HIPAA Compliance for Medical Practices
68.5K views | +0 today
Follow
 
Scoop.it!

Radiologist Arrested in Breach Case

Radiologist Arrested in Breach Case | HIPAA Compliance for Medical Practices | Scoop.it

A radiologist faces three misdemeanor charges for allegedly stealing the protected health information of nearly 97,000 current and former patients of NRAD Medical Associates, the Long Island, N.Y., medical practice where he worked.


Meanwhile, Nassau County District Attorney Kathleen Rice is advocating a change in state law to permit tougher charges in such cases. And a privacy attorney says federal charges for HIPAA violations might be appropriate in the case.


A spokesman for Rice tells Information Security Media Group that Richard Kessler, M.D., was arrested on Dec. 3 and charged with three misdemeanors under state statutes: unauthorized use of a computer; unlawful duplication of computer-related material and petty larceny.

Kessler told authorities that he accessed and copied the NRAD information because he was planning to start a competing medical practice, according to the DA spokesman.

The radiologist is scheduled to be arraigned in district court on Jan. 6. Kessler faces a maximum of one year of jail time if convicted of the steepest charge.

Kessler's arrest follows a law enforcement investigation related to a breach that NRAD reported in July. At that time, the medical practice disclosed in a statement that a radiologist on staff accessed and acquired without authorization about 97,000 records that included patient names and addresses, dates of birth, Social Security numbers, health insurance information and diagnosis and procedure codes.

How Data Was Taken

A statement issued by Rice says that between about Jan. 17 and April 24, Kessler allegedly connected an external hard drive to his workplace computer and copied onto it patient information from the NRAD network. A search warrant uncovered Kessler's hard drive containing the NRAD patient records, as well other information, including NRAD corporate credit card information, corporate marketing materials, and IT information, Rice says.

"Though there is no indication that Kessler used any of the information stolen to open accounts, make purchases, or obtain property in the names of NRAD patients, the victims of this identity theft were given the opportunity by NRAD to protect their credit" through credit monitoring, the statement noted.

Cinzia Lawrence, CEO of NRAD, tells ISMG that the medical practice is continuing to work with law enforcement authorities in the investigation, and declined to comment on whether NRAD will file a civil suit against Kessler. "Protecting the privacy of our patients' personal information is vitally important," she says. She also declined further comment about the steps NRAD is taking to bolster data security in the wake of the incident. The radiologist no longer works for NRAD.

State Statutes

The current New York state statute for "unlawful possession of personal identification in the third degree" doesn't allow for additional criminal charges against Kessler, the DA spokesman says.

"Current New York State personal identification information statutes - Penal Law § 190.81-83 - do not cover the information found to be in Kessler's possession," according to the Rice's statement.

As a result, Rice is calling for changes in the statute to allow tougher charges in cases such as Kessler's. "Physicians are regularly entrusted with the health and well-being of their patients, so the abuse of trust in this case is particularly outrageous," she says. "New York State's privacy and larceny statutes should be reformed so they can apply to more kinds of personally identifying information."

David Holtzman, a vice president at security consulting firm CynergisTek and a licensed attorney in New York, notes: "New York's criminal statutes do not make it a crime to steal or maliciously disclose health records. Legislation ... to close this loophole had been passed the New York State Senate [last year] but died without action in the state assembly."

Privacy attorney Adam Greene of law firm Davis Wright Tremaine notes, however, that federal prosecutors could consider filing HIPAA violation charges against Kessler.

"In addition to the charges that have been brought, the U.S. Department of Justice could bring criminal charges for knowingly obtaining PHI in violation of HIPAA," he says. "They would need to demonstrate that the doctor obtained the PHI without authorization. If they could demonstrate that the radiologist's actions were for commercial advantage or personal gain, then the penalty is up to $250,000 and up to 10 years imprisonment."

Preventive Measures

Other healthcare entities can take steps to avoid similar breaches involving employees, Holtzman says.

"Healthcare organizations should have security controls in place that prevent unauthorized devices, like thumb drives, hard drives and smart phones, from connecting to the information system that handles patient information by limiting access through the USB ports that are commonly found on a desktop workstation," he says. "Organizations [should] regularly scan their information networks to identify which devices are accessing or connected to the information system to identify any unauthorized devices or hardware that is getting access to the system."



more...
No comment yet.
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

9 keys to having a HIPAA-compliant cloud

9 keys to having a HIPAA-compliant cloud | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organizations are increasingly open to the idea of using public cloud services, whether it be applications or infrastructure. But to do so requires thorough planning and vigilant execution of IT operations.

 

Chris Bowen, founder and chief privacy and security officer for ClearDATA, a company that helps healthcare organizations use public cloud services, provides nine examples of controls that can be put in place. 

 

  1. Implement audit controls: Use tools such as AWS’ Cloudtrail and S3 buckets as key components of a logging infrastructure.
  2. Review system activity: Leverage audit logs to enable the review of activity within your system.
  3. Identity and Access management control: Keep track of every user who logs into a cloud environment and what they do; alert administrators if settings are changed. 
  4. Disaster recovery: Ensure there are backups of all data to satisfy contingency plan requirements, including emergency mode operation.
  5. Evaluate your security posture: Conduct vulnerability scans, penetration tests, and code scan on systems processing Personal Health Information (PHI).
  6. Establish a proper Business Associate Agreement: Outline key responsibilities between you and your vendors. These should address responsibilities for keeping data safe, how to provide patients with access to their data, and what to do in the case of a data breach.
  7. Access Controls: Ensure users are unique and logged. Enable auto logoff features, robust authentication features, and stateful security groups.
  8. Encrypt PHI and other sensitive data: Encrypt all data in motion and in rest using a purpose-designed approach.
  9. Ensure transmission security: Effectively enable the proper encryption of data in transit using AES 256 encryption (SSL and TLS) as well as object keys where feasible.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA as an umbrella for county/municipal cybersecurity

HIPAA as an umbrella for county/municipal cybersecurity | HIPAA Compliance for Medical Practices | Scoop.it

Are you a covered entity?

Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.

 

How do you know if you have or are a CE? If some department or division within your organization is a health care provider, a health plan or a health care clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), health care clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.

Are you in compliance?

If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.

 

In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?

 

I suspect what often happens is that executives look at something like information security policy requirements and say:

This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.

 

What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.'

Trust but verify

There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances, and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.

Extend HIPAA to your enterprise

If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that level while also getting compliant with federal law.

 

Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted good practices.

Develop your policy with the HIPAA Security Rule

There are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.

The original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards; Final Rule, is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix on page 48 (8380 of the federal register).

The security standards in HIPAA are broken down into three sections, each of which has multiple layers and subcomponents:

  • Administrative Safeguards (9 components)
  • Physical Safeguards (4 components)
  • Technical Safeguards (5 components)

 

These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.

 

Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.

 

These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.

Next Steps

1. Find out where your organization stands in terms of information security policies and procedures.

2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?

3. Meet with your IG committee to discuss your findings.

4. If you don’t have an IG committee — start one!

5. Download and review the HIPAA Security Rule. Use it to build your organization’s information security policies.

6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintaining continuous improvement.

7. Begin building a culture of security in your organization.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Easiest Complete HIPAA Compliance Checklist You'll Ever See

The Easiest Complete HIPAA Compliance Checklist You'll Ever See | HIPAA Compliance for Medical Practices | Scoop.it
The Best HIPAA Checklist Is…HIPAA Itself?

Yes, basically. First, let’s make sure we’re on the same page about what HIPAA is exactly. HIPAA is federal legislation, as is the HITECH act that updated parts of it. Title II of that legislation relates to the privacy and security of protected health information, and this is the meat of what most physicians need to care about when “HIPAA compliance” comes up.

 

Title II of HIPAA also requires HHS to create federal regulations that implement the ideas in the rest of the act. These regulations spell out exactly what healthcare providers must do, and they are now complete and published in the Code of Federal Regulations (CFR),

 

Luckily, HHS also grouped these regulations into six sections, called “rules,” and these are really the ultimate HIPAA compliance checklist. If you can understand and comply with each of these six rules, you’ll have a good claim to HIPAA compliance. So let’s do it; let’s count down the checklist that HHS gives us:

The Six Rules of the HIPAA Compliance Checklist:

#1: Standardize Your Coding and Electronic Transmissions

This one is easy. HIPAA seeks to make sure that everybody is communicating about healthcare issues in one unified way, and regulations in its “Transactions and Code Sets” rule accomplish this.

One part of this rule specifies what code sets are allowable for describing medical data, including ICD-CM for conditions, NDC for drug names, and CPT/HCPCS for procedures. Another part then defines and mandates the specific electronic transmission formats that can be used to convey the encoded data.

 HIPAA Checklist: How to Comply with Rule 1

  1. Use a compliant electronic health record (EHR).

Simply pick a modern EHR to use in your practice. They will typically use the correct encoding and transmission formats automatically, and you can confirm this with the vendor before you buy anything.

That’s it. Done. Check.

#2: Get Unique Identifiers for You and Your Organization

In the “Identifier Standards” rule, HIPAA mandates that every individual or organization that renders healthcare have a unique 10-digit National Provider Identifier (NPI). Type 1 NPIs are for individuals, and type 2 NPIs are for organizations. NPIs are used in encoding and transmitting healthcare data, and they help enforce clarity. Two doctors may have the same name and practice in the same city, but their differing NPIs will ensure that they are not mistaken for one another.

 HIPAA Checklist: How to Comply with Rule 2

  1. Make sure that all HIPAA-covered entities in your practice have an NPI.

You probably already have an NPI. If you don’t,  you can get one through the National Plan and Provider Enumeration System (NPPES) that HHS runs.

That’s it. Done. Check.

