HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Do you know the HIPAA Technical Safeguards-Security Rule?


The HIPAA Security Rule is broken down into three specific implementations – Physical Safeguards, Technical Safeguards, and Administrative Safeguards. In this post, we will discuss the specific standards surrounding HIPAA Technical Safeguards, or section 164.312 of the HIPAA Security Rule.

 

The HIPAA Security Rule defines Technical Safeguards as “the technology and the policy and procedures for its use that protect electronically protected health information (ePHI) and control access to it”. Essentially, these safeguards provide a detailed overview of access and protection of ePHI.

 

Technical Safeguards can be broken down into the following standards:

  • Access Control: This standard requires a covered entity to implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights. The Access Control Standard is broken down into four specific implementations:
    • Unique User Identification
    • Emergency Access Procedure
    • Automatic Logoff
    • Encryption and Decryption

These implementations ensure that only the correct person is logging on to an electronic device and accessing information on that device in an appropriate manner.

 

  • Audit Controls: Under this standard, covered entities must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. By implementing this standard, a covered entity can examine its information systems and determine if any security violations are taking place.
  • Integrity: The Integrity standard requires the covered entity to implement policies and procedures to protect ePHI from improper alteration or destruction. This standard has one specific implementation:
    • A mechanism to Authenticate Electronic Protected Health Information

Under this implementation, the covered entity must have mechanisms in place to ensure that ePHI has not been altered or destroyed in an unauthorized manner.

 

  • Person or Entity Authentication: Under this standard, covered entities must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
  • Transmission Security: The final standard requires covered entities to implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. This standard has two specific implementations:
    • Integrity Controls
    • Encryption

Much of the language surrounding the HIPAA Technical Safeguards can be a little overwhelming, but here are some example practices that covered entities can implement as they strive to get HIPAA compliant:

 

  • Ensure that all staff have unique user IDs/log-in credentials for all workstations and any programs that store or process ePHI. This will allow the HIPAA Security officer or IT administrator to determine exactly which staff member has accessed specific data.
  • Create defined roles for staff members within medical software/programs (EMR, scheduling, billing, etc.) based on their job status with the practice. For example, some staff members can be given read-only access, while others can change and edit data.
  • Avoid transmitting ePHI over unsecured electronic means such as email. If the covered entity maintains a website, a good practice would be to make sure it does not transmit or store any ePHI unless the website is protected with encryption.
  • Update/patch all devices that process ePHI regularly. Software becomes outdated quickly, so it is crucial to apply these updates promptly to keep pace with current security needs.
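As an added example (not part of the original post), the following Python module shows how three of the Technical Safeguards above fit together in code: Access Control with unique user IDs and defined roles (read-only versus edit), Audit Controls that record every access attempt and its outcome, and an Integrity mechanism that tags each record with an HMAC so unauthorized alteration is detected on read. The key, role table, user IDs and patient record are all constructed for illustration; a real system would load the key from a secrets store and write the audit trail to append-only storage.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key for this example only. In a real deployment the key comes
# from a secrets store and is never checked into source control.
INTEGRITY_KEY = b"constructed-example-key-do-not-use-in-production"

# Hypothetical role definitions standing in for the practice's own
# "defined roles": front desk is read-only, clinical staff may edit.
ROLE_PERMISSIONS = {
    "front_desk": {"read"},
    "nurse": {"read", "write"},
    "physician": {"read", "write"},
}

# In-memory audit trail (Audit Controls). A real system writes this to
# append-only storage that the audited users cannot modify.
AUDIT_LOG = []


def _audit(user_id, action, record_id, outcome):
    """Append one audit entry naming the unique user ID, action and outcome."""
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "action": action,
        "record": record_id,
        "outcome": outcome,
    })


def _authorized(role, action):
    """Access Control: permit only the actions granted to the user's role."""
    return action in ROLE_PERMISSIONS.get(role, set())


def integrity_tag(data):
    """Integrity: HMAC-SHA256 over the canonical JSON form of a record."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def write_record(store, user_id, role, record_id, data):
    """Create or update a record; returns True only if the write was permitted."""
    if not _authorized(role, "write"):
        _audit(user_id, "write", record_id, "denied")
        return False
    store[record_id] = {"data": data, "tag": integrity_tag(data)}
    _audit(user_id, "write", record_id, "ok")
    return True


def read_record(store, user_id, role, record_id):
    """Return the record data, or None if access is denied, the record is
    missing, or its integrity tag no longer matches (possible tampering)."""
    if not _authorized(role, "read"):
        _audit(user_id, "read", record_id, "denied")
        return None
    entry = store.get(record_id)
    if entry is None:
        _audit(user_id, "read", record_id, "missing")
        return None
    if not hmac.compare_digest(integrity_tag(entry["data"]), entry["tag"]):
        _audit(user_id, "read", record_id, "integrity_failure")
        return None
    _audit(user_id, "read", record_id, "ok")
    return entry["data"]


def integrity_failures():
    """Audit review helper: entries indicating ePHI that was altered out of band."""
    return [e for e in AUDIT_LOG if e["outcome"] == "integrity_failure"]


if __name__ == "__main__":
    store = {}
    # Constructed sample record; not real patient data.
    sample = {"patient": "P-0001", "allergies": ["penicillin"]}
    print(write_record(store, "nurse.jones", "nurse", "P-0001", sample))      # True
    print(write_record(store, "desk.smith", "front_desk", "P-0001", {}))      # False
    print(read_record(store, "desk.smith", "front_desk", "P-0001"))
    # Simulate an edit that bypassed write_record (e.g. a direct file change).
    store["P-0001"]["data"]["allergies"] = []
    print(read_record(store, "dr.lee", "physician", "P-0001"))                # None
    print(integrity_failures())
```

The audit entries are keyed by the unique user ID, which is what lets a Security Officer determine exactly who touched which record; the HMAC check on read is the "mechanism to authenticate ePHI" in its simplest form, and a mismatch is surfaced in the audit trail rather than silently returning altered data.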

 

These general steps are building blocks towards HIPAA compliance. Annual mandatory HIPAA risk assessments will help covered entities determine any additional vulnerabilities that need to be addressed regarding HIPAA Technical Safeguards.

 

The HIPAA Technical Safeguards are an integral part of the HIPAA Security Rule. Keeping in line with the standards mentioned above will allow a covered entity to ensure that it is doing all it can to secure the technology it uses to treat patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Is it time for your Annual HIPAA Risk Assessment?


Top 5 actions you can take to prepare for your next HIPAA Compliance review or risk assessment:

  • Identify where all your Patient Health Information (PHI) is stored, received, maintained or transmitted.
  • Assess current security measures used to safeguard PHI.
  • Make a list of all vendors that may have access to your PHI.
  • Have all your written HIPAA Policies and Procedures in place.
  • Be ready to document the assessment and take action where necessary.

Identify where your PHI is stored:

On your Computer?

  • Electronic Health Records (EHR)
  • Shared network drives
  • Word documents
  • Faxes
  • Recycle bin
  • Emails

In your office?

  • Paper Charts or files
  • File rooms and closets
  • CDs and USB drives
  • Old computers/servers that are no longer in use
  • Shredders or shred bins
  • Tablets and other mobile devices
  • Diagnostic equipment such as ultrasound machines and scanners.

Within your network storage?

  • A database
  • Other folders on the hard drive
  • Unencrypted images on other folders
  • Remote servers
  • Documents on network shares

On the cloud?

  • Electronic Health Record systems
  • Online cloud backup service
  • e-Fax services
  • Online file storage and transmission services such as Box, Dropbox, Google Drive.
  • Email services

How to Safeguard your PHI?

  1. Administrative Safeguards are used to develop a formal security management process, including having written HIPAA Policies and Procedures readily available for medical office staff. Require that all staff, including physicians, undergo security training to stay current on the laws and guidelines. Develop policies and procedures for the transfer, removal, and reuse of PHI.
  2. Physical Safeguards are used to secure locations and workspaces for staff members, limiting access by unauthorized people and potential intruders. Provide cameras and alarm systems as needed. Lock all IT equipment and limit access to authorized personnel only.
  3. Technical Safeguards are used to secure and control access to ePHI. This is done in many ways, such as establishing passwords and PINs and implementing automatic logoff. Ensure that antivirus is updated on all PCs. The PCs/laptops on which PHI data and images are stored should be fully encrypted. Do not share passwords.

What are compensating controls?

Compensating controls or alternative controls are put in place to satisfy the requirement for a security measure that is impractical to implement at the present time.

Examples of compensating controls:

When a medical office has paper charts filed on open shelves in a storage room or behind the reception desk, it is recommended to lock the charts away at the end of the day. Often it is not practical to put locks on every open shelf used to file charts. A compensating measure is to install cameras around the premises to monitor and record all activity. It is important that you also have a process in place to review the video recordings periodically.

Or

If an Ultrasound Technician uses CDs, Tapes, and Disks to store images or uses a USB hard drive to transfer the images to PCs and the EHR, then these devices have to be encrypted.  Many times, the Technician is not sure if the Thumb drives are encrypted. A compensating control here would be to lock the CDs and flash drives in a cabinet when not in use.

The Health Insurance Portability and Accountability Act (HIPAA) is primarily concerned with the privacy and security of patients' Protected Health Information. All entities that come into contact with Protected Health Information on a regular basis are covered under the Act. Has it been more than one year since your last HIPAA Risk Assessment? Or have you never had a HIPAA Risk Assessment done before? Either way, be sure to schedule your 2018 HIPAA Risk Assessment and 2018 HIPAA Training right away - don't wait until it's too late.


HIPAA Compliance for Medical Practices


HIPAA Compliance and Technology
HIPAA compliance is a vital part of any medical practice, especially as technology continues to advance. It is more important than ever that medical practices are safeguarding their protected patient health information (PHI). This is especially important for medical practices that work with partners to handle any of their sensitive information, such as billing or patient calls.

 

HIPAA Compliance Across the Care Continuum
New advances in technology allow the healthcare industry to be more efficient. Organizations can store and share data more easily through systems like electronic medical records (EMRs) software. Unfortunately, this created the side-effect of making patient data vulnerable in new ways.

 

Medical practices should be ready to look for HIPAA compliance anywhere their data goes. It’s important for medical practices to evaluate the risks to data exposure and take the appropriate documented steps to protect it. This includes vetting any partner exposed to or directly handling PHI.

 

What Information is Protected?
Under the Privacy Rule, all information that can be used to individually identify someone is protected. Protection occurs no matter what form the information takes. This information can include all historical data on a patient’s condition, what health care they’ve received, any billing information, and anything else that can reasonably be used to identify someone. This, of course, includes the expected information such as name, address, date of birth, etc.

 

The Privacy Rule leaves a little room for interpretation, so it’s best to protect all of the information you have on your patients to be safe.

 

Staying Adaptive and Vigilant
Technology continues to march forward with new innovations seemingly every day. It’s important to be able to understand how to utilize new security advances as well as the risks associated with new technology.

 

To stay HIPAA compliant you must always be vigilant to adapt and make changes in accordance with any new risks, whether from the technology you use or otherwise. This means it can be difficult to find a partner to trust for services such as an answering service, scheduling service, data storage, etc. Partners have to invest to become HIPAA compliant, with the right systems, training and more. Not every company is going to be able to, or willing to, make that investment.

 

What HIPAA Means for Your Partnerships
All authorized users of protected health information must be HIPAA compliant. This means that any of your partners that are authorized to handle your patient data must be compliant as well. They have to be just as vigilant as you and understand the intricacies of each regulation.

 

You need partners that don’t just offer HIPAA compliant services and products, but understand it and can help you proactively protect data and prevent fines. Establishing processes to vet your partners is key. Factors to account for in a partner can include but are not limited to: ensuring they provide a business-to-business agreement that outlines compliance measures, and that they place a concerted effort on mandatory, continuing education for all team members exposed to patient data, not just team members handling the data.

 

For additional information on HIPAA regulations HHS has provided a summary of the Security Rule.

 

HIPAA Compliance in Answering Services
An answering service is going to handle some of your patient’s most important data and be exposed to information such as their appointment types, personal/identifying information, diagnoses and more. They are also storing and conveying information to your practice, so it’s vital that they have the systems to meet the safety requirements and the ability to store data for the appropriate amount of time.

 

When looking for any partner, make sure that they have taken the steps required to be HIPAA compliant in advance so they don’t leave your patients’ data at risk and your organization accountable.


HIPAA Compliance and the HITECH Act in 2018


HIPAA compliance is an essential part of running a medical practice. The current incarnation of the HIPAA regulations has been in place since 2003 and they haven’t changed much in the intervening years — until now, that is.

 

The HITECH Act (Health Information Technology for Economic and Clinical Health), which was signed into law in 2009, is expected to be fully adopted this year. What does the HITECH Act mean for HIPAA compliance, and what are the changes you need to make to your practice to ensure you’re in compliance with both HIPAA and HITECH?

 

Overview of the HITECH Act


The HITECH Act was designed to expand the types of businesses covered by HIPAA. It requires not only medical professionals to be HIPAA compliant, but any subcontractors, companies that cover the transmission of protected health information (PHI), electronic prescription gateways and patient safety organizations to also be in compliance with HIPAA regulations.

 

This doesn’t make any changes to the currently established exceptions to HIPAA’s business associate standard.

 

HITECH was also designed to focus more on the patient than HIPAA, allowing patients to more directly access their electronic health records (EHR). This also demands patients be informed by their provider if their health records are compromised in any way.

 

The act encouraged “meaningful use” of electronic health records, helping to improve communication between healthcare facilities in direct relation to patient care.

 

Universal Compliance


If your practice or facility has an IT security department, it’s probably entirely different than the ones that are part of other businesses surrounding you. Network security is usually managed by many different departments or even different businesses, making universal security compliance difficult to manage.

 

The new HIPAA/HITECH overlap mandates universal compliance. This makes security simpler and easier to maintain for workers while still ensuring the safety of patient PHI.

 

One solution that is being suggested is the use of “smart cards” which will act as employee identification, a security access token, and authenticator, all in one simple card. This helps to keep the system more regulated because you don’t have to worry about carrying — and potentially losing — multiple cards or remembering long identification numbers.

 

Know Your Compliance
How can you determine if your practice is compliant with both HIPAA and the HITECH Act? You can go over the rules yourself, but these laws are so sweeping and expansive that it’s easy to miss something that could end up costing you thousands of dollars.

 

If you’re still concerned about your current HIPAA and HITECH Act compliance, hiring a professional Privacy Officer can help you evaluate your current practices and ensure that you are checking all the boxes when it comes to meeting your obligations.

 

Changes in Fines


HIPAA fines, until now, have been standard — unfortunately, they often weren’t costly enough to discourage HIPAA violations. Before HITECH was enacted, it was impossible to impose fines of more than $100 for individual offenses or $25,000 for all offenses at the same time.

 

The new overlap has changed the cost of violating the HIPAA or HITECH Act. These offenses are broken into three categories, based on the intent of violation.

 

Violations in the Did Not Know category are the only ones that may still generate a $100 fine. The change here is that the U.S. Department of Health and Human Services now has the option to charge between $100 and $50,000 for each violation, with a total fine of $1.5 million for identical offenses in a calendar year.

 

Reasonable Cause violations will start at $1,000 with the same $1.5 million caps for identical violations.

 

Willful Neglect fines fall into two categories — corrected and not corrected. Fines for corrected Willful Neglect charges will range from $10,000 to $50,000. Fines for not corrected violations start at a minimum $50,000 each.

 

HIPAA and the HITECH Act are both essential tools for ensuring the security of patient health information. Take the time to review alone or with a professional that you are in compliance with both acts so you can continue to serve your patients without the worry of massive fines for privacy violations.


HIPAA & Texting


In recent years, a great number of medical practices have embraced text messaging as a popular means for communicating to both patients and their internal staff members. Despite the convenience and time saving benefits, healthcare providers and staff must be aware of potential consequences when texting Electronic Protected Health Information (ePHI). Text messaging includes any communication service or application that enables the transmission of electronic written messages between two or more mobile devices. This includes both Short Message Service (“SMS”) text messaging and other service providers like iMessage, WhatsApp, etc.

The Challenges

Under HIPAA, healthcare providers must maintain the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted by a covered entity. Unfortunately, text messaging presents multiple threats to meeting some of those requirements, including:

  • Standard SMS messages are not encrypted
  • Sender does not have the ability to “control” if/when the message is discarded upon viewing
  • No clear path to verify the reader’s identity which opens the door to unintended recipients, AKA a HIPAA breach

Even well-intentioned providers who find ways to implement and oversee texting security measures must also think about documentation. Any exchange between providers regarding a patient’s condition must also make its way into the patient’s medical record. Unless the provider integrates text messaging with their EMR, it can be difficult to ensure appropriate documentation.

What Does HIPAA Say?

Unfortunately the HIPAA laws and Office for Civil Rights (OCR) do not have anything specific outlined regarding texting requirements. Any and all forms of communication present some level of risk and it is the healthcare providers’ responsibility to ensure privacy and security while data is being exchanged.

Despite the lack of HIPAA specifications regarding texting, providers should keep in mind a general adherence to the HIPAA Privacy and Security Rules. Both have different objectives and controls for navigating the secure sending of ePHI:

  • HIPAA Privacy Rule – Limits provider disclosure of ePHI only to authorized individuals or entities.
  • HIPAA Security Rule – Requires that providers protect patient’s sensitive data from any threats to access or disclose PHI to unauthorized individuals or entities and should a breach or unauthorized disclosure occur, have a remediation plan.

Best Practices

Despite the risks, a provider can take steps to reduce the likelihood of a breach or HIPAA violation while utilizing text messaging. Any ePHI that may be stored locally on a device should be encrypted so that it remains protected if the device is lost, disposed of, or stolen. Keep in mind that the text may also be stored at the server level (by the phone carrier).

The following safeguards can help protect PHI along with establishing compliant communication:

Security Risk Analysis (SRA) – While conducting an SRA, a healthcare provider will identify where ePHI is created, received, maintained, and transmitted. For texts, ePHI will primarily be created, received, and maintained on mobile phones.

Limit PHI – Whenever possible it is best to text with limited or no PHI included in the message, examples: appointment confirmations, instructions to call the office to receive test results, etc.
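As an added example (not from the original post), here is a small outbound-message screen in Python that a practice could run before a text leaves its messaging system. It flags common identifiers (SSN, a date of birth, a medical record number, an e-mail address) and a short list of clinical terms that would turn a reminder into a disclosure of a diagnosis, while letting through the low-PHI messages the post describes as acceptable, such as appointment confirmations and "call the office for your test results". The patterns, term list and sample messages are constructed for illustration and would be tuned to a practice's own data.

```python
import re

# Constructed identifier patterns. Plain appointment dates are deliberately
# not flagged; only a date that is labelled as a date of birth is.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|born)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.IGNORECASE),
    "mrn": re.compile(r"\bMRN[:\s#]*\d{4,}\b", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}

# Constructed list of terms that disclose a condition or result. "results"
# on its own is allowed, since "call the office for your test results"
# is one of the low-PHI messages the post recommends.
CLINICAL_TERMS = {
    "diagnosis", "hiv", "cancer", "biopsy", "positive",
    "chemotherapy", "prescription", "pregnant",
}


def screen_outbound_text(message):
    """Return a list of (category, matched_text) findings; empty means clean."""
    findings = []
    for name, pattern in PATTERNS.items():
        for match in pattern.finditer(message):
            findings.append((name, match.group()))
    for word in re.findall(r"[a-z]+", message.lower()):
        if word in CLINICAL_TERMS:
            findings.append(("clinical_term", word))
    return findings


def is_safe_to_send(message):
    """True when the screen found nothing; the caller should hold any other message
    for review or replace it with a 'please call the office' template."""
    return not screen_outbound_text(message)


if __name__ == "__main__":
    # Constructed sample messages; not real patient communications.
    samples = [
        "Reminder: your appointment is 3/14 at 2 PM. Reply C to confirm.",
        "Please call the office at 555-0100 to receive your test results.",
        "Your biopsy showed cancer. DOB 01/02/1980, MRN 123456",
    ]
    for text in samples:
        print(is_safe_to_send(text), screen_outbound_text(text))
```

The screen is intentionally conservative in one direction only: it never blocks the approved reminder wording, and anything it does flag is held for a human rather than rewritten automatically, which keeps the decision about what is acceptable to text with the practice's policies and procedures.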

Policies and Procedures – Ensure texting is included in the policies and procedures, specifically Administrative and Technical policies. It is important to outline what is acceptable to text along with an outline of steps should a text be sent to the wrong patient/incorrect recipient.

Workforce Training – A well trained workforce is any healthcare provider’s best defense against undisclosed PHI exposure. Workforce training should include the sharing of information, securing authorized devices and using secure third party apps that might permit sharing information in a secure way.

Waivers and Intake Forms – Ensure all patient forms are up-to-date with all the current HIPAA requirements. The forms should plainly state which methods the patient allows the provider to contact him/her. Additionally, forms should include who outside the patient can receive their information and what can be sent.

Notice of Privacy Practice – A Notice of Privacy should be standard operating procedure for providers and distributed to all patients. If the provider has included text messaging as part of their communication model, ensure the Notice of Privacy includes texting.


Understanding the HIPAA Security Rule: Administrative Safeguards


The Administrative Safeguards are the most comprehensive standards, as they cover over half of the HIPAA Security Rule. These standards encompass many of the oversight aspects of managing a covered entity. The other two posts in this blog series covered Technical Safeguards and Physical Safeguards.

 

The Department of Health and Human Services defines these safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information”.

 

Administrative Safeguards are broken down into the following standards:

  • Security Management Process: A covered entity must implement policies and procedures to prevent, detect, contain, and correct security violations. There are four required implementations for this standard:
    • Risk Analysis
    • Risk Management
    • Sanction Policy
    • Information System Activity Review
  • Assigned Security Responsibility: This standard requires the designation of a security official who is responsible for the development and implementation of policies and procedures.
  • Workforce Security: Under this standard, a covered entity must implement policies and procedures to ensure that all staff members have appropriate access to ePHI, and to prevent workforce members who do not have permission from accessing it. There are three addressable implementations under this standard:
    • Authorization and/or Supervision
    • Workforce Clearance Procedure
    • Termination Procedures
  • Information Access Management: This standard relates to the implementation of policies and procedures regarding the authorization of access to ePHI. There are three addressable implementations under this standard:
    • Isolating Healthcare Clearinghouse Functions
    • Access Authorization
    • Access Establishment and Authorization
  • Security Awareness and Training: Under this standard, a covered entity must have a security awareness and training program for all members of its workforce, including physicians and management. There are four implementations for this standard:
    • Security Reminders
    • Protection from Malicious Software
    • Log-in Monitoring
    • Password Management
  • Security Incident Procedures: Covered entities must have policies and procedures in place to address security incidents. There is one implementation:
    • Response and Reporting
  • Contingency Plan: The purpose of this standard is for covered entities to establish policies and procedures for responding to emergencies or other occurrences (fire, vandalism, natural disasters, etc.) that may damage systems containing ePHI. There are five implementations for this standard:
    • Data Backup Plan
    • Disaster Recovery Plan
    • Emergency Mode Operation Plan
    • Testing and Revision Procedures
    • Applications and Data Criticality Analysis
  • Evaluation: This standard requires covered entities to perform periodic technical and nontechnical evaluations in response to environmental and operational changes affecting the security of ePHI.
  • Business Associate Contracts and Other Arrangements: The final standard relates to the relationship between a covered entity and the vendors it uses. It states that the covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity’s behalf, only if the covered entity obtains the correct assurances. There is one implementation under this standard:
    • Written Contract or Other Arrangement

HIPAA Administrative standards provide a broad and wide-encompassing scope of administrative functions that a covered entity must implement regarding the security of ePHI. Here are some basic practices that a covered entity can put into place:

 

  • Perform a regular risk analysis of systems used by the office to determine any new vulnerabilities or weaknesses.
  • Appoint a HIPAA Security Officer who oversees the implementation of these standards and maintains all policies and procedures related to security measures.
  • Ensure that all staff members adhere to a policy of creating strong passwords to access workstations/software programs that access ePHI. These passwords should not be common words or phrases and should not be shared among employees.
  • Create regular backups of any servers or systems that process ePHI. This can be done via a cloud-based system or an encrypted backup tape/hard drive.
  • Immediately remove access to any programs that process ePHI (EMR, billing/scheduling software, etc.) for any employee who is no longer associated with the covered entity (termination or job change). This will help prevent improper access to patient data.
  • Obtain and maintain Business Associate Agreements (BAAs) with any third-party vendors that store or process PHI. These agreements must ensure that the vendor will appropriately safeguard patient information.

 

As with Physical and Technical Standards, Administrative Standards need to be reviewed for each covered entity through an annual HIPAA Security Risk Assessment. These assessments are not only mandatory, but they are essential to determine any risks that can lead to a breach of data.

 

In closing, the HIPAA Security Rule covers a wide range of standards and implementations that covered entities must employ to ensure HIPAA compliance. Failure to adhere to these policies can lead to OCR (Office for Civil Rights) sanctions in the form of audits and even severe civil penalties.


What you should know about HIPAA PRIVACY RULE


Does the HIPAA Privacy Rule affect you?

You should be familiar with the Health Insurance Portability and Accountability Act, also known as HIPAA, but do you know how the Privacy Rule affects you? The U.S. Department of Health and Human Services (HHS) has worked diligently since establishing HIPAA law to regulate privacy standards in the healthcare industry. When you think of the word privacy, many things may come to mind, such as closing the door during a patient’s consultation or ensuring confidentiality while discussing patient treatments with fellow staff members. As a covered entity, it is your responsibility to protect the privacy of your patients.

 

6 ways in which you can implement a Culture of Privacy:

During your day to day operations, you need to be aware of how to implement the culture of privacy in your practice and comply with the law. Across all roles, every employee in your practice needs to be exercising compliance with HIPAA. Here are six ways in which you can implement a culture of privacy.

  • Provide HIPAA training to all your employees and maintain documentation that your entire staff has completed HIPAA training.
  • Ensure that your entire staff knows what patient information can be shared and not shared outside and inside of the workplace.
  • Get your patients to sign consent forms regarding sharing any form of PHI for any purpose including your own marketing purposes.
  • Stay updated on changes in the law regarding new disclosure restrictions, and update your patient authorization forms regularly to reflect any such restrictions.
  • Educate your patients and give them a clear outline of how they can request or obtain a copy of their medical records.
  • Ensure that you are giving your staff only the minimum necessary access to PHI to perform quality healthcare.

 

It is your responsibility to maintain professional, top-quality healthcare for all parties involved while maintaining compliance with the law. Exercising the privacy culture is the way your practice stays current and minimizes the potential of a data breach. As a covered entity, you need to be aware of the potential consequences that come with non-compliance. Consequences range from significant monetary fines to criminal penalties like jail time, as well as a damaged reputation. In addition, there are strict breach notification requirements outlined in the law.

 

In the event of a breach, you may be investigated by the appropriate federal agency, such as the Office for Civil Rights (OCR), the Department of Homeland Security, the Department of Justice, or other federal agencies that may be involved. Depending on the results of the investigation, you may face penalties. Here are some penalties for data breaches that may apply.

 

  • 100 dollars per record per day under HIPAA law with the maximum annual penalty being 1.5 million dollars per violation.
  • Loss of patient trust and repeat business due to damage to your reputation.

 

Millions of dollars in fines could potentially cause you to lose your livelihood and business. A bad reputation would stop repeat business and new customers from coming. These top penalties and consequences are avoidable and quality healthcare is attainable if you are complying with the law and practicing the culture of privacy every day. Remember to instill a culture of privacy in your office and follow the Five Steps to HIPAA Compliance every year.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

HIPAA Compliance Guidelines for Email & Social Media 

HIPAA applies to both the storage and transfer of electronic protected health information, so electronic communications that may include patient data must be handled with care. This includes email communication between patients and healthcare providers, as well as social posts from healthcare companies and their employees. As more patients adopt an email communication preference and more healthcare providers succumb to the pressures of maintaining a social presence, the possibilities of HIPAA violations grow.

To ensure you’re taking the necessary steps to uphold HIPAA compliance standards in your electronic communications, follow these guidelines:

#1: Validate Your Email Security

If you’re sharing sensitive patient data via email, you must use encryption to protect patient privacy. How do you ensure your emails are encrypted and fully HIPAA compliant? Here are a few tips:

  • Adopt a HIPAA compliant email service.
  • Check your current email client for an encryption security setting and request a signed business associate agreement.
  • Set up a secure patient portal for provider-patient communications.
  • Avoid including electronic protected health information (ePHI) in the body of your emails.
  • Manually encrypt any ePHI files sent via email.
  • Include a privacy statement at the bottom of every email.

#2: Get Proper Patient Consent

Consent is an important—and necessary—part of ensuring patient privacy. If you want to engage patients in any sort of electronic communication, you must get them to accept the inherent risks and provide documented consent. Here are some scenarios where this consent is a must:

  • Before communicating with your patient via email
  • Before transmitting any sensitive patient data via email
  • Before publishing a patient testimonial on your website
  • Before sharing a patient photograph on your social channels
  • Before posting details of a patient procedure on your social channels

#3: Create Detailed Office Policies

To ensure HIPAA data privacy remains a top priority for employees during email or social media exchanges, you should develop clear office policies for these types of communication. Here are some of the guidelines your policies should include:

  • When and where to share privacy statements
  • What types of information may or may not be sent via email
  • How to avoid HIPAA pitfalls when using social media
  • Which employees may or may not transmit ePHI
  • When to obtain patient consent

#4: Err on the Side of Caution

If you want to stay on the right side of HIPAA, the best policy is to be extremely cautious about the information you share electronically. Simply avoid any electronic communication that falls into a HIPAA compliance gray area. Here are a few best practices to get you started:

  • Don’t publish a social post that includes any details about a patient’s circumstances
  • Establish appropriate electronic boundaries with patients
  • Don’t give medical advice via email or social comment
  • Allow just one or two individuals to post to social media on your office’s behalf
  • Don’t address complaints on social media

How to Keep Your ePHI Protected with HIPAA Compliance? 

There has been quite a fuss lately over offering patients greater access to their health records, particularly with the introduction of Apple’s EHR app, which promises to bring electronic health records into patients’ pockets and introduce the era of bring-your-own-data in healthcare. But often that desire to bring patients into the fold gets quashed by a fear of cybersecurity and HIPAA compliance around health information.

Recently, for instance, a man was stopped from taking a photo of his own X-ray when a radiologist feared it might violate HIPAA regulations, which kicked off a discussion of similar incidents on Twitter. These incidents arise mainly because providers simply don’t understand the ramifications of HIPAA and other health IT laws — and where to draw the line with access.

Indeed, understanding the nuances of these regulations is particularly difficult now that technology affects all corners of healthcare: from telemedicine to remote patient monitoring to consumer glucose monitors to smartphones with thousands of health apps. This ubiquity has created new challenges for providers and patients, particularly when it comes to ensuring the privacy and security of patients’ protected health information (PHI) in accordance with regulations, such as HIPAA and the HITECH Act.

What Is the HITECH Act of 2009?


The Health Information Technology for Economic and Clinical Health Act, better known as the HITECH Act, was signed into law in February 2009 as part of the American Recovery and Reinvestment Act, which sought to address new needs as healthcare IT infrastructure began to expand and change exponentially. In particular, this legislation incentivized providers to adopt EHR systems, as well as expanded security and compliance requirements.

Moreover, it allowed the Health and Human Services Department to expand its enforcement of HIPAA requirements with the aim to increase provider vigilance and consumer confidence in how patient data is handled and secured. With this in mind, it can seem understandable that the waters around patients’ access to data can be quite murky.

New Data Privacy Challenges for Providers


Traditionally, healthcare providers have been held responsible for all aspects of privacy and security of patient data because they have created and controlled it. But boundaries shifted once electronic medical records came into play. The roles surrounding data privacy and ownership are now blurred.

One of the main challenges that come with this change in ownership involves the use of smartphones by patients — in particular, patients using those devices to capture elements of their own medical data. The story of the man who was stopped from taking a photo of his own X-ray is not unusual. Often providers are reluctant to grant certain types of access, claiming that it would violate HIPAA, but most of the time that’s not the case.

What Are the Medical Records Release Laws?


In September 2015, the Office of Civil Rights, a division of HHS, issued guidance for consumers regarding medical record release laws that sought to encompass both HIPAA and HITECH guidance.

Patients have the right to:

  • See and get a copy of their medical records
  • Have errors and omissions in their medical records corrected (or their disagreements documented)
  • Get a paper or electronic copy of their medical records
  • Request the provider send their medical records to another party with permission


While there is fear from a provider’s point of view, the language in this guidance is clear and specific. It broadly provides patients access to their medical data and does not specifically limit patients’ methods of acquisition.

Patients have the right to see any single element of their record or the entire set of data, except for the few exclusions HIPAA has set aside (these exclusions are minimal and not relevant in this discussion). Diagnoses, lab results, a picture of a cut or an X-ray image are all part of the medical record.

If patients are legally permitted to see and obtain a copy of their records in their preferred form and format, then it follows that the patient should be able to take a picture of that information during an office visit or consultation with their provider.

While the story of the man who was stopped from taking a photo of his X-ray garnered plenty of attention, many times doctors do allow patients to take pictures. For example, a patient in an emergency department had a gash in her hand from a dropped glass. She asked the doctor if she could take a picture of her hand while the glass was being removed. The doctor said yes. The patient posted a few of the pictures on her social media site. The photos include the physician’s hands but no identification of the provider.

Provider Concerns in the Bring-Your-Own-Data Era


While there is some hesitation around protecting ePHI, HIPAA is clear: Patients have the right to their own medical data in any form or format. Although the provider traditionally owns the systems that record and manage that data, they don’t own the data itself. A patient can use technology (including a smartphone) to copy that data, even if it’s on a computer screen in a physician’s office. Some providers will ask for a signed release, but that is not specifically required.

Patients must also understand that once they are in possession of that data, whether it’s a photocopy, electronic copy or photograph, they are solely responsible for the privacy and security of that data.

Provider concerns are twofold. First, there is a concern they will still be held accountable for the privacy and security of patient data they no longer control. Second, providers have traditionally controlled access to medical records because, as the creators of the data, they were uniquely qualified to interpret and act upon that data. With the consumerization of healthcare, many patients are taking an active and informed role in their own care. This requires access to the entire medical record, not just limited portions decided by the provider.

Studies show that engaged and informed patients have better outcomes. Providing access to medical records through viable technologies, including web portals, apps or even smartphone cameras, is the new reality of care. Patients are now included as part of the care team and are responsible for the privacy and security of the data they handle — their own. The next step may be helping patients understand the importance of protecting that health data.


What Happens If a HIPAA Breach Affects Fewer than 500 Individuals at a Healthcare Facility? 

If your healthcare practice must comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations, a breach of protected health information may require patient and government notifications.  

HIPAA provides data privacy and security provisions for safeguarding medical information, and if that information is compromised either through a breach of your information system or sheer carelessness on the part of an employee, you may be subject to heavy monetary penalties.

But what qualifies as a HIPAA breach, what happens if it affects a limited number of your patients, and what are you required to do?

Rules That Apply

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. Such an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least these factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

2. The unauthorized person who used the protected health information or to whom the disclosure was made;

3. Whether the protected health information was actually acquired or viewed; and

4. The extent to which the risk to the protected health information has been mitigated.

Those affected by this rule have discretion to provide the required breach notifications without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.” The first applies to “the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”

The second exception involves “the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.”

In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

The final exception applies “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.”

In addition to notifying affected individuals and the media (when appropriate), you must notify the Office of Civil Rights (OCR) of breaches of unsecured protected health information by visiting the Health and Human Services (HHS) web site and filling out and electronically submitting a breach report form. If the breach affects 500 or more individuals, covered entities must notify the OCR without unreasonable delay and no later than 60 days following the breach.

Deadline Approaching

If the breach affects fewer than 500 individuals, your practice must notify OCR no later than 60 days after the end of the calendar year in which the breach is discovered. This means that if your practice has experienced a breach affecting fewer than 500 individuals and it has not been reported yet, you have until March 1, only a few days away, to file the notification.

If you experience a breach affecting more than 500 residents of your State or jurisdiction, you must provide notice to media outlets serving the State or jurisdiction, as well as notifying the affected individuals. This notification will likely take the form of a press release to the appropriate media outlets; it must be provided no later than 60 days following the discovery of the breach and must include the same information required for the individual notice.
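
As an added example (not part of the original article or any vendor's material), the following Python helper turns the notification thresholds and deadlines described in this section into a concrete schedule an incident-response runbook can use. It assumes the discovery date is given as an ISO string, that the per-state counts are a constructed input, and it takes the 60-day individual notice window from 45 CFR 164.404, which the article does not state.

```python
# Added example (not from the original article): turn the breach notification
# rules described above into concrete deadlines for an incident-response runbook.
#   - 500 or more individuals in total: notify OCR within 60 days of discovery
#   - fewer than 500: OCR report due 60 days after the end of the calendar year
#   - more than 500 residents of one state: media notice within 60 days
# The 60-day individual notice window is from 45 CFR 164.404 (not on the page).
from dataclasses import dataclass
from datetime import date, timedelta

OCR_PROMPT_THRESHOLD = 500   # "500 or more individuals" (total across all states)
MEDIA_THRESHOLD = 500        # "more than 500 residents" of a single state
NOTICE_WINDOW = timedelta(days=60)


@dataclass(frozen=True)
class NotificationPlan:
    total_affected: int
    individual_notice_by: date
    ocr_notice_by: date
    ocr_is_annual_filing: bool   # True when OCR gets the end-of-year report instead
    media_notice_by: dict        # state code -> deadline; empty when none is required


def notification_plan(discovered_on: str, affected_by_state: dict) -> NotificationPlan:
    """Compute every notification deadline triggered by one breach.

    discovered_on is an ISO date (YYYY-MM-DD); affected_by_state maps a state or
    jurisdiction code to the number of its residents affected (constructed input).
    """
    if any(n < 0 for n in affected_by_state.values()):
        raise ValueError("affected counts must be non-negative")
    discovered = date.fromisoformat(discovered_on)
    total = sum(affected_by_state.values())
    prompt_deadline = discovered + NOTICE_WINDOW

    if total >= OCR_PROMPT_THRESHOLD:
        ocr_by, annual = prompt_deadline, False
    else:
        # 60 days after Dec 31 is March 1, or Feb 29 when the next year is a leap year.
        ocr_by, annual = date(discovered.year, 12, 31) + NOTICE_WINDOW, True

    # Media notice is per state: 700 people spread over two states may trigger
    # the prompt OCR report yet no media notice at all.
    media = {
        state: prompt_deadline
        for state, count in affected_by_state.items()
        if count > MEDIA_THRESHOLD
    }
    return NotificationPlan(total, prompt_deadline, ocr_by, annual, media)
```

For example, `notification_plan("2018-02-20", {"VA": 120})` reports the OCR deadline as 2019-03-01 via the annual filing, matching the March 1 date the article mentions.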

Don’t Leave Anything to Chance

As you can see, HIPAA breach notification requirements are quite stringent and can be complex. If your practice has experienced a breach, the HIPAA compliance experts and former criminal investigators at Colington Consulting can rapidly respond on-site to assist your practice in conducting a HIPAA breach investigation. Their investigative process uses a systematic approach to quickly determine how the breach was caused.
