HIPAA Compliance for Medical Practices
67.1K views | +2 today
Follow
 
Scoop.it!

Maintaining HIPAA Compliance across Digital, Paper Records

Maintaining HIPAA Compliance across Digital, Paper Records | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance and numerous data privacy and security mandates is of paramount importance for healthcare organizations. Since HIPAA is not a one-size-fits-all regulatory regime, best practices for data privacy and security programs demand attention to the specific operating environment of each and every healthcare provider.

To ensure compliance, healthcare organizations must implement policies and procedures that are tailored to their operations and the size of their organization.

To complicate matters, many organizations are also challenged by the need to balance both digital and paper documents while maintaining HIPAA compliance. Many healthcare organizations handle paper documents and digital files smoothly, however it’s the integration of the two that can add increased compliance layers and often hamper productivity.

This can be solved with a combination of procedures and technologies that enable rapid paper-to-digital and digital-to-paper transformation and transmission, ensuring patient care is handled efficiently and within compliance demands. Printers, scanners, faxes, and multifunction devices can provide a highly connected on-ramp/off-ramp between digital healthcare systems and physical documents.

Further, healthcare organizations must understand how compliance requirements apply to these devices.

Both electronic data and paper records are subject to the HIPAA Privacy and Security Rules – a set of federal rules first adopted some 15 years ago and substantially revised in 2013 under the HITECH Act.

However, some healthcare organizations are surprised to learn that the risk of non-compliance can greatly increase with the misuse of office devices such as printers, scanners and fax machines. As a result, it is incumbent upon healthcare providers — in both clinical and administrative environments — to institute sound data handling practices for these devices and the documents processed by each.

Maintaining good data “hygiene” with paper records and files is made easier with user-friendly, compliant print/fax/scan devices and compatible software. Knowledgeable solution providers can assist in integrating hardware and software necessary to ensure the best practices.

To attain compliance with printers, adhere to the following guidelines:

  • Allow users to password-protect print jobs that may only be retrieved via a PIN at the device’s control panel. This prevents sensitive documents from sitting unattended on output trays of shared printers.
  • Configure printers to support face-down printing, faxing, and copying to guard against inadvertent viewing by unauthorized staff.
  • If you must fax, bypass hard-copy printouts by using PC-to-fax or “e-fax” function.

Document digitization enables paper-locked data to enter EMR systems, cloud sharing repositories, and mobile workflows. When employing scanners to assist in executing efficient and accurate data integration, consider digitizing sensitive or confidential documents to a secure FTP site, securing data as soon as it is scanned.

In some cases, moving paper workflows to electronic and automated processes can introduce new efficiencies and increase data security. Turn to tools such as scan-to-email, scan-to-workflow, and electronic file search and retrieval to help bring paper records into the digital workflow.

For many healthcare organizations, the most convenient HIPAA compliant way to transmit information is still by fax technology. Many fax devices are built with advanced security features to address the increasing demand for secure document management. Apply these practices to assist in compliant faxing:

  • Ensure that all faxes are received into memory and cannot be printed without a password, or through an NFC card reader for user-based walk-up authorization.
  • Prevent unauthorized users from sending faxes, limiting the potential for unauthorized sharing of personal health information.
  • Enable secure faxing and fax forwarding to help maintain patient confidentiality by restricting or granting access and privileges on a per-user or per-group basis.

Once device and data policies and procedures are in place, a healthcare organization should conduct a risk assessment and repeat it annually – or even more frequently if it changes any of its hardware, software, or other controls.

This includes taking an inventory of assets that may be related to health data, including office equipment such as scanners, printers, fax machines, and copiers, to identify both the breach potential inherent in those pieces of equipment and their related software tools, and the steps taken to minimize the likelihood of a data breach. At the same time, healthcare organizations should also think about how to ensure data integrity.

From the triage desk to the operating room, fast-paced, regulation-laden healthcare environments leave no room for error. Healthcare organizations can earn the trust of patients, employees and partners by implementing compliant strategies and technologies to help meet HIPAA challenges while balancing paper records and digital documents.

This approach, informed by the regulatory environment and underpinned by the hardware and software capabilities of compliant information systems, enable efficient workflows to provide care while maintaining compliance with required data privacy and security policies. The end result can produce a more efficient use of printer/scan/fax devices, with significantly reduced risk of non-compliance.

 

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

more...
No comment yet.
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

The Impact of HIPAA on Email Communications — What You Need to Know Before You Click ‘Send’ 

The Impact of HIPAA on Email Communications — What You Need to Know Before You Click ‘Send’  | HIPAA Compliance for Medical Practices | Scoop.it

The recent Sony Pictures hack exposed embarrassing emails, unreleased intellectual property and plenty of passwords, social security numbers and financial data — but it was also a giant HIPAA violation. In addition to unencrypted spreadsheets full of sensitive medical data, the hackers leaked an HR exec’s memo about the special needs and diagnosis of an employee’s child.

While we don’t yet know the cost of Sony’s myriad of security failures, the medical details of many Sony employees and their families now exist on the Internet, where it will likely stay available for the foreseeable future.

 

The Sony hack has taught us plenty of information security lessons, but one of the stickiest is the importance of protecting protected health information (PHI). We’ve already written about the reasons Sony should have used client-side email encryption, but HIPAA compliance is yet another compelling reason to encrypt your email messages.

The Need for HIPAA Compliant Email

If you’re new to the world of HIPAA compliant email, the idea of safely sending messages and files to your patients, other health providers and business associates can seem overwhelming at first. While any professional email should be approached with mindfulness of data security and awareness of the threats to your email privacy, from hacking to phishing, businesses that deal with PHI must be extra vigilant to make sure their communications are compliant with HIPAA and HITECH. After all, a HIPAA violation is as easy as accidentally sending an email to the wrong recipient, and can lead to fines of hundreds of thousands of dollars.

While HIPAA compliant email doesn’t need to be rocket science, the stakes facing the medical community are pretty high. Consumers want more and easier access to their personal health data, but have greater demands when it comes to privacy.

Protecting Patient Privacy In the Digital Age

Any organization that handles PHI (known as a “covered entity”), from health providers such as doctors, nurses, chiropractors, pharmacies and nursing homes to businesses that provide health plans like HMOs, company health benefits and government programs like Medicare — as well as all of their business associates — needs to ensure that their email solutions are HIPAA compliant. And it’s not just corporate organizations – state and local governments, universities, and non-profits also fall under HIPAA and must protect PHI.

 

Since the introduction of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, it seems that the demand for greater digital access to health data is at odds with the HIPAA Privacy Rule, which demands that a patient’s past, present and future PHI be accessible only to authorized recipients. One of the goals of HITECH was to spur adoption electronic health records (EHRs) for patients and health information exchanges (HIEs) to help doctors share patient data. If your ophthalmologist recently asked you to sign up for an online patient portal, that’s HITECH in action.

 

But another HITECH provision put many covered entities on notice: where prior to HITECH, $250,000 was the maximum annual penalty for a HIPAA violation, that threshold has moved up to $1.5 million. This presents the medical community with the puzzle of how to increase digital access to data without compromising patient privacy.

The Importance of Encryption in HIPAA Compliant Email

The challenges facing healthcare data security, from data thieves and “hacktivists” targeting hospitals to user error and technology adoption, make HIPAA compliant email more important than ever. But what makes an email HIPAA compliant?

 

One of the most important steps any business handling PHI should take is enabling email encryption. Encryption uses a complex cipher algorithm to render your data unreadable to anyone without the necessary credentials (or the encryption key). In short, if a cybercriminal cracks into an email you send to a patient or insurance company, they won’t be able to use that data unless they also get ahold of your encryption key.

 

There are a few options when it comes to email encryption. Many hospitals, healthcare providers and insurance companies deploy portal solutions that use Transport Layer Security (TLS) to encrypt messages. In these scenarios, patients and other providers establish and maintain a separate account for a portal where they can exchange sensitive information. While these solutions do provide for HIPAA compliance, their user experience tends to be clunky and frustrating. At one time or another we’ve all forgotten our username or password and been locked out of our health or financial data.

 

At the end of the day, employees prefer to use the applications they’re used to — including their email service providers. Newer email encryption solutions are able to integrate with the email service you’re already using to provide a seamless, easy-to-use user experience with powerful client-side encryption.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Is Your Digital Ad Campaign HIPAA Compliant? 

Is Your Digital Ad Campaign HIPAA Compliant?  | HIPAA Compliance for Medical Practices | Scoop.it

As the importance of digital advertising continues to grow within the medical industry, marketers must ensure that their campaigns remain in compliance with HIPAA regulations.

In light of the evolving patient path to treatment, digital advertising is fast becoming the marketing tactic of choice for medical professionals across the industry. But as hospitals and medical practices scramble to keep pace with their competitors and roll out digital campaigns, there are a number of important considerations that must be taken into account — namely, marketers must ensure that their ads are in compliance with HIPAA regulations.

Staying in the Clear

HIPAA provisions for digital marketing are designed to protect patient confidentiality and satisfy the Privacy Rule, according to the HHS. As CEO of Futures of Palm Beach told Forbes, “Complete patient anonymity is key. Once marketers understand that, they can plan their campaigns accordingly.” Marketers must either avoid using information that could identify a patient, known as protected health information (PHI); obtain written authorization for its use from the patient; or completely anonymize such data by removing identifiers from 18 categories, as UC Berkley describes, including:

  • Names
  • Geographic Identifiers (county, city, addresses, zip code, etc.)
  • Dates (admission date, birth year, etc.)
  • Administrative Details (health plan numbers, driver's license number, etc.)
  • Biometric Identifiers (photos, fingerprints, voice prints, etc.)

Naturally, there are a multitude of ways that patients can be identified online (which may not be covered by these 18 categories), so marketers must exercise caution when developing patient-generated marketing initiatives, such as a real-life success story or endorsement, for example.

Of course, privacy violations are not the only opportunity for medical marketers to run afoul of HIPAA regulations. As Digital Guardian notes, providers and marketers must also comply with the Security Rule, which mandates that electronically stored or sent PHI is protected from data breaches, leaks, and unwanted disclosures. While this provision is primarily aimed at providers, marketers must also ensure that any protected information stored in their systems is secured at all times.

Cover Your Bases

While some hospitals, physicians, and medical marketers try to tiptoe around specific HIPAA provisions, such as PHI, it’s often easiest to avoid the issue altogether by drafting content that attracts patients without introducing potentially fraught information. For instance, marketers can provide generic health advice or tips, comment on the state of the industry, or provide educational resources, without the inclusion of patient-specific information. Taking this safer route may be preferable to the punishment for violating HIPAA — a potential fine of $50,000 per violation, as WebPT notes.

