 for “identical violations of the same provision” in the same calendar year. The new penalties have a tiered structure between $100 and $50,000 per violation based on “increasing levels of culpability” and a maximum of $1.5 million for identical violations per year.

 

The Department of Health and Human Services’ Office of Civil Rights Management (OCR), which is responsible for HIPAA enforcement, has stepped up its efforts once HITECH amplified the consequences of HIPAA non-compliance. Both the number of settlements and the average fines have been growing since 2012.

 

The number of OCR settlements in the first eight months of 2016 are already double those of 2014, even with four months still left in the year. Of the 10 settlements announced through the end of August, six were larger than $1 million, and the average of the 10 was over $2 million. OCR also settled the largest fine to date, $5.5 million, with Advocate Health Care, in 2016. The fine stemmed from three separate breach incidents affecting a total of 4 million people.

 

In addition, in 2016 OCR levied its first fine against a business associate. Catholic Health Care Services, which provides management and information technology services to skilled nursing facilities, paid a $650,000 fine after PHI was compromised when a company-issued iPhone was stolen. The iPhone was not encrypted and did not have a password lock.

HIPAA’s impact on cloud adoption

The HITECH Act added a notification requirement — covered entities and business associates must notify OCR after a breach of unsecured PHI affecting more than 500 individuals. OCR’s breach database shows that a large number of the reported breaches stem from stolen or lost laptops, mobile devices, and portable media such as thumb drives. A properly executed cloud environment can solve the challenge of securing those endpoints.

 

A cloud storage service becomes a business associate if they stores PHI on behalf of a healthcare organization, and thus the service must be HIPAA-compliant. The law protects not only the privacy of the data but also its integrity and accessibility. HIPAA’s Security Rule, which addresses electronic PHI, includes physical and technical safeguards such as audit controls and access controls, as well as administrative safeguards such as data backups and security incident procedures.

 

In addition, cloud-storage services must sign a business associate agreement (BAA) with the healthcare organization that stipulates the vendor’s compliance with HIPAA requirements. Many of OCR’s settlements include lack of properly executed BAAs among the violations.

 

In 2015, OCR settled with St. Elizabeth’s Medical Center for $218,400 after investigating a complaint that the organization’s employees used an internet-based document sharing application to store ePHI without analyzing the risk of that practice. “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” OCR Director Jocelyn Samuels said in announcing the settlement.

5 cloud storage services that are HIPAA-compliant

HIPAA does not prescribe specific methods or tools for how to secure data; however, encryption is encouraged as a best practice. Breached data is not considered unsecured if the PHI “is rendered unusable, unreadable or indecipherable to unauthorized individuals.” According to HIPAA guidance by the Department of Health and Human Services (DHHS), encryption processes that follow NIST (National Institute of Standards and Technology) criteria meet the above requirement.

 

Some cloud services, including iCloud, don’t provide BAAs, while others don’t encrypt data both at rest and in transit. Some services, such as Amazon S3, are not HIPAA compliant out-of-the-box but can be configured with some customization.

 

The following cloud storage services offer HIPAA support that include BAAs and encryption of data in transit and at rest:'

 

Dropbox (Business)

The company announced support of HIPAA and HITECH Act compliance in November 2015. It now provides BAAs for Dropbox Business customers. Administrative controls include review and removal of linked devices, user access, user activity reports, and enabling two-step authentication.

 

The business version costs $12.50 per month per user, starting with five users. It includes unlimited storage and file recovery, Office 365 integration, advanced collaboration tools, system alerts and granular permissions.

Box

Having added HIPAA/HITECH support in 2013, Box has been actively marketing to healthcare customers. BAAs are provided for enterprise accounts. Features include access monitoring, reporting and audit trail for users and content, and granular file authorizations.

 

Box integrations include Office 365, DocuSign, Salesforce, and Google, among others. It also allows for securely viewing DICOM files (for X-rays, CT scans and ultrasounds) and for securely sharing data through a direct messaging protocol.

Google Drive

Google offers a BAA for Google Apps for Work customers. Covered apps include Docs, Sheets, Slides, and Forms as well as several other services such as Gmail. (Some core and all non-core apps from the Google App family are excluded.) Administrative controls include account activity and app activity tracking, audits, and file-sharing permissions.

 

Google Apps for Work offers two plans. At $5 per user per month, it includes 30GB of storage space. The $10 per user per month plan has unlimited storage (or 1TB per user if fewer than five users) and several advanced features such as additional administrative controls, audit and reporting for Drive, and Google Vault for eDiscovery.

Microsoft OneDrive

Microsoft supports HIPAA/HITECH by offering BAAs for enterprise cloud services, and it has some of the best security practices in the industry. The security features are the most robust at the Enterprise E5 level, which costs $35 per user per month.

 

Enterprise E5 includes 1TB of file storage and sharing, advanced security management for assessing risk and gaining insights into threats and advance eDiscovery.

Carbonite

BAAs are provided for Carbonite for Office customers. Safeguards include offsite backup for disaster recovery; compliance with the Massachusetts Data Security Regulation, which the company says is widely accepted as the most stringent data protection in the country; and data encryption both in the cloud and on the local endpoint (as well as in transition).

 

Three office plans are offered, ranging from $269.99 to $1,299.99 per year. The first two tiers include 250GB of storage and the ultimate version has 500GB; additional storage packs can be purchased with all plans.

Your vendor’s HIPAA certification is not enough

The fact that a cloud storage provider offers BAAs, specific administrative and security controls, and encryption may not, in and of itself, make a healthcare organization HIPAA compliant by default.

