HIPAA Compliance for Medical Practices
69.3K views | +8 today
Follow
 
Scoop.it!

Could the Anthem Lawsuits End Up Establishing De Facto Legal Standards for Data Protection?

Could the Anthem Lawsuits End Up Establishing De Facto Legal Standards for Data Protection? | HIPAA Compliance for Medical Practices | Scoop.it

Just this morning, USA Today reported the filing within the past few days of class-action lawsuits in four states—Indiana, California, Alabama, and Georgia, in response to the disclosure last week on the part of the Indianapolis-based Anthem Inc. of a massive data breach that may have affected as many as 80 million people, making it the biggest data breach in U.S. healthcare to date.

Of course, some of the more jaded in the healthcare industry might immediately sigh and express disdain for the litigiousness of American society here, as lawsuits over that massive data breach have been filed in courts nationwide within days of its public disclosure. But I have a different perspective here.

Let’s look at the text of the motion filed  last Friday in the U.S. District Court for the Southern District of Indiana, Indianapolis Division (and yes, that was the day after Anthem’s public disclosure of the data breach—the lawyers did indeed work fast there). In its opening statement, the suit included the following:  “Anthem’s conduct—failing to take adequate and reasonable  measures to ensure its data systems were protected, failing to take available steps to prevent and stop the breach from ever happening, failing to disclose to its customers the material facts that it did not have adequate computer systems and security practices to safeguard customers’ financial account and personal data, and failing to provide timely and adequate notice of the Anthem data breach—has caused substantial consumer harm and injuries to consumers across the United States.”

What’s more, the attorneys wrote this—and please bear with me here, this is long, and there is a bit of legalese in it, but the details are important:

“As a result of the Anthem data breach, 80 million Anthem customers have been exposed to fraud and these 80 million customers have been harmed. The injuries suffered by the proposed class as a direct result of the Anthem data breach include: theft of their personal and financial information; costs associated with the detection and prevention of identity theft and unauthorized use of their financial accounts; costs associated with time spent and the loss of productivity from taking time to address and attempt to ameliorate, mitigate, and deal with the actual and future consequences of the data breach, including finding fraudulent charges, cancelling and reissuing cards, purchasing credit monitoring and identity theft protection services, imposition of withdrawal and purchase limits on compromised accounts, and the stress, nuisance, and annoyance of dealing with all issues result from the Anthem data breach; the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their personal and financial information being placed in the hands of hackers; damages to and diminution in value of their personal and financial information entrusted to Anthem for the sole purpose of obtaining health insurance from Anthem and with the mutual understanding that Anthem would safeguard Plaintiff’s and Class members’ data against theft and not allow access and misuse of their data by others; money paid to anthem for health insurance during the period of the Anthem data breach in that Plaintiff and Class members would not have obtained insurance from Anthem had Anthem disclosed that it lacked adequate systems and procedures to reasonably safeguard customers’ financial and personal information had had Anthem provided timely and accurate notice of the Anthem data breach; overpayments paid to Anthem for health insurance purchased during the Anthem data breach in that a portion of the price for insurance paid by Plaintiff and the Class to Anthem was for the costs of Anthem providing reasonable and adequate safeguards and security measures to protect customers’ financial and personal data, which Anthem did not do, and as a result, Plaintiff and members of the Class did not receive what they paid for and were overcharged by Anthem; and continued risk to their financial and personal information, which remains in the possession of Anthem and which is subject to further breaches so long as Anthem fails to undertake appropriate and adequate measures to protect Plaintiff’s and Class members’ data in its possession.”

So why have I reiterated the core of the complaint against Anthem here, as presented in one of the class action lawsuits just recently filed against it? Because it contains the seeds of what could evolve into a functional legal standard on what will be required for health plans—and providers—to avoid being hit with multi-million-dollar judgments in breach cases.

In that regard, I think one of the key causes in the above complaint is this one: “the imminent and certainly impending injury flowing from potential fraud and identity theft posed by their personal and financial information being placed in the hands of hackers; damages to and diminution in value of their personal and financial information entrusted to Anthem for the sole purpose of obtaining health insurance from Anthem and with the mutual understanding that Anthem would safeguard Plaintiff’s and Class members’ data against theft and not allow access and misuse of their data by others.”

In other words, simply by signing up, or being signed up by their employers, with Anthem, for health insurance, health plan members are relying on Anthem to fully safeguard their data, and a significant data breach is essentially what is known in the law as a tort.

And here’s where things get really, really sticky for Anthem, and that has to do with encryption—or the lack of it. In his excellent blog last Friday, HCI Senior Editor Gabriel Perna wrote this:

“Do we know everything there is to know about the Anthem hack? Of course not. Something could come out that exonerates Anthem in some respect. I think they deserve admiration for coming forward quickly and working with the FBI. 

One thing we do know though is Anthem’s data was unencrypted. Like many of its healthcare peers, Anthem left its sensitive data exposed. As said by Trent Telford, CEO of Reston, Va.-based Covata and a member of Anthem, it is downright irresponsible to not protect sensitive data through encryption. McMillan added a pertinent observation, “The real question is how does information on 80 million people, which can’t be trivial, leave the enterprise without setting off any alarms?’”
 

And that  simple fact—the fact of keeping the health, demographic, and financial information of about 80 million people in unencrypted databases—could result in a truly massive judgment against Anthem in court.

And that would be absolutely precedent-setting, both legally and business-wise.

So these lawsuits against Anthem in this breach case are extremely important on a number of levels. And their outcomes could very well set practical legal precedents for all healthcare organizations—health insurers and providers—for decades.

So we’ll all need to track these suits as they move forward in the courts. And we’ll also need to learn from them—now, and over time.


more...
No comment yet.
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA Compliance Guidelines for Email & Social Media 

HIPAA Compliance Guidelines for Email & Social Media  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA applies to both the storage and transfer of electronic protected health information, so electronic communications that may include patient data must be handled with care. This includes email communication between patients and healthcare providers, as well as social posts from healthcare companies and their employees. As more patients adopt an email communication preference and more healthcare providers succumb to the pressures of maintaining a social presence, the possibilities of HIPAA violations grow.

 

To ensure you’re taking the necessary steps to uphold HIPAA compliance standards in your electronic communications, follow these guidelines:

#1: Validate Your Email Security

If you’re sharing sensitive patient data via email, you must use encryption to protect patient privacy. How do you ensure your emails are encrypted and fully HIPAA compliant? Here are a few tips:

  • Adopt a HIPAA compliant email service.
  • Check your current email client for an encryption security setting and request a signed business associate agreement.
  • Set up a secure patient portal for provider-patient communications.
  • Avoid including electronic protected health information (ePHI) in the body of your emails.
  • Manually encrypt any ePHI files sent via email.
  • Include a privacy statement at the bottom of every email.

#2: Get Proper Patient Consent

Consent is an important—and necessary—part of ensuring patient privacy. If you want to engage patients in any sort of electronic communication, you must get them to accept the inherent risks and provide documented consent. Here are some scenarios where this consent is a must:

  • Before communicating with your patient via email
  • Before transmitting any sensitive patient data via email
  • Before publishing a patient testimonial on your website
  • Before sharing a patient photograph on your social channels
  • Before posting details of a patient procedure on your social channels

#3: Create Detailed Office Policies

To ensure HIPAA data privacy remains a top priority for employees during email or social media exchanges, you should develop clear office policies for these types of communication. Here are some of the guidelines your policies should include:

  • When and where to share privacy statements
  • What types of information may or may not be sent via email
  • How to avoid HIPAA pitfalls when using social media
  • Which employees may or may not transmit ePHI
  • When to obtain patient consent

#4: Err on the Side of Caution

If you want to stay on the right side of HIPAA, the best policy is to be extremely cautious about the information you share electronically. Simply avoid any electronic communication that falls into a HIPAA compliance gray area. Here are a few best practices to get you started:

  • Don’t publish a social post that includes any details about a patient’s circumstances
  • Establish appropriate electronic boundaries with patients
  • Don’t give medical advice via email or social comment
  • Allow just one or two individuals to post to social media on your office’s behalf
  • Don’t address complaints on social media
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance and the HITECH Act in 2018

HIPAA Compliance and the HITECH Act in 2018 | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA compliance is an essential part of running a medical practice. The current incarnation of the HIPAA regulations has been in place since 2003 and they haven’t changed much in the intervening years — until now, that is.

 

The HITECH Act (Health Information Technology for Economic and Clinical Health), which was signed into law in 2009, is expected to be fully adopted this year. What does the HITECH Act mean for HIPAA compliance, and what are the changes you need to make to your practice to ensure you’re in compliance with both HIPAA and HITECH?

 

Overview of the HITECH Act


The HITECH Act was designed to expand the types of businesses covered by HIPAA. It requires not only medical professionals to be HIPAA compliant, but any subcontractors, companies that cover the transmission of protected health information (PHI), electronic prescription gateways and patient safety organizations to also be in compliance with HIPAA regulations.

 

This doesn’t make any changes to the currently established exceptions to HIPAA’s business associate standard.

 

HITECH was also designed to focus more on the patient than HIPAA, allowing patients to more directly access their electronic health records (EHR). This also demands patients be informed by their provider if their health records are compromised in any way.

 

The act encouraged “meaningful use” of electronic health records, helping to improve communication between healthcare facilities in direct relation to patient care.

 

Universal Compliance


If your practice or facility has an IT security department, it’s probably entirely different than the ones that are part of other businesses surrounding you. Network security is usually managed by many different departments or even different businesses, making universal security compliance difficult to manage.

 

The new HIPAA/HITECH overlap mandates universal compliance. This makes security simpler and easier to maintain for workers while still ensuring the safety of patient PHI.

 

One solution that is being suggested is the use of “smart cards” which will act as employee identification, a security access token, and authenticator, all in one simple card. This helps to keep the system more regulated because you don’t have to worry about carrying — and potentially losing — multiple cards or remembering long identification numbers.

 

Know Your Compliance
How can you determine if your practice is compliant with both HIPAA and the HITECH Act? You can go over the rules yourself, but these laws are so sweeping and expansive that it’s easy to miss something that could end up costing you thousands of dollars.

 

If you’re still concerned about your current HIPAA and HITECH Act compliance, hiring a professional Privacy Officer can help you evaluate your current practices and ensure that you are checking all the boxes when it comes to meeting your obligations.

 

Changes in Fines


HIPAA fines, until now, have been standard — unfortunately, they often weren’t costly enough to discourage HIPAA violations. Before HITECH was enacted, it was impossible to impose fines of more than $100 for individual offenses or $25,000 for all offenses at the same time.

 

The new overlap has changed the cost of violating the HIPAA or HITECH Act. These offenses are broken into three categories, based on the intent of violation.

 

Violations in the Did Not Know category are the only ones that may still generate a $100 fine. The change here is that the U.S. Department of Health and Human Services now has the option to charge between $100 and $50,000 for each violation, with a total fine of $1.5 million for identical offenses in a calendar year.