Equally important is that every member of your marketing team be thoroughly trained in HIPAA regulations, with specific guidelines in place for your individual medical organization. Likewise, if you’re interested in enlisting the services of a third-party marketing vendor, make sure that they’re HIPAA certified. Most commonly, violations stem from a lack of experience or confusion surrounding the nuanced rules and regulations. So while HIPAA may seem daunting, a well-informed approach is the key to avoiding compliance issues.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Importance of HIPAA Compliance When Choosing Telemedicine Solutions 

The Importance of HIPAA Compliance When Choosing Telemedicine Solutions  | HIPAA Compliance for Medical Practices | Scoop.it

While the rise of telemedicine technologies is benefiting the health care industry, it may come with an intimidating effect. On one hand, health care professionals are able to provide better quality care more conveniently, improve patient outcomes and increase engagement. On the other hand, because they're sending, retrieving and analyzing privacy information via digital technology, there's a higher risk for data breach. That's what makes Health Insurance Portability and Accountability Act (HIPAA) compliance so important. HIPAA is a set of provisions designed to improve the efficiency and effectiveness of health insurance coverage by eliminated waste, fraud and abuse through health care delivery.

Let's take a closer look at what it means to be HIPAA-compliant and how telemedicine equipment distributors are prioritizing safety and security via telemedicine

Secure communications through telemedicine

Securing personal health information is more critical than ever before, because telemedicine systems make regularly assessing, discussing and sharing information a normal process nowadays. According to HIT Consultant, the Security Rule requires that technical safeguards are put into such systems to keep parties with unauthorized access out of private information. That's why discussing personal medical matters with physicians and caregivers via text and email may be frowned upon - these channels are not HIPAA compliant, which could encourage a data breach. Additionally, communication outlets such as Skype or FaceTime are also an issue - covered entities are required to have a Business Associate Agreement in order to be HIPAA compliant. Communicating through telemedicine, however, is safe because the information is sealed by the Security Rule.Ensure your telemedicine technology is HIPAA compliant.

Factors to consider when evaluating telemedicine technology

When evaluating potential telemedicine for your organization, make sure to consider the following factors:

  1. Access - Access to the communication of medical data should be restricted to a user database system. This can be self-contained or monitored through an external mechanism.
  2. Log user access - Ensure you can document user entry points to ensure HIPAA policies and procedures are being respected.
  3. Data in transit encryption - Data transferred between authenticated users must be fully secured.
  4. Data at rest encryption - Never permanently store data at rest within the platform - it should never be available outside of the
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA & Texting

HIPAA & Texting | HIPAA Compliance for Medical Practices | Scoop.it

In recent years, a great number of medical practices have embraced text messaging as a popular means for communicating to both patients and their internal staff members. Despite the convenience and time saving benefits, healthcare providers and staff must be aware of potential consequences when texting Electronic Protected Health Information (ePHI). Text messaging includes any communication service or application that enables the transmission of electronic written messages between two or more mobile devices. This includes both Short Message Service (“SMS”) text messaging and other service providers like iMessage, WhatsApp, etc.

The Challenges

Under HIPAA healthcare providers must maintain the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted by a covered entity. Unfortunately, text messaging presents multiple threats for meeting some of those requirements. Including:

  • Standard SMS messages are not encrypted
  • Sender does not have the ability to “control” if/when the message is discarded upon viewing
  • No clear path to verify the reader’s identity which opens the door to unintended recipients, AKA a HIPAA breach

Even well intended providers who find ways to implement and oversee texting security measures must also think about documentation. Any exchange between providers regarding a patient’s condition, must also make its way onto the patient’s medical record. Unless the provider integrates text messaging with their EMR, it can be difficult to ensure appropriate documentation.

What Does HIPAA Say?

Unfortunately the HIPAA laws and Office for Civil Rights (OCR) do not have anything specific outlined regarding texting requirements. Any and all forms of communication present some level of risk and it is the healthcare providers’ responsibility to ensure privacy and security while data is being exchanged.

Despite the lack of HIPAA specifications regarding texting, providers should keep in mind a general adherence to the HIPAA Privacy and Security Rules. Both have different objectives and controls for navigating the secure sending of ePHI:

  • HIPAA Privacy Rule – Limits provider disclosure of ePHI only to authorized individuals or entities.
  • HIPAA Security Rule – Requires that providers protect patient’s sensitive data from any threats to access or disclose PHI to unauthorized individuals or entities and should a breach or unauthorized disclosure occur, have a remediation plan.

Best Practices

Despite the risks, a provider can take steps to reduce the likelihood of a breach or HIPAA violation while utilizing text messaging. When texting any sensitive ePHI information that might be locally stored in a device, encryption should be applied in the event of a loss, disposal or theft. Additionally, the text might be stored at the server level (phone carrier).

The following safeguards can help protect PHI along with establishing compliant communication:


Security Risk Analysis (SRA)
– While conducting an SRA, a healthcare provider will identify where ePHI is created, received, maintained, and transmitted. For texts, ePHI will primarily be created, received, and maintained on mobile phones.

Limit PHI – Whenever possible it is best to text with limited or no PHI included in the message, examples: appointment confirmations, instructions to call the office to receive test results, etc.

Policies and Procedures – Ensure texting is included in the policies and procedures, specifically Administrative and Technical policies. It is important to outline what is acceptable to text along with an outline of steps should a text be sent to the wrong patient/incorrect recipient.

Workforce Training – A well trained workforce is any healthcare provider’s best defense against undisclosed PHI exposure. Workforce training should include the sharing of information, securing authorized devices and using secure third party apps that might permit sharing information in a secure way.

Waivers and Intake Forms – Ensure all patient forms are up-to-date with all the current HIPAA requirements. The forms should plainly state which methods the patient allows the provider to contact him/her. Additionally, forms should include who outside the patient can receive their information and what can be sent.

Notice of Privacy Practice – A Notice of Privacy should be standard operating procedure for providers and distributed to all patients. If the provider has included text messaging as part of their communication model, ensure the Notice of Privacy includes texting.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

A Doctors Guide to HIPAA Compliance in 2017

A Doctors Guide to HIPAA Compliance in 2017 | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance in 2017 is a key issue that many doctors are focussed on.

Since 1996, the The Health Insurance Portability and Accountability Act has been in place, giving physicians and their teams reasons to guard their patient privacy closely.

Depending upon the type of the breach, physicians can be liable for between $100 to $50,000 for each violation. The maximum HIPAA Violation is $1.5 million for identical provisions during a calendar year. Some HIPAA violations can lead to imprisonment in extreme circumstances. This is why HIPAA compliance in 2017 is such an important factor for doctors.

To ensure that your practice has effective HIPAA compliance in 2017, here are 5 steps to follow:

1) Correct Sharing of Patient Information

If your staff discuss patients’ names, addresses and or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or change of address in private. Also, create a quiet place for phone calls to occur. Even if you’re just calling a patient to setup or confirm an appointment, it is better to do this in a private area if possible.

2) Secured Paper Files

While paper charts are slowly becoming a relic, it is important that past files are stored securely.  Doctors who have moved to using an EHR for all patient records may still have old patient files that need to be transferred. Once converting from paper documents to electronic format is complete, be sure to shred any patient records before you dispose of them.

If your medical practice still uses paper documents, be sure not to leave them in unsecured or unattended areas. This includes charts, paperwork and forms that patients bring in from other practices that they are filed and stored securely.

3) Encrypted Emails

Never underestimate the importance of email encryption, even for seemingly innocent files. The use of non-encrypted email services, such as gmail, outlook, yahoo and other well known email services can cause a risk of hackers being able to access your information. For this reason, you should consider an encrypted email or file sharing service for pertinent patient information.

When sending bulk emails to patients, or many emails in a row, it is easy to overlook the address it is being sent to. You can put patients at risk and you can lose their trust, simply because you didn’t double-check your recipient address or an email attachment.

This is one of those areas where slow, steady careful checking pays off.

4) HIPAA Secured Patient Portals

If you use or are considering creating a patient portal, ensure it has secure login compliance. Any personal patient information should not be easily accessible without a username and password.

If sharing information with family members of patients, be sure to get written authorization from the patient first. A good practice is to require identity verification for password reminders. You can also remind patients to access their patient portal when they have a secure internet connection (i.e. not in public places).

5) Ensure your Telemedicine platform is HIPAA compliant

Some doctors have considered using Skype or Facetime to communicate with patients. While they are great free platforms for video chat, the reality is the weren’t designed to be HIPAA-compliant.

The challenge is that even though a doctor can ensure their Internet connection is secure, there is very little they can do to make sure everything is secure on the the patient’s receiving end.

Another alternative is to ensure the is a Business Associate Agreement in place. The same issues arise with security for text messaging, so be sure to use HIPAA compliant texting tools here as well. The solution here is to ideally use a HIPAA compliant application designed for Telemedicine.

Doctors may have several HIPAA violations without getting fined, but that doesn’t mean it isn’t a negative for your practice. Having HIPAA Compliance in 2017 is as important as it has been for the past 20 years.

When doctors treating patient information caution they can and enjoy the peace of mind that comes with being HIPAA compliant.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Trends to Watch in 2018 

HIPAA Trends to Watch in 2018  | HIPAA Compliance for Medical Practices | Scoop.it

Although the Trump Administration has a $6.194 million budget cut slated for the Office of Civil Rights (OCR), the office which administers HIPAA, compliance will still be enthusiastically enforced, according to OCR director Roger Severino. The Congressional Justification for FY2018 predicts a shift from routine HIPAA investigations to larger actions with sizable fines.

Here’s more on what to expect for HIPAA in 2018:

Fewer, but larger enforcement actions
Director Severino’s goal is to find a “big, juicy, egregious” breach case which could mean they will seek out more complex issues with a broad impact for enforcement. At a conference in 2017, Severino said he hasn’t decided yet on a particular area for increased investigations, but he did mention cybersecurity, ransomware and physical security as possibilities.

OCR plans to mitigate their budget decrease with increased enforcement settlement fines. So, while the department is leaner, it also may be meaner.

Possible new guidelines for medical records fees Current OCR guidance regarding patients’ access to and fees for medical records has garnered concern from businesses. The current method gives HIPAA-covered entities the ability to charge “reasonable, cost-based fees” for records, which has been interpreted as restrictive and adding to the cost of HIPAA compliance. Plus, on top of federal regulations, HIPAA entities also contend with a patchwork of state laws regarding medical record fees. The business-sympathetic Congress may require OCR to provide additional clarification regarding medical records fees to allay business concerns.

States may become more involved With OCR reducing its number of HIPAA enforcements, state attorneys generals have begun to step up enforcement activities to ensure privacy for their constituents. Privacy issues in the medical sector and other areas regarding personal information are increasingly important to the public and state AGs may lead the way to protecting citizens.

CompuTech City remains poised to facilitate medical practices’ efforts to be HIPAA compliant. We take a proactive approach to keeping your data secure and are experts in ensuring your network meets stringent HIPAA standards with device encryption, network security, intrusion prevention, gateway anti-virus, anti-spyware, content/URL filtering.

