HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Security Rule: Risk Analysis Review and Updating

The HIPAA Security Rule requires that covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA-related transaction) and business associates implement security safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.

Performing a security risk analysis is the first step in identifying and implementing these safeguards.

A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

Once the analysis has been completed, organizations should periodically conduct a risk analysis review.

What is the Scope of a Security Risk Analysis?

According to guidance issued by the Department of Health and Human Services (HHS), the scope of security risk analysis includes potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization:

  • Creates;
  • Receives;
  • Maintains; and
  • Transmits

Security risk analysis includes six elements:

  • Collecting Data
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk

What is a Security Rule Risk Analysis Review?

Once all six of the above elements have been addressed, all documentation should be finalized. In addition, the security risk assessment should be periodically reviewed and updated as needed.

Continuous risk analysis review allows an organization to identify when updates to risk assessment policies and procedures are needed.

The Security Rule does not specify how frequently to perform risk analysis review. According to risk analysis guidance provided by the Department of Health and Human Services (HHS), some covered entities may perform risk analysis review annually or as needed (e.g., twice a year, every 3 years), depending on the circumstances of their environment.

What Factors Influence Whether Risk Analysis Review Should be Performed?

Factors to consider include:

  • Changes in technology and business operations. When an entity implements new technologies or plans new business operations, it should consider performing a security risk analysis assessment. Adopting new technologies and new business operations may pose potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; a risk analysis review can identify these risks and vulnerabilities.

  • An organization has experienced a recent security incident. If a covered entity has recently experienced a security incident, such as a data breach, a risk analysis review should be conducted to determine whether additional security measures are needed and, if so, which ones.

  • An organization has experienced a change in ownership or turnover in key staff or management. An organization that undergoes a change in ownership or experiences key staff turnover should evaluate, in light of the expertise of the departed and incoming individuals, whether existing security measures are sufficient to protect against risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. In addition, part of risk analysis consists of an assessment of current security measures. Important security measures include policies and procedures, contained in an employee handbook or similar document, that address data security and define staff obligations to protect ePHI. Before incoming workforce members begin their jobs, the policies and procedures in the handbook should be evaluated for sufficiency and accuracy, so that when they are distributed, new employees have the most up-to-date information required to protect ePHI.

  • Regulatory and legislative changes. New legislation and regulations may impose additional or modified obligations under the Security Rule. If your risk assessment references a law or regulation, review that assessment to make sure it still reflects any changes made to the regulation. When new legislation is passed, or when new regulations become effective, the risk assessment should be reviewed and updated to incorporate the requirements of the new legislation or regulations.

Performing risk analysis review, and then making the necessary updates to the risk analysis assessment, allows your organization to reduce the risks identified during the review to reasonable and appropriate levels.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

Does Obama privacy push have oomph?

President Barack Obama’s rollout of privacy and data security policies Monday offered big promises to protect consumer information online, but the reality is his legislative ideas are a long shot in Congress and his voluntary industry initiatives lack enforcement teeth.

The package of proposals — including a data-breach notification law and a privacy bill of rights — are mostly a rehash of previous administration proposals. While some lawmakers have expressed interest in data breach and student privacy bills, such legislation has made little progress in the past. Congress has even less enthusiasm for the base-line privacy bill that Obama says he will release in coming weeks.

The president’s announcement comes on the heels of the high-profile Sony hacking case and after a year of major retail hacks that compromised millions of Americans’ credit cards. But the glacial progress of privacy and data security legislation shows just how difficult it has been for Washington to come up with workable new laws in this area.

In a 15-minute speech at the Federal Trade Commission, Obama previewed proposals that will be part of his State of the Union address on Jan. 20. Pressing Congress to take action, the president led his speech with recent headlines from the Sony hack.

“This mission, protecting our information and privacy in the information age, this should not be a partisan issue,” Obama said. “It’s one of those new challenges in our modern society that crosses the old divides — transcends politics, transcends ideology. Liberal, conservative, Democrat, Republican, everybody is online, and everybody understands the risks and vulnerabilities as well as opportunities that are presented by this new world.”

White House press secretary Josh Earnest later put it more bluntly. “I do think that, certainly, in the aftermath of some of the more recent cyberattacks we’ve seen that have been carried out against a number of private companies, including most recently Sony, hopefully that got the attention of people on Capitol Hill,” he said.

Obama’s data-breach proposal would impose a national standard for companies to notify consumers, in the event their information is stolen or compromised, within 30 days of the discovery of an incident. His student privacy bill, modeled on a California measure, would impose new restrictions on companies that collect or store student data while providing products and services to K-12 schools.

The president also announced that JPMorgan Chase and Bank of America are joining a list of firms making credit scores available for free to consumers to combat identity theft, the top consumer complaint for 14 years running at the FTC.

Some privacy advocates, while bullish for laws that will tighten consumer privacy, remain skeptical that Obama’s push will have any oomph behind it, seeing it more as a public relations maneuver designed to reassure European privacy officials as they work to complete a trade deal by the end of the year.