 

Reasonable Cause violations will start at $1,000 with the same $1.5 million caps for identical violations.

 

Willful Neglect fines fall into two categories — corrected and not corrected. Fines for corrected Willful Neglect charges will range from $10,000 to $50,000. Fines for not corrected violations start at a minimum $50,000 each.

 

HIPAA and the HITECH Act are both essential tools for ensuring the security of patient health information. Take the time to review alone or with a professional that you are in compliance with both acts so you can continue to serve your patients without the worry of massive fines for privacy violations.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Keep Your ePHI Protected with HIPAA Compliance? 

How to Keep Your ePHI Protected with HIPAA Compliance?  | HIPAA Compliance for Medical Practices | Scoop.it

There has been quite a fuss lately over offering patients greater access to their health records, particularly with the introduction of Apple’s EHR app, which promises to bring electronic health records into patients’ pockets and introduce the era of bring-your-own-data in healthcare. But often that desire to bring patients into the fold gets quashed by a fear of cybersecurity and HIPAA compliance around health information.

 

Recently, for instance, a man was stopped from taking a photo of his own X-ray when a radiologist feared it might violate HIPAA regulations, which kicked off a discussion of similar incidents on Twitter. These incidents arise mainly because providers simply don’t understand the ramifications of HIPAA and other health IT laws — and where to draw the line with access.

 

Indeed, understanding the nuances of these regulations is particularly difficult now that technology affects all corners of healthcare: from telemedicine to remote patient monitoring to consumer glucose monitors to smartphones with thousands of health apps. This ubiquity has created new challenges for providers and patients, particularly when it comes to ensuring the privacy and security of patients’ protected health information (PHI) in accordance with regulations, such as HIPAA and the HITECH Act.

 

What Is the HITECH Act of 2009?


The Health Information Technology for Economic and Clinical Health Act, better known as the HITECH Act, was signed into law in February 2009 as part of the American Recovery and Reinvestment Act, which sought to address new needs as healthcare IT infrastructure began to expand and change exponentially. In particular, this legislation incentivized providers to adopt EHR systems, as well as expanded security and compliance requirements.

 

Moreover, it allowed the Health and Human Services Department to expand its enforcement of HIPAA requirements with the aim to increase provider vigilance and consumer confidence in how patient data is handled and secured. With this in mind, it can seem understandable that the waters around patients’ access to data can be quite murky.

 

New Data Privacy Challenges for Providers


Traditionally, healthcare providers have been held responsible for all aspects of privacy and security of patient data because they have created and controlled it. But boundaries shifted once electronic medical records came into play. The roles surrounding data privacy and ownership are now blurred.

 

One of the main challenges that come with this change in ownership involves the use of smartphones by patients — in particular, patients using those devices to capture elements of their own medical data. The story of the man who was stopped from taking a photo of his own X-ray is not unusual. Often providers are reluctant to grant certain types of access, claiming that it would violate HIPAA, but most of the time that’s not the case.

 

SIGN UP: Get more news from the HealthTech newsletter in your inbox every two weeks!

 

What Are the Medical Records Release Laws?


In September 2015, the Office of Civil Rights, a division of HHS, issued guidance for consumers regarding medical record release laws that sought to encompass both HIPAA and HITECH guidance.

 

Patients have the right to:

 

  • See and get a copy of their medical records
  • Have errors and omissions in their medical records corrected (or their disagreements documented)
  • Get a paper or electronic copy of their medical records
  • Request the provider send their medical records to another party with permission


While there is fear from a provider’s point of view, the language in this guidance is clear and specific. It broadly provides patients access to their medical data and does not specifically limit patients’ methods of acquisition.

 

Patients have the right to see any single element of their record or the entire set of data, except for the few exclusions HIPAA has set aside (these exclusions are minimal and not relevant in this discussion). Diagnoses, lab results, a picture of a cut or an X-ray image are all part of the medical record.

 

If patients are legally permitted to see and obtain a copy of their records in their preferred form and format, then it follows that the patient should be able to take a picture of that information during an office visit or consultation with their provider.

 

While the story of the man who was stopped from taking a photo of his X-ray garnered plenty of attention, many times doctors do allow patients to take pictures. For example, a patient in an emergency department had a gash in her hand from a dropped glass. She asked the doctor if she could take a picture of her hand while the glass was being removed. The doctor said yes. The patient posted a few of the pictures on her social media site. The photos include the physician’s hands but no identification of the provider.

 

Provider Concerns in the Bring-Your-Own-Data Era


While there is some hesitation around protecting ePHI, HIPAA is clear: Patients have the right to their own medical data in any form or format. Although the provider traditionally owns the systems that record and manage that data, they don’t own the data itself. A patient can use technology (including a smartphone) to copy that data, even if it’s on a computer screen in a physician’s office. Some providers will ask for a signed release, but that is not specifically required.

 

Patients must also understand that once they are in possession of that data, whether it’s a photocopy, electronic copy or photograph, they are solely responsible for the privacy and security of that data.

 

Provider concerns are twofold. First, there is a concern they will still be held accountable for the privacy and security of patient data they no longer control. Second, providers have traditionally controlled access to medical records because, as the creators of the data, they were uniquely qualified to interpret and act upon that data. With the consumerization of healthcare, many patients are taking an active and informed role in their own care. This requires access to the entire medical record, not just limited portions decided by the provider.

 

Studies show that engaged and informed patients have better outcomes. Providing access to medical records through viable technologies, including web portals, apps or even smartphone cameras, is the new reality of care. Patients are now included as part of the care team and are responsible for the privacy and security of the data they handle — their own. The next step may be helping patients understand the importance of protecting that health data.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance Tips for Mobile Data Security 

HIPAA Compliance Tips for Mobile Data Security  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance Tips for Mobile Data Security

Nearly 4 out of 5 healthcare providers use a mobile device for professional purposes. These numbers continue to rise as healthcare organizations place an increased focus on efficiency and productivity. (1) Although mobile devices are incredibly efficient and convenient, they also harbor measurable risks for data breach and the exposure of protected health information (PHI).

 

Mobile devices are often more susceptible to theft because they lack the appropriate security controls. In fact, mobile device malware infections have surged 96% from 2015 to 2016. (2)  To avoid hefty penalties and the risk of a data breach, healthcare organizations must develop and implement mobile device procedures and policies that will protect the patient’s health information.

 

Below are five recommendations from HHS (The Department of Health and Human Services) that organizations can take to help manage mobile devices in the healthcare setting:

 

  1. Understand the risks before allowing the use of mobile devices- Decide whether healthcare providers or medical staff will be permitted to use mobile devices to access, receive, transmit, or store patients’ health information or if they will be used as part of the organization’s internal network or systems, such as an electronic health record system.
  2. Conduct a risk analysis to identify threats and vulnerabilities- Consider the risks to your organization when permitting the use of mobile devices to transmit health information Solo providers may conduct the risk analysis on their practice, however, those working for a large provider, the organization may conduct it.
  3. Identify a mobile device risk management strategy, including privacy and security safeguards- A risk management strategy will help healthcare organizations develop and implement mobile device safeguards to reduce risks identified in the risk analysis. Include the evaluation and regular maintenance of the mobile device safeguards put in place.
  4. Develop, document, and implement mobile device policies and procedures to safeguard health information. Some topics to consider when developing mobile device policies and procedures are:
    1. Mobile device management
    2. Using your own device
    3. Restrictions on mobile device use
    4. Security or configuration settings for mobile devices
  5. Conduct mobile device privacy and security awareness and ongoing training/education for providers and professionals.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What's in Our 2018 SecurityMetrics HIPAA Guide?

What's in Our 2018 SecurityMetrics HIPAA Guide? | HIPAA Compliance for Medical Practices | Scoop.it
 We are thrilled to announce the release of our brand-new HIPAA Guide! No matter the size of your organization, you can use this guide to understand and handle the more challenging requirements of HIPAA. In fact, it's already coming in handy for many of our partners. See what some of them have to say:

"The HIPAA Guidebook is one of the best references. It's well-organized and easy for our medical office staff and providers to understand." -Hedy Haun, Sr. Process Analyst,  SHARP Medical Group

"Words cannot express what the HIPAA Guide represents to me and all of Curis. It's like an encyclopedia for us." -George Arnau,  Curis Practice Solutions

A better way to read and utilize our HIPAA guide


Just like many of our partners report back to us, our HIPAA Guide is best utilized as "desk-side reference." In order to increase the guide's usefulness to you, we've added a new section called "How to Read This Guide." It includes a color-coded system, with reading suggestions based on your familiarity with HIPAA: beginning, intermediate, and advanced. This section discusses the skill levels likely required for policy and procedure implementation.

We understand there are many job descriptions that require HIPAA understanding, so whether you're a brand-new employee or a seasoned systems administrator--our guide is meant for you.

 We also include a "Terms and Definitions" glossary at the end of the 135-page guide. This is meant to help familiarize you with data security and tech terms you may not already know.

Ultimately, we want to help you keep your patients' and customers' data safe and secure. By helping you address the most complicated aspects of data security and HIPAA , we aim to equip you with practical knowledge you can use in meetings and trainings, while drafting policies and procedures, and when making decisions about security at your practice.

Survey Data and HIPAA industry trends

This year, we conducted four surveys and received responses from over 300 healthcare professionals. These professionals are responsible for HIPAA compliance at their organizations, and work primarily at companies with less than 500 employees. And while larger organizations tend to have better HIPAA compliance, it's important that those larger organizations still take note of compliance trends at organizations of all sizes, since they will likely share data and interact with them (for instance, when a large hospital sends patient records to a smaller specialty clinic).

We asked respondents about security habits at their organizations. Training and encryption continue to challenge HIPAA teams, while many organizations fare well in the area of risk analysis. Here are just a few of our survey results:

  • 6% of organizations do not conduct a formal risk analysis
  • 16% of organizations report they send emails with unencrypted patient data
  • 34% of organizations train employees on the HIPAA Breach Notification Rule

Top Tips for Better Data Security 

As lead SecurityMetrics HIPAA auditor Brand Barney says, "Our guide was specifically created to help covered entities and business associates address the most problematic issues within HIPAA compliance.”

So, the guide focuses on commonly challenging aspects of the HIPAA Privacy, Breach Notification, and Security Rules, including:

•   Incident response plans
•   PHI encryption
•   Business associate agreements
•   Mobile device security
•   HIPAA-compliant emails
•   Remote access
•   Vulnerability scanning
•   Penetration testing

A proactive, offense-minded approach

Even with steep penalties in place, HIPAA compliance--particularly when it comes to security--is often not as complete as is thought or hoped for. In fact, according to the Identity Theft Resource Center , 24.7% of data breaches in 2017 were healthcare-related. Education is the first line of defense, so becoming familiar with the guide is one of the best ways you can proactively protect your organization from a potentially devastating data breach.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

6 things software vendors need to know about HIPAA compliance

6 things software vendors need to know about HIPAA compliance | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance

 

Many people are loosely familiar with the Health Insurance Portability and Accountability Act (HIPAA) and usually associate it with hospitals, clinics, and health insurance companies. However, it can be less clear how HIPAA compliance standards apply to countless other software vendors, SaaS providers that work with healthcare-related businesses or handle protected health information (PHI). In recent months, the Office for Civil Rights has been coming down hard on HIPAA violators, doling out some of the large fines – upwards of $5 million. So in order to ensure your business is protected and to maintain your brand reputation, it is vital to know the ins and outs of HIPAA compliance. With this in mind,

 

How do you know if you need to be HIPAA compliant?