#3: Protect Your Patients’ Privacy

The HIPAA Privacy Rule, in conjunction with the HIPAA Security Rule, constitutes the most important part of HIPAA for most providers. Fundamentally, the Privacy Rule is all about individuals’ health information, termed “protected health information (PHI).” The rule spells out how healthcare entities may use PHI, and it also delineates patients’ rights to be informed of and control those uses.

HHS has written an important summary of the Privacy Rule, and it’s worth a read. High-level points from the summary to internalize:

  • The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information “PHI.”
  • A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A [healthcare] entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish [an intended purpose].
  • Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI and any of its uses and disclosures. They may also demand corrections to it.
  • Each [healthcare] entity, with certain exceptions, must provide a notice of its privacy practices.

 HIPAA Checklist: How to Comply with Rule 3

  1. Designate a “privacy official” in your organization who will be tasked with developing and implementing your privacy policies and procedures and ensure that this person is available to receive requests and complaints related to the Privacy Rule.
  2. Understand the definition of PHI and identify information in your practice that is PHI.
  3. Keep a record of all uses and disclosures of PHI in your practice.
  4. Understand the things your practice must do under the Privacy Rule, especially including those things that relate to your patients’ control over their own PHI.
  5. Understand the things your practice may do under the Privacy Rule, especially including those uses and disclosures of PHI that are allowable without explicit, written patient consent. Always use the concept of “minimum necessary” to guide your uses and disclosures.
  6. Identify your “business associates,” as defined by HIPAA. If another company interacts with PHI from your practice, they are likely a business associate, and you need to have a formal “business associate contract” with them that extends the duties of HIPAA to their operations.
  7. Create a Notice of Privacy Practices. This must contain specific items, and it’s best to start with a template that HHS provides. Know when, where, and to whom this notice must be made available.
  8. Implement administrative, technical, and physical safeguards to prevent impermissible intentional or unintentional use or disclosure of PHI. These should also act to limit incidental uses or disclosures.
  9. Ensure ongoing training of your practice’s workforce on your privacy policies and procedures.
  10. Have your privacy official create and maintain a written document of the policies and procedures that you have developed to accomplish the above items.

Well, this section was a bit longer than the first two, but that’s because the Privacy Rule is so crucial to HIPAA. It is, unfortunately, also critical that you review the Privacy Rule yourself. The checklist above is a good start on minimum necessary activities, but there is no perfect, comprehensive checklist that will work for every type of practice. HIPAA is about ensuring best practices in every type of healthcare provider, and there is no substitute for figuring out what that means for you and your exact practice.

HHS states that the Privacy Rule is comprised of 45 CFR Part 160 and Subparts A and E of 45 CFR Part 164, and you can refer to these directly or, at least, to the HHS Privacy Rule summary to make sure that you are creating and following all of the privacy policies and procedures that your specific practice needs.

#4: Secure Your Electronic Medical Information

The HIPAA Security Rule is a nitty-gritty rundown of “the technical and non-technical safeguards that organizations […] must put in place to secure individuals’ electronic PHI.” That quote comes directly from a Security Rule summary that HHS has written, in which they explain that the Security Rule takes the somewhat amorphous concepts of the Privacy Rule and lays out a more exact framework to implement them.

Unlike the Privacy Rule, which applies to all PHI, the Security Rule applies only to PHI that your practice “receives, maintains or transmits in electronic form.” To comply with the Security Rule, your organization must adopt an ongoing process of risk analysis that has the following general form:

  1. Assess risks to electronic PHI in your organization, the current state of your security measures, and any gaps between the two
  2. Implement “administrative, technical, and physical safeguards” to address the gaps
  3. Document all of steps 1 and 2 and keep the records
  4. Repeat steps 1 to 3 on a periodic basis

That’s it, really. And continuing their pattern of being hugely helpful, HHS has created a seven-part educational paper series that will walk you through this. For the checklist in this section, we’ll lean on these papers heavily…since HHS literally provides checklists in them.

 HIPAA Checklist: How to Comply with Rule 4

  1. Perform a risk analysis for electronic PHI in your organization
  2. Implement safeguards to address security gaps identified by the risk analysis:
    1. Administrative
    2. Physical
    3. Technical
  3. Make sure everything is documented appropriately
  4. Repeat steps 1 to 3 on a periodic basis

Each HHS document linked above has a reproduction of Appendix A of the actual Security Rule, which is effectively a checklist of necessary items to consider for the administrative, physical, and technical safeguards that you need. Some of the documents extend this list with other items, such as the document linked in step 3 above.

As with the Privacy Rule, it’s important that you read the Security Rule yourself at least one time. HHS wrote the rules generally so that they could function for organizations of any size, from one person to thousands, and because of this, only you can decide exactly how your organization can best comply. Per HHS, “The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.” And again, they’ve also written a summary of it.

#5: Understand the Penalties for Violations

The HIPAA Enforcement Rule (codified at 45 CFR Part 160, Subparts C, D, and E) establish procedures for the investigation of possible HIPAA violations and sets civil fines for infractions. Fines can be up to $50,000 per violation per day, so it can add up quickly and is not a joke. Violations can also carry criminal penalties, including fines and jail time, but these are not covered by HHS regulation.

 HIPAA Checklist: How to Comply with Rule 5

  1. You don’t have to do anything ahead of time

If HHS investigates your practice, then this rule becomes relevant to you, but there’s nothing here that you need to do proactively.

#6: Learn How to Handle Information Breaches

The HIPAA Breach Notification Rule (codified at 45 CFR §§ 164.400-414) requires healthcare organizations to provide notification after breaches of PHI. A “breach” is, basically, an impermissible use or disclosure of PHI, as detailed in the HIPAA Privacy Rule. Depending on the type of breach, the notification might need to be made to the affected individuals, the media, or the HHS Secretary. HHS has further guidance available on the topic.

 HIPAA Checklist: How to Comply with Rule 6

  1. You don’t have to do anything ahead of time

Once again, you only need to worry about this rule if you identify a PHI breach, which you should be monitoring for as part of your compliance with the HIPAA Privacy Rule and Security Rule.

 

HIPAA compliance is all about adopting good processes in your organization, and HHS has laid out a path to compliance that is nearly a checklist. All you have to do is follow it.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Our Partners at Compliancy Group Help Client Pass HIPAA Audit

Our Partners at Compliancy Group Help Client Pass HIPAA Audit | HIPAA Compliance for Medical Practices | Scoop.it

Compliancy Group announced today that it has helped a long-time client pass a HIPAA audit. The Department of Health

and Human Services (HHS) Office for Civil Rights (OCR) investigation into a potential HIPAA violation resulted in no fine for a user of their web-based compliance solution, The Guard.

HIPAA audits target hundreds of healthcare professionals a year, according to the HHS Wall of Shame.

 

Compliance Group is the only HIPAA solution on the market today that gives clients access to a HIPAA Audit Response Program (ARP). The Compliance Group HIPAA Audit Response Program gives clients the ability to formulate all the necessary reports that OCR auditors are requesting in order to illustrate their compliance efforts. Compliance Group’s team of expert Compliance Coaches gather the reports and adhere to strict audit deadlines to ensure that clients stand their best chance at emerging from an audit without being fined.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Alliance Marketplace Connects CEs and BAs

HIPAA Alliance Marketplace Connects CEs and BAs | HIPAA Compliance for Medical Practices | Scoop.it

For many healthcare providers, finding HIPAA compliant business associates poses a significant challenge–one with implications on the security of their sensitive healthcare data. The newly launched HIPAA Alliance Marketplace is a platform that simplifies the process for covered entities to find HIPAA compliant business associates.

 

Health care providers can connect with healthcare vendors like never before with confidence that their prospective business partners will keep their data safe and secure.

 

Access to the marketplace is limited to vendors that have been verified by the Compliance Group HIPAA Seal of Compliance. The HIPAA Seal of Compliance is the industry standard, third-party HIPAA verification tool used by health care providers and vendors across the country. The Seal of Compliance demonstrates that the organization in question has executed all of the necessary standards mandated by HIPAA regulation.

 

Vendors can use the marketplace to break into the valuable healthcare market. Whether already HIPAA compliant, or just starting on their journey, vendors can speak with one of Compliance Group’s HIPAA experts to determine the status of their compliance and get listed on the marketplace today.

About the HIPAA Alliance:

 

The HIPAA Alliance Marketplace is a closed ecosystem that allows healthcare professionals (covered entities, CE) to find HIPAA compliant solution providers (business associates, BA). HIPAA compliant vendors in the HIPAA Alliance Marketplace are heavily vetted against the HIPAA rules and verified by the Compliance Group HIPAA Seal of Compliance

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Why Small Medical Practices Struggle with HIPAA Compliance 

Why Small Medical Practices Struggle with HIPAA Compliance  | HIPAA Compliance for Medical Practices | Scoop.it

Over the past couple of years, cybercriminals have increasingly targeted healthcare organizations for the volume of sensitive data they have on file. When stolen, medical records containing personally identifiable information (PII) can be used to create and sell false identities, contributing to high breach costs per record that can shut your clients’ practices down. To prevent this, it’s critical that all impacted organizations maintain HIPAA compliance, have safeguards in place and establish a disaster recovery (DR) plan.

Compliance starts with awareness, but many small practices aren’t aware that they’re falling short in this area. That’s where you come in. You’re in the unique position to help clients take the proper steps towards HIPAA compliance and ensure that all guidelines are being followed. So how can you relay that message in your next MSP sales presentation? To help you get started, we’ve pulled data from NueMD’s 2016 HIPAA Survey. Leverage this chart to show clients and prospects that you are the data security solution they need to stay HIPAA compliant!

 

When presenting this chart in your proposal, use these talking points to illustrate how you can help clients maintain HIPAA compliance:

 

  1. A surprising 60 percent of respondents aren’t even aware of the new HIPAA audits that were launched in phase two. This is a huge problem, especially if you’re part of that 60 percent because you could be fined up to $50,000 per violation for not even knowing you violated HIPAA regulations. To avoid this, rely on us to be your trusted resource. We’re always up-to-date on the current compliance standards, and we can even perform a HIPAA audit that not only assesses whether your practice is compliant, but provides corrective action and possibly uncovers security issues to help you avoid potential data breaches. (Continuum offers a HIPAA Assessment Tool, which allows you to expand your service portfolio, generate additional revenue and most importantly, helps your clients survive an OCR audit.)