Let us know if you are interested in learning more about 2018 HIPAA compliance.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Stay HIPAA Compliant When Using Social Media for Healthcare 

How to Stay HIPAA Compliant When Using Social Media for Healthcare  | HIPAA Compliance for Medical Practices | Scoop.it

Despite regulations surrounding the use of social media within the healthcare industry, there are enormous gains to be made from utilizing social media, from increasing patient engagement to acquiring new patients. Here, we look at why the role of social media is growing in healthcare, and how to make the most of this channel within healthcare internet marketing while still ensuring HIPAA compliance.

Healthcare Social Media Perks

Research data repeatedly indicate that patient outcomes improve when patients are involved and engaged in their own healthcare. Social media acts as the conduit that enables the patient-doctor relationship to extend beyond the traditional face-to-face consultations. When physicians actively engage on social media, they have an additional opportunity to connect with patients and impact their daily choices.

Meanwhile, blogging is both an effective marketing tool for doctors and a valuable source of information for patients looking to learn more about your healthcare organization or seeking health tips for specific conditions. And it’s not just the young, tech-savvy generations that can be reached on social media; one of the fastest growing demographics engaging in social media is the 55-65 year age group.

In addition, social media is an ideal platform for professionally connect with colleagues and industry peers. It is a great place to debate, express opinions, share information and experiences, and build referral networks.

The diversity of social media platforms and post types – including simple text, article shares, images, and videos – enables a new level of connection between the public, patients, and healthcare professionals. However, while social media continues to grow in importance in healthcare marketing, the challenges associated for non-compliance with HIPAA rules and regulations continue to increase.

Social Media HIPAA Compliance Concerns

To ensure HIPAA compliance on social media, it’s important to keep several key issues in mind.

Protected Health Information (PHI) The main compliance issue facing physicians is patient privacy. Physicians must be aware of both HIPAA and state laws with regard to the disclosure of patients’ PHI through social media. Even an inadvertent disclosure of PHI, including visual elements like photos or videos, can result in fines and other penalties. To satisfactorily manage this, healthcare organizations should provide HIPAA training to social media managers and conduct compliance checks. Healthcare organizations must also be prepared to present all electronic communications on demand, should an audit or lawsuit require it.

Medical Advice: Providing medical advice via social media should be treated with extreme caution due to licensing laws. If a patient is located in a state where the doctor is not licensed, the doctor risks liability under state licensing laws.

  

 

 

Tips for HIPAA Compliant Social Media

We recommend you have the following in place before going full-steam ahead on social media:

  • Create a Social Media Working Group to discuss any potential concerns about implementing a social media strategy. The group should include representatives from various parts of the organization.
  • Ensure a thorough understanding of the HIPAA patient privacy regulations and how they pertain to your healthcare organization’s social media accounts.
  • Create an employee use policy for social media and clearly communicate it to all staff.
  • Educate and train staff on the use of social media – plus how not to use it – with real life examples.
  • Create a realistic content strategy that specifies both the frequency and types of social media posts to reduce the likelihood of breaches.
  • Develop a process with the Legal and Compliance departments to approve content prior to being posted.
  • Monitor social media communications with technology controls that flag any words or phrases that may indicate HIPAA non-compliance, so that they can be reviewed before posting.
  • Capture and save records that preserve the format of social communications, including edits and deletions.
  • Archive electronic records so that they can be found, in accordance with federal and state recordkeeping rules.
  • Develop metrics to measure the effectiveness of social media programs.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

8 HIPAA Compliance Steps for Your Medical Practice

8 HIPAA Compliance Steps for Your Medical Practice | HIPAA Compliance for Medical Practices | Scoop.it

Complying with 1996 Health Insurance Portability and Accountability Act (HIPAA) regulations is vital to keep your patients’ protected health information (PHI) private, confidential, and secure. What is HIPAA? It’s the safety standards for all entities handling sensitive electronic patient data. The guidelines apply to everyone in your hospital, medical, or dental practice who saves, accesses, and shares patients’ computerized health and financial records.

 

Proper precautions will help you gain the best patient rapport and standing. You’ll also avoid breach-related complaints, reputational damage, hefty monetary fines, civil lawsuits, criminal charges, medical license loss, and/or imprisonment. E-Complish excels at compliance with both Payment Card Industry (PCI) and HIPAA compliance protocols. With us you can be sure client payment info and PHI remains safeguarded, but follow the eight steps below to ensure that your medical or dental facility is compliant

Run Thorough Risk Assessments

Did your medical practice adopt an electronic health record (EHR) system before clear directions specified everything it should contain? Then your office might be using a system that fails to meet HIPAA standards. Using the latest guidelines, run a thorough risk assessment on your current system. That will highlight any noncompliant areas that you need to update to fulfill your obligations. In addition, you or a HIPAA specialist must complete mandatory security risk assessments annually. Then develop detailed action plans and timelines that address all evaluated issues requiring remediation or follow-ups.

Prepare for Disasters Before They Occur

Keeping all customer data that your medical or dental facility handles safe from corruption and loss is key. Installing antivirus programs on all business computers will protect them from viruses that could corrupt or destroy files. To prevent losses due to mishaps, backup all health records frequently. Using off-site locations will stop destructive events like office fires and floods from making valuable backups irretrievable.

Develop a Policy and Procedure Manual

Create written instructions that detail how your staff should address and maintain patient privacy, confidentiality, and security. Include a HIPAA compliance overview with specific processes for patient notifications, disclosures, and relevant forms. Distribute this manual to all existing employees and new hires. Requiring them to sign and return statements that they read and understand your policies and procedures can increase conformity. Review, update, and redistribute your handbook as regulations expand and change.

Establish an Ongoing Staff Training Program

Your weakest links determine your EHR’s strength. In medical and dental offices, untrained employees make the most errors unintentionally. Staffers who fail to follow safety protocols when accessing files and records can render even a very dependable encryption system useless. That might allow unauthorized parties to gain access illegally.

Guiding new hires is just the beginning. Re-educating your entire team to adhere to vital safeguards annually will ensure data security and integrity. Everyone must recognize that protecting health information is essential. Gather staffers’ signatures, acknowledging awareness of HIPAA principles and practices. Document all employees’ names with initial and refresher course dates to verify that you’re fulfilling your ongoing commitment. Also evaluate and revise your training program as regulations expand and change.

Add Compatible and Compliant Office Equipment

All new equipment you buy for your medical or dental facility must be compatible to work well with your existing system while providing sufficient security. Make sure that all purchases include both of these crucial elements because either one alone is an ineffective mistake.

Collaborate With All Affected Internal Parties

The changes you must make to become HIPAA compliant will affect various internal personnel. Inform all involved supervisors and departments about necessary modifications to their routines. Preventing violations requires everyone’s ongoing and diligent participation.

 

Demonstrate Privacy throughout Your Facility

Treat your patients with the discretion they deserve everywhere from your lobby to examination rooms. Minimize personal references to specific patients by announcing just their given or surnames when calling them to the reception desk, payment windows, and doctor consultations. Providing private, quiet spaces for discussions with individuals will stop uninvolved parties from overhearing sensitive information. Always knock on closed doors before entering patients’ rooms. Never leave their files and documents visible or unsecured where unauthorized people could view them.

Post HIPAA Notices

Print notices explaining your HIPAA practices. Place them in easily noticeable common office areas. Your patients can review applicable privacy laws with information about how you’re striving to protect their health care’s confidentiality.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Medical Practices Are Struggling With HIPAA Compliance 

Medical Practices Are Struggling With HIPAA Compliance  | HIPAA Compliance for Medical Practices | Scoop.it

We recently conducted a survey of medical practices and billing companies to gauge their knowledge of HIPAA’s Privacy and Security regulations, compliance measures, and communication methods.

 

With the help of our partners at Porter Research and The Daniel Brown Law Group, we've created an easy-to-consume narrative explaining the various aspects of HIPAA compliance while also presenting the results in a way that's easy to understand.

The survey of more than 1,100 healthcare professionals revealed several areas of concern, including:

  • 66 percent of respondents were unaware of HIPAA audits prior to this survey bringing it to their attention

  • 35 percent of respondents have conducted a HIPAA-required risk analysis

  • 34 percent of owners, managers, and administrators felt “very confident” their electronic devices containing personal health information (PHI) were HIPAA compliant

  • 24 percent of owners, managers, and administrators in small practices have evaluated all of their Business Associate Agreements

  • 56 percent of office staff and non-owner care providers in small practices have received HIPAA training in the last year

While we noticed a trend suggesting billing companies may be doing better with compliance compared to medical practices, what we found most alarming was the consistent information gap between management and staff when handling HIPAA compliance measures.

 

HIPAA Compliance Resources
Alongside the results, we've also curated a list of resources to help you learn more about the upcoming audits, how to develop a compliance plan, conduct a risk analysis, and how to ensure your electronic devices are HIPAA compliant.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Why Secure Communication for HIPAA Compliance is Not Enough

Why Secure Communication for HIPAA Compliance is Not Enough | HIPAA Compliance for Medical Practices | Scoop.it

When you spend a lot of time writing about HIPAA compliance and its importance for healthcare providers, you sometimes forget the bigger question: What does HIPAA compliant communicationmean for healthcare?

Yes, we know that HIPAA requires secure and encrypted clinical communication to ensure patient privacy. But is that where the argument starts and ends? Is patient privacy the only reason to embrace HIPAA compliant communication?

Turns out, there’s more to the riddle.

 

Why focus on secure email and secure mobile messaging

According to a 2015 study, healthcare employees use mobile messaging more frequently than voice calling for their business communication. 65 percent of healthcare respondents use email most frequently for business communication, followed by mobile messaging (22 percent) and voice calling (13 percent). The same study also reported that 91 percent of those interviewed use mobile messaging at least a few times per week.

Healthcare often uses mobile communication after receiving a pager alert. Unfortunately, pagers cause unnecessary friction to the process of patient care.

Pagers cost over $1.7 M per year in lost productivity. As such, it is important to find alternative to make healthcare communication processes as efficient and effective as possible.

Similarly, given the prominence of email and mobile communication in healthcare, it also makes sense to remove the friction that these communication cause in terms of efficiency.

If information cannot be easily exchanged through email due to HIPAA concerns or legacy pen-and-paper processes, then the workflow is bogged down.

Why is workflow important?

Efficient clinical workflow saves time, saves money, and saves lives. And in today’s industry, workflow can have a significant effect on reimbursement. As such, effective and efficient communication is key. Practices need to be choosy.

OnPage’s smartphone-based secure messaging tool and Paubox’s mobile friendly HIPAA secure email and forms are designed with secure communication in mind as well as improved workflow. OnPage is able to improve workflow as is Paubox.

And workflow is really where it’s at.