 

In short, HIPAA rules apply to both Covered Entities (health insurance companies, HMOs, company health plans, etc.) and their business associates (a vendor or subcontractor who has access to PHI). What this means for business associates is that even if you’re a service provider or vendor who isn’t in the healthcare industry - like an all-flash storage company - you may still need to be HIPAA compliant indirectly due to the fact that your organization stores PHI. The first step here is to determine whether your organization handles PHI. If you do, your next step is to look through the

 

Look to your current vendors for guidance

 

Once you determine that you need to be compliant, there’s no need to go on a hiring spree to ensure you have the necessary resources in-house. Many of your existing vendors may already cover key HIPAA compliance requirements. Any good service provider should be able to tell you whether they are HIPAA compliant and what controls they can cover. If so, it is important that they are also willing to sign a Business Associate Agreement (BAA) - a negotiation between Covered Entities and any third-party vendors that have access to their PHI.

 

Look for specific types of technology that can help to streamline the process

 

If none of your existing vendors can help with HIPAA compliance, turn to a managed service provider to do the heavy lifting and help your business attain and maintain compliance, so you can focus resources on driving business. Additionally, they can strengthen the security technology, processes, and controls they use to keep customer information secure. For example, if you’re looking for a secure way to continue work-from-home programs at your organization through remote desktops, HIPAA compliant Desktop-as-a-Service (DaaS) vendors are a great option to both fill specific needs for your business and drastically simplify compliance.

 

Don’t forget about maintenance

 

A key stumbling block for many organizations tends to be maintaining a constantly evolving set of compliance standards. HIPAA compliance certification is valid only at that moment – it is then up to the company to maintain compliance which is easier said than done. Some important things to keep the top of mind for maintenance include 1) completing a HIPAA Risk Analysis document and audit at least once a year, and 2) assessing employees year-round to make sure they are doing their jobs in a HIPAA compliant manner, following all stated company policies and procedures.

 

Know who is responsible for HIPAA compliance

 

Another challenge accompanying HIPAA compliance may sound simple, but is one that oftentimes goes overlooked - precisely who internally is responsible for compliance? For non-healthcare organizations, a company is unlikely to have a designated in-house role such as a Privacy and Security Officer, and therefore the responsibility often falls on security or operations departments. However, it’s likely that neither of these departments has a full understanding or stake in HIPAA compliance. Regardless of who is taking the reins, it is important that the role is clearly demarcated and that person or department knows what is expected of them. Additionally, it’s critical that they work together with other departments as needed to ensure a well-rounded HIPAA strategy. Case in point - a recent

 

Keep HIPAA compliance top of mind for staff

 

Regardless of who is in charge, it is important that all your staff be mindful of maintaining HIPAA compliance. Human error can become one of the biggest obstacles to maintaining compliance, especially when employees may not even realize their company deals with PHI. For example, the same NueMD survey also found that only 58% of respondents were providing training for their staff annually. HR teams can proactively assist with this by reminding staff of regular HIPAA training, updates on compliance standards changes and keeping visible HIPAA compliance checklists posted in work areas.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Keep Your Practice’s Communication HIPAA-Compliant

How to Keep Your Practice’s Communication HIPAA-Compliant | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA compliance is a top concern for medical practices, and for good reason–violations can result in serious consequences, including large fines and potentially even jail time. To make things more complicated, the laws themselves tend to be rather vague on what actions practices need to take to become HIPAA-compliant.

Medical practices need to protect private patient data, but they also need to be able to go about the daily business of running a practice as efficiently as possible. Technology can certainly make day-to-day operations more efficient, but new technologies also bring about new concerns with HIPAA compliance. Many practices are hesitant to adopt new technology for that very reason.

When practices do decide that they want to use technology to communicate with patients and other practices, it can be difficult to figure out where to begin because HIPAA laws can be quite vague. Practices don’t want to slip up and have to pay the price (often, quite literally) for a violation.

 

So, what can you do to keep your practice’s communications on the right side of HIPAA guidelines? We highly recommend working with an expert on HIPAA laws to make sure your communication is always compliant.

 

If you’d like to learn more on what HIPAA-compliant communication entails throughout your practice, including marketing efforts, emails, appointment reminders, patient portals, and communication with other practices, we have put together this list of helpful resources to help you stay up to date on the latest recommended best practices for HIPAA-compliant communication.

Emailing Patients

Patients who are always on-the-go may prefer to communicate with you via email. If patients request email communication, you must make that option available to them, but you still need to take the proper precautions to protect your patients and your practice from HIPAA violations.

Appointment Reminders

Even appointment reminders can be considered private health information if done improperly. You may wish to use technology to automate this routine process and free up your employees’ time for other tasks, but you need to make sure that you aren’t inadvertently giving away private patient information in the process.

Patient Portals

Practices are required to implement and use a patient portal to meet Meaningful Use requirements. However, patient portals are still subject to HIPAA laws and may, in fact, pose the greatest security risk of all practice communications because of the amount of information they contain. Always do your research before choosing a vendor for your patient portal to make sure they will keep you covered.

 

Communicating with Other Practices

It’s important for your practice to be able to communicate with your patients’ other health care providers to be able to provide the most comprehensive care possible. However, it can be quite challenging to communicate with other practices in a manner that is both efficient and HIPAA-compliant. These resources include suggestions on improving your communication strategies while protecting private information.

 

The Dangers of Sharing Patient Information via Text/IM

As a healthcare provider, your days are usually very busy, and it’s likely that the doctors you need to communicate with are equally as busy. When you need to share information, whether it’s a quick update on a patient or a request for a consult, it can be tempting to just send a quick text or instant message. If texting/instant messaging is your preferred form of communication with other doctors, you need to approach with caution.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

5 FAQs on HIPAA Compliance In The Cloud

5 FAQs on HIPAA Compliance In The Cloud | HIPAA Compliance for Medical Practices | Scoop.it

The Cloud Is Viable For HIPAA Applications
To ensure the protection of patient data, the Health Insurance Portability and Accountability Act (HIPAA) lays out guidelines that all companies in the health industry must follow—from primary care providers to data-handling agencies and third-party vendors. HIPAA rules often are complex, however. As a result, some companies inadvertently make mistakes, and others simply remain noncompliant for a variety of other reasons, leaving them subject to penalties that could add up to millions of dollars. Here’s a look at five key FAQs about HIPAA compliance and cloud computing.

 

FAQ 1: What’s Covered Under HIPAA?
The short answer: just about everything. Any piece of data that contains personally identifiable information about a patient, any type of treatment plan, or even aggregate data samples that could be traced back to individuals is covered by HIPAA. Your best bet: Assume everything falls under the scope of the law rather than trying to pick and choose.

 

FAQ 2: Is Cloud Storage Acceptable?
Absolutely. There’s no requirement for HIPAA data to be stored on-site or handled by a specific agency. In fact, it’s not the cloud itself that’s the problem when there is a problem—it’s how data is transmitted, handled, and stored in the cloud that often lands companies in hot water.

 

FAQ 3: What’s the Difference Between Covered Entities and Business Associates?
A covered entity is effectively the “owner” of a health record—for example, the primary care facility that first creates a patient profile or enters test results into its electronic health records system. Business associates, meanwhile, include any other company that handles this data. This means that cloud providers, third parties that offer on-site IT services, or other health agencies that access this data all qualify as business associates.

 

FAQ 4: Who Is Responsible for Health Data in the Cloud?
Ultimately, the covered entity bears responsibility for HIPAA-compliant handling. While business associates also can come under fire for not properly storing or encrypting data in their care, it’s up to the covered entity to ensure they’re able to audit the movement, storage and use of their HIPAA data over time.

 

FAQ 5: What Does “HIPAA Compliant” Really Mean?
While there is no official “HIPAA compliance” standard or certification that providers can obtain, it’s worth looking for other certifications that indicate good data-handling practices, such as PCI-DSS, SSAE 16, ISO 27001 and FIPS 140.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The HIPAA Privacy and HIPAA Security Rules

The HIPAA Privacy and HIPAA Security Rules | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for sensitive patient data protection. Companies that deal with protected health information (PHI) must have physical, network, and process security measures in place and follow them to ensure HIPAA Compliance. Covered entities (anyone providing treatment, payment, and operations in healthcare) and business associates (anyone who has access to patient information and provides support in treatment, payment, or operations) must meet HIPAA Compliance. Other entities, such as subcontractors and any other related business associates must also be in compliance.

THE HIPAA PRIVACY AND HIPAA SECURITY RULES

According to the U.S. Department of Health and Human Services (HHS), the HIPAA Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. Additionally, the Security Rule establishes a national set of security standards for protecting specific health information that is held or transferred in electronic form. The Security Rule operationalizes the Privacy Rule’s protections by addressing the technical and nontechnical safeguards that covered entities must put in place to secure individuals’ electronic PHI (e-PHI). Within HHS, the Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties.

THE NEED FOR HIPAA COMPLIANCE

As HHS points out, as health care providers and other entities dealing with PHI move to computerized operations, including computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems, HIPAA compliance is more important than ever. Similarly, health plans provide access to claims as well as care management and self-service applications. While all of these electronic methods provide increased efficiency and mobility, they also drastically increase the security risks facing healthcare data. The Security Rule is in place to protect the privacy of individuals’ health information, while at the same time allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. The Security Rule, by design, is flexible enough to allow a covered entity to implement policies, procedures, and technologies that are suited to the entity’s size, organizational structure, and risks to patients’ and consumers’ e-PHI.

PHYSICAL AND TECHNICAL SAFEGUARDS, POLICIES, AND HIPAA COMPLIANCE

The HHS requires physical and technical safeguards for organizations hosting sensitive patient data. These physical safeguards include…

  • Limited facility access and control with authorized access in place
  • Policies about use and access to workstations and electronic media
  • Restrictions for transferring, removing, disposing, and re-using electronic media and ePHI

Along the same lines, the technical safeguards of HIPAA require access control allowing only for authorized personnel to access ePHI. Access control includes…

  • Using unique user IDS, emergency access procedures, automatic log off, and encryption and decryption
  • Audit reports or tracking logs that record activity on hardware and software

Other technical policies for HIPAA compliance need to cover integrity controls, or measures put in place to confirm that ePHI is not altered or destroyed. IT disaster recovery and offsite backup are key components that ensure that electronic media errors and failures are quickly remedied so that patient health information is recovered accurately and intact. One final technical safeguard is a network or transmission security that ensures HIPAA compliant hosts protect against unauthorized access to ePHI. This safeguard addresses all methods of data transmission, including email, internet, or private network, such as a private cloud.