  2. While we help you remain HIPAA compliant through proactive and preventative IT management services and support, you also have to be prepared when disaster strikes. Sometimes cyber attacks are successful or data is compromised internally by accident. To mitigate the damage (both to your finances and reputation) and remain HIPAA compliant, you need a comprehensive DR plan. However, as this chart shows, 30 percent of respondents have yet to create a said plan – meaning they could be found in violation of HIPAA law. Rather than assume the same risk with our backup and disaster recovery (BDR) solution and services, we’ll ensure patient data is securely backed-up and easily restorable.

  3. HIPAA compliance is an organization-wide responsibility. You need to ensure that your staff knows how to handle sensitive data and understand the need to secure it. Partner with us to prevent yourself from becoming like the other 42 percent of respondents who do not provide annual compliance training for their employees. We regularly help conduct training courses and seminars with your employees so they can better understand how their behavior impacts data security. With our ongoing education, we help your employees do their part in maintaining HIPAA compliance, explaining best practices when creating login credentials, sending emails, receiving unknown links or seemingly harmless attachments and more. 

  4. With 80 percent of respondents being unconfident that their mobile devices are HIPAA compliant, there’s a clear need to protect those endpoints that have access to patient data. With a service such as mobile device management (MDM), you'll be able to remotely lock down and wipe the device, should it be compromised. MDM is an added security measure that ensures you’re doing all you can to keep sensitive data protected.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Is Your Medical HIPAA Compliant Website Protected? 

Is Your Medical HIPAA Compliant Website Protected?  | HIPAA Compliance for Medical Practices | Scoop.it

Every physician and medical administrator that we know is intimately—often, intensely—aware of HIPAA’s privacy and security rules. There isn’t a policy, procedure or process that isn’t carefully scrutinized as HIPAA compliant.

 

This isn’t legal advice, but healthcare professionals know that protected health information (PHI) and electronic protected health information (ePHI) need to be on the safe side of the Health Insurance Portability and Accountability Act and the Department of Health and Human Services.

 

But, physicians and medical administrators also realize that, in an Internet-driven world, confidentiality, privacy, and data security are vastly larger, dangerous and more complex issues. What’s more, hospital data and medical records are attractive targets for cyber theft and ransomware attacks.

 

If regulations, compliance and digital security issues aren’t compelling enough to keep you awake at night, consider this: What if your website and digital presence are not HIPAA compliant? Many ordinary, and innocent appearing, healthcare websites are not secure, or inadvertently fail to safeguard all “individually identifiable health information.”

 

Being HIPAA compliant is vital to every medical website…

Check with your own legal advisor, but here are some of the ways that medical websites, and HIPAA compliance, can be at risk:

Are files, storage, and transmissions secure? Data that is “in the open” (without encryption or SSL/Secure Socket Layer) is at risk. An important compliance checkpoint is having all sensitive material encrypted and secure, particularly when transmitted over the Internet.

 

Some forms can put you at risk. Generally, when a patient or prospective patient completes an online form—even elementary info such as name, phone number, email—it may be advisable to provide the data with the same level of protection as ePHI. More specifically, “individually identifiable” and “protected health information” is likely to meet the definition of electronic protected health information.

 

Social media can be a danger zone. Social media is a useful tool to talk about many things under the broad medical umbrella. That said, anything that is specific to an individual patient or identifiable info—even photographs—can violate personal privacy.

 

Use caution responding to online comments and review sites. It can be tempting to use specific, “he-said-she-said” replies to Internet-posted comments—especially negative mentions. It’s OK to be responsive, but a provider’s reply must avoid reference to a specific, identifiable or individual patient. Even acknowledging that someone is a patient would be inappropriate.

 

Your favorite iPhone or Blackberry is a target for theft. Mobile devices—a favorite among doctors—are compact and easily “snatch-able,” and that opens the door to cyber theft of stored or access information. What’s more, mobile devices themselves that are used to exchange doctor-patient communications may not be secure or HIPAA compliant.

Look for additional articles in this series…

There’s no question that compliance is vitally important for hospitals, group practices, and healthcare providers. In addition, medical websites are an important connection between the professional and the public. HIPAA’s privacy and security rules are a critical consideration. Check with your legal advisor and avoid compliance issues online.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Are You Feeling Confident About Your HIPAA Compliance? 

Are You Feeling Confident About Your HIPAA Compliance?  | HIPAA Compliance for Medical Practices | Scoop.it

A friendly reminder that, with the recent HHS Office of Civil Rights announcement, covered entities may soon be facing some unwelcome audits. Now’s the time to review compliance.

 

HIPAA compliance can sometimes feel like changing the oil in your car: inarguably necessary, a serious problem when left unchecked, yet tedious enough that some are willing to let the task slide. The difference, of course, is that one is bad for your engine while the other is a federally mandated and legally enforceable standard.

Friendly reminder: the HHS Office of Civil Rights (OCR) recently announced the Phase II launch of its HIPAA audit program, part of the 2009 HITECH Act. And with their finalized Audit Protocol published on April 8th, all signs point to the OCR soon getting down to brass tacks.

 

This needn’t be cause for alarm. But if covered entities or their business associates haven’t recently ensured that their compliance is watertight — especially regarding the measurement of referral and appointment activity — there’s definitely no time like the present.

There’s No Reason for Panic — Just Preparation

Audits are tentatively set to begin sometime in May, according to OCR official Devin McGraw via Politico, at which point randomly selected covered entities will receive an email announcing their fates (they recommend checking spam folders).

Business associates, who are also subject to individual audits, will be subject to audits in June or July. The agency plans to conduct roughly 200 remote desk audits, to be completed by December 2016, and anywhere from 10-25 “full scale” field audits thereafter, according to Healthcare Info Security. If you’re uncomfortable with the vagueness of this plan, you’re not alone.

The good news is that the majority of organizations will not be audited. However, if selected, entities will have a mere ten business days to prepare and submit all relevant documents via a secure online portal. Desk audits may (or may not) entail just a review of policies, or pertain to only one of the three HIPAA Rules: Privacy, Security, or Breach Notification. However, certain charmed organizations may, in fact, get to experience the unique joy of both desk and on-site audits.

Possibility for Consequences?

Officially, Phase II OCR audits are relatively benign, designed to “develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.” Nevertheless, they will open a formal investigation, should they find a “serious compliance issue,” however defined. And while OCR won’t publish the audit results (or even list which companies are audited), the whole process is subject to the Freedom of Information Act (FOIA), which means that journalists or other public agents can legally publish results. 

 

You may recall that 115 covered entities were audited in 2011 during Phase 1 of program, unearthing major compliance breaches; 89% were found to have compliance issues, and smaller organizations tended to struggle in multiple areas. 

Given the involvement of business associates — many of whom are not primarily dedicated to healthcare — one of the most difficult compliance aspects to cover will be Protected Health Information (PHI) and ePHI (electronic PHI). For instance, if your marketing agency measures referral and appointment activity, they’re likely in the domain of PHI and will need to be in solid compliance.

 

The bottom line is that if you haven’t implemented HIPAA privacy and security policies and procedures, recently conducted an inventory of relevant assets, or regularly completed risk assessments, then now is probably your last chance to do so before the audit process begins.

 

In the end, however, integrating a comprehensive HIPAA compliance program will keep you from running afoul of any regulatory standards that may come down the pipeline. The HHS is only conducting these audits in order to better enforce compliance standards in the future. So while you may or may not be audited this year, you and your digital marketing vendors must be prepared to stand up to scrutiny at any time.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Social Media and HIPAA Compliance: What Medical Professionals Should Know 

Social Media and HIPAA Compliance: What Medical Professionals Should Know  | HIPAA Compliance for Medical Practices | Scoop.it

Social media is fast becoming one of the most impactful marketing channels for medical professionals; however, HIPAA regulations must be taken into account.

More than ever before, medical professionals are using social media every day in both their personal and professional lives. And of course this isn’t a bad thing: physicians, nurses, and other practitioners are in a unique position to engage and educate current patients and others in search of treatment. However, when used incorrectly, social media can be a veritable minefield in regards to HIPAA regulations for patient confidentiality. So in the interest of keeping those tweets flowing, let’s run through four easy ways to maintain compliance with these regulations.

1) Don’t Talk About Patients (Even When it’s Subtle)

HIPAA regulations for patient confidentiality may seem complicated, but they all essentially boil down to one key point: don’t share your patients’ personal information. Few medical professionals would post something as obviously problematic as “John Smith from Cherry Street came in last night with such-and-such medical condition,” but that’s far from the only way to incur a violation. Rather than taking the risk of accidentally broadcasting protected information like specific appointment times and diagnoses, avoid the issue altogether by never referring to an actual case or visit.

That said, medical professionals should absolutely post interesting and relevant information on their professional social media accounts. Just be sure to always keep things in broad terms — talk about specific conditions or treatment options, not specific patients.

2) Don’t Like, Share, Retweet, or Regram Your Patients’ Posts

Even if you don’t share the information yourself, it’s still possible for a physician to breach his or her patient’s confidentiality. One way to do so is by engaging with a specific patient on any social platform. Even if your patient chooses to post his or her medical information in a public forum, sharing this post with your own network could land you in hot water.

The easiest way to avoid this issue is by doing something that’s fairly intuitive: create separate accounts for your professional and personal activities.