While HIPAA compliance is important to physicians, it is not as important as their patients. Physicians focus on seeing patients and improving patient lives.

Technology that improves practitioners’ efficiency and allow them to spend more time helping patients are meaningful.

How HIPAA secure messaging trumps workflow

As noted, pagers are a huge impediment to optimal workflow in hospitals.

Most paging systems utilize single-function pagers that only allow one-way communication, requiring recipients to disrupt workflow to respond to pages. Paging transmissions can also be intercepted, and the information presented on pager displays can be viewed by anyone in possession of the pager.

However, smartphone-based, HIPAA-compliant group messaging applications improve in-hospital communication. These applications save time as physicians and nurses do not need to receive messages on their pager and then respond via cellphone.

By only using cellphone based secure messaging applications, physicians and nurses have access to secure communication while providing the information security that paging and commercial cellular networks do not.

Additionally, secure messaging technologies enable persistent alerting that ensures messages aren’t dropped, missed or forgotten. By ensuring that messages are not lost, administrators do not need to waste time following up on sent messages.

How secure email and forms improve workflow

A doctor or practitioner must encrypt their emails when they communicate protected health information via email.

Unfortunately, most encrypted email providers use a portal to gate communication. Portals can make recipients take up to five extra steps just to view any messages. It also makes the experience of reading email on a mobile device cumbersome.

Not being able to send and receive emails quickly and easily can significantly bog down workflows.

When it comes to forms, online forms reduce the time patients spend in the office and make the process of patient engagement much more fluid.

Having web forms enables patients to enter their information online and include attachments such as photos or documents, then send in their forms directly to their healthcare provider’s inbox via a HIPAA compliant email provider like Paubox.

Electronic forms make archiving these documents much easier than their paper counterparts as well.

Conclusion

Overall, healthcare cannot ignore the importance of HIPAA compliance; however, healthcare technology also needs to focus on improving the workflow of physicians and practitioners.

As a healthcare provider or practitioner, you need to look for solutions that make communication more efficient.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Choose Effective HIPAA Compliance Software

How to Choose Effective HIPAA Compliance Software | HIPAA Compliance for Medical Practices | Scoop.it

Choosing an effective HIPAA compliance solution for your health care business is essential in defending against HIPAA breaches and fines.

There are many software solutions on the market that give healthcare professionals the ability to address their HIPAA compliance. But when it comes to finding an effective HIPAA compliance software for your practice, it can be difficult to parse the differences between your options.

To help narrow your choices, we’ve put together this guide to give you a sense for the bare-bones essentials that will keep your practice safe in the event of a HIPAA audit.

 

What should effective HIPAA compliance software include? 

1. Self-Audits, Security Risk Assessment

HIPAA compliance software must give you the ability to audit your practice against the HIPAA rules. These audits give you a baseline assessment of the security and privacy measures you already have in place and how they compare to the HIPAA standards.

Security Risk Assessments are also a mandatory component of HIPAA compliance.

Most HIPAA software solutions will give you the ability to complete your Security Risk Assessment, but don’t follow through on remaining HIPAA requirements. Keep in mind that incomplete software solutions will leave your practice exposed to HIPAA breaches and fines, even with a Security Risk Assessment in place.

2. Remediation Plans

Any effective HIPAA compliance software must allow your practice to create remediation plans in response to the gaps uncovered by your self-audits and security risk assessment. Remediation plans are an essential part of becoming HIPAA compliance because they provide the government with proof that your practice has performed due diligence.

A good HIPAA compliance software should give your organization the ability to document and retain all components of your remediation plans with an area for notes and important details tailored to the specific steps taken to remediate your practices’ gaps.

3. Policies, Procedures, Employee Training

One of the essentials of any HIPAA compliance program is a robust and unique set of HIPAA policies and procedures. It’s especially important that the HIPAA compliance software you choose gives you the ability to create, customize, and apply policies and procedures in your practice.

Policies and procedures are the infrastructure around which the rest of your compliance program will be built. The HIPAA Rules outline specific standards for privacy and security that must be implemented, and your organization’s policies and procedures should correspond with all applicable standards.

HIPAA policies and procedures must be updated annually to account for any changes in the running of your organization—an effective HIPAA compliance software should send your reminders or give you support to ensure you meet these annual deadlines and avoid common HIPAA violations.

Once you’ve adopted and applied your policies and procedures, all staff members must be trained on them annually. They must legally attest that they’ve read and understood the policies and procedures of your organization. An effective HIPAA compliance software should have modules for employee training, in addition to documentation capabilities to keep employee attestation stored for at least six years, as mandated by HIPAA.

4. Documentation

Documentation is the most important aspect of any HIPAA compliance program. Without proper documentation of your compliance efforts, your practice will not be able to properly defend itself in the event of a HIPAA audit.

An effective HIPAA compliance software should be able to create documentation for each and every step of your compliance program. This documentation must be retained for at least six years in order to adhere to federally mandated HIPAA standards, and your HIPAA software should be able to maintain these records on your behalf.

5. Business Associate Management

HIPAA regulation requires health care professionals to execute contracts with their health care vendors before they share health care data. These contracts are called Business Associate Agreements (BAAs), and they’re meant to protect your practice from liability in the event of a breach caused by a health care vendor.

An effective HIPAA compliance software should come included with pre-vetted Business Associate Agreements, in addition to a means for properly storing them once they’ve been executed and signed. Because Business Associate Agreements must be reviewed annually, HIPAA compliance software should also allow users to easily review stored files to make necessary changes and avoid HIPAA violations caused by out of date or missing BAAs.

6. Breach/Incident Management

The final component of an effective HIPAA compliance software we’ll discuss is Incident Management. Any time a healthcare organization experiences a data breach, that breach must be tracked, documented, investigated, and reported to HHS OCR.

An effective HIPAA compliance software should give users the ability to track and document all stages of a data breach or incident investigation. In the event that the data breach spurs an OCR HIPAA investigation, the affected organization must be able to demonstrate the steps they’ve taken in the aftermath of a breach.

Once again, documentation is key here, not only because it’s legally required by the HIPAA Breach Notification Rule, but because it’s essential to protecting the affected organization from ensuing HIPAA fines.

Why should you choose a total HIPAA compliance software? 

Choosing a total HIPAA compliance software gives your practice a way to handle HIPAA right the first time around. Piecemeal, self-serve software solutions waste time and don’t give your practice everything needed to become HIPAA compliance. Without a HIPAA compliance software that addresses each of the HIPAA standards listed above, your practice could be at risk of incurring serious HIPAA fines.

HIPAA enforcement has ramped up significantly in recent years, now totaling more than $46 million since 2015 alone.

Protecting your practice and your reputation from HIPAA breaches and fines is easier than ever before, especially with total HIPAA software solutions that work for you.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance Checklist and Employee Sanctions 

HIPAA Compliance Checklist and Employee Sanctions  | HIPAA Compliance for Medical Practices | Scoop.it

A HIPAA compliance checklist is the tool to turn to when imposing sanctions on employees for HIPAA privacy breaches.  It may feel like a never-ending and thankless task, but consider the alternatives.  It can be tempting to adopt a “no harm, no foul” approach to employee sanctions.  But this is not the way the Office for Civil Rights, the government agency that investigates HIPAA breaches, looks at things.  To that end, your HIPAA Compliance Checklist must also address employee sanctions.

HIPAA is all about protecting PHI

There are numerous examples of the OCR imposing penalties on organizations for not protecting PHI.  And these penalties are imposed even though there was no evidence of anyone receiving or accessing any PHI in cases where a breach occurred.

  • The OCR considers encryption of ePHI by malicious software (e.g., ransomware) to be an unauthorized disclosure not permitted under the Privacy Rule.  Even in a ransomware attack, an organization could reasonably conclude there is a low probability that the PHI has been compromised.  But if it cannot reach that conclusion,  it is required to comply with the applicable breach notification provisions.  And this is the case even if there is no evidence that the PHI was viewed by anyone else.
  • An employee of Cancer Care Group of Indianapolis left unencrypted back-up media in a bag in a car; the car was broken into and the bag stolen.  There was no evidence that any information was ever disseminated, but the OCR imposed a penalty of $750,000 on the group.
  • In 2014, the OCR imposed a fine of $400,000 on Idaho State University for a breach of unsecured ePHI.  This was because the school had left its firewalls disabled for over 10 months!   Again, there was no indication PHI was accessed by any unauthorized persons; it was simply not protecting its PHI.

These are just a few examples of settlements, some involving employees failing to follow procedures, or where there were no procedures at all.  In these case, penalties were imposed but no information was shown to have been accessed by unauthorized parties.

HIPAA compliance requirements do not explicitly link employee sanctions to reportable HIPAA breaches

It is certainly possible to have an unauthorized disclosure that is not a reportable breach.  The definition of a breach is the acquisition, access, use or disclosure of protected health information.  This is done in a manner not permitted under the regulations.  And the disclosure compromises the security or privacy of the protected health information.

These days, employees are often the source of breaches.  They include events from lost laptops to including PHI in social media posts occurring almost daily.  It is very important to include a policy on employee sanctions in your HIPAA Compliance Checklist.  An employee sanctions policy can and should take into account the potential harm from the unauthorized disclosure.  But a “no harm, no foul” approach may leave the organization open to penalties by the OCR.

A HIPAA compliance checklist for employee sanctions policies should address several issues

  1. The policy should reference Section 164.530 of the Administrative Requirements, which requires covered entities to have and apply appropriate sanctions against members of their workforce.
  2. Section 6102(b)(4)(F) of the Affordable Care Act also requires that the standards be consistently enforced through disciplinary mechanisms.
  3. Most policies utilize a Level system, tying the action of the employee and the effect on unauthorized disclosure of PHI to the sanction recommended.  Levels could start from situations where an employee did not follow procedures, but there was no unauthorized disclosure of PHI.  Levels usually top out at situations where the actions were malicious and willful, causing harm or intending to cause harm to the patient.
  4. Mitigating factors may be enumerated, and repeated patterns of violation may result in a higher level of discipline.

Employee Sanctions should be standardized

Organizations usually strive to administer most disciplinary policies in a consistent, standardized way.  Employee sanctions for HIPAA violations are no different.  Inconsistent application can carry consequences ranging from confusing messages to erosion of public trust to vulnerability to penalties and fines.

One way to increase standardization of disciplinary actions is to develop a grid, matching the riskiness of the actions to the level of sanction.

The HIPAA regulations explicitly require organizations to have and apply appropriate sanctions against workforce members who fail to comply with the privacy policies and procedures of the organization.  While sanctions can be related to the incident and the potential harm, they also need to demonstrate that the organization is taking seriously its responsibility to protect the privacy of patient information – even when there is no evidence of unauthorized disclosure or when the breach is not reportable.

