HIPAA Compliance for Medical Practices

What All Healthcare Companies Need to Know About HIPAA Compliance 


Safeguarding protected health information is becoming more challenging every day, especially for companies operating in healthcare verticals that do not always realize HIPAA applies to them. Yet under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), companies that create, receive, maintain or transmit protected health information on behalf of a covered entity are categorized as “Business Associates” (BAs) and, as such, are directly required to comply with the HIPAA Security Rule and the applicable provisions of the Privacy Rule.


What kind of healthcare companies does this include? The short answer: more than you think. Anyone operating in a healthcare vertical who has access to electronic protected health information (ePHI), and any organization that stores, transmits or receives ePHI on behalf of a covered entity, falls within scope.

Companies operating in the healthcare space who are subject to HIPAA rules can include (but are not limited to) organizations that provide the following services:

  • Revenue cycle management
  • Coding/Documentation services
  • Collection and A/R recovery services
  • EHR software and solutions
  • Patient records management services
  • Document management services
  • Medical software and SaaS services
  • Mobile healthcare services or applications
  • Healthcare IT services
  • Practice management services
  • Contract management services
  • Radiation document and image management services
  • Health plan administration and services

These are only some of the service categories whose providers may be Business Associates under HIPAA. Any company that provides services to organizations HIPAA defines as “Covered Entities” may well find itself subject to compliance obligations with which it is not familiar.


HIPAA defines “Covered Entities” as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit health information in connection with transactions for which HHS has adopted standards. The HIPAA Omnibus Final Rule goes into stipulations for Business Associates in greater detail. What BAs should take away from the Final Rule is that they may be held liable in the event of a HIPAA breach in many of the same ways that Covered Entities (CEs) may be.


The risks and costs of being found non-compliant can be steep. The Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) recently agreed to a settlement for potential HIPAA violations caused by the theft of a mobile device that contained the ePHI of 412 patients. According to the U.S. Department of Health and Human Services notification, the CHCS provided management and information technology services as a Business Associate to six skilled nursing facilities. The settlement included monetary payment of $650,000 and a corrective action plan.

In a statement on this case, U.S. Department of Health and Human Services Office for Civil Rights (OCR) Director Jocelyn Samuels said, “Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities. This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”


Healthcare companies, vendors, or providers who qualify as Business Associates must execute a HIPAA Business Associate Agreement (BAA) with the covered entity. The BAA is an integral part of any contract for services, products, or applications that involve PHI. It must spell out the BA's permitted uses and disclosures of PHI, require the BA to report breaches and other security incidents to the covered entity (including ones caused by the BA's subcontractors, who must be bound by the same terms), and require the BA to make its internal practices, books, and records available to HHS so that compliance can be determined in an audit or investigation by the Office for Civil Rights (OCR).

HIPAA holds Covered Entities responsible for their own data breaches, as well as for many of the things over which their BAs have direct control. If a CE is audited, its BAs may be required to produce certain files or documents on a very short timeline. The BAA therefore acts much like a service level agreement (SLA) that ensures these and other obligations will be met promptly.

For companies of all types and all sizes, this is serious business—and the regulatory authorities are intensifying their focus on any business operating in the healthcare space as it relates to compliance. Fines are being assessed with increasing regularity and all businesses operating in the healthcare space should take note.

To illustrate the importance of having a BAA in place, a Raleigh, N.C. orthopedic clinic agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

HHS provides a template for business associate agreement language on its website to help covered entities and business associates execute agreements that address the business associate contractual requirements.


Compliance with HIPAA regulations is a long-term process and at times can feel overwhelming. Yet, for companies operating in the healthcare industry, the risks associated with non-compliance are huge. Staying apprised of changes to HIPAA regulations can be a daunting task, but here are some actions you can take to make sure you know the latest.

  1. Know Where to Find Resources. The Office for Civil Rights (OCR) provides a wealth of online information about safeguarding ePHI, including FAQs, guidance, and technical assistance materials. One easy way to stay updated is to sign up for the OCR announcement-only Privacy and Security Listservs.
  2. Ask Questions. It is critical that you ensure any BAs with whom you work fully understand their responsibilities and obligations regarding compliance. Take the time to ask and answer questions and highlight the HIPAA compliance requirements for business associates. These questions can include:
  • What is your risk analysis plan?
  • Do you encrypt your devices?
  • What are your disclosure policies?
  • What are your IT practices?
  • How do you handle server maintenance and backups?
  • Do you or your employees use personal devices for ePHI?
  • What are your password policies?
  • Describe the company's physical security.
  • Do you do background checks on your employees?
  • What kind of training do you provide your employees?
  • What is your breach mitigation plan?
  3. Explore HIPAA Compliant Hosting. HIPAA compliant hosting can alleviate some of the concerns that accompany being a business associate in a healthcare vertical. By working with a hosting provider that employs HIPAA compliance processes, healthcare-focused companies can construct a comprehensive plan that, when combined with workplace safeguards and internal best practices, allows vendor partners to reach HIPAA compliance collaboratively. This collaboration is key, since HIPAA compliant hosting alone cannot eliminate risks that exist inside the workplace. However, it can help mitigate threats to ePHI and also afford easier access to and management of a company's IT infrastructure.

By taking action to evaluate your organization’s level of compliance with HIPAA rules—and that of any business associates with whom you work—and staying on top of HIPAA regulation changes and updates, you will ensure your company is maintaining the appropriate level of compliance and avoiding the risks and penalties of non-compliance.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004

HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

What Happens If a HIPAA Breach Affects Fewer than 500 Individuals at a Healthcare Facility? 


If your healthcare practice must comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations, a breach of protected health information may require patient and government notifications.  

HIPAA provides data privacy and security provisions for safeguarding medical information, and if that information is compromised either through a breach of your information system or sheer carelessness on the part of an employee, you may be subject to heavy monetary penalties.

But what qualifies as a HIPAA breach, what happens if it affects a limited number of your patients, and what are you required to do?

Rules That Apply

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. Such an impermissible use or disclosure is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least these factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

2. The unauthorized person who used the protected health information or to whom the disclosure was made;

3. Whether the protected health information was actually acquired or viewed; and

4. The extent to which the risk to the protected health information has been mitigated.

Those affected by this rule have discretion to provide the required breach notifications without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.” The first applies to “the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”

The second exception involves “the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.”

In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

The final exception applies “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.”

In addition to notifying affected individuals and the media (when appropriate), you must notify the Office for Civil Rights (OCR) of breaches of unsecured protected health information by visiting the Health and Human Services (HHS) web site and filling out and electronically submitting a breach report form. If the breach affects 500 or more individuals, covered entities must notify OCR without unreasonable delay and no later than 60 days following discovery of the breach.

Deadline Approaching

If the breach affects fewer than 500 individuals, your practice must notify OCR no later than 60 days after the end of the calendar year in which the breach was discovered. This means that if your practice experienced a breach affecting fewer than 500 individuals last year and has not reported it yet, you have until March 1, only a few days away, to file the notification.

If you experience a breach affecting more than 500 residents of your State or jurisdiction, you must also provide notice to prominent media outlets serving the State or jurisdiction, in addition to notifying the affected individuals. This notification will likely take the form of a press release to the appropriate media outlets; it must be provided without unreasonable delay and no later than 60 days following discovery of the breach, and it must include the same information required for the individual notice.

Don’t Leave Anything to Chance

As you can see, HIPAA breach notification requirements are quite stringent and can be complex. If your practice has experienced a breach, the HIPAA compliance experts and former criminal investigators at Colington Consulting can rapidly respond on-site to assist your practice in conducting a HIPAA breach investigation. Their investigative process uses a systematic approach to quickly determine how the breach was caused.




What Exactly Is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law enacted in 1996; its Privacy Rule took effect for most covered entities in 2003. It ensures that patients' medical records and other health information provided to health plans, hospitals, doctors and other health care providers are protected. HIPAA is enforced by the U.S. Department of Health and Human Services and provides nationwide privacy and security standards for patient information, while giving patients greater access to their medical records and more control over how their personal health information is used and disclosed. The HIPAA Security Rule established national standards to protect individuals' electronic protected health information (ePHI) that is created, received, used, or maintained by a covered entity (a health plan, healthcare clearinghouse, or healthcare provider) or its business associates.

The HIPAA Security Risk Assessment

There are over 50 HIPAA Security Rule standards and implementation specifications that must be addressed with policies and procedures. They all apply to Covered Entities and Business Associates. The Security Rule is very detailed, and it is important that you not miss any compliance requirements.

One of the best ways to ensure HIPAA compliance is to implement a HIPAA security risk assessment. This will tell you what areas of your practice are in compliance, and which areas need corrections to be made in order to become compliant. No matter what, you want to make certain you are following all the requirements of the HIPAA Security Rule, as there are steep fines resulting from non-compliance.

The Three Parts of the HIPAA Security Rule

The HIPAA Security Rule requires a healthcare facility and its staff to implement specific safeguards in these three areas:

  • Administrative safeguards

  • Physical safeguards

  • Technical safeguards

These safeguards ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Each standard has implementation specifications that are either “required” or “addressable”. A required specification must be implemented. An addressable specification must be implemented if it is reasonable and appropriate to do so; if it is not, you must document why and implement an equivalent alternative measure where one is reasonable. Either way, your decision must be documented. Do not make the mistake of assuming that “addressable” means optional. If you are unsure whether an addressable specification applies to you, it is usually best to implement it, as most are standard best practices for a medical business.

The results of your HIPAA security risk assessment should provide you with a list of areas where you need improvement. This is where you will begin to work on policies and procedures to address the deficiencies by documenting and outlining all “required implementation specifications”, and all applicable “addressable implementation specifications” needed to become HIPAA compliant.

Just A Few Examples of HIPAA Policy Requirements

Here are a few examples of the types of Security Rule controls you will need to implement.

One of the main requirements is controlling your staff's access to patient records. The “required” Unique User Identification specification means each user must have their own login so that activity can be traced to an individual (shared accounts defeat this), and the “addressable” Automatic Logoff specification means unattended sessions should time out. Comprehensive HIPAA training for your staff is a separate administrative requirement. Staff will often find these controls inconvenient, but they must recognize that the controls protect patients, the practice, and the staff themselves: an individual login is also what clears an employee when someone else's misuse is investigated.

You must have a procedure for obtaining necessary ePHI during an emergency (the “required” Emergency Access Procedure specification). Should the power go off, do you have a backup power source? Are your records securely backed up in compliance with HIPAA? Healthcare organizations should have a contingency plan in place covering data backup, disaster recovery, and emergency-mode operations.

Encryption of ePHI at rest is an “addressable” specification, which in practice means you should encrypt it unless your risk analysis documents a good reason not to. After a risk assessment, all laptops, desktops, and mobile devices that store ePHI will typically need full-disk encryption; a lost laptop encrypted in line with HHS guidance (and without the key) is generally not a reportable breach, while a lost unencrypted one is. Do you have a firewall? Is your network reachable from outside your business? Do you have intrusion detection or prevention? Is your wireless network secured with current WPA2/WPA3 encryption? Any company that handles patient data protected by HIPAA should run a cybersecurity assessment to thoroughly check the network, determine how secure it is, and identify the measures needed to close any holes.

Audit controls, via hardware or software, must record and examine activity in information systems containing or using ePHI.
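Recording activity is only half of this standard; someone has to examine the log. The following is an added example, not code from the original article, of the kind of review a practice can run over an ePHI access log. The CSV layout, the after-hours window and the burst threshold are assumptions chosen for the example; a real EHR audit export will need its fields mapped into the same shape.

```python
"""Added example: reviewing an ePHI access log for signs of snooping.

Assumed log format (constructed for this example, not from the original
article): one CSV row per record access with timestamp, user, role,
patient MRN and an 'assigned' flag meaning the patient is on the user's
care team. Real EHR audit logs differ; map their fields into this shape.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
timestamp,user,role,mrn,assigned
2023-03-01T09:02:11,dr.lee,physician,MRN1001,yes
2023-03-01T09:05:43,dr.lee,physician,MRN1002,yes
2023-03-01T22:47:10,j.smith,billing,MRN1001,no
2023-03-01T22:48:02,j.smith,billing,MRN1003,no
2023-03-01T22:48:55,j.smith,billing,MRN1004,no
2023-03-01T22:49:30,j.smith,billing,MRN1005,no
2023-03-02T10:15:00,nurse.kim,nurse,MRN1002,yes
2023-03-02T10:16:12,nurse.kim,nurse,MRN1001,no
"""

AFTER_HOURS = (20, 6)   # flag accesses from 20:00 to 06:00 (assumed policy)
BURST_THRESHOLD = 3     # distinct unassigned patients per user per hour (assumed)


def parse_log(text):
    """Parse the CSV audit log into a list of dict rows with parsed timestamps."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        row["assigned"] = row["assigned"].lower() == "yes"
        rows.append(row)
    return rows


def is_after_hours(ts):
    """True when the access falls inside the after-hours window."""
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end


def review_access(rows):
    """Return a list of (user, reason, detail) findings.

    Three checks a reviewer would run over audit-control output:
      1. access to a patient the user is not assigned to;
      2. that access happening after hours;
      3. a burst of unassigned-patient lookups within one hour
         (the usual shape of snooping or bulk export).
    """
    findings = []
    per_user_hour = defaultdict(set)
    for row in rows:
        if not row["assigned"]:
            findings.append((row["user"], "unassigned-access", row["mrn"]))
            if is_after_hours(row["ts"]):
                findings.append((row["user"], "after-hours", row["timestamp"]))
            bucket = (row["user"], row["ts"].strftime("%Y-%m-%dT%H"))
            per_user_hour[bucket].add(row["mrn"])
    for (user, hour), mrns in per_user_hour.items():
        if len(mrns) >= BURST_THRESHOLD:
            findings.append((user, "burst",
                             f"{len(mrns)} unassigned patients in hour {hour}"))
    return findings


def flagged_users(rows):
    """Users with at least one finding, sorted, for a daily review queue."""
    return sorted({f[0] for f in review_access(rows)})


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG)):
        print(finding)
```

A billing clerk reading four patients' charts at 22:48 is exactly the pattern that the "record and examine" requirement exists to catch; the point of the thresholds is that each one is documented and tunable, so the review procedure can be shown to an auditor alongside the log itself.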

Transmission of all ePHI must be secure.

There are many other required and addressable specifications that need to be implemented. This is only a handful, to give you an idea of the types of issues you will need to address.

Once You Are HIPAA Compliant, Then What?

Once you have achieved HIPAA compliance, it is then important that procedures and policies be put into place to maintain compliance. Employers must keep a record that all employees have received proper HIPAA training. They need to understand how HIPAA is implemented in your office. If you switch IT companies, you will need to make certain that the new company is HIPAA compliant, and they will need to provide you with a Business Associate Agreement. Yes, HIPAA compliance is a never ending task for businesses that handle patient health information.

If you are concerned about understanding and meeting all of the “required” and “addressable” security standards and implementation specifications your business must have in order to be HIPAA compliant, consider bringing in Colington Consulting to review the status of your HIPAA compliance program. Colington Consulting are experts in the field who know the HIPAA rules inside and out. They will help you avoid problems and steep fines by ensuring your business is meeting HIPAA compliance requirements,  relieving you from any doubt about the status of your business’s HIPAA compliance.


HIPAA Compliance When Selling Health Care Practice 


When considering the sale of your healthcare practice (regardless of whether you are a physician, physical therapist, dentist, optometrist, etc.), you will undoubtedly be confronted by a litany of questions:

  1. Valuation – how do I ensure I get a fair price?
  2. Type of Sale – am I selling assets or majority of stock/shares/membership interest in the entity?
  3. Due Diligence – how much research and risk assessment must I do in regards to existing liabilities (for both myself and the buyer) as well as the security/financing of the buyer?
  4. Verification of State, Federal Regulatory Compliance – who is responsible for verifying compliance with Fraud and Abuse laws, Stark Law, Anti-Kickback Statute, HIPAA, Tax Exempt Status, Anti-Trust laws, etc.?
  5. Restrictive Covenant – duration? location? key employees?
  6. Assumption of risk, indemnity – how is it expressed and covered?
  7. Holdover – how long should I remain onboard and accessible to the buyer – as an employee or an independent consultant?
  8. Termination – what will trigger cancellation of the transaction?


All of these questions warrant consultation with an attorney with experience in structuring such transactions. 

However, in addition to the usual mechanics of such a transaction, you will need advice from an attorney aware of additional aspects of the healthcare profession that make the sale of a practice more difficult. Namely, you need to be aware of the requirements for patient consent to the transfer of files and for HIPAA compliance.

Notification Requirement to Patients


Pursuant to state and federal regulations, patients must be given the option to choose another health care provider and/or have a copy of their medical records sent to the physician of their choice. Specifically, medical records and other personal health information should not be transferred to another health care practitioner or practice without the patient’s informed consent. As such, when moving forward with a contemplated sale of practice, it is important that the mechanics of informing patients of the contemplated sale and providing them the option to choose their own provider is incorporated into the timing of the transaction. 

Unfortunately, this often leads to the sale of the practice taking much longer than what might be within the parties' expectations. 

Sharing Patient Files and Medical Records through Business Associate Agreement

As the above transition is unavoidable, buyers and sellers can and should plan for it. One approach is a holdover of the old practitioner within the new practice, as an employee or an independent contractor. The seller is also permitted to share his or her patient files and medical records (i.e., PHI) with the buyer pursuant to a HIPAA-compliant Business Associate Agreement. This is permitted because the buyer, as a business associate, is using the PHI from the seller for “health care operations”, a permitted use under HIPAA. “Health care operations” include business management and general administrative operations of the entity, including the sale, transfer, merger or consolidation of all or part of the covered entity with another covered entity.

The American Medical Association provides further guidance for the transfer of patient records upon the sale of a medical practice. Ethical Opinion 7.04 states, “The transfer of records of patients is subject, however, to the following: (1) All active patients should be notified that the physician (or the estate) is transferring the practice to another physician who will retain custody of their records and that at their written request, within a reasonable time specified in the notice, the records or copies will be sent to any other physician of their choice… (2) A reasonable charge may be made for the cost of duplicating records.”


Priming or Retaining Medical Records

Practitioners should also check state and federal regulations regarding recordkeeping requirements and/or retention. When selling or closing a practice, practitioners should review their medical records to ensure that the records contain all information and documentation as required by state and federal law.  

Medical record ownership is established by state law, licensing regulations, and judicial decisions. Generally, the practitioner's patient file and medical record is owned by the practitioner or corporate entity responsible for compiling and maintaining it, who also serves as custodian of its contents. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) expanded patients' rights to access, audit and amend their protected health information (“PHI”) under the HIPAA Privacy Rule. As custodian, the practitioner is responsible for informing patients in writing of that role and of how they may access their records and have the contents transferred to third-party practitioners of their choosing. Practitioners, in this dual role as custodian and owner, must take special care regarding the destruction, retention, or transfer of medical records when their practice is sold or closed.

Practitioners who are selling or closing their practice should ensure that the control, ownership and patient’s right to access their medical records is specifically addressed prior to transferring or storing any medical records in order to be in compliance with the applicable state law. 


Keeping Your Online Medical Marketing HIPAA-Compliant


Medical marketing is at least three years behind any other industry for two reasons: First, HIPAA laws determine how patient information is gathered, stored and used. Second, the FDA imposes regulations on how medical practices can market their products and services.

Each day, millions of Americans search for health information online. Because online search is a major part of healthcare consumers’ decision-making, there is a risk that their protected health information (PHI) could be accidentally exposed by a medical facility, causing a HIPAA violation.

As a medical practitioner, it is your responsibility to ensure that any protected health information (PHI) you are collecting for your patients is safe and protected. Technological advancements can certainly add more efficiency to routine operations, but new technologies may bring new concerns with HIPAA compliance.

HIPAA compliance is one of the biggest concerns for medical practitioners, and for a good reason: Privacy violations can result in severe consequences, including hefty penalties and even jail time. To make matters more complicated, the HIPAA law is vague on what actions medical practices must take to make their digital marketing efforts HIPAA-compliant.


So, what best practices can you follow to keep your online marketing efforts HIPAA-compliant?

HIPAA compliance and digital marketing

Online marketing is vital for the growth of medical practices, as many patients turn to online sources to learn more about symptoms and treatment options and to search for nearby medical practices. Most medical practices have a website, and many use email marketing and social media to reach out to the target audience. Security is the biggest concern in these media. The following guidelines will help you stay HIPAA-compliant.


1. A HIPAA-compliant website: If you want potential patients to find your practice online, you need an active online presence, and that means your website has to handle patient information in a HIPAA-compliant way. This can be challenging, but it is not impossible. Make sure your practice website has these elements:


  • Patient data must be encrypted: Patient-related information submitted through contact forms, appointment request forms and online check-in forms is at risk both in transit and once it is stored. Serve the site over HTTPS with a current TLS configuration (SSL and early TLS versions are deprecated and should be disabled); this protects the data only while it travels between the patient's browser and your server. HIPAA does not name a protocol, but HHS's guidance on what makes PHI “secured” points to the NIST standards for encryption in transit (NIST SP 800-52 for TLS) and at rest (NIST SP 800-111), so form submissions must also be encrypted where they are stored, not just on the wire.
  • Store data on a HIPAA-compliant server: Your server should have antivirus, offsite backup, a firewall and OS patch management in order to stay HIPAA-compliant. Also make sure data is encrypted when you store it on the server, and that the encryption keys are not kept alongside the data.
  • Use a secure network to transmit HIPAA-protected information: Never send HIPAA-protected information over an unencrypted channel or to an insecure email account. If you want to send or receive HIPAA-protected information by email, it must be encrypted end-to-end. A good alternative is to keep private information on your HIPAA-compliant server and set up email alerts that notify you whenever new data is submitted, without including the data itself in the alert.
  • Properly dispose of patient-related information: Practices are legally required to retain patient records for a particular period. When you finally dispose of private information, delete all backups, archives and history stored on your server as well, using a documented media sanitization procedure.
  • Regularly update the privacy policy on your practice website: Your published privacy policy must be kept in step with any changes in your practice's actual privacy practices to stay HIPAA-compliant.


2. HIPAA-compliant email marketing: It is important to design an email marketing strategy that will keep your practice on the right side of HIPAA compliance. Follow these basic tips:

  • An email containing PHI must be encrypted: Even basic information as simple as a name and email address of a patient can be considered PHI. So the best practice is to encrypt all professional emails. You can either choose to manually encrypt each professional email before sending it out or use a HIPAA-compliant automated service.
  • Make sure email marketing services are HIPAA-compliant: Just because you are paying for a service, do not make the mistake of assuming it is HIPAA-compliant. In fact, many email marketing services are designed for corporate use. When choosing an email marketing service, ensure that it offers HIPAA-compliant emails.
  • Never send email communication to patients who did not request it: Most practices ask for patients’ email addresses on their sign-in forms. However, unless the patient has indicated that he or she wishes to receive emails from your practice, you should avoid sending any email. You can simplify this process by adding a question about the patient’s communication preferences on your sign-in forms. However, even when the patient requests email communication, you must ensure appropriate safety measures.
  • Inform patients about the potential risks of email communication: Despite taking all security measures on your end, there is a good chance that your patients’ email services are not secure enough to prevent potential breaches. It is important that your patients understand this risk before agreeing to email communication with your practice.


3. HIPAA-compliant social media marketing: Social media can be a great way for practices to reach out to potential and current patients. However, staying HIPAA-compliant is a major concern. A slip-up will not only make your practice look bad, but it can also put you in trouble with the law. With some effort and knowledge, your practice can be active on social media without violating HIPAA. Follow these guidelines:

  • Stay up-to-date: Laws may change, so it is sage advice to regularly check for updates and make sure your social media efforts are in line with the current laws. You can look up the U.S. Department of Health and Human Services website for the most up-to-date information.
  • Create a social media policy for your practice: A social media policy will let your employees know what is allowed to post, and what is not allowed. In your social media policy, you can also establish roles and responsibilities for staff members who will be posting on your practice’s behalf.
  • Never include any identifiers in posts: With so much information available online, even a seemingly insignificant detail could help users identify your patient. Basic details such as date, time and location can give away a patient's identity. When posting on social media, remove the identifiers that HIPAA's Safe Harbor de-identification standard lists:
    • Names
    • Location (any geographic subdivision smaller than a state)
    • Dates directly related to the individual (admission, discharge, birth, death), other than the year
    • Telephone numbers
    • Fax numbers
    • E-mail addresses
    • Social security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle identifiers and serial numbers, including license plate numbers
    • Device identifiers and serial numbers
    • URLs
    • IP addresses
    • Biometric identifiers such as finger and voice prints
    • Full-face photographs and comparable images
    • Any other unique identifying number, characteristic or code
  • Keep separate social media profiles for personal and professional use: Even if you are an individual physician, you should have a separate personal profile for discussing anything outside of healthcare. The same goes for your employees. Your employees should be instructed not to accept a friend request from a patient as that could lead to conversations that may violate HIPAA guidelines.
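One way to turn the identifier list above into a pre-publication check, as an added example that is not from the original article: a Go scanner that flags the machine-detectable identifiers (SSN, phone number, email address, IP address, URL, date, medical record number) in a draft post before it goes out. It is deliberately coarse, and it cannot recognise a name or a clinical detail that identifies someone, so a draft that comes back clean still needs a human reviewer. The regular expressions, function names and the two sample drafts are assumptions made for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Finding is one identifier-like substring flagged in a draft post.
type Finding struct {
	Kind  string
	Match string
}

// identifierPatterns are coarse detectors for the identifiers that regular
// expressions can catch. They err on the side of flagging too much: a human
// clears a draft, the regex only stops an obvious mistake.
var identifierPatterns = []struct {
	Kind string
	Re   *regexp.Regexp
}{
	{"SSN", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"phone number", regexp.MustCompile(`(?:\(\d{3}\)|\b\d{3})[-. ]?\d{3}[-. ]\d{4}\b`)},
	{"email address", regexp.MustCompile(`(?i)\b[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}\b`)},
	{"IP address", regexp.MustCompile(`\b(?:\d{1,3}\.){3}\d{1,3}\b`)},
	{"URL", regexp.MustCompile(`(?i)\bhttps?://\S+`)},
	{"date", regexp.MustCompile(`\b\d{1,2}/\d{1,2}/\d{2,4}\b`)},
	{"medical record number", regexp.MustCompile(`(?i)\bMRN[:# ]*\d+`)},
}

// ScanDraft returns every identifier-like substring found in text, in the
// order of identifierPatterns.
func ScanDraft(text string) []Finding {
	var findings []Finding
	for _, p := range identifierPatterns {
		for _, m := range p.Re.FindAllString(text, -1) {
			findings = append(findings, Finding{Kind: p.Kind, Match: m})
		}
	}
	return findings
}

// SafeToPost is true only when the scanner finds nothing. A true result
// means "no obvious identifier", not "de-identified".
func SafeToPost(text string) bool {
	return len(ScanDraft(text)) == 0
}

// Constructed sample drafts for the example; the patient and numbers are made up.
const (
	badDraft  = "Congrats to our patient Jane on finishing chemo 3/14/2024! Questions? Call 555-123-4567 or email jane.d@example.com. MRN 4471."
	goodDraft = "Our clinic is open Saturdays this month. Walk-ins welcome!"
)

func main() {
	for _, draft := range []string{badDraft, goodDraft} {
		fmt.Printf("draft: %q\n", draft)
		for _, f := range ScanDraft(draft) {
			fmt.Printf("  flagged %-22s %q\n", f.Kind, f.Match)
		}
		fmt.Println("  safe to post:", SafeToPost(draft))
	}
}
```

The first draft is flagged four times (phone, email, date, MRN) but the name “Jane” and the word “chemo” are not, which is exactly why the scanner is a gate in front of a reviewer rather than a replacement for one.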

Staff training: An integral part of HIPAA compliance

According to industry reports, of the 268 breach incidents reported to the Department of Health and Human Services in 2015, nearly 73 percent occurred at providers’ sites. While network security at those sites is a vital concern, the majority of incidents have human causes.

Nearly four of every five breach incidents at provider sites have nothing to do with hacking of servers or networks. They are mistakes rooted in human behavior, and they could have been prevented had staff been trained on HIPAA requirements.

Workforce training is one of HIPAA’s baseline requirements: both the Privacy Rule and the Security Rule require appropriate training for every employee on his or her responsibilities to protect patient information. Training should engage employees through case studies of actual breaches, with real-life exercises in which staff are presented the situations and choices that have led others into privacy breaches. During the sessions, decisions should be discussed, situations simulated, better processes established and a sense of responsibility fostered.


Even with safety measures in place to protect your patients’ private information, it is still possible for a violation to occur if employees are not informed. You should provide HIPAA compliance training to employees when they start working at your practice. This training should include information about the HIPAA privacy rules, violations and monitoring patient record requests.

In order for your medical practice to be HIPAA-compliant, each staff member must be HIPAA-compliant. It is your responsibility to educate, inform and train your employees on HIPAA regulations and the consequences of non-compliance.


At Practice Builders, our team of online marketing and HIPAA-compliance experts will work closely with you to ensure an optimum patient experience. Through content marketing, HIPAA-compliant emails, social media and strategic SEO, we help you grow your medical practice while you focus on providing top-notch care for your patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


The Fifth Discipline: A Metaphor for 21st Century HIPAA Compliance


This month's HIPAA Survival Guide Newsletter article uses the metaphor of The Fifth Discipline, Peter Senge's 1990 book, to describe the systems approach required if organizations want to change their compliance DNA. Senge's book considers what is required for a "learning organization." This article considers what 21st century compliance DNA looks like and why it matters that "systems thinking" underpins all compliance initiatives. First, we address what Senge calls the "learning disabilities."

1. I am My Position

In the 24/7/365 online world that all knowledge workers now inhabit, it is hard to predict who within an organization will be the compliance (here, specifically, cybersecurity) change agent. It is important that knowledge workers do not get caught up in the organizational pecking order, because it generally only constrains where innovative ideas may come from. This is especially true of the kind of comprehensive, systemic approach to cybersecurity required to reduce risks to levels that are reasonable and appropriate under the targeted regulatory regime.
One thing is certain: the functional group from which the cybersecurity change agent ("CA") may emerge is an unknown unknown. The CA may not come from the "usual suspects" (e.g. information technology). Why? Because a cybersecurity vision, and the resources to get it implemented, require much more than technical acumen. They also require the communication skills needed to turn an organization's cybersecurity initiative into part of the value it delivers to customers/patients, rather than a "bolt-on" necessary evil.

2. The Enemy is Out There

Compliance in the 21st century is not about reacting to Big Brother looking over your shoulder but about delivering value to customers. There are no regulatory agencies "out there" that you should be at war with. You are at war with increasingly sophisticated "bad guys" who want access to your customers' sensitive data to monetize it, or to perform other nefarious activities that customers are obviously interested in avoiding. The public policy that underpins our customers' interest in privacy will only strengthen over time.
The more we are surveilled, watched and tracked, the more our desire for privacy will grow. That desire is a visceral reaction, a reach for the quietude and repose all human beings need when bombarded with thousands of messages each day demanding our attention. The organizations that can seamlessly provide privacy as part of their value proposition are likely to attract our loyalty, all other things being equal.

3. Illusion of Taking Charge

Unfortunately, although we all understand that a successful HIPAA Compliance Initiative ("HCI") cannot proceed without the executive management team's ("EMT") participation, the EMT cannot take the lead role in running it. The reason may not be obvious. Compliance officers quickly discover the dilemma of having been thrust into "the belly of the whale": an HCI is far more complex and time consuming than almost anyone expects, even when you expect it to be a full-time job, and especially while the organization is launching it. If the EMT's members are busy doing what they should be doing, they generally do not have the bandwidth to take this on, however good their intentions. This is a job for professional compliance officers.
That said, there are always exceptions. We find them most often in small boutique business associates, where HIPAA compliance is the difference between winning a piece of business and not even being in the game. There the EMT clearly understands what HIPAA compliance means to its value proposition and embraces compliance as it would any other revenue opportunity.
4. Fixation on Events

We are too focused on the short term, which prevents us from seeing long-term patterns of change that are the cause of the immediate events. This is especially true when an organization experiences a breach. The focus tends to be on "responding to the event" instead of focusing on root causes and systemic failures. In addition, this event focus often precludes any real change in the organization's compliance DNA, reverting back to business as usual as soon as the event has been "handled."

5. Delusion of Learning from Experience

People seldom directly experience consequences of their decisions. For example, breaches generally don't happen often enough for an organization to develop deep institutional knowledge from the lessons learned. Further, often the lessons learned are not the right ones. Blame is generally assigned to individuals instead of the organization's HCI writ large. The bottom line is that systemic risks require systemic solutions. We are not convinced that "systems thinking" has permeated the business culture to the extent required to manage systemic risks. Remember, "systems thinking" is not the same thing as "throwing technology at a problem." A system is much broader in scope than the technology that underpins it. As non-trivial as that technology may be, it is usually the "people" part of the system that poses the most difficulty. Problems that encompass systemic risk are by definition wicked problems, because they inherently contain more organizational complexity than technical complexity.
The anecdotal evidence is that the healthcare industry, writ large, appears to have learned little from the historic breaches that have already occurred and from reputation damage from being listed on HHS' Wall of Shame. Many reasons have been posited for healthcare's learning disability. The one that we have settled on is that for historical reasons (in no small part due to academic training), the industry views itself more as a group of "clinicians" rather than as "business people." In part this dichotomy has persisted because healthcare, as practiced in the U.S., is a business like none other. 
  • Pricing transparency does not exist. 
  • There is no easy way to compare quality between providers. 
  • Very little accountability to patients (i.e. primarily because the latter are generally not the "payers") for quality outcomes (fee-for-service is still king). 

We could go on but you get the picture. For good reason, almost all senior healthcare executives are doctors. Therefore, there is very little mixing of business DNA from other industries. The healthcare industry is a beast unto itself.

6. Myth of the Management Team 

We tend not to work together but rather fight over turf and avoid anything that risks looking bad. We are not competent to say whether there are more turf wars in healthcare than in other industries. We can say that the management teams we have interacted with understand very little about how privacy and security should be incorporated into the organization's DNA. Most view compliance as a "bolt-on" necessary evil that simply needs to be managed. Few understand that in the 21st century cybersecurity (privacy and security combined) must be an inherent part of the value proposition the organization delivers on behalf of patients. And therein lies the problem: ask any healthcare management team who their customers are and they may say "patients" out of political correctness, but the reality on the ground is different. Their "customers" are generally insurance companies or large employers, because those are who pay the dollars that keep the wheels of healthcare turning.

7. Parable of the Boiling Frog 

We tend not to notice or are unwilling to notice threats that rise gradually which results in an inability to react until it's too late. The healthcare frog has been boiling since the HITECH Act was promulgated in 2009. There have been hundreds of high profile breaches and thousands more that don't make frontpage news. Yet it is clear that the industry has failed to take any significant action en masse. The prevailing feeling appears to be "breaches are things that happen somewhere else." Privacy and security are simply not top of mind for clinicians. Nursing schools and medical schools barely teach students enough to allow them to spell HIPAA (mostly) but not much more. The water keeps getting hotter but the frog remains mostly oblivious. As we all know, this story does not end well for the frog. One day something really bad, but otherwise utterly preventable happens. This fails to move the needle for the practice next door. In that practice another frog is starting to boil.

According to the book, it is no longer sufficient for an organization to rely upon just one person to learn for the organization (if it ever was). A successful business is one that can effectively develop the capacity for members to learn at all levels of the organization. A learning organization requires its members to be open to new ideas, be able to communicate effectively with each other, understand the organization, form a vision shared by all members and work together to achieve that vision.
Although the book's conclusions may sound like yet more platitudes, given that we have all become somewhat jaded by the "vision thing," they ring true with what is required to change an organization's DNA with respect to privacy and security. If that change does not happen, it is likely to keep "raining breaches" for the foreseeable future.

HIPAA Email Compliance: 6 Best Practices for Medical Data Security 


As technology advances and legislation changes, HIPAA email compliance can seem like a constantly moving target. With the challenges facing today’s healthcare landscape, including the proliferation of electronic health records (EHRs) and health information exchanges (HIEs), hackers and “hacktivists” targeting hospitals and the adoption of cloud and mobile technology in healthcare, HIPAA compliance is becoming more challenging — and more important — than ever.

Much has changed since 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. The World Wide Web was still relatively new, mobile phones were relatively rare (and great for your biceps!) and your health data was divided into thick manila folders stuffed with paperwork. Now, all that stands between patients and the entirety of their medical histories is a username and a password, and a startling number of those passwords are “password.”

The Challenge of Protecting Patient Data

When most of us think about HIPAA compliance, we think about its access-control aspect: who gets access to protected health information (PHI), and when. A leak of PHI can be as simple as a clinician forgetting to log out of a portal and leaving patient data open on a desktop for anyone walking past to read (which is why automatic logoff appears among the Security Rule’s technical safeguards, as an addressable implementation specification at 45 CFR § 164.312(a)(2)(iii)).

When it comes to protecting PHI, the penalties add up fast, and since the HITECH Act (part of the 2009 Recovery Act) violating HIPAA has only grown more expensive. Under the original tiers, since adjusted for inflation, each violation costs from $100 to $50,000 when the entity did not know, and could not reasonably have known, of the violation. Violations due to willful neglect that are not corrected within 30 days carry a minimum of $50,000 per violation. Considering how many patients have their data stored on a single server, those $50,000 violations stack up fast.

Doctors, hospital administrators, insurance professionals and anyone who deals with PHI need to be aware of the growing threats to patient privacy and be proactive with their information security. Here are six ways to lock down patient data and stay ahead of the threat.

1. Use strong data encryption.

Any PHI you store, whether on a desktop, on a server or in the cloud, should be encrypted. Encryption obscures the data, making it unintelligible to anyone who does not hold the key to decrypt it. The 2014 breach at Community Health Systems (CHS), attributed to the Heartbleed vulnerability and resulting in the theft of 4.5 million patients’ records including Social Security numbers, showed that cybercriminals have both the desire and the means to break into hospital servers and steal sensitive data. With encryption, stolen data stays protected, provided the attackers were not also able to obtain the key. Note the limit: encryption at rest does nothing against an attacker who logs in with a stolen credential and reads records through the application, so it complements access control rather than replacing it.

Data encryption is not only good information-security practice; under HIPAA it is an “addressable” implementation specification of the Security Rule (45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii)), meaning you must implement it or document why an equivalent alternative is reasonable and appropriate. The Breach Notification Rule, in force since 2009, makes it the practical standard: covered entities have no more than 60 days to notify all parties affected by a breach of “unsecured protected health information,” and PHI encrypted in line with HHS guidance is not considered unsecured, so its loss need not be reported as a breach.

HHS spells out what it expects for data at rest and data in motion by pointing to the National Institute of Standards and Technology (NIST). For data at rest (data sitting in storage), the referenced guidance is NIST Special Publication 800-111, which recommends centrally managing all storage encryption, using multi-factor authentication for encryption solutions and using the Advanced Encryption Standard (AES) as the encryption algorithm.
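As an added example (not code from the original article), here is what “encrypt data at rest with AES” looks like in practice, written in Go against the standard library only. It seals a constructed sample record with AES-256-GCM, binds the record identifier into the authenticated data, and shows the two failure modes a practitioner cares about: a ciphertext copied into another patient’s row and a ciphertext altered in storage are both rejected rather than silently decrypted to garbage. The function names and the record layout are assumptions for illustration; the key is generated in memory here, whereas a real deployment keeps it in a KMS or HSM, separate from the ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh 256-bit data-encryption key. Here it lives in
// memory for the demonstration; in production it belongs in a KMS or HSM,
// never in the same store as the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one patient record under key with AES-256-GCM and a random
// 96-bit nonce. recordID is passed as additional authenticated data: it is
// not encrypted, but the tag covers it, so the ciphertext only opens under
// the same ID. Output layout is nonce || ciphertext || 16-byte tag.
func Seal(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// Open reverses Seal. Any change to the nonce, ciphertext, tag or recordID
// fails the tag check and returns an error instead of corrupted plaintext.
func Open(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; the identifier and diagnosis are made up.
	phi := []byte("MRN 000001: dx J45.909, rx albuterol")
	sealed, err := Seal(key, "patient-000001", phi)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored (%d bytes): %x\n", len(sealed), sealed)

	// Right key, right record: plaintext comes back.
	pt, err := Open(key, "patient-000001", sealed)
	fmt.Printf("same row:     %q err=%v\n", pt, err)

	// Same ciphertext copied into another patient's row: rejected.
	_, err = Open(key, "patient-000002", sealed)
	fmt.Println("swapped row:  err =", err)

	// One byte flipped on disk: rejected, not silently decrypted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, "patient-000001", tampered)
	fmt.Println("tampered row: err =", err)
}
```

GCM gives confidentiality and integrity in one primitive, which is why it is preferred over a bare AES mode for records at rest; the record-ID binding is the extra step that stops a database-level attacker from reassigning one patient’s ciphertext to another.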

2. Encrypt your emails, as well.

A tremendous amount of PHI is exchanged over email, and HIPAA-compliant email requires encryption, too. In a post-HITECH (Health Information Technology for Economic and Clinical Health) world, the data shared digitally between doctors and their patients is extremely useful to enterprising hackers, and email is a particularly vulnerable attack vector.

The traditional route hospitals and providers take is a secure-messaging portal: the message stays on the provider’s server and the patient retrieves it over a Transport Layer Security (TLS) session, so it never crosses the open Internet as an ordinary email. While these legacy portal solutions do satisfy HIPAA, they are not easy for either the providers or the patients who use them. Webmail portals tend to be inconvenient, requiring separate usernames and passwords for each and every system and creating silos of medical information.

Newer email encryption solutions bypass the portal by integrating with the email service already in use, such as Gmail. Virtru Pro, for example, adds client-side encryption to the existing account, so the message content is encrypted before it leaves the sender’s mailbox rather than relying on the transport between servers. Encrypted PHI can then be delivered directly to the inbox with no separate accounts or credentials, giving both HIPAA-compliant email and convenience.

3. Use multi-factor authentication wherever possible.

If a hacker steals your password, can they access your data? With multi-factor authentication (MFA) you may still be safe. Without it, your password is a single point of failure, the only gatekeeper between you and the data thieves.

To help satisfy the Person or Entity Authentication standard of the Security Rule, HHS recommends that businesses handling PHI require, in addition to a password or PIN, either something the individual possesses (a token or smart card) or a biometric (a fingerprint or iris scan) for identity verification. Both are examples of multi-factor authentication, which combines something a user knows with something the user has or is.

Anyone who has used a debit card is familiar with the idea: even if someone gets hold of your card, they cannot withdraw money at an ATM without your PIN. Requiring two separate proofs of identity makes it doubly hard to gain access to your money (or your data) by posing as you. One caveat: a one-time code typed into a convincing phishing page can be relayed to the real site within seconds, so MFA raises the bar but does not remove the need for phishing awareness.

4. Make all of your employees HIPAA compliance experts.

One of the standards HIPAA lists among its Administrative Safeguards is Security Awareness and Training. Any business is only as secure as its least vigilant employee. All it takes is one tired worker uploading notes to a personal cloud account, or leaving handwritten passwords in the open, to violate HIPAA. It is essential that every employee is thoroughly trained, and periodically refreshed, in HIPAA and HITECH regulations as well as your company’s security policies.

While many of the technical safeguards that support HIPAA compliance are automated, like timed session logouts and password complexity requirements, nothing replaces thorough training and adequate knowledge sharing when it comes to strengthening your security posture.

5. Review the compliance and security practices of business associates.

When it comes to HIPAA compliance, you can’t just tidy up shop internally. As with its employees, a company is only as compliant as its least secure partner, vendor or contractor, and every business your hospital, private practice or insurance company partners with is a potential vector for an attack or a HIPAA violation.

There are a few precautions any HIPAA-covered entity should take when it enters into a business associate agreement, including securing the right to audit the associate for compliance. Lay down ground rules for HIPAA compliance best practices, including a mutual obligation to encrypt any shared PHI, and ensure that your business associate cannot pass your patients’ PHI on to subcontractors without your approval. This includes using only HIPAA-compliant email to exchange PHI.

6. Be aware of social engineering and inside threats.

While the leak of PHI is usually an act of user error or negligence, many data leaks are caused by malice, from outside and from within. Much infosec effort is directed at the stereotypical hacker, hiding in a musty basement cracking into a distant server, yet 28 percent of security incidents come from within the organization, and 66 percent of malicious hacks are acts of social engineering, a method of intrusion that relies on manipulating people rather than systems.

Social engineering can be as simple as someone walking into a hospital dressed as a convincing repair technician, plugging in a thumb drive and leaving with sensitive PHI. Make sure your internal security audits address these scenarios, as well as insider threats.

Between legislation and technological advances, healthcare in the United States has recently undergone a dramatic transformation. It’s vital that healthcare providers and other covered entities keep pace with these changes. While it isn’t necessary to be an infosec expert or a white hat hacker, doctors, nurses and administrators should know the law, know the threats and keep vigilant to protect the privacy of their patients and the HIPAA compliance of their practices.


Is Gmail HIPAA Compliant?


What is a HIPAA compliant email?


Before discussing the unique case of Gmail, we should first understand what makes an email HIPAA compliant.

The Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA, is a set of compliance rules for the healthcare industry. Three of its rules matter most here: the Privacy Rule, the Security Rule and the Breach Notification Rule.

The Privacy Rule protects individually identifiable health information. The Security Rule sets standards for electronic protected health information (ePHI). The Breach Notification Rule sets out how, and how quickly, individuals affected by a breach must be contacted.

PHI can be thought of as an equation: identifiers + health information. Identifiers include name, Social Security number and email address; health information includes attributes such as medications, clinical notes and insurance details.

Since traditional email was merely meant to connect people, it was built with message delivery as the top priority, in some respects leaving security as an afterthought.  While this was beneficial in the early days of email, it means that the first generation of email systems were ill-equipped to protect sensitive patient information.

In most cases, making an email HIPAA compliant means making sure that the message is encrypted from one inbox to the other and never carried in clear text. Unencrypted email is not only a security risk but also exposes healthcare providers to HIPAA violation fines.


The Difference Between G Suite (Google Apps) and Gmail for HIPAA Compliance

When it comes to compliance capabilities, it is important to note that Google offers two separate email products: Gmail and G Suite. Gmail is the free consumer service tied to @gmail.com addresses. G Suite (formerly Google Apps, and since renamed Google Workspace) is a paid service for business accounts, meant to be used with a domain you own.

Another very important distinction is whether you can obtain a Business Associate Agreement (BAA) for the account. Google will sign a BAA with your organization if you use G Suite; it does not offer BAAs for consumer Gmail accounts.

Even with G Suite, compliance does not stop at the BAA. Google signs a BAA for some, but not all, of its services. And although G Suite encrypts mail at rest and on the hop between your mailbox and Google’s servers, delivery onward to the recipient’s mail server uses opportunistic TLS: if the receiving server does not offer TLS, that hop is sent in clear text, and the message is never end-to-end encrypted into the recipient’s inbox. That is not acceptable for any email carrying PHI.


Your Patients

Google is by far the most used personal email provider, so it is safe to assume that many of your patients use Gmail for personal email. Google has stated that users’ emails are “subject to automated processing”; in other words, Google scans emails for keywords used in advertising retargeting to you and your contacts. If you correspond with a patient via a Gmail account, how would that patient feel on realizing Gmail is exposing their health information to Google?


To Put It Simply

Gmail is not a HIPAA compliant solution.

If your organization must meet HIPAA regulations, using consumer Gmail for work is not compliant. You leave yourself open to fines because your patients’ PHI is scanned by a third party without the patients’ consent or knowledge.


The Bottom Line on HIPAA Compliance and Your Email 


Email is everywhere, and it’s not going away anytime soon. Social media, texting, and other forms of electronic communication have had an important and notable rise recently, but about half of the world now uses email, and that figure is increasing. In medicine, approximately 50% of patients either use or want to use email to contact their healthcare providers, and about a third of clinics are actually making it possible for them to do so.


Email, however, was invented well before either HIPAA or our society’s modern appreciation for the importance of strong online security. Because of this, in its most basic and typical form, email has no credible controls to ensure sender and recipient identity, to protect message integrity, or, perhaps most importantly, to prevent third-party snooping. These deficiencies intersect particularly poorly with the legal and ethical demands on healthcare communication, which turns the situation into a powder keg.

In short, email in medicine can be a HIPAA disaster. But it doesn’t have to be.

Let’s talk about the problem and what you can do to solve it.

What HIPAA Compliance Demands from Email

If your healthcare activities are covered by HIPAA and you want to use email to store or transmit protected health information (PHI), then two important sections of the HIPAA regulations will apply to you: the Privacy Rule and the Security Rule.

We’ve discussed these rules before in more detail, but the one-sentence summary is that the Privacy Rule governs how all PHI must be treated, while the Security Rule provides additional regulations for PHI that is in electronic form (ePHI).

The HIPAA Privacy Rule and email

When it comes to email and the HIPAA Privacy rule, the U.S. Department of Health and Human Services (HHS), which administers HIPAA, has actually weighed in with specific guidance. Here’s a snippet of their position:


Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?


Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).

Sounds like great news! For reference, the 45 CFR § 164.530(c) that they referenced is just a citation for a section of the actual HIPAA regulations, and it simply requires that you “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

Of course, when it comes to email, the definition of an “appropriate technical safeguard” becomes important. HHS weighs in on this, as well:

Covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

So that brings us to the Security Rule…

The HIPAA Security Rule and email

The 45 CFR Part 164, Subpart C, which HHS referenced above, is actually quite long and contains many of the foundational aspects of the HIPAA Security Rule. Instead of going through all of it, we’re going to assume that you already have a functioning HIPAA compliance program in place, and we’ll spend this section highlighting just a few key regulations that are especially important when it comes to email. If you need a more thorough rundown on the Security Rule first, check out our earlier complete guide to HIPAA compliance.

Within the Security Rule, much of the important technical guidance shows up in 45 CFR § 164.312, a section on “technical safeguards.” Let’s take an abridged look at some of this section’s requirements as they apply to email:

  • Access control
    Only those with appropriate access rights should be able to reach ePHI. Use strict security measures on the email account itself, including a strong password and two-factor authentication. Consider the requirement, too, as it applies to messages once they leave your provider’s server and cross the Internet: if they travel unencrypted, you cannot control who reads them on the relays they pass through.
  • Unique user identification and identity verification
    Users of systems holding ePHI must be uniquely identified, and their identities must be verifiable. That means no shared logins for email accounts, and it means the identity of every person sending or receiving ePHI should be verifiable. Basic email has no sender or recipient identity verification; where domain-level checks such as SPF and DKIM are in place, they authenticate the sending domain, not the person.
  • Data integrity
    Systems must protect ePHI from improper alteration or destruction, both at rest and in transit. Technical measures to guard against loss or corruption need to be in place, and basic email includes no integrity controls: a relay can change a message and neither party will notice.
  • Encryption and decryption
    A mechanism should be used to encrypt and decrypt ePHI. Basic email is not end-to-end encrypted; message content is readable by every server that handles it.
  • Transmission security
    Technical measures must guard against unauthorized access to ePHI in transit. Basic SMTP offers no guarantee of secure transit: TLS between mail servers is opportunistic and falls back to clear text whenever a relay on the path does not support it.

HIPAA Breach Disclosure Requirements

HIPAA Breach Disclosure Letter

In the event of a HIPAA breach, the disclosure letter to the person(s) affected must include the following information:

  • Brief description of what happened and when it happened, to include the date of the breach and the date it was discovered;
  • Description of the types of unsecured PHI involved in the breach (e.g., date of birth, diagnosis, address, social security number);
  • Steps individuals should take to protect themselves from potential harm as a result of the breach;
  • Brief description of what the involved covered entity is doing to investigate the breach, mitigate losses, and protect against any further breaches;
  • Contact procedures for individuals to ask questions or learn additional information.

HIPAA Breach Media Notices

If the HIPAA breach affects more than 500 residents of a State or jurisdiction, in addition to notifying the affected individuals, a press release must be provided by the covered entity (CE) to appropriate media outlets serving the affected area.  Media notices must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.  The media notice must include the same information required for the individual notices.

HIPAA Breach Disclosure to the HHS Secretary

The HIPAA Breach Notification Final Rule requires covered entities to provide the Secretary of HHS with notice of breaches of unsecured protected health information (45 CFR 164.408). The number of individuals affected by the breach determines when the notification must be submitted to the Secretary. Covered entities must notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form.


HIPAA Breach affecting 500 or more Individuals

If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach.  This notice must be submitted electronically.


HIPAA Breach affecting fewer than 500 Individuals

For breaches that affect fewer than 500 individuals, a CE must provide the Secretary with a report annually.  All disclosure notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred. The notice must be submitted electronically. A separate form must be completed for every breach that has occurred during the calendar year.

When a covered entity has submitted a breach notification form to the Secretary and discovers that there is additional information to report, the CE can submit an additional form, checking the appropriate box for an updated submission.

The Burden of Proof

CEs and BAs have the burden of proof to demonstrate that all required HIPAA Breach disclosures have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.  The covered entity must also comply with several other provisions of the Privacy Rule with respect to breach notification. For instance, CEs must have written policies and procedures, and must develop and apply sanctions against workforce members who do not comply with these policies and procedures.

There are HIPAA Breach Exceptions

There are three exceptions to the definition of “breach”:

  • Unintentional acquisition, access, or use of protected health information by a workforce member or a person acting under the authority of a CE or BA, if such acquisition, access, or use was made in good faith and within the scope of the person’s authority.
  • Inadvertent disclosure of protected health information by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the CE or BA, or at an organized health care arrangement in which the covered entity participates.  In both cases the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  • If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made would not have been able to retain the information.

CEs must be prepared to defend their decision to claim an exception to the breach definition, so keep the documentation that supports your decision!

The Takeaways

Avoiding breaches requires constant vigilance.  Employees lose laptops, visit websites that contain malware, and sometimes just forget the rules.  Whenever the Office of Civil Rights comes to investigate a HIPAA breach at your organization, it will look for 4 things: (1) Your Policies and Procedures, (2) Your recent HIPAA Risk Assessment, (3) Your evidence of training of employees, and (4) Your HIPAA Breach Disclosure documentation.

Plan to have all four available!

HIPAA and Email: there are rules

Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions.  Recently, email has become even more accessible with the introduction of the smartphone.  However, leave it to healthcare to throw a curve ball to this cozy relationship.  The fact is, HIPAA and email have long been at odds.

HIPAA Privacy and Security rules are concerned with email and the web in general

Across the board, healthcare providers are increasingly

  • using, or
  • are considering using, or
  • are being asked to use,

email to communicate with patients about their medical conditions.  If you find yourself described here, then it bears repeating that the Internet, and things like an email sent over the Internet, is not secure.  Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by other parties besides the person to whom it is addressed.  And it’s that “possibility” that becomes the area of focus.

HIPAA and email can coexist … it’s a matter of understanding the rules

So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?

Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc.  But what is considered reasonable?  The Office of Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page.  Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”


What if a patient initiates communications with a provider using email?  The OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”


Must providers acquiesce to use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.


The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email that includes patient health information (PHI);
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want to be shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks.

HIPAA Compliance for Email

Are Emails HIPAA Compliant?

HIPAA compliance for email has been a hotly debated topic since changes were enacted in the Health Insurance Portability and Accountability Act (HIPAA) in 2013. Of particular relevance is the language of the HIPAA Security Rule; which, although not expressly prohibiting the use of email to communicate PHI, introduces a number of requirements before email communications can be considered to be HIPAA compliant(*).

HIPAA email rules require covered entities to implement access controls, audit controls, integrity controls, ID authentication, and transmission security in order to:

  • Restrict access to PHI
  • Monitor how PHI is communicated
  • Ensure the integrity of PHI at rest
  • Ensure 100% message accountability, and
  • Protect PHI from unauthorized access during transit

Some HIPAA covered entities have put forward the argument that encryption is sufficient to ensure HIPAA compliance for email. However, HIPAA email rules do not just cover encryption. Encryption alone does not fulfill the audit control requirement of monitoring how PHI is communicated or the ID authentication requirement to ensure message accountability.

Furthermore, some required functions – such as the creation of an audit trail and preventing the improper modification of PHI – are complex to resolve. So, although emails can be HIPAA compliant, it requires significant IT resources and a continuing monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email.

(*) HIPAA compliance for email is not always necessary if a covered entity has an internal email network protected by an appropriate firewall.

HIPAA Email Encryption Requirements

HIPAA email rules require messages to be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.

As previously mentioned, encryption is only one element of HIPAA compliance for email, but it will ensure that in the event of a message being intercepted, the contents of that message cannot be read, thus preventing an impermissible disclosure of ePHI.

It should be noted that encryption is an addressable standard in the HIPAA Security Rule, both for data at rest and for HIPAA compliance for email. That means encryption is not ‘required,’ but that does not mean encryption can be ignored. Covered entities must consider encryption and implement an alternative, equivalent safeguard if the decision is taken not to use encryption. That applies to data at rest and data in transit.

A covered entity must decide on whether encryption is appropriate based on the level of risk involved. It is therefore necessary to conduct a risk analysis to determine the threat to the confidentiality, integrity, and availability of ePHI sent via email. A risk management plan must then be developed, and encryption or an alternative measure implemented to reduce that risk to an appropriate and acceptable level. The decision must also be documented. OCR will want to see that encryption has been considered, why it has not been used, and that the alternative safeguard that has been implemented in its place offers an equivalent level of protection.

Encryption is an important element of HIPAA compliance for email, but not all forms of encryption offer the same level of security. Just as the method of encryption is not specified in HIPAA, to take into account advances in technology, it would not be appropriate to recommend a form of encryption on this page for the same reason. For example, a covered entity could have used the Data Encryption Standard (DES) encryption algorithm to ensure HIPAA compliance for email, but now that algorithm is known to be highly insecure.

HIPAA-covered entities can obtain up to date guidance on encryption from the National Institute of Standards and Technology (NIST), which, at the time of writing, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. That could naturally change, so it is important to check NIST's latest guidance before implementing encryption for email. NIST has published SP 800-45 Version 2, which will help organizations secure their email communications.
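The technical safeguards listed earlier for email (access control, data integrity, encryption and transmission security) and the AES recommendation cited above, demonstrated together in an added Go example that is not part of this article or of any vendor's product: it uses AES-256-GCM from Go's standard library, so a single primitive both encrypts the message body and detects any alteration of the body or of the authenticated header. The key handling, the header layout and the sample message are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const keySize = 32 // AES-256; AES-128 (16) and AES-192 (24) are also NIST-approved

// EncryptEPHI seals a message body with AES-256-GCM. GCM is an authenticated
// mode: besides hiding the body it emits a tag over body and header, so one
// primitive covers both the "encryption" and the "integrity" safeguards.
// header (sender, recipient, subject) stays readable for mail routing but is
// bound to the body through the tag. Output layout: nonce || ciphertext || tag.
func EncryptEPHI(key, header, body []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per message: reusing one under the same key
	// breaks GCM's guarantees, so never take it from a counter that cannot
	// be kept unique across every sender sharing the key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, body, header), nil
}

// DecryptEPHI reverses EncryptEPHI. Any change to header, nonce, ciphertext
// or tag makes gcm.Open fail; that error is the "improper alteration"
// detection the integrity standard calls for and should be logged as a
// security event rather than retried.
func DecryptEPHI(key, header, message []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(message) < n+gcm.Overhead() {
		return nil, errors.New("message too short to hold nonce and tag")
	}
	return gcm.Open(nil, message[:n], message[n:], header)
}

// newGCM enforces the AES-256 key length before building the AEAD.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != keySize {
		return nil, fmt.Errorf("key must be %d bytes for AES-256, got %d", keySize, len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewKey returns a random AES-256 key. In a real deployment the key comes
// from a key-management system, not from the mail client itself.
func NewKey() ([]byte, error) {
	key := make([]byte, keySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// TamperDetected is a self-check: flip one bit of the sealed message and
// confirm that the recipient's decryption rejects it.
func TamperDetected(key, header, message []byte) bool {
	altered := append([]byte(nil), message...)
	altered[len(altered)/2] ^= 0x01
	_, err := DecryptEPHI(key, header, altered)
	return err != nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample message; not real patient data.
	header := []byte("From: clinic@example.test\r\nTo: patient@example.test\r\nSubject: Lab results\r\n")
	body := []byte("Your HbA1c from 2018-01-10 is 6.1%. Please call to discuss.")

	sealed, err := EncryptEPHI(key, header, body)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes\n", len(body), len(sealed))

	opened, err := DecryptEPHI(key, header, sealed)
	fmt.Printf("recipient recovers body: %q (err=%v)\n", opened, err)
	fmt.Printf("one flipped bit rejected: %v\n", TamperDetected(key, header, sealed))
	_, err = DecryptEPHI(key, []byte("From: someone-else@example.test\r\n"), sealed)
	fmt.Printf("altered header rejected: %v\n", err != nil)
}
```

Run as is, it prints the round trip followed by the two rejection cases. The design point is that confidentiality and integrity come from the same call: there is no way to get the body back without the tag check passing, so the integrity control cannot be accidentally skipped by a sender who only remembered to "encrypt".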

How Secure Messaging Resolves Issues with HIPAA Compliance for Email

Secure messaging is an appropriate substitute for emails as it fulfills all the requirements of the HIPAA Security Rule without sacrificing the speed and convenience of mobile technology. The solution to HIPAA compliance for email uses secure messaging apps that can be downloaded onto any desktop computer or mobile device.

Authorized users have to log into the apps using a unique, centrally-issued username and PIN that then allows their activity to be monitored and audit trails created. All messages containing PHI are encrypted, while security mechanisms exist to ensure that PHI cannot be sent outside of an organization’s network of authorized users.

Administrative controls prevent unauthorized access to PHI by assigning messages with “message lifespans”, forcing automatic logoffs when an app has not been used for a predetermined period of time, and allowing the remote deletion of messages from a user’s device if the device is lost, stolen or otherwise disposed of.

The Benefits of Secure Messaging

The primary benefit of secure messaging when compared to email is the speed at which people respond to text messages. Studies have determined that 90% of people read a text message within three minutes of receiving it, whereas almost a quarter of emails remain unopened for forty-eight hours.

The communications cycle is further accelerated by the mechanisms to enforce message accountability. These significantly reduce phone tag, allowing employees more time to attend to their duties. In a healthcare environment, this means less time waiting by a phone and more time providing healthcare for patients.

This acceleration of the communications cycle also reduces the time it takes to admit or discharge a patient, how long it takes for prescription errors to be resolved, and the length of time it may take for invoices to get paid. Ultimately, secure messaging is a lot more effective than email, and less trouble to implement than resolving HIPAA compliance for email.

Encrypted Email Archiving for PHI

Although the implementation of a secure messaging solution is an appropriate alternative to email, covered entities are still required to retain past communications containing PHI for a period of six years. Depending on the size of the covered entity, and the volume of emails that have been sent and received during this period, the retention of PHI can create a storage issue for many organizations. The solution to this potential problem is encrypted email archiving for PHI.

Vendors providing an email archiving service are regarded as Business Associates, and have to adhere to the same requirements of the HIPAA Security Rule as covered entities. Therefore, their service has to have access controls, audit controls, integrity controls, and ID authentication in order to ensure the integrity of PHI. In order to comply with HIPAA email rules on transmission security, all emails should be encrypted at source before being sent to the service provider’s secure storage facility for archiving.

The biggest advantage of encrypted email archiving for PHI is that, as the emails and their attachments are being encrypted, the content of each email is indexed. This makes for easy retrieval should a covered entity need to access an email quickly to comply with an audit request or to advance discovery. Other advantages include the releasing of storage space on a covered entity’s servers, and that encrypted email archiving for PHI can be used as part of a disaster recovery plan.

HIPAA: It’s not as black and white as you first thought

2016 was a record-breaking year for healthcare data breaches affecting 500 individuals or more, with the Office for Civil Rights (OCR) reporting a 22% increase year-on-year. Compared with five years ago, this increase is more significant still at 66%. It’s too early to tell whether 2017 will be better or worse for data breaches, but it remains a fact that HIPAA compliance issues will always be high on healthcare organizations’ agendas – regardless of size or stature.

With OCR’s phase 2 audits currently in full swing, there’s no better time for healthcare professionals to reassess their organization’s HIPAA policies in accordance with its privacy and security rules. Maintaining a HIPAA compliant organization is a challenge at the best of times – particularly with the rapid growth of mobile and BYOD in recent years – but as the following points demonstrate, there’s more to HIPAA than meets the eye.

1. HIPAA goes beyond healthcare industry

The definition of a covered entity as defined by HIPAA is somewhat ambiguous and therefore open to misinterpretation. It’s often assumed the rules only apply to businesses that directly provide health services – such as hospitals, physician practices, clearinghouses etc. – when in reality, many other industries are affected too.

Complications are likely to arise if an organization believes it doesn’t need to concern itself with HIPAA compliance, as illustrated in the 2015 Verizon Protected Health Information Data Breach Report. It linked around 20 different industries to a protected health information (PHI) data breach, including manufacturing, retail and education.

2. Business Associates and conduit exception rule

Any organization or individual that creates, receives, maintains or transmits PHI on behalf of its service delivery to a covered entity is classed as a Business Associate (BA). Covered entities should have a Business Associate Agreement (BAA) in place with each of their BAs, and if a BA uses subcontractors for their services, a BAA should be executed with them, too.

Complications emerge when a BA claims to be a “conduit for information”, citing the conduit exception rule, to get out of signing a BAA. It’s vital covered entities understand the conduit exception rule only applies to a few organizations, such as the United States Postal Service, internet service providers (ISPs) and couriers. If any organization that creates, receives, maintains or stores PHI won’t sign a BAA, questions should be asked about its commitment to HIPAA compliance.

3. When PHI isn’t PHI

In a process known as de-identification, health information that has particular identifiers removed in accordance with Section 164.514(a) of the HIPAA Privacy Rule is no longer classed as PHI and can therefore be made publicly available. The National Center for Health Statistics is one such example of a data source that publishes de-identified health information.

Complete de-identification of PHI is a mammoth task to carry out. Any organization that wishes to make health information publicly available should appoint an expert to manage the process for them, as getting it wrong would likely have grave consequences. Even if managed properly, there is an overarching risk the data in question could be found to link back to the individual it relates to.

4. Addressable isn’t the same as optional

To help ensure the confidentiality of patient information and prevent a data breach, HIPAA outlines physical, administrative and technical safeguards. The technical safeguards are broken down into six standards focused on the technology that protects and controls access to PHI. Under these six standards, there are nine key areas organizations are required to implement.

However, the classification of these standards is split into two categories: “required” and “addressable”. Any covered entity or BA that doesn’t pay attention to the addressable standards is opening itself up to fines for noncompliance and an increased risk of breaches. To confirm, addressable doesn’t mean optional.

5. HIPAA penalties

Failure to comply with HIPAA can result in both civil and criminal penalties. Civil penalties are monetary, varying from $100 to $1.5 million, and enforced by OCR. Criminal penalties can result in imprisonment for 10 years or more, as enforced by the U.S. Department of Justice.

With laws differing from state to state, there’s often confusion around the criminal charges, fines and prison sentences an individual might be up against for noncompliance. These discrepancies are heightened by the fact that some, but not all, state and federal laws allow individuals to sue in court for privacy violations, which can lead to additional fines or damages awards.

For covered entities and their BAs, particularly those who operate across multiple states, understanding the rules of HIPAA is just the tip of the iceberg. The consequences of noncompliance that lie below this surface can be crippling.

6. Digital and electronic signatures

An electronic signature is the action of signing electronically during a digital transaction, while a digital signature is the underlying technology that helps verify the authenticity of the transaction.

Used correctly, the security benefits of these technologies can help organizations to maintain compliance of the Security Rule through:

  • protecting the integrity of messages throughout their entire lifecycle, through digital encryption
  • providing user authentication, helping to ensure sensitive information doesn’t end up in the wrong hands, and
  • ensuring non-repudiation (assurances that a person who signs something cannot later deny that they furnished the signature) by providing digital audit trails.
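The three properties just listed (message integrity, user authentication and non-repudiation with an audit trail), demonstrated in an added Go example that is not code from this article or from any signature product: it uses Ed25519 from Go's standard library to sign an audit record that binds the signer's identity, the signing time and a SHA-256 digest of the document. The SignedRecord layout, the signer identities and the sample consent text are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// SignedRecord is one audit-trail entry for an electronically signed
// document (a constructed layout for this example). Every field except the
// signature itself is covered by the signature.
type SignedRecord struct {
	SignerID  string // who signed: an identity the organization issued
	SignedAt  string // when, RFC 3339 in UTC
	DocSHA256 string // hex SHA-256 of the exact document bytes
	Signature []byte // Ed25519 signature over signingInput(...)
}

// signingInput is the byte string actually signed. Binding signer, time and
// document digest together stops a signature made for one document or one
// timestamp from being reused for another.
func signingInput(signerID, signedAt, docSHA256 string) []byte {
	return []byte("signer=" + signerID + "\nat=" + signedAt + "\ndoc=" + docSHA256 + "\n")
}

func docDigest(doc []byte) string {
	sum := sha256.Sum256(doc)
	return hex.EncodeToString(sum[:])
}

// SignDocument creates the record. Only the holder of priv can produce a
// signature that verifies under the matching public key; that is what gives
// non-repudiation, as long as the private key stayed under the signer's
// control.
func SignDocument(priv ed25519.PrivateKey, signerID string, signedAt time.Time, doc []byte) SignedRecord {
	at := signedAt.UTC().Format(time.RFC3339)
	d := docDigest(doc)
	return SignedRecord{
		SignerID:  signerID,
		SignedAt:  at,
		DocSHA256: d,
		Signature: ed25519.Sign(priv, signingInput(signerID, at, d)),
	}
}

// VerifyDocument checks integrity (doc still hashes to what was signed) and
// authenticity (the signature was made with the key behind pub). The caller
// must look pub up from SignerID in its own key directory; trusting a key
// shipped alongside the record would let anyone sign as anyone.
func VerifyDocument(pub ed25519.PublicKey, rec SignedRecord, doc []byte) bool {
	if docDigest(doc) != rec.DocSHA256 {
		return false
	}
	return ed25519.Verify(pub, signingInput(rec.SignerID, rec.SignedAt, rec.DocSHA256), rec.Signature)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample document; not a real form.
	consent := []byte("I consent to the treatment plan dated 2018-02-01.")

	rec := SignDocument(priv, "dr.example", time.Now(), consent)
	fmt.Printf("audit record: signer=%s at=%s doc=%s...\n", rec.SignerID, rec.SignedAt, rec.DocSHA256[:16])
	fmt.Println("original verifies:        ", VerifyDocument(pub, rec, consent))

	edited := []byte("I consent to the treatment plan dated 2018-02-02.")
	fmt.Println("edited document verifies: ", VerifyDocument(pub, rec, edited))

	relabelled := rec
	relabelled.SignerID = "dr.someone.else"
	fmt.Println("relabelled signer verifies:", VerifyDocument(pub, relabelled, consent))
}
```

The record, not the document, is what the audit trail stores: a verifier with the organization's directory of public keys can later re-check any entry, and a one-character edit to the document, the signer field or the timestamp turns the answer to false.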

However, OCR offers very little guidance on the topic of digital and electronic signatures and their use certainly doesn’t ensure HIPAA compliance. Organizations should assess every situation with caution, and use digital signatures as an additional security measure where appropriate.

10 Steps for Ensuring HIPAA Compliance 

1. Development of privacy policies. Healthcare organizations must develop, adopt and implement privacy and security policies and procedures. They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs.

2. Appointment of privacy and security officers. Healthcare organizations should appoint a privacy and security officer. This could either be the same or different individuals. This person should be conversant in all HIPAA regulations and policies.

3. Conducting regular risk assessments. Healthcare organizations should regularly conduct risk assessments to identify vulnerabilities. This will help ensure the confidentiality and integrity of protected health information. It is important to remediate any identified risks and revise policies, if necessary, to minimize risk.

4. Adoption of email policies. Healthcare organizations should adopt policies regarding the use of e-mail. "The Office of Civil Rights does not look too kindly on organizations who haven't established policies regarding mobile devices and email communication." HIPAA does not prohibit the use of email for transmitting protected health information, and it does not require that the email be encrypted. But it is best to encrypt email if possible. If your organization can't encrypt email, make sure that your patients are aware of the risks they are facing if they ask for their health information over email.

5. Adoption of mobile device policies. Healthcare organizations should adopt strict policies regarding the storage of protected health information on portable electronic devices, and they should regulate the removal of those electronic devices from the premises. HHS has issued guidance regarding the use of mobile devices, and healthcare organizations should be familiar with it.

6. Training. Training all employees who use or disclose protected health information and documenting that training, is an essential step to ensuring HIPAA compliance. Healthcare organizations should also conduct refresher courses and train the employees in new policies and procedures.

7. Notice of Privacy Practices. A Notice of Privacy Practices should be correctly published and distributed to all patients. It should also be displayed on the organization's website, and the organization should obtain acknowledgement of receipt from all their patients. The notice should be updated whenever policies are revised. It will need to be updated now to reflect the provisions of the Omnibus Final Rule.

8. Entering into valid agreements. Healthcare organizations should ensure that they are entering into valid business associate agreements with all business associates and subcontractors. Any existing business associate agreements will have to be updated to reflect the changes to HIPAA under the final rule, such as the expansion of liability of business associates.

9. Adoption of potential breach protocols. A protocol for investigating potential breaches of protected health information is a must. The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred. If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities.

10. Implementation of privacy policies. Privacy and security policies must be properly implemented by healthcare organizations, and they should sanction employees who violate them.


These 10 steps will help healthcare organizations ensure that they remain HIPAA compliant, but organizations are also encouraged to check the resources available on the Office of Civil Rights website, such as sample business associate agreements and audit protocols.

HIPAA Trends to Watch in 2018 

Although the Trump Administration has a $6.194 million budget cut slated for the Office of Civil Rights (OCR), the office which administers HIPAA, compliance will still be enthusiastically enforced, according to OCR director Roger Severino. The Congressional Justification for FY2018 predicts a shift from routine HIPAA investigations to larger actions with sizable fines.

Here’s more on what to expect for HIPAA in 2018:

Fewer, but larger enforcement actions
Director Severino’s goal is to find a “big, juicy, egregious” breach case which could mean they will seek out more complex issues with a broad impact for enforcement. At a conference in 2017, Severino said he hasn’t decided yet on a particular area for increased investigations, but he did mention cybersecurity, ransomware and physical security as possibilities.

OCR plans to mitigate their budget decrease with increased enforcement settlement fines. So, while the department is leaner, it also may be meaner.

Possible new guidelines for medical records fees
Current OCR guidance regarding patients’ access to and fees for medical records has garnered concern from businesses. The current method gives HIPAA-covered entities the ability to charge “reasonable, cost-based fees” for records, which has been interpreted as restrictive and adding to the cost of HIPAA compliance. Plus, on top of federal regulations, HIPAA entities also contend with a patchwork of state laws regarding medical record fees. The business-sympathetic Congress may require OCR to provide additional clarification regarding medical records fees to allay business concerns.

States may become more involved
With OCR reducing its number of HIPAA enforcements, state attorneys general have begun to step up enforcement activities to ensure privacy for their constituents. Privacy issues in the medical sector and other areas regarding personal information are increasingly important to the public, and state AGs may lead the way in protecting citizens.

CompuTech City remains poised to facilitate medical practices’ efforts to be HIPAA compliant. We take a proactive approach to keeping your data secure and are experts in ensuring your network meets stringent HIPAA standards with device encryption, network security, intrusion prevention, gateway anti-virus, anti-spyware, content/URL filtering.

Let us know if you are interested in learning more about 2018 HIPAA compliance.

How to Stay HIPAA Compliant When Using Social Media for Healthcare 

Despite regulations surrounding the use of social media within the healthcare industry, there are enormous gains to be made from utilizing social media, from increasing patient engagement to acquiring new patients. Here, we look at why the role of social media is growing in healthcare, and how to make the most of this channel within healthcare internet marketing while still ensuring HIPAA compliance.

Healthcare Social Media Perks

Research data repeatedly indicate that patient outcomes improve when patients are involved and engaged in their own healthcare. Social media acts as the conduit that enables the patient-doctor relationship to extend beyond the traditional face-to-face consultations. When physicians actively engage on social media, they have an additional opportunity to connect with patients and impact their daily choices.

Meanwhile, blogging is both an effective marketing tool for doctors and a valuable source of information for patients looking to learn more about your healthcare organization or seeking health tips for specific conditions. And it’s not just the young, tech-savvy generations that can be reached on social media; one of the fastest growing demographics engaging in social media is the 55-65 year age group.

In addition, social media is an ideal platform for connecting professionally with colleagues and industry peers. It is a great place to debate, express opinions, share information and experiences, and build referral networks.

The diversity of social media platforms and post types – including simple text, article shares, images, and videos – enables a new level of connection between the public, patients, and healthcare professionals. However, as social media grows in importance in healthcare marketing, the consequences of non-compliance with HIPAA rules and regulations grow with it.

Social Media HIPAA Compliance Concerns

To ensure HIPAA compliance on social media, it’s important to keep several key issues in mind.

Protected Health Information (PHI): The main compliance issue facing physicians is patient privacy. Physicians must be aware of both HIPAA and state laws regarding the disclosure of patients’ PHI through social media. Even an inadvertent disclosure of PHI, including visual elements like photos or videos (a patient visible in the background of a clinic photo, or a screen showing a chart, is still PHI), can result in fines and other penalties. To manage this, healthcare organizations should provide HIPAA training to social media managers and conduct compliance checks. Healthcare organizations must also be prepared to produce all electronic communications on demand, should an audit or lawsuit require it.

Medical Advice: Providing medical advice via social media should be treated with extreme caution due to licensing laws. If a patient is located in a state where the doctor is not licensed, the doctor risks liability under state licensing laws.

Tips for HIPAA Compliant Social Media

We recommend you have the following in place before going full-steam ahead on social media:

  • Create a Social Media Working Group to discuss any potential concerns about implementing a social media strategy. The group should include representatives from various parts of the organization.
  • Ensure a thorough understanding of the HIPAA patient privacy regulations and how they pertain to your healthcare organization’s social media accounts.
  • Create an employee use policy for social media and clearly communicate it to all staff.
  • Educate and train staff on the use of social media – plus how not to use it – with real life examples.
  • Create a realistic content strategy that specifies both the frequency and types of social media posts to reduce the likelihood of breaches.
  • Develop a process with the Legal and Compliance departments to approve content prior to being posted.
  • Monitor social media communications with technology controls that flag any words or phrases that may indicate HIPAA non-compliance, so that they can be reviewed before posting.
  • Capture and save records that preserve the format of social communications, including edits and deletions.
  • Archive electronic records so that they can be found, in accordance with federal and state recordkeeping rules.
  • Develop metrics to measure the effectiveness of social media programs.
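The pre-posting monitoring control in the list above is the one technical measure among these tips, so here is an added example of what such a filter actually does. This is example code written for this page, not code from the original article or from any vendor; the patient roster, the draft posts and the identifier patterns are all constructed for the demonstration.

```python
import re

# Constructed sample patient roster (hypothetical). A real control would query the
# practice's patient index rather than hard-code names.
PATIENT_ROSTER = {"jane doe", "robert k. miller", "alice nguyen"}

# Heuristic patterns for direct identifiers and clinical context in free text.
# They are deliberately broad: the goal is to route a draft to a human reviewer,
# not to decide on its own that a post is PHI-free.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "record_number": re.compile(
        r"\b(?:mrn|medical record|record\s*#|patient id)\s*[:#]?\s*\w+", re.I),
    "clinical_context": re.compile(
        r"\b(?:diagnosed with|tested positive|admitted for|treated for|underwent)\b", re.I),
}


def screen_post(text, roster=PATIENT_ROSTER):
    """Return a list of (category, matched_text) findings for a draft post."""
    findings = []
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((category, match.group(0)))
    # Name check: normalise whitespace and case, then look for whole-name matches.
    normalised = re.sub(r"\s+", " ", text).lower()
    for name in roster:
        if re.search(r"\b" + re.escape(name) + r"\b", normalised):
            findings.append(("patient_name", name))
    return findings


def review_required(text, roster=PATIENT_ROSTER):
    """True when a draft should be held for Legal/Compliance review before posting."""
    return bool(screen_post(text, roster))


if __name__ == "__main__":
    # Constructed draft posts for the demonstration.
    drafts = [
        "Great news! Jane Doe is recovering well after her surgery on 03/12/2018.",
        "Reminder: our clinic offers flu shots every Tuesday in October.",
        "Patient MRN 448213 tested positive today, keep them in your thoughts.",
    ]
    for draft in drafts:
        print(review_required(draft), screen_post(draft), "|", draft)
```

A filter like this catches the obvious identifiers and routes anything doubtful into the approval step described above; it will also flag harmless dates and phone numbers, which is the intended trade-off. It cannot see a patient’s face in a photo or a chart visible in a video frame, so the human review before posting remains the control that matters.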

8 HIPAA Compliance Steps for Your Medical Practice


Complying with the 1996 Health Insurance Portability and Accountability Act (HIPAA) regulations is vital to keeping your patients’ protected health information (PHI) private, confidential, and secure. What is HIPAA? In practical terms, it sets the privacy and security standards for every entity that handles sensitive electronic patient data. The guidelines apply to everyone in your hospital, medical, or dental practice who stores, accesses, or shares patients’ computerized health and financial records.


Proper precautions will help you build patient trust and standing. You’ll also avoid breach-related complaints, reputational damage, hefty monetary fines, civil lawsuits, criminal charges, loss of your medical license, and/or imprisonment. E-Complish excels at both Payment Card Industry (PCI) and HIPAA compliance. With us you can be sure client payment information and PHI remain safeguarded, but follow the eight steps below to ensure that your medical or dental facility is compliant.

Run Thorough Risk Assessments

Did your medical practice adopt an electronic health record (EHR) system before clear directions specified everything it should contain? Then your office might be using a system that fails to meet HIPAA standards. Using the latest guidelines, run a thorough risk assessment on your current system. That will highlight any noncompliant areas that you need to update to fulfill your obligations. In addition, you or a HIPAA specialist must complete mandatory security risk assessments annually. Then develop detailed action plans and timelines that address all evaluated issues requiring remediation or follow-ups.

Prepare for Disasters Before They Occur

Keeping all patient data that your medical or dental facility handles safe from corruption and loss is key. Installing and updating antivirus software on all business computers helps protect them from malware that could corrupt or destroy files. To prevent losses due to mishaps, back up all health records frequently, encrypt the backups, and periodically test that they can actually be restored; an untested backup is not a recovery plan. Keeping copies off-site will stop destructive events like office fires and floods from making valuable backups irretrievable.

Develop a Policy and Procedure Manual

Create written instructions that detail how your staff should address and maintain patient privacy, confidentiality, and security. Include a HIPAA compliance overview with specific processes for patient notifications, disclosures, and relevant forms. Distribute this manual to all existing employees and new hires. Requiring them to sign and return statements that they read and understand your policies and procedures can increase conformity. Review, update, and redistribute your handbook as regulations expand and change.

Establish an Ongoing Staff Training Program

Your weakest links determine your EHR’s strength. In medical and dental offices, untrained employees make the most errors unintentionally. Staffers who fail to follow safety protocols when accessing files and records can render even a very dependable encryption system useless. That might allow unauthorized parties to gain access illegally.

Guiding new hires is just the beginning. Re-educating your entire team to adhere to vital safeguards annually will ensure data security and integrity. Everyone must recognize that protecting health information is essential. Gather staffers’ signatures, acknowledging awareness of HIPAA principles and practices. Document all employees’ names with initial and refresher course dates to verify that you’re fulfilling your ongoing commitment. Also evaluate and revise your training program as regulations expand and change.

Add Compatible and Compliant Office Equipment

All new equipment you buy for your medical or dental facility must be compatible with your existing systems and must provide sufficient security. Insist on both in every purchase: a compatible device that is insecure, or a secure device that does not work with your systems, is an expensive mistake.

Collaborate With All Affected Internal Parties

The changes you must make to become HIPAA compliant will affect various internal personnel. Inform all involved supervisors and departments about necessary modifications to their routines. Preventing violations requires everyone’s ongoing and diligent participation.


Demonstrate Privacy throughout Your Facility

Treat your patients with the discretion they deserve everywhere from your lobby to examination rooms. Minimize personal references to specific patients by announcing just their given or surnames when calling them to the reception desk, payment windows, and doctor consultations. Providing private, quiet spaces for discussions with individuals will stop uninvolved parties from overhearing sensitive information. Always knock on closed doors before entering patients’ rooms. Never leave their files and documents visible or unsecured where unauthorized people could view them.

Post HIPAA Notices

Print notices explaining your HIPAA practices. Place them in easily noticeable common office areas. Your patients can review applicable privacy laws with information about how you’re striving to protect their health care’s confidentiality.


Medical Practices Are Struggling With HIPAA Compliance 


We recently conducted a survey of medical practices and billing companies to gauge their knowledge of HIPAA’s Privacy and Security regulations, compliance measures, and communication methods.


With the help of our partners at Porter Research and The Daniel Brown Law Group, we've created an easy-to-consume narrative explaining the various aspects of HIPAA compliance while also presenting the results in a way that's easy to understand.

The survey of more than 1,100 healthcare professionals revealed several areas of concern, including:

  • 66 percent of respondents were unaware of HIPAA audits prior to this survey bringing it to their attention

  • 35 percent of respondents have conducted a HIPAA-required risk analysis

  • 34 percent of owners, managers, and administrators felt “very confident” their electronic devices containing personal health information (PHI) were HIPAA compliant

  • 24 percent of owners, managers, and administrators in small practices have evaluated all of their Business Associate Agreements

  • 56 percent of office staff and non-owner care providers in small practices have received HIPAA training in the last year

While we noticed a trend suggesting billing companies may be doing better with compliance compared to medical practices, what we found most alarming was the consistent information gap between management and staff when handling HIPAA compliance measures.


HIPAA Compliance Resources
Alongside the results, we've also curated a list of resources to help you learn more about the upcoming audits, how to develop a compliance plan, conduct a risk analysis, and how to ensure your electronic devices are HIPAA compliant.


Why Secure Communication for HIPAA Compliance is Not Enough


When you spend a lot of time writing about HIPAA compliance and its importance for healthcare providers, you sometimes forget the bigger question: What does HIPAA compliant communication mean for healthcare?

Yes, we know that HIPAA requires secure and encrypted clinical communication to ensure patient privacy. But is that where the argument starts and ends? Is patient privacy the only reason to embrace HIPAA compliant communication?

Turns out, there’s more to the riddle.


Why focus on secure email and secure mobile messaging

According to a 2015 study, healthcare employees use mobile messaging more frequently than voice calling for their business communication. 65 percent of healthcare respondents use email most frequently for business communication, followed by mobile messaging (22 percent) and voice calling (13 percent). The same study also reported that 91 percent of those interviewed use mobile messaging at least a few times per week.

Healthcare staff often move to mobile communication after receiving a pager alert. Unfortunately, pagers add unnecessary friction to the process of patient care.

Pagers cost over $1.7 M per year in lost productivity. As such, it is important to find alternatives that make healthcare communication processes as efficient and effective as possible.

Similarly, given the prominence of email and mobile communication in healthcare, it also makes sense to remove the friction these channels cause in terms of efficiency.

If information cannot be easily exchanged through email due to HIPAA concerns or legacy pen-and-paper processes, then the workflow is bogged down.

Why is workflow important?

Efficient clinical workflow saves time, saves money, and saves lives. And in today’s industry, workflow can have a significant effect on reimbursement. As such, effective and efficient communication is key. Practices need to be choosy.

OnPage’s smartphone-based secure messaging tool and Paubox’s mobile friendly HIPAA secure email and forms are designed with secure communication in mind as well as improved workflow. OnPage is able to improve workflow as is Paubox.

And workflow is really where it’s at.

While HIPAA compliance is important to physicians, it is not as important as their patients. Physicians focus on seeing patients and improving patient lives.

Technology that improves practitioners’ efficiency and allows them to spend more time helping patients is meaningful.

How HIPAA secure messaging improves workflow

As noted, pagers are a huge impediment to optimal workflow in hospitals.

Most paging systems utilize single-function pagers that only allow one-way communication, requiring recipients to disrupt workflow to respond to pages. Paging transmissions can also be intercepted, and the information presented on pager displays can be viewed by anyone in possession of the pager.

However, smartphone-based, HIPAA-compliant group messaging applications improve in-hospital communication. These applications save time as physicians and nurses do not need to receive messages on their pager and then respond via cellphone.

Using only smartphone-based secure messaging applications gives physicians and nurses secure communication with the information security that pager networks and ordinary SMS over commercial cellular networks do not provide.

Additionally, secure messaging technologies enable persistent alerting that ensures messages aren’t dropped, missed or forgotten. By ensuring that messages are not lost, administrators do not need to waste time following up on sent messages.

How secure email and forms improve workflow

A doctor or practitioner must encrypt their emails when they communicate protected health information via email.

Unfortunately, most encrypted email providers use a portal to gate communication. Portals can make recipients take up to five extra steps just to view any messages. It also makes the experience of reading email on a mobile device cumbersome.

Not being able to send and receive emails quickly and easily can significantly bog down workflows.

When it comes to forms, online forms reduce the time patients spend in the office and make the process of patient engagement much more fluid.

Having web forms enables patients to enter their information online and include attachments such as photos or documents, then send in their forms directly to their healthcare provider’s inbox via a HIPAA compliant email provider like Paubox.

Electronic forms make archiving these documents much easier than their paper counterparts as well.


Overall, healthcare cannot ignore the importance of HIPAA compliance; however, healthcare technology also needs to focus on improving the workflow of physicians and practitioners.

As a healthcare provider or practitioner, you need to look for solutions that make communication more efficient.


How to Choose Effective HIPAA Compliance Software


Choosing an effective HIPAA compliance solution for your health care business is essential in defending against HIPAA breaches and fines.

There are many software solutions on the market that give healthcare professionals the ability to address their HIPAA compliance. But when it comes to finding an effective HIPAA compliance software for your practice, it can be difficult to parse the differences between your options.

To help narrow your choices, we’ve put together this guide to give you a sense for the bare-bones essentials that will keep your practice safe in the event of a HIPAA audit.


What should effective HIPAA compliance software include? 

1. Self-Audits, Security Risk Assessment

HIPAA compliance software must give you the ability to audit your practice against the HIPAA rules. These audits give you a baseline assessment of the security and privacy measures you already have in place and how they compare to the HIPAA standards.

Security Risk Assessments are also a mandatory component of HIPAA compliance.

Most HIPAA software solutions will give you the ability to complete your Security Risk Assessment, but don’t follow through on remaining HIPAA requirements. Keep in mind that incomplete software solutions will leave your practice exposed to HIPAA breaches and fines, even with a Security Risk Assessment in place.

2. Remediation Plans

Any effective HIPAA compliance software must allow your practice to create remediation plans in response to the gaps uncovered by your self-audits and security risk assessment. Remediation plans are an essential part of becoming HIPAA compliant because they provide OCR with evidence that your practice has performed due diligence.

A good HIPAA compliance software should give your organization the ability to document and retain all components of your remediation plans with an area for notes and important details tailored to the specific steps taken to remediate your practices’ gaps.

3. Policies, Procedures, Employee Training

One of the essentials of any HIPAA compliance program is a robust and unique set of HIPAA policies and procedures. It’s especially important that the HIPAA compliance software you choose gives you the ability to create, customize, and apply policies and procedures in your practice.

Policies and procedures are the infrastructure around which the rest of your compliance program will be built. The HIPAA Rules outline specific standards for privacy and security that must be implemented, and your organization’s policies and procedures should correspond with all applicable standards.

HIPAA policies and procedures must be reviewed periodically and updated whenever the running of your organization changes; most practices do this annually. An effective HIPAA compliance software should send you reminders or otherwise help you meet those review dates and avoid common HIPAA violations.

Once you’ve adopted and applied your policies and procedures, all staff members must be trained on them: new hires when they join, everyone when the policies materially change, and, as a matter of good practice, annually. Employees must attest that they have read and understood your organization’s policies and procedures. An effective HIPAA compliance software should have modules for employee training, plus documentation capabilities that keep employee attestations for at least six years, as HIPAA’s documentation requirement mandates.

4. Documentation

Documentation is the most important aspect of any HIPAA compliance program. Without proper documentation of your compliance efforts, your practice will not be able to properly defend itself in the event of a HIPAA audit.

An effective HIPAA compliance software should be able to create documentation for each and every step of your compliance program. This documentation must be retained for at least six years in order to adhere to federally mandated HIPAA standards, and your HIPAA software should be able to maintain these records on your behalf.

5. Business Associate Management

HIPAA regulation requires health care professionals to execute contracts with their vendors before sharing PHI with them. These contracts are called Business Associate Agreements (BAAs); they set out the vendor’s obligations to safeguard PHI and to report breaches, and they define where responsibility lies in the event of a breach caused by the vendor.

An effective HIPAA compliance software should come with pre-vetted Business Associate Agreement templates, plus a means of storing them properly once they have been executed and signed. Because BAAs should be reviewed regularly (annually is common practice) and whenever the relationship or the regulations change, HIPAA compliance software should also let users easily review stored agreements, make necessary changes, and avoid violations caused by out-of-date or missing BAAs.

6. Breach/Incident Management

The final component of an effective HIPAA compliance software we’ll discuss is Incident Management. Any time a healthcare organization experiences a data breach, that breach must be tracked, documented, investigated, and reported to HHS OCR.

An effective HIPAA compliance software should give users the ability to track and document all stages of a data breach or incident investigation. In the event that the data breach spurs an OCR HIPAA investigation, the affected organization must be able to demonstrate the steps they’ve taken in the aftermath of a breach.

Once again, documentation is key here, not only because it’s legally required by the HIPAA Breach Notification Rule, but because it’s essential to protecting the affected organization from ensuing HIPAA fines.

Why should you choose a total HIPAA compliance software? 

Choosing a total HIPAA compliance software gives your practice a way to handle HIPAA right the first time. Piecemeal, self-serve software solutions waste time and don’t give your practice everything needed to become HIPAA compliant. Without a HIPAA compliance software that addresses each of the HIPAA standards listed above, your practice could be at risk of incurring serious HIPAA fines.

HIPAA enforcement has ramped up significantly in recent years, now totaling more than $46 million since 2015 alone.

Protecting your practice and your reputation from HIPAA breaches and fines is easier than ever before, especially with total HIPAA software solutions that work for you.


HIPAA Compliance Checklist and Employee Sanctions 


A HIPAA compliance checklist is the tool to turn to when imposing sanctions on employees for HIPAA privacy breaches.  It may feel like a never-ending and thankless task, but consider the alternatives.  It can be tempting to adopt a “no harm, no foul” approach to employee sanctions.  But this is not the way the Office for Civil Rights, the government agency that investigates HIPAA breaches, looks at things.  To that end, your HIPAA Compliance Checklist must also address employee sanctions.

HIPAA is all about protecting PHI

There are numerous examples of the OCR imposing penalties on organizations for not protecting PHI.  And these penalties are imposed even though there was no evidence of anyone receiving or accessing any PHI in cases where a breach occurred.

  • The OCR considers encryption of ePHI by malicious software (e.g., ransomware) to be an unauthorized disclosure not permitted under the Privacy Rule.  Even in a ransomware attack, an organization could reasonably conclude there is a low probability that the PHI has been compromised.  But if it cannot reach that conclusion,  it is required to comply with the applicable breach notification provisions.  And this is the case even if there is no evidence that the PHI was viewed by anyone else.
  • An employee of Cancer Care Group of Indianapolis left unencrypted back-up media in a bag in a car; the car was broken into and the bag stolen.  There was no evidence that any information was ever disseminated, but the OCR imposed a penalty of $750,000 on the group.
  • In 2013, the OCR imposed a $400,000 settlement on Idaho State University for a breach of unsecured ePHI. The school had left a firewall disabled for over 10 months! Again, there was no indication PHI was accessed by any unauthorized person; the university was simply not protecting its PHI.

These are just a few examples of settlements, some involving employees failing to follow procedures, and some where there were no procedures at all. In each case, penalties were imposed even though no information was shown to have been accessed by unauthorized parties.

HIPAA compliance requirements do not explicitly link employee sanctions to reportable HIPAA breaches

It is certainly possible to have an unauthorized disclosure that is not a reportable breach. A breach is defined as the acquisition, access, use or disclosure of protected health information in a manner not permitted under the Privacy Rule which compromises the security or privacy of the protected health information.

These days, employees are often the source of breaches, from lost laptops to PHI included in social media posts, and such events occur almost daily. It is therefore important to include an employee sanctions policy in your HIPAA compliance checklist. The policy can and should take into account the potential harm from the unauthorized disclosure, but a “no harm, no foul” approach may leave the organization open to OCR penalties.

A HIPAA compliance checklist for employee sanctions policies should address several issues

  1. The policy should reference 45 CFR 164.530(e) (the Privacy Rule’s administrative requirements), which requires covered entities to have and apply appropriate sanctions against workforce members who fail to comply with their privacy policies and procedures; the Security Rule has a parallel sanction requirement at 45 CFR 164.308(a)(1)(ii)(C).
  2. Section 6102(b)(4)(F) of the Affordable Care Act also requires that the standards be consistently enforced through disciplinary mechanisms.
  3. Most policies utilize a Level system, tying the action of the employee and the effect on unauthorized disclosure of PHI to the sanction recommended.  Levels could start from situations where an employee did not follow procedures, but there was no unauthorized disclosure of PHI.  Levels usually top out at situations where the actions were malicious and willful, causing harm or intending to cause harm to the patient.
  4. Mitigating factors may be enumerated, and repeated patterns of violation may result in a higher level of discipline.

Employee Sanctions should be standardized

Organizations usually strive to administer most disciplinary policies in a consistent, standardized way.  Employee sanctions for HIPAA violations are no different.  Inconsistent application can carry consequences ranging from confusing messages to erosion of public trust to vulnerability to penalties and fines.

One way to increase standardization of disciplinary actions is to develop a grid, matching the riskiness of the actions to the level of sanction.

The HIPAA regulations explicitly require organizations to have and apply appropriate sanctions against workforce members who fail to comply with the privacy policies and procedures of the organization.  While sanctions can be related to the incident and the potential harm, they also need to demonstrate that the organization is taking seriously its responsibility to protect the privacy of patient information – even when there is no evidence of unauthorized disclosure or when the breach is not reportable.

Regardless of the method you choose to develop employee sanctions, make sure your HIPAA compliance checklist addresses appropriate sanctions, and implement your policies consistently!   Healthcare Compliance requirements must be truly effective.


HIPAA Violation and Hospital Employee viewing PHI 


HIPAA violation rocks hospital! An employee at St. Charles Health System accessed over 2,400 patients’ medical records over a two-year period out of curiosity. We all know that curiosity killed the cat, and now it may have dire consequences for this curiosity seeker and for the hospital system.

HIPAA Violation without intent to commit fraud

The employee who viewed protected health information (PHI) without a legitimate reason is in jeopardy of large civil fines, loss of their clinical license and criminal prosecution, not to mention termination from their present position. The hospital system has to repair its damaged reputation while preparing to defend itself against potential civil and criminal actions. There are many instances where an organization is liable for HIPAA violations even though it “didn’t do it”: a workforce member’s snooping is the organization’s breach.


Now the local District Attorney has taken an interest in the matter and is launching a criminal investigation. The HIPAA statute provides no private right of action, but since the HITECH Act the attorney general of the state where the violation took place may bring a civil action on behalf of affected residents.


The employee signed an affidavit stating that the records they accessed were not used to commit fraud; that did not halt the criminal investigation.

Hospital employee viewing PHI

This real-life incident demonstrates how healthcare providers and their employees can face serious trouble for viewing records inappropriately. Just remember this incident when you want to be inquisitive about a patient that you are not treating or accessing a patient’s medical records for no business purpose.


When performing your job function, it is not a HIPAA violation to access or release a patient’s PHI for treatment, payment or health care operations (TPO). Before accessing or releasing PHI, ask yourself whether the purpose falls under TPO. If it does, release only the minimum information necessary to complete the task (the minimum necessary standard does not apply to disclosures to a provider for treatment, but it does apply to payment and operations uses); if it does not, you will generally need an authorization signed by the patient or his/her representative. If you are unsure whether you may access or release a patient’s PHI, contact your supervisor or your organization’s Privacy Officer.


Finally, this violation reaffirms the need to conduct a HIPAA Risk Analysis, including ongoing monitoring of compliance with the Privacy and Breach Notification Rules. Use your policies and procedures to drive efficient and effective training, auditing and monitoring, and review EHR access logs for records viewed without a treatment, payment or operations reason; two years of curiosity browsing should not go unnoticed.
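As an added illustration of the access-log monitoring the preceding paragraph calls for (example code written for this page, not St. Charles Health System’s or any EHR vendor’s), the following Python reads a constructed EHR audit log, compares each record view against a constructed care-relationship table, and flags users who view records of patients they have no treatment, payment or operations relationship with. The log fields, user names, patient IDs, the “break the glass” action name and the three-record threshold are all assumptions.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed EHR access log (hypothetical). Real logs come from the EHR's audit
# trail; the field names here are assumptions, not any vendor's schema.
ACCESS_LOG = """timestamp,user,patient_id,action
2018-03-01T08:02:11,dr_alvarez,P1001,view_chart
2018-03-01T08:05:40,dr_alvarez,P1002,view_chart
2018-03-01T09:14:03,nurse_kim,P1001,view_chart
2018-03-01T12:31:55,nurse_kim,P2001,view_chart
2018-03-01T12:33:10,nurse_kim,P2002,view_chart
2018-03-01T12:34:48,nurse_kim,P2003,view_chart
2018-03-01T12:36:02,nurse_kim,P2004,view_chart
2018-03-01T13:10:27,billing_lee,P1002,view_billing
2018-03-01T22:47:19,clerk_ray,P3001,break_glass
"""

# Constructed care relationships: (user, patient) pairs derived from encounters,
# schedules or billing assignments. Building this mapping from real source
# systems is the hard part of deploying such a check.
CARE_TEAM = {
    ("dr_alvarez", "P1001"), ("dr_alvarez", "P1002"),
    ("nurse_kim", "P1001"),
    ("billing_lee", "P1002"),
}

# Emergency ("break the glass") access is legitimate without a prior relationship
# but must be reviewed separately, so it is never counted as unrelated access.
EMERGENCY_ACTIONS = {"break_glass"}


def parse_log(text):
    """Parse the CSV audit log into a list of dict rows."""
    return list(csv.DictReader(StringIO(text)))


def unrelated_access(events, care_team=CARE_TEAM):
    """Map each user to the sorted patient IDs they viewed without a care relationship."""
    seen = defaultdict(set)
    for ev in events:
        if ev["action"] in EMERGENCY_ACTIONS:
            continue
        if (ev["user"], ev["patient_id"]) not in care_team:
            seen[ev["user"]].add(ev["patient_id"])
    return {user: sorted(patients) for user, patients in seen.items()}


def emergency_access(events):
    """Collect break-the-glass events for the privacy officer's separate review."""
    return [(ev["user"], ev["patient_id"], ev["timestamp"])
            for ev in events if ev["action"] in EMERGENCY_ACTIONS]


def flag_users(events, care_team=CARE_TEAM, threshold=3):
    """Flag users whose number of distinct unrelated records meets the threshold."""
    return {user: patients
            for user, patients in unrelated_access(events, care_team).items()
            if len(patients) >= threshold}


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    print("flagged for review:", flag_users(events))
    print("emergency access to review:", emergency_access(events))
```

Run against the constructed log, dr_alvarez and billing_lee only touch assigned patients and are not flagged, clerk_ray’s emergency access is listed for separate review rather than treated as snooping, and nurse_kim is flagged for four unrelated record views. A real deployment runs this daily over the audit trail, tunes the threshold per role, and feeds the flagged users to the Privacy Officer; the relationship table is the control’s weak point, so gaps in it produce false positives that must be worked, not ignored.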


HIPAA Breach Notification Rule


The final HIPAA Breach Notification Rule, implementing the HITECH Act and GINA, was published on January 25, 2013 as part of the modifications to the HIPAA Privacy, Security, and Enforcement Rules commonly known as the Omnibus Rule. The Omnibus Rule requires covered entities (CEs) and business associates (BAs) to provide the required HIPAA breach notifications following an impermissible use or disclosure of protected health information (PHI).

What is a HIPAA Breach?

A HIPAA breach notification may be required because of an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI) of an individual.  An impermissible use or disclosure is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the protected health information has been compromised.

A risk assessment must include consideration of at least the following factors:

  • The extent and nature of the PHI involved (i.e. types of identifiers and likelihood of re-identification);
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • If the PHI was viewed and/or acquired;
  • To what extent the risk to the PHI has been mitigated.

How Does a HIPAA Breach Notification Work?

(1) HIPAA Breach Notification Rule: Following a breach of unsecured PHI, CEs must notify affected individual(s) and the Secretary of Health and Human Services (HHS). In instances where the breach affects more than 500 residents of a State or jurisdiction, notice must be provided to prominent local media. In addition, BAs must notify CEs that a breach has occurred.

Individual HIPAA breach notifications must occur without delay, but not later than 60 days from the date of the breach discovery.  A breach is considered to be “discovered” when at least one employee of the entity knows of the breach.  This does not include the person responsible for the breach.

(2) Covered Entities HIPAA Breach Notification: Covered entities are required to notify affected individuals following the discovery of a breach of unsecured PHI. The CE must provide the individual notice in written form by first-class mail.  Notices by email are permissible if the affected individual has agreed to receive notices electronically.

What about Business Associates?

(1) Business Associates HIPAA Breach Notification:  If a breach of unsecured PHI occurs by a business associate, the BA must notify the CE following the discovery of the breach.  A business associate must provide notice to the covered entity no later than 60 days from the day of discovery of the breach.  BAs are required to provide the identification of each individual affected by the breach.  The covered entity is responsible for ensuring the individuals are notified of a breach by a business associate even if the covered entity is charged with the responsibility of providing individual notices to the business associate.

(2) Out-of-date Information: If the CE or BA has insufficient or out-of-date information for more than 10 individuals, the CE must provide a substitute individual notice by one of two methods. It may post the notice on the home page of its website for at least 90 days. Or it may provide the notice in major print or broadcast media where the affected individuals reside. This notice must include a toll-free number that remains active for at least 90 days. If the CE or BA has insufficient or out-of-date information for fewer than 10 individuals, the covered entity may provide a substitute notice by an alternative form of written, telephone, or other means of notification.
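The four-factor risk assessment and the notification duties above, worked through as an added example (this is not code from the original article or from HHS): a small Python model that records the four factors, applies the presumption of breach, and lists who must be told by when. Names such as BreachRecord and required_notifications are assumptions. For the substitute-notice split the code uses the regulation's own threshold of 10 or more individuals (45 CFR 164.404(d)(2)), which resolves the exactly-10 case the article's wording leaves open.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed model of the breach-notification duties; field and function
# names are this example's assumptions, not terms from the rule itself.
FOUR_FACTORS = (
    "nature_and_extent_of_phi",   # identifiers involved, likelihood of re-identification
    "unauthorized_recipient",     # who used the PHI or received the disclosure
    "phi_viewed_or_acquired",     # was the PHI actually viewed or acquired?
    "extent_of_mitigation",       # how far the risk has been mitigated
)


@dataclass
class BreachRecord:
    entity_type: str                 # "CE" (covered entity) or "BA" (business associate)
    discovered_on: str               # ISO date; first day a workforce member other than the culprit knew
    phi_unsecured: bool              # the rule applies to unsecured PHI only
    risk_assessment: dict = field(default_factory=dict)      # factor name -> written finding
    low_probability_demonstrated: bool = False               # Privacy Officer's documented conclusion
    residents_by_state: dict = field(default_factory=dict)   # state/jurisdiction -> affected residents
    bad_contact_info: int = 0        # individuals with insufficient or out-of-date contact details


def is_presumed_breach(rec: BreachRecord) -> bool:
    """An impermissible use or disclosure is a breach unless a low probability of
    compromise is demonstrated, and that demonstration must cover all four factors."""
    if not rec.phi_unsecured:
        return False
    fully_documented = all(rec.risk_assessment.get(f) for f in FOUR_FACTORS)
    return not (fully_documented and rec.low_probability_demonstrated)


def notification_deadline(rec: BreachRecord) -> str:
    """Notices are due without delay and no later than 60 days after discovery."""
    return (date.fromisoformat(rec.discovered_on) + timedelta(days=60)).isoformat()


def required_notifications(rec: BreachRecord) -> list:
    """List the notices the entity owes for this record, in plain language."""
    duties = []
    if not is_presumed_breach(rec):
        return duties                       # keep the documented assessment on file
    deadline = notification_deadline(rec)
    if rec.entity_type == "BA":
        duties.append(f"notify the covered entity by {deadline}, identifying each affected individual")
        return duties
    duties.append(f"notify each affected individual by first-class mail (e-mail only where agreed) by {deadline}")
    duties.append("notify the Secretary of HHS")
    for state, count in rec.residents_by_state.items():
        if count > 500:                     # more than 500 residents of one State or jurisdiction
            duties.append(f"notify prominent media in {state} ({count} residents affected)")
    if rec.bad_contact_info >= 10:          # regulation: 10 or more individuals
        duties.append("substitute notice: website home page for 90 days or major print/broadcast media, "
                      "with a toll-free number active for 90 days")
    elif rec.bad_contact_info > 0:
        duties.append("substitute notice: alternative written, telephone or other notice")
    return duties
```

The documentation check is the point: a "low probability" conclusion with one of the four factors missing is treated as a presumed breach, which is how an auditor reads an incomplete assessment.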

HHS Wall of Shame

As required by section 13402(e)(4) of the HITECH Act, the Secretary posts a list of HIPAA breaches of unsecured protected health information affecting 500 or more individuals. These HIPAA breaches can range from a laptop theft to a hacking/IT incident. In 2015 there were over 113 million breaches of individual records reported, and the number of incidents related to “hacking” and “IT incidents” has doubled since 2014. And this only includes breaches involving 500 or more individuals!

Most recently, St. Joseph Health (SJH) has agreed to settle potential violations of HIPAA Privacy and Security Rules following the report that files containing ePHI were publicly accessible through internet search engines from 2011 until 2012.  The public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.  SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan.  This plan requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff accordingly.

The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information. Entities must not only conduct a comprehensive HIPAA risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI.


Medical Device Cybersecurity - 4 Steps to Take 


As if the headlines today are not scary enough, now we have to be worried – very worried, it seems – about medical device cybersecurity!  Reports of hacking and other incidents related to medical device cybersecurity are all over the news lately.  Not only does it have a financial impact, but confidentiality and HIPAA issues come up immediately!  The first 6 months of 2017 have seen an inordinate number of cybersecurity meltdowns.   In addition, other HIPAA breaches and data leaks occur much too often.

  • In April 2017, hospitals in Europe were shut down by the WannaCry ransomware.  At least two contrast agent injectors were compromised as part of that attack.
  • In 2015, three hospitals suffered data breaches when devices were infected by malware.  The devices included a blood gas analyzer and a picture archiving and communication system (PACS).  In these instances, the malware made its way from the device to other systems in the hospitals, leaving the hospital facing a ransom demand to cleanse its systems.  And this happened even though the hospitals had firewalls, intrusion detection and other security tools in place!
  • In August 2017, the FDA approved a firmware patch to address cybersecurity vulnerabilities in 500,000 pacemakers manufactured by Abbott.  The problems were identified over a year ago!


Why are medical devices vulnerable to cyber attacks?

Most of the time, the medical device cybersecurity flaws are due to external software such as Windows.  Many devices have Windows operating systems as the interface to the persons operating the equipment.  Windows is also used to interface with electronic health record systems.  If the device is connected to the internet, a pathway exists for malware to infect the Windows software on the device.  Malware can then make its way to other connected devices or applications.

But as the pacemaker issue mentioned above shows, there can also be vulnerabilities in the devices themselves.  An investment firm lit a fire when it issued a report a year ago claiming most devices had little to no built-in cybersecurity measures.

What does the government advise about medical device cybersecurity?

Two government agencies are concerned about medical device cybersecurity.  The Food and Drug Administration (FDA) has principally been concerned about patient safety.  The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) administers the HIPAA Privacy and Security Rules.

Because of its focus on patient safety, the FDA paid little attention to the HIPAA security issues related to medical device cybersecurity.  The FDA expanded its view of medical device cybersecurity considerations with its Postmarket Management of Cybersecurity in Medical Devices guidance issued on December 28, 2016.  This non-binding guidance advises device manufacturers to consider several strategies for reducing medical device cybersecurity risks.

  • Maintaining robust software lifecycle processes that include monitoring third party software components for new vulnerabilities.
  • Understanding, detecting and establishing communication processes with users when vulnerabilities are recognized.
  • Adopting coordinated vulnerability disclosure policies and deploying mitigation measures that address risks.

The 4 things medical device users should do

First, ask vendors how they are implementing the FDA Postmarket Management Guidance.  In this day and age, there is really no excuse for not keeping third party software like Windows up to date.

Second, expand the information you keep in your inventory of medical devices to include several factors, including:

  • The risk of each device, e.g., use of third party software, connection to the internet, etc.
  • The type of data kept on the device, whether it is static or dynamic.
  • The security controls that exist on the device, e.g., encryption, use of passwords, etc.

Third, include medical devices with third party software in the periodic HIPAA Security Rule Risk Assessment you perform.

Fourth, keep a sharp eye out for communications about vulnerabilities of your medical devices – and for patches to firmware that can improve the resistance of devices to hacking.
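Steps two through four above, carried out as an added example (not code from the original article or from any device vendor): a Python inventory model that records the factors the article lists for each device, turns them into a risk tier, selects the devices that belong in the Security Rule risk assessment, and matches vendor advisories against installed firmware. The device names, vendor "ExampleCo", advisory entries and scoring weights are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example with a constructed inventory; weights and names are assumptions.


@dataclass
class MedicalDevice:
    asset_id: str
    vendor: str
    model: str
    os: Optional[str]          # third-party interface software (e.g. "Windows 7"); None if embedded only
    internet_connected: bool
    data_kind: str             # "none", "static" (settings only) or "dynamic" (patient data flows through)
    stores_phi: bool
    encrypted_at_rest: bool
    password_protected: bool
    firmware: str


def risk_score(d: MedicalDevice) -> int:
    """Weighted sum of the inventory factors the article says to record (weights are this example's own)."""
    score = 0
    if d.os:
        score += 2             # third-party software stack is the usual malware foothold
    if d.internet_connected:
        score += 2             # an internet path exists to the device
    if d.data_kind == "dynamic":
        score += 1
    if d.stores_phi:
        score += 1
        if not d.encrypted_at_rest:
            score += 2         # stored PHI without encryption turns a theft into a reportable breach
    if not d.password_protected:
        score += 1
    return score


def risk_tier(d: MedicalDevice) -> str:
    s = risk_score(d)
    return "high" if s >= 6 else "medium" if s >= 3 else "low"


def risk_assessment_scope(inventory) -> list:
    """Step three: every device running third-party software goes into the periodic risk assessment."""
    return [d.asset_id for d in inventory if d.os]


def _version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def devices_needing_patch(inventory, advisories) -> list:
    """Step four: match advisories {vendor, model, fixed_firmware} against what is installed."""
    due = []
    for adv in advisories:
        for d in inventory:
            same_product = (d.vendor, d.model) == (adv["vendor"], adv["model"])
            if same_product and _version(d.firmware) < _version(adv["fixed_firmware"]):
                due.append((d.asset_id, adv["fixed_firmware"]))
    return due


def sample_inventory() -> list:
    """Constructed sample: a PACS server, a blood gas analyzer and an embedded infusion pump."""
    return [
        MedicalDevice("MD-001", "ExampleCo", "PACS-2000", "Windows Server 2008", True, "dynamic", True, False, True, "4.1.0"),
        MedicalDevice("MD-002", "ExampleCo", "BGA-7", "Windows 7", False, "dynamic", True, True, False, "2.3.0"),
        MedicalDevice("MD-003", "ExampleCo", "Pump-10", None, False, "static", False, False, True, "1.0.4"),
    ]


SAMPLE_ADVISORIES = [  # constructed advisories, not real vendor bulletins
    {"vendor": "ExampleCo", "model": "PACS-2000", "fixed_firmware": "4.2.1"},
    {"vendor": "ExampleCo", "model": "Pump-10", "fixed_firmware": "1.0.4"},
]
```

Feeding each new vendor bulletin into devices_needing_patch against the live inventory is what step four looks like in practice: the output is the worklist of assets still below the fixed firmware version.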

Medical device cybersecurity is not a particularly glamorous issue, but paying attention to it is vital in this environment.  Hospitals have long had to keep electrical/electronic equipment safe to use around patients.  Cybersecurity is just another part of that culture of safety.


Your Guide to Staying HIPAA Compliant When Emailing Patients 


In the age of electronic communication, there is the ever-present concern of compromised data. Data can be intercepted and accessed by third parties with their own agendas.

Naturally, the information between patients and their healthcare providers is quite sensitive. Neither party wants that data available to the public.

In response to growing concerns of data interception, Congress passed HIPAA: the Health Insurance Portability and Accountability Act. One of the purposes of this legislation is to protect a patient’s privacy.

Email is not secure

In general, email communication is not secure for two reasons:

  1. The data isn’t encrypted by default.
  2. It’s impossible to tell if the receiver is the intended recipient.

Encryption is the process of transforming data so that it is unreadable, but in a way that lets it be returned to its readable state. Reversing the transformation requires a key (the secret the cipher is used with) that both sender and recipient know. Anyone without the key will only see gibberish.

By default, most email clients do not encrypt your communications. This includes the popular web-based email clients like Outlook, Gmail, and Yahoo. However, some of these services offer paid features that comply with HIPAA regulations.

Furthermore, there’s never a foolproof way to ensure that the intended recipient is actually the one reading the email. Perhaps the patient checked his mail in a public place with wandering eyes or left his phone somewhere by mistake.

Nevertheless, modern patients expect instant communication, so you can’t avoid emailing. For many patients and practices, email is becoming the preferred method of communication.

Here’s how to stay compliant with your electronic communications.

Encrypt everything

Any piece of electronic data is required to be encrypted, including physical documents scanned to a computer. It’s a simple process to have a scanned document/image sent to your storage location via encrypted email. Speak with your IT professional to set this up.

Protected health information (PHI) must be protected at rest and in transit. This means it must be secured during transmission across networks or the Internet and when it is stored on drives at workstations and servers.

The person conducting the transmission is the liable party. As a non-covered entity or business associate, a replying patient isn’t bound by HIPAA regulations. You are only responsible for your emails’ security.

While HIPAA does not require that you encrypt every device and storage location, it would be silly not to. Encryption is cheap, easy, and can protect you from embarrassing mistakes and tedious litigation. Even if you technically followed the rules, you could still upset your patients if data were exposed.

It isn’t necessary to use a dedicated service to send HIPAA compliant emails. These services work, but with some added expense.

Some email clients allow for configurations that satisfy the law. For example, the desktop client Microsoft Outlook offers an encryption option under Security Settings. If you then enable Internet Message Access Protocol (IMAP) and choose to delete emails from the server (and store them solely on your local disk), you can guarantee no chance of interception.

While encryption is important, it’s worth mentioning that HIPAA doesn’t require you to encrypt interagency emails. If you send an email to a colleague on the same secure server, no encryption is necessary. However, best practice is to encrypt everything to be safe.

If a patient is unable to accept encrypted communications, they can waive their right to privately receive emails from you. In this case, you can use any means of communication that works for you and the patient. Just make sure to have them sign a consent form and save it.

Get the patient’s consent

Consent is an important part of privacy. You can ensure you have the right contact information and protect yourself from lawsuits by getting permission in writing from your patient before you correspond through email.

On the form, explain to the patient the inherent risks of electronic communication. Offer some advice on safeguarding their computer to ensure their emails aren’t accessed by other people.

I recommend having your attorney evaluate a consent form before you send it to your patients.

Here’s a template to give you an idea of what it looks like. For best results, use an online intake form with e-signature capabilities (like ours).

Once you have the consent form, be sure to keep it safe. If the patient ever blames you for a privacy breach, you’ll want to be able to show that you had their permission.

When a patient initiates an email conversation, it’s safe to assume they permit that type of communication (unless they have previously expressed otherwise). Still, you must secure these emails like any other.

If a patient hasn’t agreed to communicate electronically, never contact them through email.

Include a privacy statement with each email

Every email you send should conclude with a privacy statement. The statement should notify the receiver that the email is inherently insecure, express that the content is strictly confidential, and tell them who to report the email to if they are not the correct recipient.

The purpose of this statement is to remind the recipient every time that their correspondence isn’t 100% safe. If they choose to reply with confidential information, they are doing so at their own risk. Further, it encourages parties who shouldn’t read the email to report the miscommunication.

If your email needs are simple, this can be done by adding a signature to your emails through your client. If you work in a larger practice, speak with your IT professional to ensure that all emails include this statement.

That said, email disclaimers are not a substitute for properly encrypted PHI emails. The purpose of the disclaimer is simply to inform. It does not absolve you of responsibility in any way.

Use an email provider that signs a Business Associate Agreement

A Business Associate Agreement is a HIPAA requirement for email providers. There are countless services that specialize in HIPAA compliant communications for healthcare providers. Each comes with its own features. These agreements do not come standard with free email clients, but many paid versions offer this service.

If a provider does not sign this agreement, they are noncompliant. Do not assume an email service provider has signed an agreement unless it is clearly advertised on their website.

Develop an office policy

It’s important to have a clearly defined policy for your staff or colleagues regarding protected health information (PHI). A casual discussion isn’t enough. You need procedures.

In your documentation, include which types of information may and may not be transmitted electronically. You may restrict certain types of PHI (mental health issues, for instance) to in-person meetings only.

Document who may and who may not send or receive confidential patient information. For instance, you would allow a doctor, nurse, or other healthcare provider to discuss health matters with a patient, but not the receptionist, administrative assistant, or billing department. These restricted parties should only contact patients regarding administrative issues and immediately notify healthcare staff if a patient mentions medical information.


7 Tips for HIPAA Compliant Email


You can use email securely and still remain compliant with HIPAA. Here are seven tips for securely using email in a HIPAA-compliant organization.

1) Get consent

Get a patient’s written consent before sending them email. A good email consent form will explain the risks of communicating via email, explain how and why you’ll use email, explain how patients should safeguard their computer, and get the patient’s signature.  Search the internet for “email consent form” to find lots of templates you can adapt. It also can’t hurt to have your lawyer review the form before you start using it.

Do something with the patient’s consent.

Write a procedure for staff to follow when handling consent forms that patients fill out.  This is important for two reasons: (1) It’s the only way to be sure that you’re actually honoring the patient’s wishes about email communication, and (2) If you are ever audited or experience a security breach, it will be important to have a written procedure as evidence to prove that you’re handling email securely.

2) Policy: define what staff are allowed to do with email.

Your policy should define which email addresses and devices should be used to send PHI, what information should never be sent via email (e.g., mental health and substance abuse info), and who they are allowed to email (patients, other providers, etc.).

3) Have a privacy statement at the end of emails.

A privacy statement should be automatically appended to the end of every outgoing email. Your statement reminds recipients that email is inherently insecure, states that the email is privileged and confidential, and tells the recipient who to contact if they are not the right person. Speak with your email / IT provider – they should be able to set this up for you.

4) Say yes to Business Associate Agreements.

HIPAA Business Associate Agreements are required under HIPAA. Don’t use an email provider who refuses to sign HIPAA Business Associate agreements for your medical practice. Paid Google and Office365 services will sign such an agreement. Free services like free Gmail, Yahoo Mail, Hotmail/Outlook.com won’t.

5) Say no to any company that won’t sign a BAA.

Companies will give you all sorts of reasons as to why they won’t sign a Business Associate agreement. Here are a few that we’ve heard:

  • “Our lawyers say we don’t need one.”
  • “We never open your emails, so we’re not a Business Associate.”
  • “None of our thousands of customers have ever asked us to do that.”
  • “We’re a ‘conduit’, not a business associate.”

These are all nonsense. There are plenty of providers out there who are willing to sign a Business Associate agreement. If a vendor’s not, you’re either speaking to the wrong person within the company, or there’s a reason that they won’t. Walk away and go find a vendor that knows how to support healthcare organizations.

6) Encrypt email with PHI or PII.

Let’s say you’re emailing a patient with the results of a lab test. You need to be as sure as can be that your patient is actually sitting at the computer when that email is opened AND that nobody else read the email in between your computer and theirs.

Using a secure email gives you that level of assurance – the message is encrypted when it leaves your computer, and can’t be read by anyone except your patient who has a password that only she or he knows. That means anyone trying to read it along the way will only see nonsense.

7) Better yet, automatically encrypt any sensitive email.

The best systems will automatically read your email on the way out, look for sensitive terms (like social security numbers, diagnoses like “diabetes,” medication names like “Zoloft,” etc.), and automatically send these encrypted and securely. These systems are great because they remove the chance of making mistakes – emails to your spouse about dinner plans are sent normally, but emails about patients, treatments, diagnoses, and lab tests are sent securely.
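The outbound scanning described in tip 7, together with the consent check from tip 1 and the appended privacy statement from tip 3, as an added example (this is not code from the original article or from any secure-email product): a Python classifier that looks for an SSN pattern and for constructed lists of diagnosis and medication terms, then routes the message as standard, encrypted, or held when the recipient has no consent on file. The term lists, the sample messages, the privacy@example-practice.invalid address and the function names are all constructed for this example.

```python
import re

# Added example with constructed term lists and sample messages; the names
# classify, route and prepare_outbound are assumptions, not any product's API.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

SENSITIVE_TERMS = {
    "diagnosis": ("diabetes", "hiv", "depression", "hypertension"),
    "medication": ("zoloft", "metformin", "insulin", "lisinopril"),
    "clinical": ("lab result", "test result", "diagnosis", "treatment plan"),
}

PRIVACY_STATEMENT = (
    "CONFIDENTIALITY NOTICE: E-mail is not a secure medium. This message is intended only "
    "for the named recipient and is strictly confidential. If you are not the intended "
    "recipient, notify privacy@example-practice.invalid and delete this message."
)


def classify(subject: str, body: str) -> dict:
    """Return the categories of sensitive content found, with the terms that matched."""
    text = f"{subject}\n{body}".lower()
    hits = {}
    ssns = SSN_RE.findall(text)
    if ssns:
        hits["ssn"] = ssns
    for category, terms in SENSITIVE_TERMS.items():
        found = [t for t in terms if re.search(rf"\b{re.escape(t)}\b", text)]
        if found:
            hits[category] = found
    return hits


def route(subject: str, body: str, recipient: str, cleared_recipients: set) -> str:
    """Routing decision: 'standard' for ordinary mail, 'encrypted' for PHI to a cleared
    address, 'hold' when PHI would go to an address with no consent or policy clearance."""
    if not classify(subject, body):
        return "standard"          # dinner plans go out normally
    if recipient.lower() not in cleared_recipients:
        return "hold"              # tip 1 / tip 2: nobody cleared this address to receive PHI
    return "encrypted"


def prepare_outbound(subject: str, body: str, recipient: str, cleared_recipients: set) -> dict:
    """Append the privacy statement (tip 3) and attach the routing decision and findings."""
    return {
        "to": recipient,
        "subject": subject,
        "body": body.rstrip() + "\n\n-- \n" + PRIVACY_STATEMENT,
        "route": route(subject, body, recipient, cleared_recipients),
        "findings": classify(subject, body),
    }
```

The cleared_recipients set stands in for the consent file and the office policy together: patient addresses with a signed consent form plus the colleague addresses the policy allows to receive PHI. A "hold" result is the mistake the article says these systems remove, caught before the message leaves.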