To help ensure HIPAA compliance, the U.S. government passed a supplemental act, The Health Information Technology for Economic and Clinical Health (HITECH) Act, which raises penalties for health organizations that violate HIPAA Privacy and Security Rules. The HITECH Act was put into place due to the development of health technology and the increased use, storage, and transmission of electronic health information.

DATA PROTECTION FOR HEALTHCARE ORGANIZATIONS AND MEETING HIPAA COMPLIANCE

Clearly, the need for data security has grown as the proliferation of electronic patient data grows. High-quality care today requires healthcare organizations to meet the accelerated demand for data; yet, they must ensure HIPAA compliance and protect PHI. Make sure that you have a data protection strategy in place that allows your organization to:

  • Ensure the security and availability of PHI to maintain the trust of practitioners and patients
  • Meet HIPAA and HITECH regulations for access, audit, and integrity controls as well as for data transmission and device security
  • Maintain greater visibility and control of sensitive data throughout the organization

The best data protection solutions recognize and protect patient data in all forms, including structured and unstructured data, emails, documents, and scans while allowing healthcare providers to share data securely to ensure the best possible patient care. Patients entrust their health care to your organization; you need to take care of their protected health information as well.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance Keeping Medical Records Private 

HIPAA Compliance Keeping Medical Records Private  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA (the Health Insurance Portability and Accountability Act) became law in 1996 and revolutionized requirements and practices ensuring patient rights, privacy, and security. Instead of laws that were unclear or insufficient in some cases, HIPAAbecame federally mandated and regulated. However, the healthcare businesses that must comply have to navigate complex rules and make sure regulations are being followed. 

Who needs to follow HIPAA?

The first question is, do you need to comply with HIPAA? A “Covered Entity” under HIPAA includes any person or company that provides medical, dental, or other healthcare services that transmit the protected health information (PHI) of patients electronically. That could mean sending prescriptions to pharmacies, bills to insurance companies, or emails to patients. It also includes any vendors that create, transmit, receive or store PHI for a Covered Entity.  These vendors are known as “Business Associates” and include services like EMR/EHR, information technology support, data analytics, health app developers, and in some cases, website hosting companies. Those organizations that interact or send PHI in electronic form must comply with HIPAA.

What steps do I need to take?

If you or your company is a covered entity or a business associate under HIPAA, it is your responsibility to keep protected health information secure following the HIPAA Security Standards and Implementation Specifications.  These include:

·       Developing written privacy policies – or even before this step, become familiar with the laws so that comprehensive privacy and security policies can be developed.

·       Designating a privacy and security officer – no matter how small the organization, these officers must be appointed and are responsible for HIPAA compliance.

·       Annual risk assessments – conduct a risk assessment each year and record findings. Assessments must be documented, accurate, and comprehensive in identifying vulnerabilities and threats to PHI.

·       Developing information assurance policies regarding electronic transmission of communications. This includes email and the use of mobile devices with access to PHI.

·       If you are a covered health care provider, distribute a notice of privacy practices to all new patients.

·       Using Business Associate Agreements with any outside company that will have access to PHI.

·       Developing and implementing steps to take in case of a data breach, including how to determine the timing and extent.

Demonstrating HIPAA compliance

Your organization must be able to provide proof that you and your employees are following the rules outlined by HIPAA. If there is a breach of security and PHI is improperly handled or disclosed, the investigation may determine that a penalty could be assessed or the need to enter into a settlement agreement which will include a required corrective action plan. It is important to understand the burden to demonstrate compliance will the responsibility of the organization to prove. 

You will have to show that your organization has conducted a HIPAA risk assessment, provided annual training for the whole workforce, and have a policy and procedures for protecting PHI in writing.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

5 Steps for Implementing a Successful HIPAA Compliance Plan 

5 Steps for Implementing a Successful HIPAA Compliance Plan  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance is key to thwarting cyber attacks, but more importantly, this Plan will tell your employees, Business Associates and patients (and HHS, if they should come calling) how you secure Protected Health Information (PHI). Just as important is effectively communicating the plan to your staff.  

So, where do you begin? The purpose of this blog is to highlight what goes into making your plan. 

Five Key Steps

Step 1 – Choose a Privacy and Security Officer

We will be talking in later blogs about what to consider when selecting these HIPAA leaders.

For a smaller practice, your Privacy and Security Officer may be the same person. For larger practices, these duties will probably be split between two people. These are the folks who are going to be spearheading your Compliance Plan.  If you don’t have someone designated to fill this role, you are not compliant.

Step 2 – Risk Assessment

This step requires you to review your workplace and electronic devices to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) held by the Covered Entity or Business Associate. According to Atlanta healthcare attorney Daniel Brown, “a Risk Assessment extends not only to the accessibility of ePHI -- such as passwords -- but also to threats to your access of ePHI caused by natural risks, such as hurricanes and tornadoes, and even human risks, such as malicious hacking.”

You can perform the Assessment yourself or hire an outside contractor to come in and complete the process for you. If you're thinking about performing the assessment yourself, HHS has developed a Risk Assessment tool to help you get started.

The first option is obviously the cheapest and the second can be costly, or you can use a combination of the two. The key is to be very detailed and identify where all your potential Privacy and Security issues may lie. This will include listing all computing and mobile devices, where paper files are stored, how you will secure your offices when you are closed, etc. This is not a one-time event and will change over time as technology and risks change. You will want to revisit your Risk Assessment anytime you have a Breach, theft, or major change in hardware or software, but at a minimum every 2-3 years.

Step 3 – Privacy and Security Policies and Procedures

After completing your Risk Assessment, it’s time to create your blueprint for achieving HIPAA Compliance. The Compliance Plan should include Policies and Procedures - ensuring the Privacy of Protected Health Information and the Security of such information. The Security Policies and Procedures deal with ePHI (electronic PHI) and how you will protect that information.

Policies and Procedures need to be updated regularly and any changes need to be clearly documented and communicated to your staff. As you saw in the Penalties Section of our last blog, “I didn’t know” isn’t an acceptable defense!

Step 4 – Business Associate Agreements

Most of you use vendors or contractors to help run your practice or business. Under HIPAA, persons or entities outside your workforce who use or have access to your patient’s PHI or ePHI in performing service on your behalf are “Business Associates” and hold a special status in the Privacy equation. Some examples of Business Associates include third-party billing agents, attorneys, laboratories, cloud storage companies, IT vendors, email encryption companies, web hosts, etc. This list can get pretty long, and should be documented in your Risk Assessment.

Make sure you do an audit of your Business Associates before you accept a signed Agreement from them. We’ve seen a lot of folks sign these Agreements, and have no clue what they’ve agreed to. Auditing means looking at their Compliance Plan. They have to have one, or you can’t do business with them. Your legal counsel should have an Agreement you can use, or you can use a third party Agreement from a HIPAA compliance company.

Step 5 – Training Employees

You’ve got your Risk Assessment, Privacy and Security Policies and Procedures and Business Associate Agreements in hand. You’re all good, right? NO! Employees are many times your weakest link.

You need to annually train your employees on the HIPAA Rule and communicate information about your Privacy and Security Policies and Procedures that you’ve worked so hard to create. What good is all the work you’ve done on a Compliance Plan when no one knows about it, or how to use it? Train employees both on the HIPAA Law and your specific plan. In addition, you must keep records that they have been trained.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Impact of HIPAA on Email Communications — What You Need to Know Before You Click ‘Send’ 

The Impact of HIPAA on Email Communications — What You Need to Know Before You Click ‘Send’  | HIPAA Compliance for Medical Practices | Scoop.it

The recent Sony Pictures hack exposed embarrassing emails, unreleased intellectual property and plenty of passwords, social security numbers and financial data — but it was also a giant HIPAA violation. In addition to unencrypted spreadsheets full of sensitive medical data, the hackers leaked an HR exec’s memo about the special needs and diagnosis of an employee’s child.

While we don’t yet know the cost of Sony’s myriad of security failures, the medical details of many Sony employees and their families now exist on the Internet, where it will likely stay available for the foreseeable future.

 

The Sony hack has taught us plenty of information security lessons, but one of the stickiest is the importance of protecting protected health information (PHI). We’ve already written about the reasons Sony should have used client-side email encryption, but HIPAA compliance is yet another compelling reason to encrypt your email messages.

The Need for HIPAA Compliant Email

If you’re new to the world of HIPAA compliant email, the idea of safely sending messages and files to your patients, other health providers and business associates can seem overwhelming at first. While any professional email should be approached with mindfulness of data security and awareness of the threats to your email privacy, from hacking to phishing, businesses that deal with PHI must be extra vigilant to make sure their communications are compliant with HIPAA and HITECH. After all, a HIPAA violation is as easy as accidentally sending an email to the wrong recipient, and can lead to fines of hundreds of thousands of dollars.

While HIPAA compliant email doesn’t need to be rocket science, the stakes facing the medical community are pretty high. Consumers want more and easier access to their personal health data, but have greater demands when it comes to privacy.

Protecting Patient Privacy In the Digital Age

Any organization that handles PHI (known as a “covered entity”), from health providers such as doctors, nurses, chiropractors, pharmacies and nursing homes to businesses that provide health plans like HMOs, company health benefits and government programs like Medicare — as well as all of their business associates — needs to ensure that their email solutions are HIPAA compliant. And it’s not just corporate organizations – state and local governments, universities, and non-profits also fall under HIPAA and must protect PHI.

 

Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, it seems that the demand for greater digital access to health data is at odds with the HIPAA Privacy Rule, which demands that a patient’s past, present and future PHI be accessible only to authorized recipients. One of the goals of HITECH was to spur adoption electronic health records (EHRs) for patients and health information exchanges (HIEs) to help doctors share patient data. If your ophthalmologist recently asked you to sign up for an online patient portal, that’s HITECH in action.

 

But another HITECH provision put many covered entities on notice: where prior to HITECH, $250,000 was the maximum annual penalty for a HIPAA violation, that threshold has moved up to $1.5 million. This presents the medical community with the puzzle of how to increase digital access to data without compromising patient privacy.

The Importance of Encryption in HIPAA Compliant Email

The challenges facing healthcare data security, from data thieves and “hacktivists” targeting hospitals to user error and technology adoption, make HIPAA compliant email more important than ever. But what makes an email HIPAA compliant?

 

One of the most important steps any business handling PHI should take is enabling email encryption. Encryption uses a complex cipher algorithm to render your data unreadable to anyone without the necessary credentials (or the encryption key). In short, if a cybercriminal cracks into an email you send to a patient or insurance company, they won’t be able to use that data unless they also get ahold of your encryption key.

 

There are a few options when it comes to email encryption. Many hospitals, healthcare providers and insurance companies deploy portal solutions that use Transport Layer Security (TLS) to encrypt messages. In these scenarios, patients and other providers establish and maintain a separate account for a portal where they can exchange sensitive information. While these solutions do provide for HIPAA compliance, their user experience tends to be clunky and frustrating. At one time or another we’ve all forgotten our username or password and been locked out of our health or financial data.