3) Don’t Post Pictures of Patients or Their Documentation

When to comes to HIPAA compliance, one key mistake that should always be avoided is posting pictures of real-life patients. Even if you’re celebrating something as meaningful as a patient’s recovery from a serious illness or injury, sharing a photo of their likeness still counts in HIPAA’s eyes as a forbidden personal identifier. Another thing to keep in mind when posting photos from around the office or clinic: a patient’s files can accidentally get caught in the background. Always triple-check that your image is free of any potentially confidential paperwork or other materials.

It may sound easier to rule out photos of your workplace altogether, but warm, engaging imagery bolsters patient trust in your medical brand — in some cases increasing conversion rates by as much as 95%. Just be smart about the photos you share with your network.

4) Don’t Send Confidential Information Through Direct Messages

Switching over to direct messages might seem like an easy loophole in all of the regulations outlined above, as the interface of any social media platform would have you think that such messages are private and confidential. However, doing so would risk violating another one of HIPAA’s major tenets: the Security Rule, which mandates that all electronic protected health information (ePHI) is stored in such a way that it is secure from potential data breaches, leaks, or any other form of unwanted disclosure. Most social media messaging services do not meet HIPAA’s standard for compliance with this rule, and thus they should never be used to share patient data or health records with colleagues or even the patients themselves.

Luckily, a number of medical industry apps — such as DrFirst’s Backline — offer secure messaging platforms that are in compliance with HIPAA’s Security Rule. So keep the sharing away from Twitter DMs and Facebook Messenger and stick to the software and services that guarantee both compliance and conversions.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA & Email

HIPAA & Email | HIPAA Compliance for Medical Practices | Scoop.it

Is it possible to email patients in a HIPAA compliant manner? What can and cannot be included in an email to patients? What does HIPAA have to say about it? These questions have long been on the minds of providers as they attempt to navigate towards greater messaging options without opening themselves up to breaches, penalties or fines. Before determining if HIPAA and email can effectively coexist, let’s take a step back and understand what the HIPAA Privacy and Security rules allow.

HIPAA Privacy Rule

Per the Office for Civil Rights (OCR) of the Department of Health and Human Services webpage, “The HIPAA Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

OCR then goes on to state if the patient reaches out to a healthcare provider using email, the provider can assume that email communication is acceptable. If the provider feels the patient does not understand the possible risks of using un-encrypted email, the provider should alert the patient and ensure that they want to continue with email communications.

Additionally, the Privacy Rule states that patients have the right to request a provider communicate with them by alternative means if reasonable; “For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.” See 45 C.F.R. § 164.522(b).

HIPAA Security Rule

The HIPAA Security Rule does not prohibit the use of e-mail to send ePHI, however, it does outline some standards to protect and guard the integrity of unauthorized access to ePHI. Sited from the OCR website, “However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

Recap of the Privacy and Security Standards:

Providers may e-mail patients but they must take precautions.

Should the patient request his/her provider use e-email, the provider must take the necessary steps to ensure the ePHI is protected.

As a standard practice, providers should warn patients about the risks of e-mail communications.

Information shared over an open network increases the likelihood of unauthorized access. 

Best Practices for HIPAA Compliant Email

Below is a list of some best practices to ensure compliant e-mail along with adhering to the Privacy and Security Rules:

  • Encrypt e-mail messages – If the provider is not using a patient portal or e-mail application, encrypt any/all sent e-mail messages and avoid sending any PHI. Additionally, any attachments (specifically those including PHI) should be encrypted as well.
  • Capture each patient’s consent to receive communication by email – Include a communication consent form within the patient on-boarding forms to verify communication preferences and allow patients to opt in or out of e-mail correspondence.
  • Utilize a secure, HIPAA compliant email application – There are many email applications and servers designed to offer providers a HIPAA compliant e-mail offering.
  • Message patients through an EMR portal – A secure EMR portal is the perfect place to send HIPAA compliant messages to patients. Patients may log in to view appointment reminders, test results and physician/nurse messages without the threat of unsecured e-mail.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Consequences for HIPAA Violations

Consequences for HIPAA Violations | HIPAA Compliance for Medical Practices | Scoop.it

A recent HHS Office for Civil Rights email blast outlined a story that many of us have heard before, another business closed with significant monies paid out in fines. Filefax, Inc. has agreed to pay $100,000 in order to settle potential violations of the HIPAA Privacy Rule. Once a medical records storage company for covered entities, Filefax shut their doors during the OCR investigation yet could not escape additional fines and penalties that followed after their doors were closed. The bottom line, HIPAA violations do not stop just because a business closes.

 

The consequences of HIPAA violations are significant and far reaching. Beyond the financial ramifications, organizations stand to lose their good standing reputation, client/patient trust and their ability to operate a business. It can take organizations months, even years to recover from penalties if they ever do, so why have so many of us read the headlines but not heeded the warnings?

What Qualifies as a HIPAA Violation?

A HIPAA violation occurs when either a covered entity (CE) or business associate (BA) fails to comply with one of more provisions of the HIPAA Security, Privacy or Breach Notification Rules. Violations may result for a number of reasons and may be deliberate or unintentional.

  • Example of a Deliberate Violation – Inadequate Privacy training for clinical staff which results in a patient complaint regarding disclosing their full identity through a verbal announcement in a waiting area or hospital emergency room.
  • Example of a Unintentional Violation – Commonly this is a symptom of negligence such as: failure to complete a Security Risk Analysis, failure to employ encryption for laptops/electronic media resulting in loss/theft or failure to maintain policies and procedures instructing staff members on how to appropriately handle protected health information (PHI.)
Penalties and Fines

The penalties and/or fines administered by OCR are based on the severity of each HIPAA violation. Some HIPAA violations can be expensive and vary greatly in cost based on the level of negligence displayed. Contrary to what the headlines may lead you to believe, OCR will first strive to resolve violations using non-punitive measures such as issuing guidance to help the provider fix the areas without issuing a fine however that is not always possible.

If a penalty is issued, it can range in cost from $100 to $50,000 per violation (or record) with a maximum penalty of $1.5 million per year of violations of an identical provision. OCR takes many different factors into account when determining what is the appropriate financial penalty and uses a four tiered approach as shown in the image below. A few of these factors include: number of patients affected, what specific data was exposed and for how long, etc. Along with the financial ramifications, HIPAA violations can also carry criminal charges that may result in jail time if warranted.

 

Avoidance is Key

Being that the stakes are high and much is on the line, how does a practice or organization protect themselves against HIPAA violations? Show due-diligence.  The best task to start with is complete a comprehensive, organization wide HIPAA risk analysis to determine any gaps in compliance. Without a baseline knowledge about their security, privacy and breach-notification posture, both CE’s and BA’s operate day to day unaware of their security vulnerabilities which can directly lead to HIPAA violations and data breaches.

 

Unsure where your organization stands? Take our short 5-minute HIPAA compliance quiz designed to quickly outline your organization’s basic level of compliance.

 

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What Happens If a HIPAA Breach Affects Fewer than 500 Individuals at a Healthcare Facility? 

What Happens If a HIPAA Breach Affects Fewer than 500 Individuals at a Healthcare Facility?  | HIPAA Compliance for Medical Practices | Scoop.it

If your healthcare practice must comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations, a breach of protected health information may require patient and government notifications.  

HIPAA provides data privacy and security provisions for safeguarding medical information, and if that information is compromised either through a breach of your information system or sheer carelessness on the part of an employee, you may be subject to heavy monetary penalties.

But what qualifies as a HIPAA breach, what happens if it affects a limited number of your patients, and what are you required to do?

Rules That Apply

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  Such impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least these factors:

1.     The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

2.     The unauthorized person who used the protected health information or to whom the disclosure was made;

3.     Whether the protected health information was actually acquired or viewed; and

4.     The extent to which the risk to the protected health information has been mitigated.

Those affected by this rule have discretion to provide the required breach notifications without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.” The first applies to “the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”

The second exception involves” the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.”

In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

The final exception applies “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.”

In addition to notifying affected individuals and the media (when appropriate), you must notify the Office of Civil Rights (OCR) of breaches of unsecured protected health information. by visiting the Health and Human Services (HHS) web site and filling out and electronically submitting a breach report form. If the breach affects 500 or more individuals, covered entities must notify the OCR without unreasonable delay and no later than 60 days following the breach.

Deadline Approaching

If the breach affects fewer than 500 individuals, your practice has no later than 60 days after the end of the calendar year in which the breach is discovered.  This means that if your practice has experienced a breach of fewer than 500 individuals and it has not been reported yet, you have until March 1, only a few days away to file the notification.

If you experience a breach affecting more than 500 residents of your State or jurisdiction you must provide notice to media outlets serving the State or jurisdiction, as well as notifying the affected individuals.  This notification will likely be in the form of a press release to the appropriate media outlets and must be provided no later than 60 days following the discovery of the breach and must include the same information required for the individual notice.

Don’t Leave Anything to Chance

As you can see, HIPAA breach notification requirements are quite stringent and can be complex. If your practice has experienced a breach, the HIPAA compliance experts and former criminal investigators at Colington Consulting can rapidly respond on-site to assist your practice in conducting a HIPAA breach investigation.  Their investigative process uses systematic approach to quickly determine how the breach was caused. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

ARE YOU SURE YOUR MEDICAL BUSINESS IS HIPAA COMPLIANT? 

ARE YOU SURE YOUR MEDICAL BUSINESS IS HIPAA COMPLIANT?  | HIPAA Compliance for Medical Practices | Scoop.it

What Exactly Is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that took effect in 2003 to assure that patient’s medical records and other health information provided to health plans, hospitals, doctors and other health care providers is protected.  HIPAA is enforced by the U.S. Department of Health and Human Services, to provide nation-wide privacy and security standards for patient information, while allowing patients greater access to their medical records and more control over how their personal health information is used and disclosed.  HIPAA established national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity (medical provider).

The HIPAA Security Risk Assessment

There are over 50 HIPAA Security Standards and Implementation Specifications that must be addressed with policy and procedures. They are all applicable to Covered Entities and Business Associates. The HIPAA rule is very detailed, and it is important that you not miss any compliance requirements.