Regardless of the method you choose to develop employee sanctions, make sure your HIPAA compliance checklist addresses appropriate sanctions, and implement your policies consistently!   Healthcare Compliance requirements must be truly effective.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Violation and Hospital Employee viewing PHI 

HIPAA Violation and Hospital Employee viewing PHI  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Violation rocks hospital!  An employee at St. Charles Health system accessed over 2400 patients’ medical records over a two-year period because they were curious. We all know that curiosity killed the cat and now it may have direr consequences for this curiosity seeker and the hospital system. 

HIPAA Violation without intent to commit fraud

The employee who viewed the protected health information (PHI) without a legitimate reason to do so is in jeopardy of large civil fines, loss of their respective clinical license and criminal prosecution. Not to mention termination from their present position. The hospital system has to repair its damaged reputation while at the same time prepare to defend itself against potential civil/criminal lawsuits.  There are too many incidences were an organization is liable for HIPAA violations, even though they “didn’t do it”.

 

Now the local District Attorney has taken interest in this matter and is launching a criminal investigation. Under the HIPAA statute there is no individual right of action, however, the Attorney General of the state where the infraction took place may file charges on the individual(s) behalf.

 

The aforementioned employee signed an affidavit stating that the HIPAA violation they committed, and any of the information they accessed was not to commit fraud, however, that did not halt the criminal investigation.

Hospital employee viewing PHI

This real-life incident demonstrates how healthcare providers and their employees can face serious trouble for viewing records inappropriately. Just remember this incident when you want to be inquisitive about a patient that you are not treating or accessing a patient’s medical records for no business purpose.

 

When performing your job function, it is not a HIPAA violation if you release and/or access a patient’s PHI for treatment, payment or health operations (TPO). When accessing and/or releasing a patient’s PHI, ask yourself does this fall under the TPO exceptions? If it does, then you should just release the minimum information necessary to complete the task and if it does not, then you may need an authorization signed by the patient or his/her representative. In the event you are unsure if you can release and/or access a patient’s PHI, contact your supervisor or your organization’s Privacy Officer.

 

Finally, this violation reaffirms the need to conduct a HIPAA Risk Analyses, including monitoring the privacy/breach rule.  Use your policies and procedures for efficient and effective training, auditing and monitoring.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Are You Feeling Confident About Your HIPAA Compliance? 

Are You Feeling Confident About Your HIPAA Compliance?  | HIPAA Compliance for Medical Practices | Scoop.it

A friendly reminder that, with the recent HHS Office of Civil Rights announcement, covered entities may soon be facing some unwelcome audits. Now’s the time to review compliance.

 

HIPAA compliance can sometimes feel like changing the oil in your car: inarguably necessary, a serious problem when left unchecked, yet tedious enough that some are willing to let the task slide. The difference, of course, is that one is bad for your engine while the other is a federally mandated and legally enforceable standard.

Friendly reminder: the HHS Office of Civil Rights (OCR) recently announced the Phase II launch of its HIPAA audit program, part of the 2009 HITECH Act. And with their finalized Audit Protocol published on April 8th, all signs point to the OCR soon getting down to brass tacks.

 

This needn’t be cause for alarm. But if covered entities or their business associates haven’t recently ensured that their compliance is watertight — especially regarding the measurement of referral and appointment activity — there’s definitely no time like the present.

There’s No Reason for Panic — Just Preparation

Audits are tentatively set to begin sometime in May, according to OCR official Devin McGraw via Politico, at which point randomly selected covered entities will receive an email announcing their fates (they recommend checking spam folders).

Business associates, who are also subject to individual audits, will be subject to audits in June or July. The agency plans to conduct roughly 200 remote desk audits, to be completed by December 2016, and anywhere from 10-25 “full scale” field audits thereafter, according to Healthcare Info Security. If you’re uncomfortable with the vagueness of this plan, you’re not alone.

The good news is that the majority of organizations will not be audited. However, if selected, entities will have a mere ten business days to prepare and submit all relevant documents via a secure online portal. Desk audits may (or may not) entail just a review of policies, or pertain to only one of the three HIPAA Rules: Privacy, Security, or Breach Notification. However, certain charmed organizations may, in fact, get to experience the unique joy of both desk and on-site audits.

Possibility for Consequences?

Officially, Phase II OCR audits are relatively benign, designed to “develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.” Nevertheless, they will open a formal investigation, should they find a “serious compliance issue,” however defined. And while OCR won’t publish the audit results (or even list which companies are audited), the whole process is subject to the Freedom of Information Act (FOIA), which means that journalists or other public agents can legally publish results. 

 

You may recall that 115 covered entities were audited in 2011 during Phase 1 of program, unearthing major compliance breaches; 89% were found to have compliance issues, and smaller organizations tended to struggle in multiple areas. 

Given the involvement of business associates — many of whom are not primarily dedicated to healthcare — one of the most difficult compliance aspects to cover will be Protected Health Information (PHI) and ePHI (electronic PHI). For instance, if your marketing agency measures referral and appointment activity, they’re likely in the domain of PHI and will need to be in solid compliance.

 

The bottom line is that if you haven’t implemented HIPAA privacy and security policies and procedures, recently conducted an inventory of relevant assets, or regularly completed risk assessments, then now is probably your last chance to do so before the audit process begins.

 

In the end, however, integrating a comprehensive HIPAA compliance program will keep you from running afoul of any regulatory standards that may come down the pipeline. The HHS is only conducting these audits in order to better enforce compliance standards in the future. So while you may or may not be audited this year, you and your digital marketing vendors must be prepared to stand up to scrutiny at any time.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Social Media and HIPAA Compliance: What Medical Professionals Should Know 

Social Media and HIPAA Compliance: What Medical Professionals Should Know  | HIPAA Compliance for Medical Practices | Scoop.it

Social media is fast becoming one of the most impactful marketing channels for medical professionals; however, HIPAA regulations must be taken into account.

More than ever before, medical professionals are using social media every day in both their personal and professional lives. And of course this isn’t a bad thing: physicians, nurses, and other practitioners are in a unique position to engage and educate current patients and others in search of treatment. However, when used incorrectly, social media can be a veritable minefield in regards to HIPAA regulations for patient confidentiality. So in the interest of keeping those tweets flowing, let’s run through four easy ways to maintain compliance with these regulations.

1) Don’t Talk About Patients (Even When it’s Subtle)

HIPAA regulations for patient confidentiality may seem complicated, but they all essentially boil down to one key point: don’t share your patients’ personal information. Few medical professionals would post something as obviously problematic as “John Smith from Cherry Street came in last night with such-and-such medical condition,” but that’s far from the only way to incur a violation. Rather than taking the risk of accidentally broadcasting protected information like specific appointment times and diagnoses, avoid the issue altogether by never referring to an actual case or visit.

That said, medical professionals should absolutely post interesting and relevant information on their professional social media accounts. Just be sure to always keep things in broad terms — talk about specific conditions or treatment options, not specific patients.

2) Don’t Like, Share, Retweet, or Regram Your Patients’ Posts

Even if you don’t share the information yourself, it’s still possible for a physician to breach his or her patient’s confidentiality. One way to do so is by engaging with a specific patient on any social platform. Even if your patient chooses to post his or her medical information in a public forum, sharing this post with your own network could land you in hot water.

The easiest way to avoid this issue is by doing something that’s fairly intuitive: create separate accounts for your professional and personal activities.

3) Don’t Post Pictures of Patients or Their Documentation

When to comes to HIPAA compliance, one key mistake that should always be avoided is posting pictures of real-life patients. Even if you’re celebrating something as meaningful as a patient’s recovery from a serious illness or injury, sharing a photo of their likeness still counts in HIPAA’s eyes as a forbidden personal identifier. Another thing to keep in mind when posting photos from around the office or clinic: a patient’s files can accidentally get caught in the background. Always triple-check that your image is free of any potentially confidential paperwork or other materials.

It may sound easier to rule out photos of your workplace altogether, but warm, engaging imagery bolsters patient trust in your medical brand — in some cases increasing conversion rates by as much as 95%. Just be smart about the photos you share with your network.

4) Don’t Send Confidential Information Through Direct Messages

Switching over to direct messages might seem like an easy loophole in all of the regulations outlined above, as the interface of any social media platform would have you think that such messages are private and confidential. However, doing so would risk violating another one of HIPAA’s major tenets: the Security Rule, which mandates that all electronic protected health information (ePHI) is stored in such a way that it is secure from potential data breaches, leaks, or any other form of unwanted disclosure. Most social media messaging services do not meet HIPAA’s standard for compliance with this rule, and thus they should never be used to share patient data or health records with colleagues or even the patients themselves.

Luckily, a number of medical industry apps — such as DrFirst’s Backline — offer secure messaging platforms that are in compliance with HIPAA’s Security Rule. So keep the sharing away from Twitter DMs and Facebook Messenger and stick to the software and services that guarantee both compliance and conversions.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA & Email

HIPAA & Email | HIPAA Compliance for Medical Practices | Scoop.it

Is it possible to email patients in a HIPAA compliant manner? What can and cannot be included in an email to patients? What does HIPAA have to say about it? These questions have long been on the minds of providers as they attempt to navigate towards greater messaging options without opening themselves up to breaches, penalties or fines. Before determining if HIPAA and email can effectively coexist, let’s take a step back and understand what the HIPAA Privacy and Security rules allow.

HIPAA Privacy Rule

Per the Office for Civil Rights (OCR) of the Department of Health and Human Services webpage, “The HIPAA Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

OCR then goes on to state if the patient reaches out to a healthcare provider using email, the provider can assume that email communication is acceptable. If the provider feels the patient does not understand the possible risks of using un-encrypted email, the provider should alert the patient and ensure that they want to continue with email communications.

Additionally, the Privacy Rule states that patients have the right to request a provider communicate with them by alternative means if reasonable; “For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.” See 45 C.F.R. § 164.522(b).

HIPAA Security Rule

The HIPAA Security Rule does not prohibit the use of e-mail to send ePHI, however, it does outline some standards to protect and guard the integrity of unauthorized access to ePHI. Sited from the OCR website, “However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI. The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

Recap of the Privacy and Security Standards:

Providers may e-mail patients but they must take precautions.

Should the patient request his/her provider use e-email, the provider must take the necessary steps to ensure the ePHI is protected.

As a standard practice, providers should warn patients about the risks of e-mail communications.

Information shared over an open network increases the likelihood of unauthorized access. 