 

At the end of the day, employees prefer to use the applications they’re used to — including their email service providers. Newer email encryption solutions are able to integrate with the email service you’re already using to provide a seamless, easy-to-use user experience with powerful client-side encryption.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Juan Carlos Moreno Angulo's curator insight, May 20, 3:57 PM
Before clicking send, do even think twice about it? What happens when hackers leak sensitive information under the name of famous companies/corporations such as the case of SONY is something common? In recent times, the Sony hack showed and taught us plenty of information security lessons, but one of the stickiest is the importance of protecting protected health information (PHI). What this article expose us to a violation that is as easy as accidentally sending an email to the wrong recipient, and can lead to fines of a lot money. While we do not know about the security measures taken by the institution we put out trust in, there are medical details of many employees and their families on the Internet before you even know, a giant violation to your life. Protecting patient privacy in the digital age can be a really hard to do, especially when the world is just a click far from you. However, a positive thing to highlight such organization handles PHI which is known as a “covered entity” that allow companies to keep track of the user info. Opposite to that, the introduction of what happened with hacking patients; it seems that organizations demand for greater level of security when accessing health data and more. Moreover, just remember that every message, image, and video you send everything you do will be recorded and stored in a data collection base.
Scoop.it!

Is Your Digital Ad Campaign HIPAA Compliant? 

Is Your Digital Ad Campaign HIPAA Compliant?  | HIPAA Compliance for Medical Practices | Scoop.it

As the importance of digital advertising continues to grow within the medical industry, marketers must ensure that their campaigns remain in compliance with HIPAA regulations.

In light of the evolving patient path to treatment, digital advertising is fast becoming the marketing tactic of choice for medical professionals across the industry. But as hospitals and medical practices scramble to keep pace with their competitors and roll out digital campaigns, there are a number of important considerations that must be taken into account — namely, marketers must ensure that their ads are in compliance with HIPAA regulations.

Staying in the Clear

HIPAA provisions for digital marketing are designed to protect patient confidentiality and satisfy the Privacy Rule, according to the HHS. As CEO of Futures of Palm Beach told Forbes, “Complete patient anonymity is key. Once marketers understand that, they can plan their campaigns accordingly.” Marketers must either avoid using information that could identify a patient, known as protected health information (PHI); obtain written authorization for its use from the patient; or completely anonymize such data by removing identifiers from 18 categories, as UC Berkley describes, including:

  • Names
  • Geographic Identifiers (county, city, addresses, zip code, etc.)
  • Dates (admission date, birth year, etc.)
  • Administrative Details (health plan numbers, driver's license number, etc.)
  • Biometric Identifiers (photos, fingerprints, voice prints, etc.)

Naturally, there are a multitude of ways that patients can be identified online (which may not be covered by these 18 categories), so marketers must exercise caution when developing patient-generated marketing initiatives, such as a real-life success story or endorsement, for example.

Of course, privacy violations are not the only opportunity for medical marketers to run afoul of HIPAA regulations. As Digital Guardian notes, providers and marketers must also comply with the Security Rule, which mandates that electronically stored or sent PHI is protected from data breaches, leaks, and unwanted disclosures. While this provision is primarily aimed at providers, marketers must also ensure that any protected information stored in their systems is secured at all times.

Cover Your Bases

While some hospitals, physicians, and medical marketers try to tiptoe around specific HIPAA provisions, such as PHI, it’s often easiest to avoid the issue altogether by drafting content that attracts patients without introducing potentially fraught information. For instance, marketers can provide generic health advice or tips, comment on the state of the industry, or provide educational resources, without the inclusion of patient-specific information. Taking this safer route may be preferable to the punishment for violating HIPAA — a potential fine of $50,000 per violation, as WebPT notes.

Equally important is that every member of your marketing team be thoroughly trained in HIPAA regulations, with specific guidelines in place for your individual medical organization. Likewise, if you’re interested in enlisting the services of a third-party marketing vendor, make sure that they’re HIPAA certified. Most commonly, violations stem from a lack of experience or confusion surrounding the nuanced rules and regulations. So while HIPAA may seem daunting, a well-informed approach is the key to avoiding compliance issues.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Top 5 HIPAA Compliant Cloud Storage and File Sharing Services

Top 5 HIPAA Compliant Cloud Storage and File Sharing Services | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organizations are embracing the many advantages of cloud computing, including its scalability, cost-efficiency, and flexibility. While the cloud makes file storage and sharing easy and convenient, its security risks are numerous enough to have given rise to the CASBcategory. Before implementing a solution, however, it’s important to understand how industry regulations impact cloud adoption — and what to look for when selecting a cloud-storage service provider. For healthcare organizations, HIPAA-HITECH compliance can be a major deciding factor.

 

We’ve compiled the top 5 most popular cloud storage services that are HIPAA compliant. Before we go into those, let’s first take a look at how HIPAA-HITECH applies to cloud storage software.

Why HIPAA applies to cloud storage

The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 with the goal of protecting the privacy of sensitive patient information. Covered entities under the law include healthcare plans, health care clearinghouses and certain types of healthcare providers.

 

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA’s requirements to business associates. A business associate is any service provider who has access to the protected health information (PHI) of a covered entity. This also includes subcontractors who create, receive, maintain or transmit PHI on behalf of a business associate, including cloud providers.

 

In addition to extending the law to cover business associates, the HITECH Act dramatically increased HIPAA penalties. Pre-HITECH penalties were limited to $100 per violation and a maximum of $25,000 for “identical violations of the same provision” in the same calendar year. The new penalties have a tiered structure between $100 and $50,000 per violation based on “increasing levels of culpability” and a maximum of $1.5 million for identical violations per year.

 

The Department of Health and Human Services’ Office of Civil Rights Management (OCR), which is responsible for HIPAA enforcement, has stepped up its efforts once HITECH amplified the consequences of HIPAA non-compliance. Both the number of settlements and the average fines have been growing since 2012.

 

The number of OCR settlements in the first eight months of 2016 are already double those of 2014, even with four months still left in the year. Of the 10 settlements announced through the end of August, six were larger than $1 million, and the average of the 10 was over $2 million. OCR also settled the largest fine to date, $5.5 million, with Advocate Health Care, in 2016. The fine stemmed from three separate breach incidents affecting a total of 4 million people.

 

In addition, in 2016 OCR levied its first fine against a business associate. Catholic Health Care Services, which provides management and information technology services to skilled nursing facilities, paid a $650,000 fine after PHI was compromised when a company-issued iPhone was stolen. The iPhone was not encrypted and did not have a password lock.

HIPAA’s impact on cloud adoption

The HITECH Act added a notification requirement — covered entities and business associates must notify OCR after a breach of unsecured PHI affecting more than 500 individuals. OCR’s breach database shows that a large number of the reported breaches stem from stolen or lost laptops, mobile devices, and portable media such as thumb drives. A properly executed cloud environment can solve the challenge of securing those endpoints.

 

A cloud storage service becomes a business associate if they stores PHI on behalf of a healthcare organization, and thus the service must be HIPAA-compliant. The law protects not only the privacy of the data but also its integrity and accessibility. HIPAA’s Security Rule, which addresses electronic PHI, includes physical and technical safeguards such as audit controls and access controls, as well as administrative safeguards such as data backups and security incident procedures.

 

In addition, cloud-storage services must sign a business associate agreement (BAA) with the healthcare organization that stipulates the vendor’s compliance with HIPAA requirements. Many of OCR’s settlements include lack of properly executed BAAs among the violations.

 

In 2015, OCR settled with St. Elizabeth’s Medical Center for $218,400 after investigating a complaint that the organization’s employees used an internet-based document sharing application to store ePHI without analyzing the risk of that practice. “Organizations must pay particular attention to HIPAA’s requirements when using internet-based document sharing applications,” OCR Director Jocelyn Samuels said in announcing the settlement.

5 cloud storage services that are HIPAA-compliant

HIPAA does not prescribe specific methods or tools for how to secure data; however, encryption is encouraged as a best practice. Breached data is not considered unsecured if the PHI “is rendered unusable, unreadable or indecipherable to unauthorized individuals.” According to HIPAA guidance by the Department of Health and Human Services (DHHS), encryption processes that follow NIST (National Institute of Standards and Technology) criteria meet the above requirement.

 

Some cloud services, including iCloud, don’t provide BAAs, while others don’t encrypt data both at rest and in transit. Some services, such as Amazon S3, are not HIPAA compliant out-of-the-box but can be configured with some customization.

 

The following cloud storage services offer HIPAA support that include BAAs and encryption of data in transit and at rest:'

 

Dropbox (Business)

The company announced support of HIPAA and HITECH Act compliance in November 2015. It now provides BAAs for Dropbox Business customers. Administrative controls include review and removal of linked devices, user access, user activity reports, and enabling two-step authentication.

 

The business version costs $12.50 per month per user, starting with five users. It includes unlimited storage and file recovery, Office 365 integration, advanced collaboration tools, system alerts and granular permissions.

Box

Having added HIPAA/HITECH support in 2013, Box has been actively marketing to healthcare customers. BAAs are provided for enterprise accounts. Features include access monitoring, reporting and audit trail for users and content, and granular file authorizations.

 

Box integrations include Office 365, DocuSign, Salesforce, and Google, among others. It also allows for securely viewing DICOM files (for X-rays, CT scans and ultrasounds) and for securely sharing data through a direct messaging protocol.

Google Drive

Google offers a BAA for Google Apps for Work customers. Covered apps include Docs, Sheets, Slides, and Forms as well as several other services such as Gmail. (Some core and all non-core apps from the Google App family are excluded.) Administrative controls include account activity and app activity tracking, audits, and file-sharing permissions.

 

Google Apps for Work offers two plans. At $5 per user per month, it includes 30GB of storage space. The $10 per user per month plan has unlimited storage (or 1TB per user if fewer than five users) and several advanced features such as additional administrative controls, audit and reporting for Drive, and Google Vault for eDiscovery.

Microsoft OneDrive

Microsoft supports HIPAA/HITECH by offering BAAs for enterprise cloud services, and it has some of the best security practices in the industry. The security features are the most robust at the Enterprise E5 level, which costs $35 per user per month.

 

Enterprise E5 includes 1TB of file storage and sharing, advanced security management for assessing risk and gaining insights into threats and advance eDiscovery.

Carbonite

BAAs are provided for Carbonite for Office customers. Safeguards include offsite backup for disaster recovery; compliance with the Massachusetts Data Security Regulation, which the company says is widely accepted as the most stringent data protection in the country; and data encryption both in the cloud and on the local endpoint (as well as in transition).

 

Three office plans are offered, ranging from $269.99 to $1,299.99 per year. The first two tiers include 250GB of storage and the ultimate version has 500GB; additional storage packs can be purchased with all plans.

Your vendor’s HIPAA certification is not enough

The fact that a cloud storage provider offers BAAs, specific administrative and security controls, and encryption may not, in and of itself, make a healthcare organization HIPAA compliant by default.