One of the best ways to ensure HIPAA compliance is to implement a HIPAA security risk assessment. This will tell you what areas of your practice are in compliance, and which areas need corrections to be made in order to become compliant. No matter what, you want to make certain you are following all the requirements of the HIPAA Security Rule, as there are steep fines resulting from non-compliance.

The Three Parts of the HIPAA Security Rule

The HIPAA Security Rule requires a healthcare facility and its staff to implement specific safeguards in these three areas:

•             Administrative

•             Physical

•             Technical Safeguards

These safeguards ensure the confidentiality, integrity, and security of protected health information (PHI). While “required implementation specifications” must be implemented, “addressable implementation specifications” must be implemented if it is appropriate and reasonable to do so. Your choice must be documented. Do not make the mistake of automatically thinking that “addressable implementation specifications” are optional. If you are unsure if any “addressable implementation specifications” apply to you, it is best to implement them, as most are considered to be standard “best practices” for a medical business.

The results of your HIPAA security risk assessment should provide you with a list of areas where you need improvement. This is where you will begin to work on policies and procedures to address the deficiencies by documenting and outlining all “required implementation specifications”, and all applicable “addressable implementation specifications” needed to become HIPAA compliant.

Just A Few Examples of HIPAA Policy Requirements

Here are a few examples of the types of HIPAA “required” controls you will need to implement.

One of the main requirements is controlling the access to patient’s records by your staff members. This requires a unique user identification login and logout for identifying and tracking each user, as well as comprehensive HIPAA training for your staff. Often, staff will find HIPAA compliance inconvenient, but they must recognize it is for their own protection.

You must have a secure procedure for accessing PHI during an emergency. Should the power go off, do you have a back-up power source? Are your records securely backed-up in compliance with HIPAA ? Healthcare organizations should have a contingency plan in place for emergency operations and disaster recovery.

It is advisable that all patient data be encrypted and decrypted. After a risk assessment, all laptops, computers, and mobile devices may need to be encrypted. Do you have firewall protection? Is your network accessible from outside your business? Do you have intrusion protection? Is your wireless network secured? Any company that handles sensitive patient data protected by HIPAA should run a cybersecurity assessment , to thoroughly check your network to determine how secure it is, and explain measures that must be taken to secure any holes in that system.

Audit controls, via hardware or software, must record and examine activity in information systems containing or using ePHI.

Transmission of all ePHI must be secure.

There are many other required and addressable specifications that need to be implemented. This is only a handful, to give you an idea of the types of issues you will need to address.

Once Your Are HIPAA Compliant, Then What?

Once you have achieved HIPAA compliance, it is then important that procedures and policies be put into place to maintain compliance. Employers must keep a record that all employees have received proper HIPAA training. They need to understand how HIPAA is implemented in your office. If you switch IT companies, you will need to make certain that the new company is HIPAA compliant, and they will need to provide you with a Business Associate Agreement. Yes, HIPAA compliance is a never ending task for businesses that handle patient health information.

If you are concerned about understanding and meeting all of the “required” and “addressable” security standards and implementation specifications your business must have in order to be HIPAA compliant, consider bringing in Colington Consulting to review the status of your HIPAA compliance program. Colington Consulting are experts in the field who know the HIPAA rules inside and out. They will help you avoid problems and steep fines by ensuring your business is meeting HIPAA compliance requirements,  relieving you from any doubt about the status of your business’s HIPAA compliance.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

6 things software vendors need to know about HIPAA compliance

6 things software vendors need to know about HIPAA compliance | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance

 

Many people are loosely familiar with the Health Insurance Portability and Accountability Act (HIPAA) and usually associate it with hospitals, clinics, and health insurance companies. However, it can be less clear how HIPAA compliance standards apply to countless other software vendors, SaaS providers that work with healthcare-related businesses or handle protected health information (PHI). In recent months, the Office for Civil Rights has been coming down hard on HIPAA violators, doling out some of the large fines – upwards of $5 million. So in order to ensure your business is protected and to maintain your brand reputation, it is vital to know the ins and outs of HIPAA compliance. With this in mind,

 

How do you know if you need to be HIPAA compliant?

 

In short, HIPAA rules apply to both Covered Entities (health insurance companies, HMOs, company health plans, etc.) and their business associates (a vendor or subcontractor who has access to PHI). What this means for business associates is that even if you’re a service provider or vendor who isn’t in the healthcare industry - like an all-flash storage company - you may still need to be HIPAA compliant indirectly due to the fact that your organization stores PHI. The first step here is to determine whether your organization handles PHI. If you do, your next step is to look through the

 

Look to your current vendors for guidance

 

Once you determine that you need to be compliant, there’s no need to go on a hiring spree to ensure you have the necessary resources in-house. Many of your existing vendors may already cover key HIPAA compliance requirements. Any good service provider should be able to tell you whether they are HIPAA compliant and what controls they can cover. If so, it is important that they are also willing to sign a Business Associate Agreement (BAA) - a negotiation between Covered Entities and any third-party vendors that have access to their PHI.

 

Look for specific types of technology that can help to streamline the process

 

If none of your existing vendors can help with HIPAA compliance, turn to a managed service provider to do the heavy lifting and help your business attain and maintain compliance, so you can focus resources on driving business. Additionally, they can strengthen the security technology, processes, and controls they use to keep customer information secure. For example, if you’re looking for a secure way to continue work-from-home programs at your organization through remote desktops, HIPAA compliant Desktop-as-a-Service (DaaS) vendors are a great option to both fill specific needs for your business and drastically simplify compliance.

 

Don’t forget about maintenance

 

A key stumbling block for many organizations tends to be maintaining a constantly evolving set of compliance standards. HIPAA compliance certification is valid only at that moment – it is then up to the company to maintain compliance which is easier said than done. Some important things to keep the top of mind for maintenance include 1) completing a HIPAA Risk Analysis document and audit at least once a year, and 2) assessing employees year-round to make sure they are doing their jobs in a HIPAA compliant manner, following all stated company policies and procedures.

 

Know who is responsible for HIPAA compliance

 

Another challenge accompanying HIPAA compliance may sound simple, but is one that oftentimes goes overlooked - precisely who internally is responsible for compliance? For non-healthcare organizations, a company is unlikely to have a designated in-house role such as a Privacy and Security Officer, and therefore the responsibility often falls on security or operations departments. However, it’s likely that neither of these departments has a full understanding or stake in HIPAA compliance. Regardless of who is taking the reins, it is important that the role is clearly demarcated and that person or department knows what is expected of them. Additionally, it’s critical that they work together with other departments as needed to ensure a well-rounded HIPAA strategy. Case in point - a recent

 

Keep HIPAA compliance top of mind for staff

 

Regardless of who is in charge, it is important that all your staff be mindful of maintaining HIPAA compliance. Human error can become one of the biggest obstacles to maintaining compliance, especially when employees may not even realize their company deals with PHI. For example, the same NueMD survey also found that only 58% of respondents were providing training for their staff annually. HR teams can proactively assist with this by reminding staff of regular HIPAA training, updates on compliance standards changes and keeping visible HIPAA compliance checklists posted in work areas.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Keep Your Practice’s Communication HIPAA-Compliant

How to Keep Your Practice’s Communication HIPAA-Compliant | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA compliance is a top concern for medical practices, and for good reason–violations can result in serious consequences, including large fines and potentially even jail time. To make things more complicated, the laws themselves tend to be rather vague on what actions practices need to take to become HIPAA-compliant.

Medical practices need to protect private patient data, but they also need to be able to go about the daily business of running a practice as efficiently as possible. Technology can certainly make day-to-day operations more efficient, but new technologies also bring about new concerns with HIPAA compliance. Many practices are hesitant to adopt new technology for that very reason.

When practices do decide that they want to use technology to communicate with patients and other practices, it can be difficult to figure out where to begin because HIPAA laws can be quite vague. Practices don’t want to slip up and have to pay the price (often, quite literally) for a violation.

 

So, what can you do to keep your practice’s communications on the right side of HIPAA guidelines? We highly recommend working with an expert on HIPAA laws to make sure your communication is always compliant.

 

If you’d like to learn more on what HIPAA-compliant communication entails throughout your practice, including marketing efforts, emails, appointment reminders, patient portals, and communication with other practices, we have put together this list of helpful resources to help you stay up to date on the latest recommended best practices for HIPAA-compliant communication.

Emailing Patients

Patients who are always on-the-go may prefer to communicate with you via email. If patients request email communication, you must make that option available to them, but you still need to take the proper precautions to protect your patients and your practice from HIPAA violations.

Appointment Reminders

Even appointment reminders can be considered private health information if done improperly. You may wish to use technology to automate this routine process and free up your employees’ time for other tasks, but you need to make sure that you aren’t inadvertently giving away private patient information in the process.

Patient Portals

Practices are required to implement and use a patient portal to meet Meaningful Use requirements. However, patient portals are still subject to HIPAA laws and may, in fact, pose the greatest security risk of all practice communications because of the amount of information they contain. Always do your research before choosing a vendor for your patient portal to make sure they will keep you covered.

 

Communicating with Other Practices

It’s important for your practice to be able to communicate with your patients’ other health care providers to be able to provide the most comprehensive care possible. However, it can be quite challenging to communicate with other practices in a manner that is both efficient and HIPAA-compliant. These resources include suggestions on improving your communication strategies while protecting private information.