Best Practices for HIPAA Compliant Email

Below is a list of some best practices to ensure compliant e-mail along with adhering to the Privacy and Security Rules:

  • Encrypt e-mail messages – If the provider is not using a patient portal or e-mail application, encrypt any/all sent e-mail messages and avoid sending any PHI. Additionally, any attachments (specifically those including PHI) should be encrypted as well.
  • Capture each patient’s consent to receive communication by email – Include a communication consent form within the patient on-boarding forms to verify communication preferences and allow patients to opt in or out of e-mail correspondence.
  • Utilize a secure, HIPAA compliant email application – There are many email applications and servers designed to offer providers a HIPAA compliant e-mail offering.
  • Message patients through an EMR portal – A secure EMR portal is the perfect place to send HIPAA compliant messages to patients. Patients may log in to view appointment reminders, test results and physician/nurse messages without the threat of unsecured e-mail.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Consequences for HIPAA Violations

Consequences for HIPAA Violations | HIPAA Compliance for Medical Practices | Scoop.it

A recent HHS Office for Civil Rights email blast outlined a story that many of us have heard before, another business closed with significant monies paid out in fines. Filefax, Inc. has agreed to pay $100,000 in order to settle potential violations of the HIPAA Privacy Rule. Once a medical records storage company for covered entities, Filefax shut their doors during the OCR investigation yet could not escape additional fines and penalties that followed after their doors were closed. The bottom line, HIPAA violations do not stop just because a business closes.

 

The consequences of HIPAA violations are significant and far reaching. Beyond the financial ramifications, organizations stand to lose their good standing reputation, client/patient trust and their ability to operate a business. It can take organizations months, even years to recover from penalties if they ever do, so why have so many of us read the headlines but not heeded the warnings?

What Qualifies as a HIPAA Violation?

A HIPAA violation occurs when either a covered entity (CE) or business associate (BA) fails to comply with one of more provisions of the HIPAA Security, Privacy or Breach Notification Rules. Violations may result for a number of reasons and may be deliberate or unintentional.

  • Example of a Deliberate Violation – Inadequate Privacy training for clinical staff which results in a patient complaint regarding disclosing their full identity through a verbal announcement in a waiting area or hospital emergency room.
  • Example of a Unintentional Violation – Commonly this is a symptom of negligence such as: failure to complete a Security Risk Analysis, failure to employ encryption for laptops/electronic media resulting in loss/theft or failure to maintain policies and procedures instructing staff members on how to appropriately handle protected health information (PHI.)
Penalties and Fines

The penalties and/or fines administered by OCR are based on the severity of each HIPAA violation. Some HIPAA violations can be expensive and vary greatly in cost based on the level of negligence displayed. Contrary to what the headlines may lead you to believe, OCR will first strive to resolve violations using non-punitive measures such as issuing guidance to help the provider fix the areas without issuing a fine however that is not always possible.

If a penalty is issued, it can range in cost from $100 to $50,000 per violation (or record) with a maximum penalty of $1.5 million per year of violations of an identical provision. OCR takes many different factors into account when determining what is the appropriate financial penalty and uses a four tiered approach as shown in the image below. A few of these factors include: number of patients affected, what specific data was exposed and for how long, etc. Along with the financial ramifications, HIPAA violations can also carry criminal charges that may result in jail time if warranted.

 

Avoidance is Key

Being that the stakes are high and much is on the line, how does a practice or organization protect themselves against HIPAA violations? Show due-diligence.  The best task to start with is complete a comprehensive, organization wide HIPAA risk analysis to determine any gaps in compliance. Without a baseline knowledge about their security, privacy and breach-notification posture, both CE’s and BA’s operate day to day unaware of their security vulnerabilities which can directly lead to HIPAA violations and data breaches.

 

Unsure where your organization stands? Take our short 5-minute HIPAA compliance quiz designed to quickly outline your organization’s basic level of compliance.

 

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What Happens If a HIPAA Breach Affects Fewer than 500 Individuals at a Healthcare Facility? 

What Happens If a HIPAA Breach Affects Fewer than 500 Individuals at a Healthcare Facility?  | HIPAA Compliance for Medical Practices | Scoop.it

If your healthcare practice must comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations, a breach of protected health information may require patient and government notifications.  

HIPAA provides data privacy and security provisions for safeguarding medical information, and if that information is compromised either through a breach of your information system or sheer carelessness on the part of an employee, you may be subject to heavy monetary penalties.

But what qualifies as a HIPAA breach, what happens if it affects a limited number of your patients, and what are you required to do?

Rules That Apply

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.  Such impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least these factors:

1.     The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

2.     The unauthorized person who used the protected health information or to whom the disclosure was made;

3.     Whether the protected health information was actually acquired or viewed; and

4.     The extent to which the risk to the protected health information has been mitigated.

Those affected by this rule have discretion to provide the required breach notifications without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.” The first applies to “the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”

The second exception involves” the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.”

In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

The final exception applies “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.”

In addition to notifying affected individuals and the media (when appropriate), you must notify the Office of Civil Rights (OCR) of breaches of unsecured protected health information. by visiting the Health and Human Services (HHS) web site and filling out and electronically submitting a breach report form. If the breach affects 500 or more individuals, covered entities must notify the OCR without unreasonable delay and no later than 60 days following the breach.

Deadline Approaching

If the breach affects fewer than 500 individuals, your practice has no later than 60 days after the end of the calendar year in which the breach is discovered.  This means that if your practice has experienced a breach of fewer than 500 individuals and it has not been reported yet, you have until March 1, only a few days away to file the notification.

If you experience a breach affecting more than 500 residents of your State or jurisdiction you must provide notice to media outlets serving the State or jurisdiction, as well as notifying the affected individuals.  This notification will likely be in the form of a press release to the appropriate media outlets and must be provided no later than 60 days following the discovery of the breach and must include the same information required for the individual notice.

Don’t Leave Anything to Chance

As you can see, HIPAA breach notification requirements are quite stringent and can be complex. If your practice has experienced a breach, the HIPAA compliance experts and former criminal investigators at Colington Consulting can rapidly respond on-site to assist your practice in conducting a HIPAA breach investigation.  Their investigative process uses systematic approach to quickly determine how the breach was caused. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

ARE YOU SURE YOUR MEDICAL BUSINESS IS HIPAA COMPLIANT? 

ARE YOU SURE YOUR MEDICAL BUSINESS IS HIPAA COMPLIANT?  | HIPAA Compliance for Medical Practices | Scoop.it

What Exactly Is HIPAA?

HIPAA (Health Insurance Portability and Accountability Act) is a U.S. law that took effect in 2003 to assure that patient’s medical records and other health information provided to health plans, hospitals, doctors and other health care providers is protected.  HIPAA is enforced by the U.S. Department of Health and Human Services, to provide nation-wide privacy and security standards for patient information, while allowing patients greater access to their medical records and more control over how their personal health information is used and disclosed.  HIPAA established national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity (medical provider).

The HIPAA Security Risk Assessment

There are over 50 HIPAA Security Standards and Implementation Specifications that must be addressed with policy and procedures. They are all applicable to Covered Entities and Business Associates. The HIPAA rule is very detailed, and it is important that you not miss any compliance requirements.

One of the best ways to ensure HIPAA compliance is to implement a HIPAA security risk assessment. This will tell you what areas of your practice are in compliance, and which areas need corrections to be made in order to become compliant. No matter what, you want to make certain you are following all the requirements of the HIPAA Security Rule, as there are steep fines resulting from non-compliance.

The Three Parts of the HIPAA Security Rule

The HIPAA Security Rule requires a healthcare facility and its staff to implement specific safeguards in these three areas:

•             Administrative

•             Physical

•             Technical Safeguards

These safeguards ensure the confidentiality, integrity, and security of protected health information (PHI). While “required implementation specifications” must be implemented, “addressable implementation specifications” must be implemented if it is appropriate and reasonable to do so. Your choice must be documented. Do not make the mistake of automatically thinking that “addressable implementation specifications” are optional. If you are unsure if any “addressable implementation specifications” apply to you, it is best to implement them, as most are considered to be standard “best practices” for a medical business.

The results of your HIPAA security risk assessment should provide you with a list of areas where you need improvement. This is where you will begin to work on policies and procedures to address the deficiencies by documenting and outlining all “required implementation specifications”, and all applicable “addressable implementation specifications” needed to become HIPAA compliant.

Just A Few Examples of HIPAA Policy Requirements

Here are a few examples of the types of HIPAA “required” controls you will need to implement.

One of the main requirements is controlling the access to patient’s records by your staff members. This requires a unique user identification login and logout for identifying and tracking each user, as well as comprehensive HIPAA training for your staff. Often, staff will find HIPAA compliance inconvenient, but they must recognize it is for their own protection.

You must have a secure procedure for accessing PHI during an emergency. Should the power go off, do you have a back-up power source? Are your records securely backed-up in compliance with HIPAA ? Healthcare organizations should have a contingency plan in place for emergency operations and disaster recovery.

It is advisable that all patient data be encrypted and decrypted. After a risk assessment, all laptops, computers, and mobile devices may need to be encrypted. Do you have firewall protection? Is your network accessible from outside your business? Do you have intrusion protection? Is your wireless network secured? Any company that handles sensitive patient data protected by HIPAA should run a cybersecurity assessment , to thoroughly check your network to determine how secure it is, and explain measures that must be taken to secure any holes in that system.

Audit controls, via hardware or software, must record and examine activity in information systems containing or using ePHI.

Transmission of all ePHI must be secure.

There are many other required and addressable specifications that need to be implemented. This is only a handful, to give you an idea of the types of issues you will need to address.

Once Your Are HIPAA Compliant, Then What?

Once you have achieved HIPAA compliance, it is then important that procedures and policies be put into place to maintain compliance. Employers must keep a record that all employees have received proper HIPAA training. They need to understand how HIPAA is implemented in your office. If you switch IT companies, you will need to make certain that the new company is HIPAA compliant, and they will need to provide you with a Business Associate Agreement. Yes, HIPAA compliance is a never ending task for businesses that handle patient health information.

If you are concerned about understanding and meeting all of the “required” and “addressable” security standards and implementation specifications your business must have in order to be HIPAA compliant, consider bringing in Colington Consulting to review the status of your HIPAA compliance program. Colington Consulting are experts in the field who know the HIPAA rules inside and out. They will help you avoid problems and steep fines by ensuring your business is meeting HIPAA compliance requirements,  relieving you from any doubt about the status of your business’s HIPAA compliance.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance When Selling Health Care Practice 

HIPAA Compliance When Selling Health Care Practice  | HIPAA Compliance for Medical Practices | Scoop.it

When considering the sale of your healthcare practice (regardless of whether you are a physician, physical therapist, dentist, optometrist, etc.), you will undoubtedly be confronted by a litany of questions:

  1. Valuation – how do I ensure I get a fair price?
  2. Type of Sale – am I selling assets or majority of stock/shares/membership interest in the entity?
  3. Due Diligence – how much research and risk assessment must I do in regards to existing liabilities (for both myself and the buyer) as well as the security/financing of the buyer?
  4. Verification of State, Federal Regulatory Compliance – who is responsible for verifying compliance with Fraud and Abuse laws, Stark Law, Anti-Kickback Statute, HIPAA, Tax Exempt Status, Anti-Trust laws, etc.?
  5. Restrictive Covenant – duration? location? key employees?
  6. Assumption of risk, indemnity – how is it expressed and covered?
  7. Holdover – how long should I remain onboard and accessible to the buyer – as an employee or an independent consultant?
  8. Termination – what will trigger cancellation of the transaction?