 

This is how Microsoft explains it: “By offering a BAA, Microsoft helps support your HIPAA compliance, but using Microsoft services does not on its own achieve it. Your organization is responsible for ensuring that you have an adequate compliance program and internal processes in place, and that your particular use of Microsoft services aligns with HIPAA and the HITECH Act.”

 

HIPAA covered entities and business associates must carefully examine the cloud vendor’s specific provisions and policies before using a service for PHI. Ultimately, the covered entity or business associate is the one responsible for making sure all it’s regulatory mandates are being followed.

 

Making sure the PHI is encrypted in the cloud is only the first basic step. OCR also places an emphasis on risk assessment and management. Prior to adopting any new cloud service, organizations should conduct a comprehensive risk assessment and ensure policies, processes, and technology are in place to mitigate risks. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Is Your Practice HIPAA Compliant?

Is Your Practice HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

Is Your Practice HIPAA Compliant?

With considerations and requirements that can be somewhat overwhelming, achieving HIPAA compliance can be quite challenging for medical practices. Even for those well acquainted with HIPAA provisions, there’s always the possibility of gaps and weaknesses. According to the Department of Health & Human Services (HHS), an average of 1,445 complaints has been submitted each day during the calendar year 2018. This staggering statistic means there is much cause for concern.

 

Often, the missteps in HIPAA compliance aren’t deliberate or due to lackadaisical procedures, but rather the result of insufficient documentation and/or inefficient tools. The first step in determining where your vulnerabilities lie is through a Security Risk Analysis. However, a Risk Analysis is often considered the Achilles heel for practices, requiring substantial documentation on multiple processes and contingencies. While the many complex layers of a Risk Analysis present multiple opportunities for errors to occur, its importance in passing audits and being prepared is invaluable.

 

Security Risk Analysis

The Office of Civil Rights (OCR) has determined that the Risk Analysis, which is derived from the Security Rule, to be the foundation of a HIPAA-compliant program. The Risk Analysis and its significance in HIPAA compliance impacts every part of the healthcare ecosystem. There are no opt-outs of HIPAA compliance, no matter the size of an organization or any other influencing factors. Every organization that transmits any Personal Health Information (PHI) in an electronic format or in data content in connection with a transaction for which HHS has adopted a standard, must be HIPAA-compliant. This includes providers such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, HMOs, company health plans, government and military/veteran health care programs, health care clearinghouses, and/or MACRA/MIPS participants.

 

In straightforward terms, per the HHS site, the purpose of the Risk Analysis is to “conduct an accurate and thorough assessment of the potential risk and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].” To ensure that information is protected and safeguarded by HIPAA standards, the Risk Assessment takes into account three separate organizational areas: physical, technical, and administrative. Each division must have its own plan for compliance, detailing both strengths and possible weaknesses. It’s also not a one and done type of exercise–plans must evolve throughout a healthcare organization’s lifespan.

 

Risk Analysis and Meaningful Use

In today’s medical profession, failing a Meaningful Use (MU) audit isn’t as uncommon as one would hope. In fact, the Morning eHealth section of Politico magazine reported that according to Centers for Medicare & Medicaid Services (CMS) data, 209,000 doctors and providers were penalized for failure to meet MU standards in 2014, which is approximately two in five physicians practicing in the U.S. Failing a Meaningful Use audit often comes down to the same weak link—either the lack of, or the insufficiency of, a practice’s Risk Analysis. And further reports on 2016 HIPAA audits by HHS.gov have found that organizations did not have an adequate Risk Analysis 83% of the time. As the foundation for HIPAA compliance, it’s simple to see that Risk Analysis deficiencies can impact many other components of the compliance network as well.

Risk Analysis: The Center Piece of a Much Bigger Compliance Puzzle

Risk Analysis sets the tone for HIPAA compliance and having a sound plan that details strategies in all three areas are essential. However, many other pieces must fit together to complete the puzzle. Remaining compliant is an ongoing act of vigilance. Policies and procedures must be drafted that define processes to safeguard PHI, and should include Disaster Recovery and Business Continuity Plans—compliance must continue even when the worst scenario occurs. In addition, everyday operating initiatives must be supported, such as password protocols and staff training. In fact, staff should be trained in PHI security within 90 days of hire, with continued education scheduled on an annual basis.

 

Furthermore, organizations should set in place routine procedures to ensure patients sign required HIPAA-related notices and forms, during both new patient onboarding, and on an annual basis going forward. It is also essential to regularly verify that vendors and other providers that interact with a patient’s PHI are not only HIPAA-compliant but have executed Business Associate Agreements to offset any liability in the case of a breach. Lastly, retaining HIPAA documentation in both hard copy and digital means practices have information readily accessible to confirm compliance.

Ensure Compliance: Join ChartLogic’s Webinar “Are You HIPAA-Compliant?”

In today’s modern electronic healthcare world, HIPAA compliance is mandatory, crossing all sectors of the healthcare industry. To avoid costly penalties, data violations, and breaches in doctor-patient trust, small practices, and large organizations alike must keep current with the HIPAA landscape and ensure that weaknesses in their systems are turned to strengths.

Join a free webinar hosted by Abyde & ChartLogic to learn more about Security Risk Analysis and other related HIPAA requirements. In this complimentary educational HIPAA compliance webinar, other topics covered will include:

  •  HIPAA Privacy & Security Rules simplified
  •  MACRA/MIPS & Meaningful Use HIPAA Compliance requirements explained
  •  Statistics from the most recent HIPAA audits
  •  Passing an audit
  •  Software solutions for HIPAA compliance

 

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Navigating Mobile Devices and HIPAA

Navigating Mobile Devices and HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

The mobile technology revolution has impacted nearly every industry across the globe, with healthcare being no exception. Hospitals, clinics, and providers have all quickly embraced the use of smartphones and other mobile devices along with the convenience of accessing important medical information quickly.  

Many healthcare organizations are capitalizing on the benefits that mobile devices provide by permitting physicians, nurses, and other healthcare staff to bring their own personal devices (BYOD) to use at work. Other organizations choose to provide their staff with company-owned mobile devices, finding it easier to maintain control and protect their networks. 

 

Although the convenience of mobile technology provides many advantages, it also comes with risks. If mobile data security measures are inadequate, covered entities are at risk of violating HIPAA regulations that can incur heavy fines. HIPAA fines of up to $1.5 million per violation category, per year that the violation has been allowed to persist can be issued by the HHS. In addition, other federal agencies can issue fines, such as the state attorneys general. There is also the considerable cost of a breach response to cover if data is potentially exposed. 

 

The majority of mobile devices do not have robust security controls which can allow devices to be easily compromised. For example, if an unprotected device connects to a network via public Wi-Fi, there is an increased risk of theft. Cybercriminals view mobile devices as an accessible entry point into healthcare networks allowing them to access valuable electronic Protected Health Information.

 

As mobile devices are rapidly becoming an integral part of daily healthcare operations, it is important that organizations fully comprehend healthcare mobile security. (1) HIPAA covered entities that choose to use mobile devices in the workplace must implement controls to protect patient health data.  (2) It is also necessary they review and address all potential mobile data security risks.

 

The HIPAA Security Rule does not require specific technology solutions when it comes to technical safeguards for mobile devices. However, HHS does require organizations to implement reasonable and appropriate security measures for standard operating procedures. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Why Your Dental or Medical Website Needs To Be HIPAA Compliant?

Why Your Dental or Medical Website Needs To Be HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

As the digital world becomes ever more entrenched in our lives, so does crime and information gathering start becoming more advanced. Patient privacy is a serious issue, and while the majority of websites can safely be hosted on the internet without special considerations regarding safety and security, healthcare has no such luxury. In fact, it is vital that all healthcare websites take extra steps to secure their site to be HIPAA compliant.

 

HIPAA And You, What Is It Exactly?

Developed some years ago, HIPAA stands for the Health Insurance Portability and Accountability Act (HIPAA) and was established to provides guidelines and regulations on the security of the personal information of patients. Two elements of this rule create conditions that must be met to be found in compliance with HIPAA rules. These rules are the Privacy Rule, outlining the protection of your patient’s private health information, and the security rule describing the requirements for data security measures.

 

How Can I Make My Website HIPAA Compliant?

It begins with going beyond basic encryption, websites that seek to be HIPAA compliant have to invest in higher level security measures. The only way you can avoid this as part of the medical industry would be if your site doesn’t do any collection or providing of personal information, and avoiding any third-party transactions of data.

 

The first step to securing your website is to utilize SSL security or Secure Sockets Layer. You’ve likely noticed sites like this when they contain the https:// prefix instead of http://. Those sites that have an SSL certificate encrypts communication between the web browser and the server. This is required to be found in compliant with HIPAA laws.

 

You can also make sure that your site is HIPAA compliant by using high security data collection forms that provide additional protection. The basic CMS (Content Management System) provided with most web hosts don’t provide that level of security, so it’s often wise to select a third party form builder that meets the requirements of HIPAA. 

 

Healthcare Website Design

HIPAA compliance is a vital element of your design for a healthcare website, especially as access to technology increases and becomes further integrated with our day to day lives. It is your responsibility as the owner of the website to ensure that your security system meets the strident requirements of this act. Whether you’re a public institution or serve the community as a private practice, your website design company can aid you in providing a secure website that will be approachable and informative for your clientele while maintaining the necessary security protocols.

 

Don’t put your practice at risk with a site that doesn’t protect your patients information appropriately,  To begin designing an attractive website that will serve your patients with the security and peace of mind they deserve. Violations of HIPAA are a serious concern and can result in costly fines and, more importantly, the compromising of your patients privacy.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

9 keys to having a HIPAA-compliant cloud

9 keys to having a HIPAA-compliant cloud | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organizations are increasingly open to the idea of using public cloud services, whether it be applications or infrastructure. But to do so requires thorough planning and vigilant execution of IT operations.

 

Chris Bowen, founder and chief privacy and security officer for ClearDATA, a company that helps healthcare organizations use public cloud services, provides nine examples of controls that can be put in place. 

 

  1. Implement audit controls: Use tools such as AWS’ Cloudtrail and S3 buckets as key components of a logging infrastructure.
  2. Review system activity: Leverage audit logs to enable the review of activity within your system.
  3. Identity and Access management control: Keep track of every user who logs into a cloud environment and what they do; alert administrators if settings are changed. 
  4. Disaster recovery: Ensure there are backups of all data to satisfy contingency plan requirements, including emergency mode operation.
  5. Evaluate your security posture: Conduct vulnerability scans, penetration tests, and code scan on systems processing Personal Health Information (PHI).
  6. Establish a proper Business Associate Agreement: Outline key responsibilities between you and your vendors. These should address responsibilities for keeping data safe, how to provide patients with access to their data, and what to do in the case of a data breach.
  7. Access Controls: Ensure users are unique and logged. Enable auto logoff features, robust authentication features, and stateful security groups.
  8. Encrypt PHI and other sensitive data: Encrypt all data in motion and in rest using a purpose-designed approach.
  9. Ensure transmission security: Effectively enable the proper encryption of data in transit using AES 256 encryption (SSL and TLS) as well as object keys where feasible.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA as an umbrella for county/municipal cybersecurity

HIPAA as an umbrella for county/municipal cybersecurity | HIPAA Compliance for Medical Practices | Scoop.it

Are you a covered entity?

Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.

 

How do you know if you have or are a CE? If some department or division within your organization is a health care provider, a health plan or a health care clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), health care clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.

Are you in compliance?

If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.

 

In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?

 

I suspect what often happens is that executives look at something like information security policy requirements and say:

This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.

 

What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.'

Trust but verify

There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances, and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.

Extend HIPAA to your enterprise

If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that level while also getting compliant with federal law.

 

Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted good practices.

Develop your policy with the HIPAA Security Rule

There are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.

The original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards; Final Rule, is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix on page 48 (8380 of the federal register).

The security standards in HIPAA are broken down into three sections, each of which has multiple layers and subcomponents:

  • Administrative Safeguards (9 components)
  • Physical Safeguards (4 components)
  • Technical Safeguards (5 components)

 

These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.

 

Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.

 

These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.

Next Steps

1. Find out where your organization stands in terms of information security policies and procedures.

2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?

3. Meet with your IG committee to discuss your findings.

4. If you don’t have an IG committee — start one!

5. Download and review the HIPAA Security Rule. Use it to build your organization’s information security policies.

6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintaining continuous improvement.

7. Begin building a culture of security in your organization.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Easiest Complete HIPAA Compliance Checklist You'll Ever See

The Easiest Complete HIPAA Compliance Checklist You'll Ever See | HIPAA Compliance for Medical Practices | Scoop.it
The Best HIPAA Checklist Is…HIPAA Itself?

Yes, basically. First, let’s make sure we’re on the same page about what HIPAA is exactly. HIPAA is federal legislation, as is the HITECH act that updated parts of it. Title II of that legislation relates to the privacy and security of protected health information, and this is the meat of what most physicians need to care about when “HIPAA compliance” comes up.

 

Title II of HIPAA also requires HHS to create federal regulations that implement the ideas in the rest of the act. These regulations spell out exactly what healthcare providers must do, and they are now complete and published in the Code of Federal Regulations (CFR),

 

Luckily, HHS also grouped these regulations into six sections, called “rules,” and these are really the ultimate HIPAA compliance checklist. If you can understand and comply with each of these six rules, you’ll have a good claim to HIPAA compliance. So let’s do it; let’s count down the checklist that HHS gives us:

The Six Rules of the HIPAA Compliance Checklist:

#1: Standardize Your Coding and Electronic Transmissions

This one is easy. HIPAA seeks to make sure that everybody is communicating about healthcare issues in one unified way, and regulations in its “Transactions and Code Sets” rule accomplish this.

One part of this rule specifies what code sets are allowable for describing medical data, including ICD-CM for conditions, NDC for drug names, and CPT/HCPCS for procedures. Another part then defines and mandates the specific electronic transmission formats that can be used to convey the encoded data.

 HIPAA Checklist: How to Comply with Rule 1

  1. Use a compliant electronic health record (EHR).

Simply pick a modern EHR to use in your practice. They will typically use the correct encoding and transmission formats automatically, and you can confirm this with the vendor before you buy anything.

That’s it. Done. Check.

#2: Get Unique Identifiers for You and Your Organization

In the “Identifier Standards” rule, HIPAA mandates that every individual or organization that renders healthcare have a unique 10-digit National Provider Identifier (NPI). Type 1 NPIs are for individuals, and type 2 NPIs are for organizations. NPIs are used in encoding and transmitting healthcare data, and they help enforce clarity. Two doctors may have the same name and practice in the same city, but their differing NPIs will ensure that they are not mistaken for one another.

 HIPAA Checklist: How to Comply with Rule 2

  1. Make sure that all HIPAA-covered entities in your practice have an NPI.

You probably already have an NPI. If you don’t,  you can get one through the National Plan and Provider Enumeration System (NPPES) that HHS runs.

That’s it. Done. Check.

#3: Protect Your Patients’ Privacy

The HIPAA Privacy Rule, in conjunction with the HIPAA Security Rule, constitutes the most important part of HIPAA for most providers. Fundamentally, the Privacy Rule is all about individuals’ health information, termed “protected health information (PHI).” The rule spells out how healthcare entities may use PHI, and it also delineates patients’ rights to be informed of and control those uses.

HHS has written an important summary of the Privacy Rule, and it’s worth a read. High-level points from the summary to internalize:

  • The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information “PHI.”
  • A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A [healthcare] entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish [an intended purpose].
  • Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI and any of its uses and disclosures. They may also demand corrections to it.
  • Each [healthcare] entity, with certain exceptions, must provide a notice of its privacy practices.

 HIPAA Checklist: How to Comply with Rule 3

  1. Designate a “privacy official” in your organization who will be tasked with developing and implementing your privacy policies and procedures and ensure that this person is available to receive requests and complaints related to the Privacy Rule.
  2. Understand the definition of PHI and identify information in your practice that is PHI.
  3. Keep a record of all uses and disclosures of PHI in your practice.
  4. Understand the things your practice must do under the Privacy Rule, especially including those things that relate to your patients’ control over their own PHI.
  5. Understand the things your practice may do under the Privacy Rule, especially including those uses and disclosures of PHI that are allowable without explicit, written patient consent. Always use the concept of “minimum necessary” to guide your uses and disclosures.
  6. Identify your “business associates,” as defined by HIPAA. If another company interacts with PHI from your practice, they are likely a business associate, and you need to have a formal “business associate contract” with them that extends the duties of HIPAA to their operations.
  7. Create a Notice of Privacy Practices. This must contain specific items, and it’s best to start with a template that HHS provides. Know when, where, and to whom this notice must be made available.
  8. Implement administrative, technical, and physical safeguards to prevent impermissible intentional or unintentional use or disclosure of PHI. These should also act to limit incidental uses or disclosures.
  9. Ensure ongoing training of your practice’s workforce on your privacy policies and procedures.
  10. Have your privacy official create and maintain a written document of the policies and procedures that you have developed to accomplish the above items.

Well, this section was a bit longer than the first two, but that’s because the Privacy Rule is so crucial to HIPAA. It is, unfortunately, also critical that you review the Privacy Rule yourself. The checklist above is a good start on minimum necessary activities, but there is no perfect, comprehensive checklist that will work for every type of practice. HIPAA is about ensuring best practices in every type of healthcare provider, and there is no substitute for figuring out what that means for you and your exact practice.

HHS states that the Privacy Rule is comprised of 45 CFR Part 160 and Subparts A and E of 45 CFR Part 164, and you can refer to these directly or, at least, to the HHS Privacy Rule summary to make sure that you are creating and following all of the privacy policies and procedures that your specific practice needs.

#4: Secure Your Electronic Medical Information

The HIPAA Security Rule is a nitty-gritty rundown of “the technical and non-technical safeguards that organizations […] must put in place to secure individuals’ electronic PHI.” That quote comes directly from a Security Rule summary that HHS has written, in which they explain that the Security Rule takes the somewhat amorphous concepts of the Privacy Rule and lays out a more exact framework to implement them.

Unlike the Privacy Rule, which applies to all PHI, the Security Rule applies only to PHI that your practice “receives, maintains or transmits in electronic form.” To comply with the Security Rule, your organization must adopt an ongoing process of risk analysis that has the following general form:

  1. Assess risks to electronic PHI in your organization, the current state of your security measures, and any gaps between the two
  2. Implement “administrative, technical, and physical safeguards” to address the gaps
  3. Document all of steps 1 and 2 and keep the records
  4. Repeat steps 1 to 3 on a periodic basis

That’s it, really. And continuing their pattern of being hugely helpful, HHS has created a seven-part educational paper series that will walk you through this. For the checklist in this section, we’ll lean on these papers heavily…since HHS literally provides checklists in them.

 HIPAA Checklist: How to Comply with Rule 4

  1. Perform a risk analysis for electronic PHI in your organization
  2. Implement safeguards to address security gaps identified by the risk analysis:
    1. Administrative
    2. Physical
    3. Technical
  3. Make sure everything is documented appropriately
  4. Repeat steps 1 to 3 on a periodic basis

Each HHS document linked above has a reproduction of Appendix A of the actual Security Rule, which is effectively a checklist of necessary items to consider for the administrative, physical, and technical safeguards that you need. Some of the documents extend this list with other items, such as the document linked in step 3 above.

As with the Privacy Rule, it’s important that you read the Security Rule yourself at least one time. HHS wrote the rules generally so that they could function for organizations of any size, from one person to thousands, and because of this, only you can decide exactly how your organization can best comply. Per HHS, “The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.” And again, they’ve also written a summary of it.

#5: Understand the Penalties for Violations

The HIPAA Enforcement Rule (codified at 45 CFR Part 160, Subparts C, D, and E) establish procedures for the investigation of possible HIPAA violations and sets civil fines for infractions. Fines can be up to $50,000 per violation per day, so it can add up quickly and is not a joke. Violations can also carry criminal penalties, including fines and jail time, but these are not covered by HHS regulation.

 HIPAA Checklist: How to Comply with Rule 5

  1. You don’t have to do anything ahead of time

If HHS investigates your practice, then this rule becomes relevant to you, but there’s nothing here that you need to do proactively.

#6: Learn How to Handle Information Breaches

The HIPAA Breach Notification Rule (codified at 45 CFR §§ 164.400-414) requires healthcare organizations to provide notification after breaches of PHI. A “breach” is, basically, an impermissible use or disclosure of PHI, as detailed in the HIPAA Privacy Rule. Depending on the type of breach, the notification might need to be made to the affected individuals, the media, or the HHS Secretary. HHS has further guidance available on the topic.

 HIPAA Checklist: How to Comply with Rule 6

  1. You don’t have to do anything ahead of time

Once again, you only need to worry about this rule if you identify a PHI breach, which you should be monitoring for as part of your compliance with the HIPAA Privacy Rule and Security Rule.

 

HIPAA compliance is all about adopting good processes in your organization, and HHS has laid out a path to compliance that is nearly a checklist. All you have to do is follow it.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Our Partners at Compliancy Group Help Client Pass HIPAA Audit

Our Partners at Compliancy Group Help Client Pass HIPAA Audit | HIPAA Compliance for Medical Practices | Scoop.it

Compliancy Group announced today that it has helped a long-time client pass a HIPAA audit. The Department of Health

and Human Services (HHS) Office for Civil Rights (OCR) investigation into a potential HIPAA violation resulted in no fine for a user of their web-based compliance solution, The Guard.

HIPAA audits target hundreds of healthcare professionals a year, according to the HHS Wall of Shame.