“An unannounced but intended audience for the administration’s plan is to remove a serious obstacle to its plans for a U.S.-EU trade deal, known as TTIP,” or the Transatlantic Trade and Investment Partnership, said Jeff Chester, executive director of the Center for Digital Democracy. Consumer privacy has been one of the sticking points with EU officials who worry that the U.S. doesn’t have a comprehensive privacy framework.

There is some support for a data-breach bill in the new Congress, and industry groups and the FTC have long pressed for a federal law to streamline the 49 different state breach rules they have to follow. Reps. Marsha Blackburn (R-Tenn.) and Peter Welch (D-Vt.) say they are already working on a data-breach bill.

“There has been consensus and a call from many in the business community several years running for data-breach legislation,” said Stu Ingis, a partner at Venable and counsel to the Digital Advertising Alliance, which represents several marketing and advertising groups.

But such legislation has repeatedly run into fears that a federal standard would weaken stricter rules enacted by states — a theme some privacy advocates hit again Monday.

“The Personal Data Notification and Protection Act would pre-empt stronger state laws and contains no private right of action,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center. He said the president’s student privacy plan “looks promising,” adding the country ultimately needs a more comprehensive approach to online privacy issues.

“The White House announcement is a step in that direction. But more needs to be done,” Rotenberg said.

Obama touted the 75 education tech companies that have voluntarily committed to keeping student data private, including Microsoft. Apple, which did not sign on initially, has now committed to the pledge. But other major players in the ed tech market, including Google and Pearson, are still not listed as signatories.

Concerns over student privacy have grown steadily as the use of online tools has exploded in classrooms. Ed tech companies can scoop up millions of data points on each child by monitoring them as they click through digital textbooks, educational games and online homework assignments. They can build detailed profiles of students’ academic ability — and also of their cognitive skills, including their learning styles.

The prospect of such intimate information being mined for possible commercial gain has mobilized parent privacy activists from across the political spectrum.

The administration has eyed privacy and data security measures since the president’s first term and proposed a national data-breach standard as part of a cybersecurity proposal in 2011. It unveiled a blueprint for a consumer privacy bill of rights in 2012.

Some parts of the tech industry said the president should have broadened his proposal to include surveillance reform, a key issue for Internet companies following Edward Snowden’s leaks about the National Security Agency.

“The president missed an opportunity to address the continued push by law enforcement and intelligence agencies to weaken security for the purpose of surveillance,” said Daniel Castro, senior analyst for the Information Technology and Innovation Foundation. “These actions threaten the competitiveness of the U.S. tech sector and discourage consumer confidence in digital products and services.”

HIPAA Requirements for Sending PHI

Healthcare entities require a means to easily share protected health information (PHI). When sending PHI, it is imperative to keep HIPAA requirements in mind. The Health Insurance Portability and Accountability Act (HIPAA) sets forth industry standards for creating, storing, and maintaining PHI, including proper procedures for sending PHI.

  • Email

The most convenient means of sending PHI is via email; however, when sending PHI through email, organizations must have proper protections in place.

The best way to protect email communications is through encryption. Encryption masks data by translating it into text that is unreadable without a decryption key.

Most professional versions of email services offer encryption as part of their package. However, encrypting PHI is not enough.

Before sending PHI using email, it is essential to verify the identity of the person receiving the email to ensure that they are permitted to receive the PHI.

In addition, there must be a means to revoke access to the PHI if the email was sent to the wrong person, or if access to the PHI is no longer necessary.

  • Fax

Faxing PHI is permitted under certain circumstances. Sending PHI via fax is a similarly easy way to share patient data quickly.

HIPAA requires that access to PHI be given only to authorized individuals who need it to perform a job function. As such, fax machines must be kept in a locked area, limiting the risk of access by unauthorized individuals.

Additionally, faxes should not be printed automatically. Faxes that print automatically pose the risk of being viewed by individuals who are not permitted to view PHI.

Faxes containing PHI should be held in the memory of the fax machine until they can be printed by an authorized user.

  • U.S. Mail

When sending PHI via U.S. mail, the regular mailing service may not be used. At a minimum, PHI must be sent through first class mail.

However, under some circumstances PHI must be sent using certified mail. Certified mail requires the recipient to sign for it, so it can only be delivered to the intended recipient.

Certified mail can also be tracked, ensuring that PHI is not accessed by unauthorized individuals.

Sending PHI: Business Associate Agreement

Before it is permitted to fax or email PHI, healthcare organizations must have a signed business associate agreement (BAA) with their email and fax service providers. When email or fax is used to send PHI, the data is stored on the providers' servers, which gives them the means to access the data.

A BAA limits the liability for both parties, as it states that each organization agrees to be HIPAA compliant and each is responsible for its own compliance.

Sending PHI: HIPAA Conduit Exception Rule

When sending PHI through U.S. mail, a BAA is not required. Mail couriers are considered conduits under HIPAA, as they do not have the means to access PHI sent through their service.

HIPAA Requirements for Sending PHI

When choosing a method to send PHI, healthcare entities must look to HIPAA requirements to ensure that they are sending PHI in a HIPAA compliant manner.

Email must be encrypted, faxes must be held in the machine's memory, and U.S. mail must be sent through first class mail. Lastly, there must be signed BAAs with email and fax machine vendors.