 

All of these questions warrant consultation with an attorney with experience in structuring such transactions. 

However, in addition to the traditional machinations of such a transaction, you will need to receive consultation from an attorney aware of additional aspects of the healthcare profession that make the sale of a practice more difficult. Namely, you need to be aware of the requirements for patient consent of the transfer of files and HIPAA Compliance.
 

Notification Requirement to Patients

 

Pursuant to state and federal regulations, patients must be given the option to choose another health care provider and/or have a copy of their medical records sent to the physician of their choice. Specifically, medical records and other personal health information should not be transferred to another health care practitioner or practice without the patient’s informed consent. As such, when moving forward with a contemplated sale of practice, it is important that the mechanics of informing patients of the contemplated sale and providing them the option to choose their own provider is incorporated into the timing of the transaction. 

Unfortunately, this often leads to the sale of the practice taking much longer than what might be within the parties' expectations. 
 

Sharing Patient Files and Medical Records through Business Associate Agreement


As the above transition is unavoidable, buyers and sellers can and should embrace it. This can be accomplished by ensuring there is either a holdover of the old practitioner within the new practice–as an employee or an independent contractor. Furthermore, the seller is permitted to then share his or her patient files and medical records (i.e. PHI) with the buyer pursuant to a HIPAA-compliant Business Associate Agreement. This is permitted because the buyer, as a business associate, is using the PHI from the seller for “health care operations”, a permitted use under HIPAA. “Health care operations” include business management and general administrative operations of the entity, including the sale, transfer, merger or consolidation of all or part of the covered entity with another covered entity.
 

The American Medical Association provides further guidance for the transfer of patient records upon the sale of a medical practice. Ethical Opinion 7.04 states, “The transfer of records of patients is subject, however, to the following: (1) All active patients should be notified that the physician (or the estate) is transferring the practice to another physician who will retain custody of their records and that at their written request, within a reasonable time specified in the notice, the records or copies will be sent to any other physician of their choice… (2) A reasonable charge may be made for the cost of duplicating records.”

 

Priming or Retaining Medical Records


Practitioners should also check state and federal regulations regarding recordkeeping requirements and/or retention. When selling or closing a practice, practitioners should review their medical records to ensure that the records contain all information and documentation as required by state and federal law.  
 

Medical record ownership is established by state law, licensing regulations, and judicial decisions.  Generally, the practitioner's patient file and medical record is owned by the practitioner or corporate entity responsible for compiling and maintaining it, who also serve as the custodian of its contents. The Health Insurance and Portability Act of 1996 (“HIPAA”) expanded patients’ right to access, audit and amend their protected health information (“PHI”) pursuant to the HIPAA Privacy Standards. As custodian, the practitioner is responsible for providing their patient with informed written consent regarding their role as well as how the patient may access and transfer its contents at will to desired third-party practitioners.  Practitioners, in this dual role as custodian and owner, must take special care regarding the destruction, retention, or transfer of medical records when their practice is sold or closed.

Practitioners who are selling or closing their practice should ensure that the control, ownership and patient’s right to access their medical records is specifically addressed prior to transferring or storing any medical records in order to be in compliance with the applicable state law. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Keeping Your Online Medical Marketing HIPAA-Compliant

Keeping Your Online Medical Marketing HIPAA-Compliant | HIPAA Compliance for Medical Practices | Scoop.it

Medical marketing is at least three years behind any other industry for two reasons: First, HIPAA laws determine how patient information is gathered, stored and used. Second, the FDA imposes regulations on how medical practices can market their products and services.

Each day, millions of Americans search for health information online. Because online search is a major part of healthcare consumers’ decision-making, there is a risk that their protected health information (PHI) could be accidentally exposed by a medical facility, causing a HIPAA violation.

As a medical practitioner, it is your responsibility to ensure that any protected health information (PHI) you are collecting for your patients is safe and protected. Technological advancements can certainly add more efficiency to routine operations, but new technologies may bring new concerns with HIPAA compliance.

HIPAA compliance is one of the biggest concerns for medical practitioners, and for a good reason: Privacy violations can result in severe consequences, including hefty penalties and even jail time. To make matters more complicated, the HIPAA law is vague on what actions medical practices must take to make their digital marketing efforts HIPAA-compliant.

 

So, what best practices can you follow to keep your online marketing efforts HIPAA-compliant?

HIPAA compliance and digital marketing

Online marketing is vital for the growth of medical practices, as many patients turn to online sources to learn more about symptoms and treatment options and to search for nearby medical practices. Most medical practices have a website, and many use email marketing and social media to reach out to the target audience. Security is the biggest concern in these media. The following guidelines will help you stay HIPAA-compliant.

 

1. A HIPAA-compliant website: If you want potential patients to find your practice online, it is critical for you to have an active online presence. However, HIPAA laws are a concern. While it can be challenging to have a HIPAA-compliant website, it is not impossible. However, you must ensure your practice website has these elements to comply with HIPAA laws:

 

  • Patient data must be encrypted: Patient-related information contained in contact forms, appointment request forms and online check-in forms is at risk and must be encrypted. You can protect the private information by using an SSL certificate on your website. SSL complies with HIPAA’s data encryption standards and keeps private patient information safe.
  • Store data on a HIPAA-compliant server: Your server should have an antivirus, offsite backup, firewall and OS patch management in order to stay HIPAA-compliant. Also, make sure data is encrypted when you are storing it on the server.
  • Use a secure network to transmit HIPAA-protected information: You should never send HIPAA-protected information through an unencrypted network to an insecure email account. If you want to send or receive HIPAA-protected information by email, it must be encrypted end-to-end. A good alternative would be to store private information on your HIPAA-compliant server and set up email alerts to notify you any time new data is submitted.
  • Properly dispose of patient-related information: Practices are legally required to retain patient records for a particular period. When you are finally disposing of private information, it is recommended to delete all backups, archives as well as history stored on your server.
  • Regularly update privacy policy on your practice website: Your privacy policy must be regularly updated to keep up with any changes in your practice’s privacy policy to stay HIPAA-compliant.

 

2. HIPAA-compliant email marketing: It is important to design an email marketing strategy that will keep your practice on the right side of HIPAA compliance. Follow these basic tips:

  • An email containing PHI must be encrypted: Even basic information as simple as a name and email address of a patient can be considered PHI. So the best practice is to encrypt all professional emails. You can either choose to manually encrypt each professional email before sending it out or use a HIPAA-compliant automated service.
  • Make sure email marketing services are HIPAA-compliant: Just because you are paying for a service, do not make the mistake of assuming it is HIPAA-compliant. In fact, many email marketing services are designed for corporate use. When choosing an email marketing service, ensure that it offers HIPAA-compliant emails.
  • Never send email communication to patients who did not request it: Most practices ask for patients’ email addresses on their sign-in forms. However, unless the patient has indicated that he or she wishes to receive emails from your practice, you should avoid sending any email. You can simplify this process by adding a question about the patient’s communication preferences on your sign-in forms. However, even when the patient requests email communication, you must ensure appropriate safety measures.
  • Inform patients about the potential risks of email communication: Despite taking all security measures on your end, there is a good chance that your patients’ email services are not secure enough to prevent potential breaches. It is important that your patients understand this risk before agreeing to email communication with your practice.

 

3. HIPAA-compliant social media marketing: Social media can be a great way for practices to reach out to potential and current patients. However, staying HIPAA-compliant is a major concern. A slip-up will not only make your practice look bad, but it can also put you in trouble with the law. With some effort and knowledge, your practice can be active on social media without violating HIPAA. Follow these guidelines:

 
  • Stay up-to-date: Laws may change, so it is sage advice to regularly check for updates and make sure your social media efforts are in line with the current laws. You can look up the U.S. Department of Health and Human Services website for the most up-to-date information.
  • Create a social media policy for your practice: A social media policy will let your employees know what is allowed to post, and what is not allowed. In your social media policy, you can also establish roles and responsibilities for staff members who will be posting on your practice’s behalf.
  • Never include any identifiers in posts: With so much of the information available online, even an insignificant detail could help users identify your patient. Basic details such as date, time and location can give away a patient’s identity. When positing on social media, you must make sure to remove the following identifiers:
    • Name
    • Location
    • Dates
    • Contact numbers
    • E-mail addresses
    • Social security numbers
    • Medical record numbers
    • Health plan beneficiary numbers
    • Account numbers
    • Certificate/license numbers
    • Vehicle serial numbers and license plate numbers
    • Device identifiers and serial numbers
    • URLs
    • IP address numbers
    • Biometric identifiers such as finger and voice prints
    • Full-face photographs
    • Other unique identifying numbers, characteristics or codes
  • Keep separate social media profiles for personal and professional use: Even if you are an individual physician, you should have a separate personal profile for discussing anything outside of healthcare. The same goes for your employees. Your employees should be instructed not to accept a friend request from a patient as that could lead to conversations that may violate HIPAA guidelines.

Staff training: An integral part of HIPAA compliance

According to industry reports, of the 268 breach incidents reported to the Department of Health and Human Services in 2015, nearly 73 percent of the incidents occurred at providers’ sites. While network security at the providers’ sites is a vital concern, the vast majority of incidents have more human causes.

Nearly four of every five breach incidents at the providers’ sites have nothing to do with server-network hacking. They are mistakes rooted in human behavior. These events could have been prevented by staff, had they been trained on HIPAA laws.

The most basic requirement of HIPAA is training. The law requires appropriate training for every employee on his or her responsibilities to protect patient information. Training should aim at engaging employees through case studies of actual breaches. Training programs should include real-life exercises in which staff members are presented situations and choices that have led others into privacy breaches. During the training sessions, decisions should be discussed, situations should be simulated, new and more efficient processes should be established, and a sense of responsibility should be fostered.

 

Even with safety measures in place to protect your patients’ private information, it is still possible for a violation to occur if employees are not informed. You should provide HIPAA compliance training to employees when they start working at your practice. This training should include information about the HIPAA privacy rules, violations and monitoring patient record requests.

In order for your medical practice to be HIPAA-compliant, each staff member must be HIPAA-compliant. It is your responsibility to educate, inform and train your employees on HIPAA regulations and the consequences of non-compliance.