 

Compliance Group is the only HIPAA solution on the market today that gives clients access to a HIPAA Audit Response Program (ARP). The Compliance Group HIPAA Audit Response Program gives clients the ability to formulate all the necessary reports that OCR auditors are requesting in order to illustrate their compliance efforts. Compliance Group’s team of expert Compliance Coaches gather the reports and adhere to strict audit deadlines to ensure that clients stand their best chance at emerging from an audit without being fined.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Alliance Marketplace Connects CEs and BAs

HIPAA Alliance Marketplace Connects CEs and BAs | HIPAA Compliance for Medical Practices | Scoop.it

For many healthcare providers, finding HIPAA compliant business associates poses a significant challenge–one with implications on the security of their sensitive healthcare data. The newly launched HIPAA Alliance Marketplace is a platform that simplifies the process for covered entities to find HIPAA compliant business associates.

 

Health care providers can connect with healthcare vendors like never before with confidence that their prospective business partners will keep their data safe and secure.

 

Access to the marketplace is limited to vendors that have been verified by the Compliance Group HIPAA Seal of Compliance. The HIPAA Seal of Compliance is the industry standard, third-party HIPAA verification tool used by health care providers and vendors across the country. The Seal of Compliance demonstrates that the organization in question has executed all of the necessary standards mandated by HIPAA regulation.

 

Vendors can use the marketplace to break into the valuable healthcare market. Whether already HIPAA compliant, or just starting on their journey, vendors can speak with one of Compliance Group’s HIPAA experts to determine the status of their compliance and get listed on the marketplace today.

About the HIPAA Alliance:

 

The HIPAA Alliance Marketplace is a closed ecosystem that allows healthcare professionals (covered entities, CE) to find HIPAA compliant solution providers (business associates, BA). HIPAA compliant vendors in the HIPAA Alliance Marketplace are heavily vetted against the HIPAA rules and verified by the Compliance Group HIPAA Seal of Compliance

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Why Small Medical Practices Struggle with HIPAA Compliance 

Why Small Medical Practices Struggle with HIPAA Compliance  | HIPAA Compliance for Medical Practices | Scoop.it

Over the past couple of years, cybercriminals have increasingly targeted healthcare organizations for the volume of sensitive data they have on file. When stolen, medical records containing personally identifiable information (PII) can be used to create and sell false identities, contributing to high breach costs per record that can shut your clients’ practices down. To prevent this, it’s critical that all impacted organizations maintain HIPAA compliance, have safeguards in place and establish a disaster recovery (DR) plan.

Compliance starts with awareness, but many small practices aren’t aware that they’re falling short in this area. That’s where you come in. You’re in the unique position to help clients take the proper steps towards HIPAA compliance and ensure that all guidelines are being followed. So how can you relay that message in your next MSP sales presentation? To help you get started, we’ve pulled data from NueMD’s 2016 HIPAA Survey. Leverage this chart to show clients and prospects that you are the data security solution they need to stay HIPAA compliant!

 

When presenting this chart in your proposal, use these talking points to illustrate how you can help clients maintain HIPAA compliance:

 

  1. A surprising 60 percent of respondents aren’t even aware of the new HIPAA audits that were launched in phase two. This is a huge problem, especially if you’re part of that 60 percent because you could be fined up to $50,000 per violation for not even knowing you violated HIPAA regulations. To avoid this, rely on us to be your trusted resource. We’re always up-to-date on the current compliance standards, and we can even perform a HIPAA audit that not only assesses whether your practice is compliant, but provides corrective action and possibly uncovers security issues to help you avoid potential data breaches. (Continuum offers a HIPAA Assessment Tool, which allows you to expand your service portfolio, generate additional revenue and most importantly, helps your clients survive an OCR audit.)

  2. While we help you remain HIPAA compliant through proactive and preventative IT management services and support, you also have to be prepared when disaster strikes. Sometimes cyber attacks are successful or data is compromised internally by accident. To mitigate the damage (both to your finances and reputation) and remain HIPAA compliant, you need a comprehensive DR plan. However, as this chart shows, 30 percent of respondents have yet to create a said plan – meaning they could be found in violation of HIPAA law. Rather than assume the same risk with our backup and disaster recovery (BDR) solution and services, we’ll ensure patient data is securely backed-up and easily restorable.

  3. HIPAA compliance is an organization-wide responsibility. You need to ensure that your staff knows how to handle sensitive data and understand the need to secure it. Partner with us to prevent yourself from becoming like the other 42 percent of respondents who do not provide annual compliance training for their employees. We regularly help conduct training courses and seminars with your employees so they can better understand how their behavior impacts data security. With our ongoing education, we help your employees do their part in maintaining HIPAA compliance, explaining best practices when creating login credentials, sending emails, receiving unknown links or seemingly harmless attachments and more. 

  4. With 80 percent of respondents being unconfident that their mobile devices are HIPAA compliant, there’s a clear need to protect those endpoints that have access to patient data. With a service such as mobile device management (MDM), you'll be able to remotely lock down and wipe the device, should it be compromised. MDM is an added security measure that ensures you’re doing all you can to keep sensitive data protected.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Is Your Medical HIPAA Compliant Website Protected? 

Is Your Medical HIPAA Compliant Website Protected?  | HIPAA Compliance for Medical Practices | Scoop.it

Every physician and medical administrator that we know is intimately—often, intensely—aware of HIPAA’s privacy and security rules. There isn’t a policy, procedure or process that isn’t carefully scrutinized as HIPAA compliant.

 

This isn’t legal advice, but healthcare professionals know that protected health information (PHI) and electronic protected health information (ePHI) need to be on the safe side of the Health Insurance Portability and Accountability Act and the Department of Health and Human Services.

 

But, physicians and medical administrators also realize that, in an Internet-driven world, confidentiality, privacy, and data security are vastly larger, dangerous and more complex issues. What’s more, hospital data and medical records are attractive targets for cyber theft and ransomware attacks.

 

If regulations, compliance and digital security issues aren’t compelling enough to keep you awake at night, consider this: What if your website and digital presence are not HIPAA compliant? Many ordinary, and innocent appearing, healthcare websites are not secure, or inadvertently fail to safeguard all “individually identifiable health information.”

 

Being HIPAA compliant is vital to every medical website…

Check with your own legal advisor, but here are some of the ways that medical websites, and HIPAA compliance, can be at risk:

Are files, storage, and transmissions secure? Data that is “in the open” (without encryption or SSL/Secure Socket Layer) is at risk. An important compliance checkpoint is having all sensitive material encrypted and secure, particularly when transmitted over the Internet.

 

Some forms can put you at risk. Generally, when a patient or prospective patient completes an online form—even elementary info such as name, phone number, email—it may be advisable to provide the data with the same level of protection as ePHI. More specifically, “individually identifiable” and “protected health information” is likely to meet the definition of electronic protected health information.

 

Social media can be a danger zone. Social media is a useful tool to talk about many things under the broad medical umbrella. That said, anything that is specific to an individual patient or identifiable info—even photographs—can violate personal privacy.

 

Use caution responding to online comments and review sites. It can be tempting to use specific, “he-said-she-said” replies to Internet-posted comments—especially negative mentions. It’s OK to be responsive, but a provider’s reply must avoid reference to a specific, identifiable or individual patient. Even acknowledging that someone is a patient would be inappropriate.

 

Your favorite iPhone or Blackberry is a target for theft. Mobile devices—a favorite among doctors—are compact and easily “snatch-able,” and that opens the door to cyber theft of stored or access information. What’s more, mobile devices themselves that are used to exchange doctor-patient communications may not be secure or HIPAA compliant.

Look for additional articles in this series…

There’s no question that compliance is vitally important for hospitals, group practices, and healthcare providers. In addition, medical websites are an important connection between the professional and the public. HIPAA’s privacy and security rules are a critical consideration. Check with your legal advisor and avoid compliance issues online.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Are You Feeling Confident About Your HIPAA Compliance? 

Are You Feeling Confident About Your HIPAA Compliance?  | HIPAA Compliance for Medical Practices | Scoop.it

A friendly reminder that, with the recent HHS Office of Civil Rights announcement, covered entities may soon be facing some unwelcome audits. Now’s the time to review compliance.

 

HIPAA compliance can sometimes feel like changing the oil in your car: inarguably necessary, a serious problem when left unchecked, yet tedious enough that some are willing to let the task slide. The difference, of course, is that one is bad for your engine while the other is a federally mandated and legally enforceable standard.

Friendly reminder: the HHS Office of Civil Rights (OCR) recently announced the Phase II launch of its HIPAA audit program, part of the 2009 HITECH Act. And with their finalized Audit Protocol published on April 8th, all signs point to the OCR soon getting down to brass tacks.

 

This needn’t be cause for alarm. But if covered entities or their business associates haven’t recently ensured that their compliance is watertight — especially regarding the measurement of referral and appointment activity — there’s definitely no time like the present.

There’s No Reason for Panic — Just Preparation

Audits are tentatively set to begin sometime in May, according to OCR official Devin McGraw via Politico, at which point randomly selected covered entities will receive an email announcing their fates (they recommend checking spam folders).

Business associates, who are also subject to individual audits, will be subject to audits in June or July. The agency plans to conduct roughly 200 remote desk audits, to be completed by December 2016, and anywhere from 10-25 “full scale” field audits thereafter, according to Healthcare Info Security. If you’re uncomfortable with the vagueness of this plan, you’re not alone.

The good news is that the majority of organizations will not be audited. However, if selected, entities will have a mere ten business days to prepare and submit all relevant documents via a secure online portal. Desk audits may (or may not) entail just a review of policies, or pertain to only one of the three HIPAA Rules: Privacy, Security, or Breach Notification. However, certain charmed organizations may, in fact, get to experience the unique joy of both desk and on-site audits.

Possibility for Consequences?

Officially, Phase II OCR audits are relatively benign, designed to “develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.” Nevertheless, they will open a formal investigation, should they find a “serious compliance issue,” however defined. And while OCR won’t publish the audit results (or even list which companies are audited), the whole process is subject to the Freedom of Information Act (FOIA), which means that journalists or other public agents can legally publish results. 

 

You may recall that 115 covered entities were audited in 2011 during Phase 1 of program, unearthing major compliance breaches; 89% were found to have compliance issues, and smaller organizations tended to struggle in multiple areas. 

Given the involvement of business associates — many of whom are not primarily dedicated to healthcare — one of the most difficult compliance aspects to cover will be Protected Health Information (PHI) and ePHI (electronic PHI). For instance, if your marketing agency measures referral and appointment activity, they’re likely in the domain of PHI and will need to be in solid compliance.

 

The bottom line is that if you haven’t implemented HIPAA privacy and security policies and procedures, recently conducted an inventory of relevant assets, or regularly completed risk assessments, then now is probably your last chance to do so before the audit process begins.

 

In the end, however, integrating a comprehensive HIPAA compliance program will keep you from running afoul of any regulatory standards that may come down the pipeline. The HHS is only conducting these audits in order to better enforce compliance standards in the future. So while you may or may not be audited this year, you and your digital marketing vendors must be prepared to stand up to scrutiny at any time.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.