HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

ONC Updates its Privacy and Security Guide


Last week during the annual Healthcare Information and Management Systems Society (HIMSS) conference, the Office of the National Coordinator for Health IT (ONC) published a revised version of its “Guide to Privacy and Security of Electronic Health Information.”

In the foreword of the guide, ONC says that its intent is to help healthcare providers, especially Health Insurance Portability and Accountability Act (HIPAA) covered entities (CEs) and Medicare eligible professionals (EPs) from smaller organizations, better understand how to integrate federal health information privacy and security requirements into their practices. The new version of the guide provides updated information about compliance with the privacy and security requirements of the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs, as well as with the HIPAA Privacy, Security, and Breach Notification Rules, says ONC.

In a blog post, Lucia Savage, chief privacy officer at ONC, says that this is the first step towards fulfilling the commitment the federal agency made in its Interoperability Roadmap: helping individuals, providers, and the health and health IT community better understand how existing federal law, HIPAA, supports the interoperable exchange of health information.

According to Savage’s post, “the guide includes practical information on issues like cybersecurity, patient access through certified electronic health record technology (CEHRT), and other EHR technology features available under the 2014 Edition Certification rule. The guide also includes new, practical examples of the HIPAA privacy and security rules in action, to help everyone understand how those rules may impact their businesses and the people they serve.”

The guide additionally offers many scenarios for anyone who has struggled to understand when someone is or is not a business associate; explains when a provider (or any HIPAA covered entity) is permitted to exchange information about an individual for treatment, payment, or healthcare operations without being required to have the individual sign a piece of paper before the exchange occurs; and provides practical tips and information about security, Savage said.


Why health groups should make use of cyberthreat intelligence


As cyberattacks grow in number and attackers find more ways to access private data, the healthcare industry should make use of cyberthreat intelligence, according to Jeff Bell, HIMSS privacy and security committee chair.

Cyberthreat intelligence, Bell writes in a recent blog post, is actionable data about threats, malware and vulnerabilities that organizations can use to strengthen their security programs.

There are numerous sources for this kind of intelligence, including non-commercial entities like the U.S. Computer Emergency Readiness Team, the U.S. Department of Homeland Security National Cybersecurity and Communications Integration Center and the National Cyber-Forensics & Training Alliance, Bell says.

Vendors of security products also often have their own intelligence feeds, he adds.

This kind of intelligence is increasingly necessary as cyberattacks become more sophisticated, Bell says. Today there are advanced persistent threats, which he says are instances where hackers gain access to information without being detected for long periods of time. Vulnerabilities in widely deployed software, such as Shellshock (in the Bash shell) and the Heartbleed bug (in OpenSSL), are also causing problems in the industry.

"[H]ealthcare organizations should evaluate the effectiveness of their cybersecurity program and make improvements where appropriate," Bell writes. "Consider how cyberthreat intelligence can help your healthcare organization to improve the ability to prevent, detect, respond and recover from cyberattacks."
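The detection side of Bell's point is easiest to see in code. The following is an added example, not code from Bell's post or from the FierceHealthIT article: it takes a small set of indicators of the kind a feed such as US-CERT or a vendor would distribute (domains, IP addresses, a CIDR range, a file hash) and matches them against proxy log lines. The indicator values, the log lines and the five-field log format are all constructed for illustration, and the 203.0.113.x / 198.51.100.x addresses and `.example` domains are reserved documentation values, not real infrastructure.

```python
"""Match a cyberthreat-intelligence indicator set against proxy log lines."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed indicator set for illustration only (hypothetical values,
# not taken from any real intelligence feed).
INDICATORS: Dict[str, Set[str]] = {
    "domain": {"update-portal.example", "cdn-static.example.net"},
    "ip": {"203.0.113.45"},
    "cidr": {"198.51.100.0/24"},
    "sha256": {"9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"},
}

# Constructed proxy log: timestamp, source IP, destination IP, requested host,
# SHA-256 of any downloaded file (or "-" when nothing was downloaded).
SAMPLE_LOG = """\
2015-04-14T10:01:02Z 10.0.0.5 93.184.216.34 www.example.org -
2015-04-14T10:01:09Z 10.0.0.7 203.0.113.45 update-portal.example 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
2015-04-14T10:02:15Z 10.0.0.9 198.51.100.77 files.internal -
2015-04-14T10:03:44Z 10.0.0.5 192.0.2.10 mail.cdn-static.example.net -
"""


@dataclass(frozen=True)
class Hit:
    line_no: int     # 1-based line in the log
    kind: str        # indicator type: ip, cidr, domain or sha256
    indicator: str   # the indicator value that matched
    observed: str    # what the log actually contained


def domain_matches(host: str, domains: Set[str]) -> Optional[str]:
    """Return the indicator matching host exactly or as a parent domain.

    Feeds usually list a domain and intend every subdomain to match, so
    'mail.cdn-static.example.net' must hit 'cdn-static.example.net'.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def match_line(line_no: int, line: str, indicators: Dict[str, Set[str]],
               networks: List[ipaddress._BaseNetwork]) -> List[Hit]:
    """Check one log line against every indicator type."""
    fields = line.split()
    if len(fields) != 5:
        return []  # malformed line: skip it rather than abort the scan
    _ts, _src, dst_ip, host, digest = fields
    hits: List[Hit] = []

    if dst_ip in indicators.get("ip", set()):
        hits.append(Hit(line_no, "ip", dst_ip, dst_ip))

    try:
        addr = ipaddress.ip_address(dst_ip)
    except ValueError:
        addr = None  # not an IP literal; CIDR checks do not apply
    if addr is not None:
        for net in networks:
            if addr in net:
                hits.append(Hit(line_no, "cidr", str(net), dst_ip))

    matched = domain_matches(host, indicators.get("domain", set()))
    if matched is not None:
        hits.append(Hit(line_no, "domain", matched, host))

    if digest != "-" and digest.lower() in indicators.get("sha256", set()):
        hits.append(Hit(line_no, "sha256", digest.lower(), digest))
    return hits


def scan_log(log_text: str, indicators: Dict[str, Set[str]]) -> List[Hit]:
    """Scan every non-empty log line; CIDR indicators are parsed once up front."""
    networks = [ipaddress.ip_network(c, strict=False)
                for c in indicators.get("cidr", set())]
    hits: List[Hit] = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if line.strip():
            hits.extend(match_line(n, line, indicators, networks))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, INDICATORS):
        print(f"line {hit.line_no}: {hit.kind} indicator {hit.indicator} "
              f"matched {hit.observed}")
```

On the sample log the scan flags line 2 three times (destination IP, host and downloaded file hash all match), line 3 once through the CIDR range, and line 4 once because the host is a subdomain of a listed domain; line 1 produces nothing. In practice the indicator set would be refreshed from the feed on a schedule and the hits routed to the SOC, but the matching logic is the same.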

Throughout all industries, cyberattacks made headlines last year, with healthcare information one of the top targets.

One of the most recent attacks was on Sony Pictures, where documents obtained by the hackers included health information on dozens of employees and their children or spouses, FierceHealthIT previously reported.

For 2015, particular challenges to the healthcare industry could include an increase in phishing emails that try to lure recipients into giving out information such as usernames, passwords or credit card numbers. Such emails can also give attackers a way to infiltrate the enterprise network.


HIMSS15 Leaders Focus on Healthcare Privacy, HIPAA Rules


HIMSS15 took place this week in Chicago, and some of the highly discussed topics included healthcare privacy and security issues, such as HIPAA regulations. With more providers implementing EHRs, HIEs, and other forms of technology, ensuring that patient data remains secure whether in storage or transport is essential. Moreover, covered entities need to remain compliant with all federal, state, and local regulations as well.

Proving this point, 40 educational sessions over the five-day conference touched on everything from understanding HIPAA rules, to cybersecurity measures, to ensuring medical device security. HealthITSecurity.com spoke with several leaders in the industry who provided further insight on these topics.

Greg Slattery, CIO of Community Hospitals and Wellness Centers (CHWC), talked about how CHWC replaced its pagers with secure messaging options.

“Yes, there were some security concerns [at first],” Slattery said. “However, once we talked to Imprivata and once we had a device in house and saw the encryption and how you can age the message, we have more control over it. And the auditing capabilities are helpful.”

Greater Houston HealthConnect CTO and Privacy and Security Officer Phil Beckett, PhD, said in an interview how his facility has been using a secure cloud medical image exchange through DICOM Grid.

HealthConnect also has a federated model, which helps to keep information secure, Beckett said. Essentially, information is not moved unless it is requested, and that data is also encrypted and transferred through VPN tunnels. The two endpoints are both certified, Beckett explained, and the HIE’s web services use transport layer security (TLS).

“It’s critical that there is encryption both when the data is static and when it is in transport,” Beckett said.

Several educational sessions centered around HIPAA rules, and discussed best practices for covered entities when it comes to protecting patient data and remaining compliant. Marion Jenkins, PhD, FHIMSS, led the session HIPAA Security: A Decade of Breaches, which explained that understanding HIPAA regulations is a continuous process for facilities of all sizes.

“You don’t have to be a huge organization to end up on the [HHS reported breaches] list,” Jenkins said.

It is also important to see what the HIPAA rules do not outline, Jenkins explained. For example, HIPAA does not actually specify how long passwords must be, or say that employees must change their passwords after a certain amount of time. A timeout or logout interval, as well as the type of encryption used by an organization, are also not specified in HIPAA regulations.

Adam Greene, JD, MPH, partner at Davis Wright Tremaine LLP, led a session titled Preparing for a New Level of HIPAA Enforcement. Greene discussed prior HHS data breach settlements and what the agency’s top privacy and security enforcement issues have become.

Even though the OCR HIPAA audits continue to be delayed, Greene underlined the importance of covered entities being prepared. For example, the pilot audit program found that approximately 80 percent of providers and nearly 57 percent of health plans did not have a complete or accurate risk analysis, Greene explained.

Currently, OCR data breach settlement trends show an increased focus on risk analysis, the encryption of media, and security configurations. Moreover, the settlement size is more closely tied to an entity’s size than to the number of affected individuals.

Looking ahead, Greene said that the audit program will likely focus on those trends, as well as on notices of privacy practices and breach notification policies and procedures. Business associate relationships and vendor management will also be held to higher scrutiny, he said, and the Federal Trade Commission (FTC) has even indicated that it will expect monitoring of vendors’ information security programs.

Healthcare privacy and security issues are not going to disappear anytime soon, especially as technology continues to evolve and be further integrated into covered entities’ workflows. Staying educated on the latest trends and data breach prevention measures is key, as is ensuring that a facility is HIPAA compliant. HIMSS15 pushed important information to the forefront, providing attendees with the means to find the privacy and security options their organizations need.