 

The Dangers of Sharing Patient Information via Text/IM

As a healthcare provider, your days are usually very busy, and it’s likely that the doctors you need to communicate with are equally as busy. When you need to share information, whether it’s a quick update on a patient or a request for a consult, it can be tempting to just send a quick text or instant message. If texting/instant messaging is your preferred form of communication with other doctors, you need to approach with caution.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

5 FAQs on HIPAA Compliance In The Cloud

5 FAQs on HIPAA Compliance In The Cloud | HIPAA Compliance for Medical Practices | Scoop.it

The Cloud Is Viable For HIPAA Applications
To ensure the protection of patient data, the Health Insurance Portability and Accountability Act (HIPAA) lays out guidelines that all companies in the health industry must follow—from primary care providers to data-handling agencies and third-party vendors. HIPAA rules often are complex, however. As a result, some companies inadvertently make mistakes, and others simply remain noncompliant for a variety of other reasons, leaving them subject to penalties that could add up to millions of dollars. Here’s a look at five key FAQs about HIPAA compliance and cloud computing.

 

FAQ 1: What’s Covered Under HIPAA?
The short answer: just about everything. Any piece of data that contains personally identifiable information about a patient, any type of treatment plan, or even aggregate data samples that could be traced back to individuals is covered by HIPAA. Your best bet: Assume everything falls under the scope of the law rather than trying to pick and choose.

 

FAQ 2: Is Cloud Storage Acceptable?
Absolutely. There’s no requirement for HIPAA data to be stored on-site or handled by a specific agency. In fact, it’s not the cloud itself that’s the problem when there is a problem—it’s how data is transmitted, handled, and stored in the cloud that often lands companies in hot water.

 

FAQ 3: What’s the Difference Between Covered Entities and Business Associates?
A covered entity is effectively the “owner” of a health record—for example, the primary care facility that first creates a patient profile or enters test results into its electronic health records system. Business associates, meanwhile, include any other company that handles this data. This means that cloud providers, third parties that offer on-site IT services, or other health agencies that access this data all qualify as business associates.

 

FAQ 4: Who Is Responsible for Health Data in the Cloud?
Ultimately, the covered entity bears responsibility for HIPAA-compliant handling. While business associates also can come under fire for not properly storing or encrypting data in their care, it’s up to the covered entity to ensure they’re able to audit the movement, storage and use of their HIPAA data over time.

 

FAQ 5: What Does “HIPAA Compliant” Really Mean?
While there is no official “HIPAA compliance” standard or certification that providers can obtain, it’s worth looking for other certifications that indicate good data-handling practices, such as PCI-DSS, SSAE 16, ISO 27001 and FIPS 140.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The HIPAA Privacy and HIPAA Security Rules

The HIPAA Privacy and HIPAA Security Rules | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.

THE HIPAA PRIVACY AND HIPAA SECURITY RULES

According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. Additionally, the Security Rule establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form. The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals’ electronic PHI (e-PHI). Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

THE NEED FOR HIPAA COMPLIANCE

As HHS points out, as health care providers and other entities dealing with PHI move to computerized operations, including computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, HIPAA compliance is more important than ever. Similarly, health plans provide access to claims as well as care management and self-service applications. While all of these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data. The Security Rule is in place to protect the privacy of individuals’ health information, while at the same time allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule, by design, is flexible enough to allow a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to patients’ and consumers’ e-PHI.

PHYSICAL AND TECHNICAL SAFEGUARDS, POLICIES, AND HIPAA COMPLIANCE

The HHS requires physical and technical safeguards for organizations hosting sensitive patient data. These physical safeguards include…

  • Limited facility access and control with authorized access in place
  • Policies about use and access to workstations and electronic media
  • Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI

Along the same lines, the technical safeguards of HIPAA require access control allowing only for authorized personnel to access ePHI. Access control includes…

  • Using unique user IDS, emergency access procedures, automatic log off, and encryption and decryption
  • Audit reports or tracking logs that record activity on hardware and software

Other technical policies for HIPAA compliance need to cover integrity controls, or measures put in place to confirm that ePHI is not altered or destroyed. IT disaster recovery and offsite backup are key components that ensure that electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact. One final technical safeguard is a network or transmission security that ensures HIPAA compliant hosts protect against unauthorized access to ePHI. This safeguard addresses all methods of data transmission, including email, internet, or private network, such as a private cloud.

To help ensure HIPAA compliance, the U.S. government passed a supplemental act, The Health Information Technology for Economic and Clinical Health (HITECH) Act, which raises penalties for health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was put into place due to the development of health technology and the increased use, storage, and transmission of electronic health information.

DATA PROTECTION FOR HEALTHCARE ORGANIZATIONS AND MEETING HIPAA COMPLIANCE

Clearly, the need for data security has grown as the proliferation of electronic patient data grows. High-quality care today requires healthcare organizations to meet the accelerated demand for data; yet, they must ensure HIPAA compliance and protect PHI. Make sure that you have a data protection strategy in place that allows your organization to:

  • Ensure the security and availability of PHI to maintain the trust of practitioners and patients
  • Meet HIPAA and HITECH regulations for access, audit, and integrity controls as well as for data transmission and device security
  • Maintain greater visibility and control of sensitive data throughout the organization

The best data protection solutions recognize and protect patient data in all forms, including structured and unstructured data, emails, documents, and scans while allowing healthcare providers to share data securely to ensure the best possible patient care. Patients entrust their health care to your organization; you need to take care of their protected health information as well.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance Keeping Medical Records Private 

HIPAA Compliance Keeping Medical Records Private  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA (the Health Insurance Portability and Accountability Act) became law in 1996 and revolutionized requirements and practices ensuring patient rights, privacy, and security. Instead of laws that were unclear or insufficient in some cases, HIPAAbecame federally mandated and regulated. However, the healthcare businesses that must comply have to navigate complex rules and make sure regulations are being followed. 

Who needs to follow HIPAA?

The first question is, do you need to comply with HIPAA? A “Covered Entity” under HIPAA includes any person or company that provides medical, dental, or other healthcare services that transmit the protected health information (PHI) of patients electronically. That could mean sending prescriptions to pharmacies, bills to insurance companies, or emails to patients. It also includes any vendors that create, transmit, receive or store PHI for a Covered Entity.  These vendors are known as “Business Associates” and include services like EMR/EHR, information technology support, data analytics, health app developers, and in some cases, website hosting companies. Those organizations that interact or send PHI in electronic form must comply with HIPAA.

What steps do I need to take?

If you or your company is a covered entity or a business associate under HIPAA, it is your responsibility to keep protected health information secure following the HIPAA Security Standards and Implementation Specifications.  These include:

·       Developing written privacy policies – or even before this step, become familiar with the laws so that comprehensive privacy and security policies can be developed.

·       Designating a privacy and security officer – no matter how small the organization, these officers must be appointed and are responsible for HIPAA compliance.

·       Annual risk assessments – conduct a risk assessment each year and record findings. Assessments must be documented, accurate, and comprehensive in identifying vulnerabilities and threats to PHI.

·       Developing information assurance policies regarding electronic transmission of communications. This includes email and the use of mobile devices with access to PHI.

·       If you are a covered health care provider, distribute a notice of privacy practices to all new patients.

·       Using Business Associate Agreements with any outside company that will have access to PHI.

·       Developing and implementing steps to take in case of a data breach, including how to determine the timing and extent.

Demonstrating HIPAA compliance

Your organization must be able to provide proof that you and your employees are following the rules outlined by HIPAA. If there is a breach of security and PHI is improperly handled or disclosed, the investigation may determine that a penalty could be assessed or the need to enter into a settlement agreement which will include a required corrective action plan. It is important to understand the burden to demonstrate compliance will the responsibility of the organization to prove. 

You will have to show that your organization has conducted a HIPAA risk assessment, provided annual training for the whole workforce, and have a policy and procedures for protecting PHI in writing.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

5 Steps for Implementing a Successful HIPAA Compliance Plan 

5 Steps for Implementing a Successful HIPAA Compliance Plan  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance is key to thwarting cyber attacks, but more importantly, this Plan will tell your employees, Business Associates and patients (and HHS, if they should come calling) how you secure Protected Health Information (PHI). Just as important is effectively communicating the plan to your staff.  

So, where do you begin? The purpose of this blog is to highlight what goes into making your plan. 

Five Key Steps

Step 1 – Choose a Privacy and Security Officer

We will be talking in later blogs about what to consider when selecting these HIPAA leaders.

For a smaller practice, your Privacy and Security Officer may be the same person. For larger practices, these duties will probably be split between two people. These are the folks who are going to be spearheading your Compliance Plan.  If you don’t have someone designated to fill this role, you are not compliant.

Step 2 – Risk Assessment

This step requires you to review your workplace and electronic devices to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) held by the Covered Entity or Business Associate. According to Atlanta healthcare attorney Daniel Brown, “a Risk Assessment extends not only to the accessibility of ePHI -- such as passwords -- but also to threats to your access of ePHI caused by natural risks, such as hurricanes and tornadoes, and even human risks, such as malicious hacking.”

You can perform the Assessment yourself or hire an outside contractor to come in and complete the process for you. If you're thinking about performing the assessment yourself, HHS has developed a Risk Assessment tool to help you get started.

The first option is obviously the cheapest and the second can be costly, or you can use a combination of the two. The key is to be very detailed and identify where all your potential Privacy and Security issues may lie. This will include listing all computing and mobile devices, where paper files are stored, how you will secure your offices when you are closed, etc. This is not a one-time event and will change over time as technology and risks change. You will want to revisit your Risk Assessment anytime you have a Breach, theft, or major change in hardware or software, but at a minimum every 2-3 years.

Step 3 – Privacy and Security Policies and Procedures

After completing your Risk Assessment, it’s time to create your blueprint for achieving HIPAA Compliance. The Compliance Plan should include Policies and Procedures - ensuring the Privacy of Protected Health Information and the Security of such information. The Security Policies and Procedures deal with ePHI (electronic PHI) and how you will protect that information.

Policies and Procedures need to be updated regularly and any changes need to be clearly documented and communicated to your staff. As you saw in the Penalties Section of our last blog, “I didn’t know” isn’t an acceptable defense!