 

This is how Microsoft explains it: “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

 

HIPAA covered entities and business associates must carefully examine the cloud vendor’s specific provisions and policies before using a service for PHI. Ultimately, the covered entity or business associate is the one responsible for making sure all it’s regulatory mandates are being followed.

 

Making sure the PHI is encrypted in the cloud is only the first basic step. OCR also places an emphasis on risk assessment and management. Prior to adopting any new cloud service, organizations should conduct a comprehensive risk assessment and ensure policies, processes, and technology are in place to mitigate risks. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Keep Your ePHI Protected with HIPAA Compliance? 

How to Keep Your ePHI Protected with HIPAA Compliance?  | HIPAA Compliance for Medical Practices | Scoop.it

There has been quite a fuss lately over offering patients greater access to their health records, particularly with the introduction of Apple’s EHR app, which promises to bring electronic health records into patients’ pockets and introduce the era of bring-your-own-data in healthcare. But often that desire to bring patients into the fold gets quashed by a fear of cybersecurity and HIPAA compliance around health information.

 

Recently, for instance, a man was stopped from taking a photo of his own X-ray when a radiologist feared it might violate HIPAA regulations, which kicked off a discussion of similar incidents on Twitter. These incidents arise mainly because providers simply don’t understand the ramifications of HIPAA and other health IT laws — and where to draw the line with access.

 

Indeed, understanding the nuances of these regulations is particularly difficult now that technology affects all corners of healthcare: from telemedicine to remote patient monitoring to consumer glucose monitors to smartphones with thousands of health apps. This ubiquity has created new challenges for providers and patients, particularly when it comes to ensuring the privacy and security of patients’ protected health information (PHI) in accordance with regulations, such as HIPAA and the HITECH Act.

 

What Is the HITECH Act of 2009?


The Health Information Technology for Economic and Clinical Health Act, better known as the HITECH Act, was signed into law in February 2009 as part of the American Recovery and Reinvestment Act, which sought to address new needs as healthcare IT infrastructure began to expand and change exponentially. In particular, this legislation incentivized providers to adopt EHR systems, as well as expanded security and compliance requirements.

 

Moreover, it allowed the Health and Human Services Department to expand its enforcement of HIPAA requirements with the aim to increase provider vigilance and consumer confidence in how patient data is handled and secured. With this in mind, it can seem understandable that the waters around patients’ access to data can be quite murky.

 

New Data Privacy Challenges for Providers


Traditionally, healthcare providers have been held responsible for all aspects of privacy and security of patient data because they have created and controlled it. But boundaries shifted once electronic medical records came into play. The roles surrounding data privacy and ownership are now blurred.

 

One of the main challenges that come with this change in ownership involves the use of smartphones by patients — in particular, patients using those devices to capture elements of their own medical data. The story of the man who was stopped from taking a photo of his own X-ray is not unusual. Often providers are reluctant to grant certain types of access, claiming that it would violate HIPAA, but most of the time that’s not the case.

 

SIGN UP: Get more news from the HealthTech newsletter in your inbox every two weeks!

 

What Are the Medical Records Release Laws?


In September 2015, the Office of Civil Rights, a division of HHS, issued guidance for consumers regarding medical record release laws that sought to encompass both HIPAA and HITECH guidance.

 

Patients have the right to:

 

  • See and get a copy of their medical records
  • Have errors and omissions in their medical records corrected (or their disagreements documented)
  • Get a paper or electronic copy of their medical records
  • Request the provider send their medical records to another party with permission


While there is fear from a provider’s point of view, the language in this guidance is clear and specific. It broadly provides patients access to their medical data and does not specifically limit patients’ methods of acquisition.

 

Patients have the right to see any single element of their record or the entire set of data, except for the few exclusions HIPAA has set aside (these exclusions are minimal and not relevant in this discussion). Diagnoses, lab results, a picture of a cut or an X-ray image are all part of the medical record.

 

If patients are legally permitted to see and obtain a copy of their records in their preferred form and format, then it follows that the patient should be able to take a picture of that information during an office visit or consultation with their provider.

 

While the story of the man who was stopped from taking a photo of his X-ray garnered plenty of attention, many times doctors do allow patients to take pictures. For example, a patient in an emergency department had a gash in her hand from a dropped glass. She asked the doctor if she could take a picture of her hand while the glass was being removed. The doctor said yes. The patient posted a few of the pictures on her social media site. The photos include the physician’s hands but no identification of the provider.

 

Provider Concerns in the Bring-Your-Own-Data Era


While there is some hesitation around protecting ePHI, HIPAA is clear: Patients have the right to their own medical data in any form or format. Although the provider traditionally owns the systems that record and manage that data, they don’t own the data itself. A patient can use technology (including a smartphone) to copy that data, even if it’s on a computer screen in a physician’s office. Some providers will ask for a signed release, but that is not specifically required.

 

Patients must also understand that once they are in possession of that data, whether it’s a photocopy, electronic copy or photograph, they are solely responsible for the privacy and security of that data.

 

Provider concerns are twofold. First, there is a concern they will still be held accountable for the privacy and security of patient data they no longer control. Second, providers have traditionally controlled access to medical records because, as the creators of the data, they were uniquely qualified to interpret and act upon that data. With the consumerization of healthcare, many patients are taking an active and informed role in their own care. This requires access to the entire medical record, not just limited portions decided by the provider.

 

Studies show that engaged and informed patients have better outcomes. Providing access to medical records through viable technologies, including web portals, apps or even smartphone cameras, is the new reality of care. Patients are now included as part of the care team and are responsible for the privacy and security of the data they handle — their own. The next step may be helping patients understand the importance of protecting that health data.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.