Step 4 – Business Associate Agreements

Most of you use vendors or contractors to help run your practice or business. Under HIPAA, persons or entities outside your workforce who use or have access to your patient’s PHI or ePHI in performing service on your behalf are “Business Associates” and hold a special status in the Privacy equation. Some examples of Business Associates include third-party billing agents, attorneys, laboratories, cloud storage companies, IT vendors, email encryption companies, web hosts, etc. This list can get pretty long, and should be documented in your Risk Assessment.

Make sure you do an audit of your Business Associates before you accept a signed Agreement from them. We’ve seen a lot of folks sign these Agreements, and have no clue what they’ve agreed to. Auditing means looking at their Compliance Plan. They have to have one, or you can’t do business with them. Your legal counsel should have an Agreement you can use, or you can use a third party Agreement from a HIPAA compliance company.

Step 5 – Training Employees

You’ve got your Risk Assessment, Privacy and Security Policies and Procedures and Business Associate Agreements in hand. You’re all good, right? NO! Employees are many times your weakest link.

You need to annually train your employees on the HIPAA Rule and communicate information about your Privacy and Security Policies and Procedures that you’ve worked so hard to create. What good is all the work you’ve done on a Compliance Plan when no one knows about it, or how to use it? Train employees both on the HIPAA Law and your specific plan. In addition, you must keep records that they have been trained.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Impact of HIPAA on Email Communications — What You Need to Know Before You Click ‘Send’ 

The Impact of HIPAA on Email Communications — What You Need to Know Before You Click ‘Send’  | HIPAA Compliance for Medical Practices | Scoop.it

The recent Sony Pictures hack exposed embarrassing emails, unreleased intellectual property and plenty of passwords, social security numbers and financial data — but it was also a giant HIPAA violation. In addition to unencrypted spreadsheets full of sensitive medical data, the hackers leaked an HR exec’s memo about the special needs and diagnosis of an employee’s child.

While we don’t yet know the cost of Sony’s myriad of security failures, the medical details of many Sony employees and their families now exist on the Internet, where it will likely stay available for the foreseeable future.

 

The Sony hack has taught us plenty of information security lessons, but one of the stickiest is the importance of protecting protected health information (PHI). We’ve already written about the reasons Sony should have used client-side email encryption, but HIPAA compliance is yet another compelling reason to encrypt your email messages.

The Need for HIPAA Compliant Email

If you’re new to the world of HIPAA compliant email, the idea of safely sending messages and files to your patients, other health providers and business associates can seem overwhelming at first. While any professional email should be approached with mindfulness of data security and awareness of the threats to your email privacy, from hacking to phishing, businesses that deal with PHI must be extra vigilant to make sure their communications are compliant with HIPAA and HITECH. After all, a HIPAA violation is as easy as accidentally sending an email to the wrong recipient, and can lead to fines of hundreds of thousands of dollars.

While HIPAA compliant email doesn’t need to be rocket science, the stakes facing the medical community are pretty high. Consumers want more and easier access to their personal health data, but have greater demands when it comes to privacy.

Protecting Patient Privacy In the Digital Age

Any organization that handles PHI (known as a “covered entity”), from health providers such as doctors, nurses, chiropractors, pharmacies and nursing homes to businesses that provide health plans like HMOs, company health benefits and government programs like Medicare — as well as all of their business associates — needs to ensure that their email solutions are HIPAA compliant. And it’s not just corporate organizations – state and local governments, universities, and non-profits also fall under HIPAA and must protect PHI.

 

Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, it seems that the demand for greater digital access to health data is at odds with the HIPAA Privacy Rule, which demands that a patient’s past, present and future PHI be accessible only to authorized recipients. One of the goals of HITECH was to spur adoption electronic health records (EHRs) for patients and health information exchanges (HIEs) to help doctors share patient data. If your ophthalmologist recently asked you to sign up for an online patient portal, that’s HITECH in action.

 

But another HITECH provision put many covered entities on notice: where prior to HITECH, $250,000 was the maximum annual penalty for a HIPAA violation, that threshold has moved up to $1.5 million. This presents the medical community with the puzzle of how to increase digital access to data without compromising patient privacy.

The Importance of Encryption in HIPAA Compliant Email

The challenges facing healthcare data security, from data thieves and “hacktivists” targeting hospitals to user error and technology adoption, make HIPAA compliant email more important than ever. But what makes an email HIPAA compliant?

 

One of the most important steps any business handling PHI should take is enabling email encryption. Encryption uses a complex cipher algorithm to render your data unreadable to anyone without the necessary credentials (or the encryption key). In short, if a cybercriminal cracks into an email you send to a patient or insurance company, they won’t be able to use that data unless they also get ahold of your encryption key.

 

There are a few options when it comes to email encryption. Many hospitals, healthcare providers and insurance companies deploy portal solutions that use Transport Layer Security (TLS) to encrypt messages. In these scenarios, patients and other providers establish and maintain a separate account for a portal where they can exchange sensitive information. While these solutions do provide for HIPAA compliance, their user experience tends to be clunky and frustrating. At one time or another we’ve all forgotten our username or password and been locked out of our health or financial data.

 

At the end of the day, employees prefer to use the applications they’re used to — including their email service providers. Newer email encryption solutions are able to integrate with the email service you’re already using to provide a seamless, easy-to-use user experience with powerful client-side encryption.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Juan Carlos Moreno Angulo's curator insight, May 20, 3:57 PM
Before clicking send, do even think twice about it? What happens when hackers leak sensitive information under the name of famous companies/corporations such as the case of SONY is something common? In recent times, the Sony hack showed and taught us plenty of information security lessons, but one of the stickiest is the importance of protecting protected health information (PHI). What this article expose us to a violation that is as easy as accidentally sending an email to the wrong recipient, and can lead to fines of a lot money. While we do not know about the security measures taken by the institution we put out trust in, there are medical details of many employees and their families on the Internet before you even know, a giant violation to your life. Protecting patient privacy in the digital age can be a really hard to do, especially when the world is just a click far from you. However, a positive thing to highlight such organization handles PHI which is known as a “covered entity” that allow companies to keep track of the user info. Opposite to that, the introduction of what happened with hacking patients; it seems that organizations demand for greater level of security when accessing health data and more. Moreover, just remember that every message, image, and video you send everything you do will be recorded and stored in a data collection base.
Scoop.it!

Is Your Digital Ad Campaign HIPAA Compliant? 

Is Your Digital Ad Campaign HIPAA Compliant?  | HIPAA Compliance for Medical Practices | Scoop.it

As the importance of digital advertising continues to grow within the medical industry, marketers must ensure that their campaigns remain in compliance with HIPAA regulations.

In light of the evolving patient path to treatment, digital advertising is fast becoming the marketing tactic of choice for medical professionals across the industry. But as hospitals and medical practices scramble to keep pace with their competitors and roll out digital campaigns, there are a number of important considerations that must be taken into account — namely, marketers must ensure that their ads are in compliance with HIPAA regulations.

Staying in the Clear

HIPAA provisions for digital marketing are designed to protect patient confidentiality and satisfy the Privacy Rule, according to the HHS. As CEO of Futures of Palm Beach told Forbes, “Complete patient anonymity is key. Once marketers understand that, they can plan their campaigns accordingly.” Marketers must either avoid using information that could identify a patient, known as protected health information (PHI); obtain written authorization for its use from the patient; or completely anonymize such data by removing identifiers from 18 categories, as UC Berkley describes, including:

  • Names
  • Geographic Identifiers (county, city, addresses, zip code, etc.)
  • Dates (admission date, birth year, etc.)
  • Administrative Details (health plan numbers, driver's license number, etc.)
  • Biometric Identifiers (photos, fingerprints, voice prints, etc.)

Naturally, there are a multitude of ways that patients can be identified online (which may not be covered by these 18 categories), so marketers must exercise caution when developing patient-generated marketing initiatives, such as a real-life success story or endorsement, for example.

Of course, privacy violations are not the only opportunity for medical marketers to run afoul of HIPAA regulations. As Digital Guardian notes, providers and marketers must also comply with the Security Rule, which mandates that electronically stored or sent PHI is protected from data breaches, leaks, and unwanted disclosures. While this provision is primarily aimed at providers, marketers must also ensure that any protected information stored in their systems is secured at all times.

Cover Your Bases

While some hospitals, physicians, and medical marketers try to tiptoe around specific HIPAA provisions, such as PHI, it’s often easiest to avoid the issue altogether by drafting content that attracts patients without introducing potentially fraught information. For instance, marketers can provide generic health advice or tips, comment on the state of the industry, or provide educational resources, without the inclusion of patient-specific information. Taking this safer route may be preferable to the punishment for violating HIPAA — a potential fine of $50,000 per violation, as WebPT notes.

Equally important is that every member of your marketing team be thoroughly trained in HIPAA regulations, with specific guidelines in place for your individual medical organization. Likewise, if you’re interested in enlisting the services of a third-party marketing vendor, make sure that they’re HIPAA certified. Most commonly, violations stem from a lack of experience or confusion surrounding the nuanced rules and regulations. So while HIPAA may seem daunting, a well-informed approach is the key to avoiding compliance issues.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Importance of HIPAA Compliance When Choosing Telemedicine Solutions 

The Importance of HIPAA Compliance When Choosing Telemedicine Solutions  | HIPAA Compliance for Medical Practices | Scoop.it

While the rise of telemedicine technologies is benefiting the health care industry, it may come with an intimidating effect. On one hand, health care professionals are able to provide better quality care more conveniently, improve patient outcomes and increase engagement. On the other hand, because they're sending, retrieving and analyzing privacy information via digital technology, there's a higher risk for data breach. That's what makes Health Insurance Portability and Accountability Act (HIPAA) compliance so important. HIPAA is a set of provisions designed to improve the efficiency and effectiveness of health insurance coverage by eliminated waste, fraud and abuse through health care delivery.

Let's take a closer look at what it means to be HIPAA-compliant and how telemedicine equipment distributors are prioritizing safety and security via telemedicine

Secure communications through telemedicine

Securing personal health information is more critical than ever before, because telemedicine systems make regularly assessing, discussing and sharing information a normal process nowadays. According to HIT Consultant, the Security Rule requires that technical safeguards are put into such systems to keep parties with unauthorized access out of private information. That's why discussing personal medical matters with physicians and caregivers via text and email may be frowned upon - these channels are not HIPAA compliant, which could encourage a data breach. Additionally, communication outlets such as Skype or FaceTime are also an issue - covered entities are required to have a Business Associate Agreement in order to be HIPAA compliant. Communicating through telemedicine, however, is safe because the information is sealed by the Security Rule.Ensure your telemedicine technology is HIPAA compliant.

Factors to consider when evaluating telemedicine technology

When evaluating potential telemedicine for your organization, make sure to consider the following factors:

  1. Access - Access to the communication of medical data should be restricted to a user database system. This can be self-contained or monitored through an external mechanism.
  2. Log user access - Ensure you can document user entry points to ensure HIPAA policies and procedures are being respected.
  3. Data in transit encryption - Data transferred between authenticated users must be fully secured.
  4. Data at rest encryption - Never permanently store data at rest within the platform - it should never be available outside of the
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA & Texting

HIPAA & Texting | HIPAA Compliance for Medical Practices | Scoop.it

In recent years, a great number of medical practices have embraced text messaging as a popular means for communicating to both patients and their internal staff members. Despite the convenience and time saving benefits, healthcare providers and staff must be aware of potential consequences when texting Electronic Protected Health Information (ePHI). Text messaging includes any communication service or application that enables the transmission of electronic written messages between two or more mobile devices. This includes both Short Message Service (“SMS”) text messaging and other service providers like iMessage, WhatsApp, etc.

The Challenges

Under HIPAA healthcare providers must maintain the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted by a covered entity. Unfortunately, text messaging presents multiple threats for meeting some of those requirements. Including:

  • Standard SMS messages are not encrypted
  • Sender does not have the ability to “control” if/when the message is discarded upon viewing
  • No clear path to verify the reader’s identity which opens the door to unintended recipients, AKA a HIPAA breach

Even well intended providers who find ways to implement and oversee texting security measures must also think about documentation. Any exchange between providers regarding a patient’s condition, must also make its way onto the patient’s medical record. Unless the provider integrates text messaging with their EMR, it can be difficult to ensure appropriate documentation.

What Does HIPAA Say?

Unfortunately the HIPAA laws and Office for Civil Rights (OCR) do not have anything specific outlined regarding texting requirements. Any and all forms of communication present some level of risk and it is the healthcare providers’ responsibility to ensure privacy and security while data is being exchanged.

Despite the lack of HIPAA specifications regarding texting, providers should keep in mind a general adherence to the HIPAA Privacy and Security Rules. Both have different objectives and controls for navigating the secure sending of ePHI:

  • HIPAA Privacy Rule – Limits provider disclosure of ePHI only to authorized individuals or entities.
  • HIPAA Security Rule – Requires that providers protect patient’s sensitive data from any threats to access or disclose PHI to unauthorized individuals or entities and should a breach or unauthorized disclosure occur, have a remediation plan.

Best Practices

Despite the risks, a provider can take steps to reduce the likelihood of a breach or HIPAA violation while utilizing text messaging. When texting any sensitive ePHI information that might be locally stored in a device, encryption should be applied in the event of a loss, disposal or theft. Additionally, the text might be stored at the server level (phone carrier).

The following safeguards can help protect PHI along with establishing compliant communication:


Security Risk Analysis (SRA)
– While conducting an SRA, a healthcare provider will identify where ePHI is created, received, maintained, and transmitted. For texts, ePHI will primarily be created, received, and maintained on mobile phones.

Limit PHI – Whenever possible it is best to text with limited or no PHI included in the message, examples: appointment confirmations, instructions to call the office to receive test results, etc.

Policies and Procedures – Ensure texting is included in the policies and procedures, specifically Administrative and Technical policies. It is important to outline what is acceptable to text along with an outline of steps should a text be sent to the wrong patient/incorrect recipient.

Workforce Training – A well trained workforce is any healthcare provider’s best defense against undisclosed PHI exposure. Workforce training should include the sharing of information, securing authorized devices and using secure third party apps that might permit sharing information in a secure way.

Waivers and Intake Forms – Ensure all patient forms are up-to-date with all the current HIPAA requirements. The forms should plainly state which methods the patient allows the provider to contact him/her. Additionally, forms should include who outside the patient can receive their information and what can be sent.

Notice of Privacy Practice – A Notice of Privacy should be standard operating procedure for providers and distributed to all patients. If the provider has included text messaging as part of their communication model, ensure the Notice of Privacy includes texting.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

A Doctors Guide to HIPAA Compliance in 2017

A Doctors Guide to HIPAA Compliance in 2017 | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance in 2017 is a key issue that many doctors are focussed on.

Since 1996, the The Health Insurance Portability and Accountability Act has been in place, giving physicians and their teams reasons to guard their patient privacy closely.

Depending upon the type of the breach, physicians can be liable for between $100 to $50,000 for each violation. The maximum HIPAA Violation is $1.5 million for identical provisions during a calendar year. Some HIPAA violations can lead to imprisonment in extreme circumstances. This is why HIPAA compliance in 2017 is such an important factor for doctors.

To ensure that your practice has effective HIPAA compliance in 2017, here are 5 steps to follow:

1) Correct Sharing of Patient Information

If your staff discuss patients’ names, addresses and or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or change of address in private. Also, create a quiet place for phone calls to occur. Even if you’re just calling a patient to setup or confirm an appointment, it is better to do this in a private area if possible.

2) Secured Paper Files

While paper charts are slowly becoming a relic, it is important that past files are stored securely.  Doctors who have moved to using an EHR for all patient records may still have old patient files that need to be transferred. Once converting from paper documents to electronic format is complete, be sure to shred any patient records before you dispose of them.

If your medical practice still uses paper documents, be sure not to leave them in unsecured or unattended areas. This includes charts, paperwork and forms that patients bring in from other practices that they are filed and stored securely.

3) Encrypted Emails

Never underestimate the importance of email encryption, even for seemingly innocent files. The use of non-encrypted email services, such as gmail, outlook, yahoo and other well known email services can cause a risk of hackers being able to access your information. For this reason, you should consider an encrypted email or file sharing service for pertinent patient information.

When sending bulk emails to patients, or many emails in a row, it is easy to overlook the address it is being sent to. You can put patients at risk and you can lose their trust, simply because you didn’t double-check your recipient address or an email attachment.

This is one of those areas where slow, steady careful checking pays off.

4) HIPAA Secured Patient Portals

If you use or are considering creating a patient portal, ensure it has secure login compliance. Any personal patient information should not be easily accessible without a username and password.

If sharing information with family members of patients, be sure to get written authorization from the patient first. A good practice is to require identity verification for password reminders. You can also remind patients to access their patient portal when they have a secure internet connection (i.e. not in public places).

5) Ensure your Telemedicine platform is HIPAA compliant

Some doctors have considered using Skype or Facetime to communicate with patients. While they are great free platforms for video chat, the reality is the weren’t designed to be HIPAA-compliant.

The challenge is that even though a doctor can ensure their Internet connection is secure, there is very little they can do to make sure everything is secure on the the patient’s receiving end.

Another alternative is to ensure the is a Business Associate Agreement in place. The same issues arise with security for text messaging, so be sure to use HIPAA compliant texting tools here as well. The solution here is to ideally use a HIPAA compliant application designed for Telemedicine.

Doctors may have several HIPAA violations without getting fined, but that doesn’t mean it isn’t a negative for your practice. Having HIPAA Compliance in 2017 is as important as it has been for the past 20 years.

When doctors treating patient information caution they can and enjoy the peace of mind that comes with being HIPAA compliant.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Trends to Watch in 2018 

HIPAA Trends to Watch in 2018  | HIPAA Compliance for Medical Practices | Scoop.it

Although the Trump Administration has a $6.194 million budget cut slated for the Office of Civil Rights (OCR), the office which administers HIPAA, compliance will still be enthusiastically enforced, according to OCR director Roger Severino. The Congressional Justification for FY2018 predicts a shift from routine HIPAA investigations to larger actions with sizable fines.

Here’s more on what to expect for HIPAA in 2018:

Fewer, but larger enforcement actions
Director Severino’s goal is to find a “big, juicy, egregious” breach case which could mean they will seek out more complex issues with a broad impact for enforcement. At a conference in 2017, Severino said he hasn’t decided yet on a particular area for increased investigations, but he did mention cybersecurity, ransomware and physical security as possibilities.

OCR plans to mitigate their budget decrease with increased enforcement settlement fines. So, while the department is leaner, it also may be meaner.

Possible new guidelines for medical records fees Current OCR guidance regarding patients’ access to and fees for medical records has garnered concern from businesses. The current method gives HIPAA-covered entities the ability to charge “reasonable, cost-based fees” for records, which has been interpreted as restrictive and adding to the cost of HIPAA compliance. Plus, on top of federal regulations, HIPAA entities also contend with a patchwork of state laws regarding medical record fees. The business-sympathetic Congress may require OCR to provide additional clarification regarding medical records fees to allay business concerns.

States may become more involved With OCR reducing its number of HIPAA enforcements, state attorneys generals have begun to step up enforcement activities to ensure privacy for their constituents. Privacy issues in the medical sector and other areas regarding personal information are increasingly important to the public and state AGs may lead the way to protecting citizens.

CompuTech City remains poised to facilitate medical practices’ efforts to be HIPAA compliant. We take a proactive approach to keeping your data secure and are experts in ensuring your network meets stringent HIPAA standards with device encryption, network security, intrusion prevention, gateway anti-virus, anti-spyware, content/URL filtering.

Let us know if you are interested in learning more about 2018 HIPAA compliance.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.