 

At Practice Builders, our team of online marketing and HIPAA-compliance experts will work closely with you to ensure an optimum patient experience. Through content marketing, HIPAA-compliant emails, social media and strategic SEO, we help you grow your medical practice while you focus on providing top-notch care for your patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Fifth Discipline: A Metaphor for 21st Century HIPAA Compliance

The Fifth Discipline: A Metaphor for 21st Century HIPAA Compliance | HIPAA Compliance for Medical Practices | Scoop.it
Introduction

This month's HIPAA Survival Guide Newsletter article uses the metaphor from the Fifth Discipline, a book written by Professor Peter Senge circa 1990, to describe the system approach required if organizations what to change their compliance DNA. Senge's book contemplates what's required for a "learning organization." This article contemplates what 21st century compliance DNA looks like and why it matters that "systems thinking" underpins all compliance initiatives. First, we address what Senge calls the "learning disabilities." 

Subscribe to our FREE HITECH / HIPAA Compliance Newsletter here.
 
1. I am My Position

In the 24/7/365 online world that all knowledge workers now inhabit it is hard to predict who within an organization will be the compliance (specifically in the case "cybersecurity") change agent. It's important that knowledge workers do not get caught up in the organization pecking order because it generally only serves to constrain where innovative ideas may come from. This is especially true with respect to the kind of comprehensive systemic approach to cybersecurity required to reduce risks to levels that are reasonable and appropriate pursuant to the regulatory regime targeted.
 
One thing is certain, the functional group where the cybersecurity change agent ("CA") may emerge is an unknown unknown. The CA may not emerge from the "usual suspects" (e.g. information technology). Why is that? Because a cybersecurity vision and the resources to get it implemented requires much more than technical acumen. It also requires communication skills necessary to transform an organization's cybersecurity initiative into something that it does as part of the value it delivers to customers/patients, and not some "bolt on" necessary evil activity.

2. The Enemy is Out There

Compliance in the 21st century is not about reacting to Big Brother looking over your shoulder but rather delivering value to customers. There are no regulatory agencies "out there" that you should be at war with. You are at war with the increasing sophisticated "bad guys" that want access to your customer's sensitive data to monetize it, or to perform other nefarious activities, that customers are obviously interested in avoiding. For example, the public policy that underpins our respective customers interest in privacy will only increase over time. 
 
The more we are surveilled, watched, tracked, etc. the more our desire for privacy will increase. A desire for privacy is a visceral reaction to some semblance of quietude and repose that all human beings need when we are bombarded with thousands of messages each day demanding our attention. The organizations that can seamlessly provide us with privacy as part of their value proposition are likely to attract our loyalty-all other things being equal.

3. Illusion of Taking Charge

Unfortunately, although we all understand that a successful HIPAA Compliance Initiative ("HCI") cannot proceed without the executive management team's ("EMT") participation, the latter cannot take the lead role in running the initiative. The reason for this may not be obvious on its face. Compliance officers quickly realize the dilemma of having been thrust into "the belly of the whale." An HCI is much more complex and time consuming than almost everyone expects, even when you expect it to be a full time job. This is especially true when your organization is trying to launch its HCI. The EMT, if they are busy doing what they should be doing, they generally do not have the bandwidth to take on this job; no matter how good their intentions. This is a job for professional compliance officers.
 
That said, there are always exceptions. Where we tend to find these exceptions the most are small boutique business associates where HIPAA compliance is the difference between winning a piece of business or not even being included in the game. Here the EMT clearly understands what HIPAA compliance means to their value proposition and embrace compliance as they would any other revenue generation opportunity.
 
4. Fixation on Events

We are too focused on the short term, which prevents us from seeing long-term patterns of change that are the cause of the immediate events. This is especially true when an organization experiences a breach. The focus tends to be on "responding to the event" instead of focusing on root causes and systemic failures. In addition, this event focus often precludes any real change in the organization's compliance DNA, reverting back to business as usual as soon as the event has been "handled."

5. Delusion of Learning from Experience

People seldom directly experience consequences of their decisions. For example, breaches generally don't happen often enough for an organization to develop deep institutional knowledge from the lessons learned. Further, often the lessons learned are not the right ones. Blame is generally assigned to individuals instead of the organization's HCI writ large. The bottom line is that systemic risks require systemic solutions. We are not convinced that "systems thinking" has permeated the business culture to the extent required to manage systemic risks. Remember, "systems thinking" is not the same thing as "throwing technology at a problem." A system is much broader in scope than the technology that underpins it. As non-trivial as that technology may be, it is usually the "people" part of the system that poses the most difficulty. Problems that encompass systemic risk are by definition wicked problems, because they inherently contain more organizational complexity than technical complexity.
 
The anecdotal evidence is that the healthcare industry, writ large, appears to have learned little from the historic breaches that have already occurred and from reputation damage from being listed on HHS' Wall of Shame. Many reasons have been posited for healthcare's learning disability. The one that we have settled on is that for historical reasons (in no small part due to academic training), the industry views itself more as a group of "clinicians" rather than as "business people." In part this dichotomy has persisted because healthcare, as practiced in the U.S., is a business like none other. 
  • Pricing transparency does not exist. 
  • There is no easy way to compare quality between providers. 
  • Very little accountability to patients (i.e. primarily because the latter are generally not the "payers") for quality outcomes (fee-for-service is still king). 

We could go on but you get the picture. For good reason, almost all senior healthcare executives are doctors. Therefore, there is very little mixing of business DNA from other industries. The healthcare industry is a beast unto itself.

6. Myth of the Management Team 

We tend not to work together but rather fight over turfs and avoid doing anything that risks looking bad. We are not competent to discuss whether there is more turf wars in healthcare than in other industries. However, we can say that the management team's that we have interacted with understand very little with respect to how privacy and security should be incorporated into the organization DNA. Most tend to view compliance as this "bolt on" necessary evil that simply needs to be managed. Few management teams understand that in the 21st century cybersecurity (i.e. both privacy and security combined) must be an inherent part of the organization's value proposition done on behalf of patients. Ah, but therein lies the problem, ask any healthcare management team who their customers are and they may say "patients" out of political correctness, but the reality on the ground is far different. Their "customers" are generally insurance companies or large employers. Why? Because the latter pay the $$ that keep the wheels of healthcare turning.

7. Parable of the Boiling Frog 

We tend not to notice or are unwilling to notice threats that rise gradually which results in an inability to react until it's too late. The healthcare frog has been boiling since the HITECH Act was promulgated in 2009. There have been hundreds of high profile breaches and thousands more that don't make frontpage news. Yet it is clear that the industry has failed to take any significant action en masse. The prevailing feeling appears to be "breaches are things that happen somewhere else." Privacy and security are simply not top of mind for clinicians. Nursing schools and medical schools barely teach students enough to allow them to spell HIPAA (mostly) but not much more. The water keeps getting hotter but the frog remains mostly oblivious. As we all know, this story does not end well for the frog. One day something really bad, but otherwise utterly preventable happens. This fails to move the needle for the practice next door. In that practice another frog is starting to boil.

Conclusion 
 
According to the book, it is no longer sufficient for an organization to rely upon just one person to learn for the organization (if it ever was). A successful business is one that can effectively develop the capacity for members to learn at all levels of the organization. A learning organization requires its members to be open to new ideas, be able to communicate effectively with each other, understand the organization, form a vision shared by all members and work together to achieve that vision.
 
Although, the book's conclusions sound like yet more platitudes, given that we all become somewhat jaded by the "vision thing;" it certainly rings true with what's required to change an organization's DNA pursuant to privacy & security. If not, it is likely to continue "raining breaches" for the foreseeable future.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Email Compliance: 6 Best Practices for Medical Data Security 

HIPAA Email Compliance: 6 Best Practices for Medical Data Security  | HIPAA Compliance for Medical Practices | Scoop.it

As technology advances and legislation changes, HIPAA email compliance can seem like a constantly moving target. With the challenges facing today’s healthcare landscape, including the proliferation of electronic health records (EHRs) and health information exchanges (HIEs), hackers and “hacktivists” targeting hospitals and the adoption of cloud and mobile technology in healthcare, HIPAA compliance is becoming more challenging — and more important — than ever.

Much has changed since 1996, when the Health Insurance Portability and Accountability Act (HIPAA) was signed into law. The World Wide Web was still relatively new, mobile phones were relatively rare (and great for your biceps!) and your health data was divided into thick manila folders stuffed with paperwork. Now, all that stands between patients and the entirety of their medical histories is a username and a password, and a startling number of those passwords is “password.”

The Challenge of Protecting Patient Data

When most of us think about HIPAA compliance, we think about its access control aspect — that is, who gets access to protected health information (PHI), and when. A leak of PHI can be as simple as a medical professional forgetting to log out of their portal, and leaving patient data open on the desktop to be viewed by anyone walking by (this is why automatic logout is one of the “technical safeguards” required to maintain HIPAA compliance).

When it comes to protecting PHI, the penalties add up fast — and since the passing of the 2009 Recovery Act, violating HIPAA has only grown more expensive. Each individual violation will run your business anywhere from $100 to $50,000, if it’s a first offense (and a lack of due diligence, as opposed to willful neglect). Violations due to willful neglect, however, cost a covered entity a minimum of $50,000 per violation. And when you consider how many patients have their data stored on a single server, those $50,000 violations stack up fast.

Doctors, hospital administrators, insurance professionals and anyone who deals with PHI need to be aware of the growing threats to patient privacy and be proactive with their information security. Here are six ways to lock down patient data and stay ahead of the threat.

1. Use strong data encryption.

Any PHI data you’re storing, whether it be on your desktop, on a server or in the cloud, should be encrypted. Encryption obscures your data, making it unintelligible to anyone who doesn’t have the key to decrypt it. As proven by the 2014 CHS Heartbleed attack, which resulted in the theft of 4.5 million social security numbers from one of the largest hospital groups in the United States, cybercriminals have both the desire and the means to crack into hospital servers and steal sensitive data. With encryption, that data is still protected even after hackers get their hands on it, provided they weren’t able to also steal the encryption key.Data encryption isn’t just best practice for information security, though — it’s a written requirement to maintain HIPAA compliance. Established in 2009, the HIPAA Breach Notification Rule gives businesses 60 days to notify all parties who may be affected by a leak of “unsecured protected health information.” Here, “unsecured” is another way of saying “unencrypted.”The HHS actually goes into detail about its encryption standards for data at rest and data in motion. For data at rest (data that sits in storage), for example, the HHS’ standards are consistent with those of the National Institute of Standards and Technology (NIST), and include centrally managing all storage encryption, using multi-factor authentication for encryption solutions and using the Advanced Encryption Standard (AES) for encryption algorithms.

2. Encrypt your emails, as well.

A tremendous amount of PHI is exchanged over email, and HIPAA compliant email requires encryption, too. In a post-HITECH (Health Information Technology for Economic and Clinical Health) world, the data shared digitally between doctors and their patients can be extremely useful for enterprising hackers, and email is a particularly vulnerable vector of attack.The traditional route hospitals and providers take for HIPAA compliant email is a portal solution that uses Transport Layer Security (TLS) to encrypt messages. While these legacy portal solutions do provide for HIPAA email compliance, they are certainly not easy for either the providers or patients who use them. Webmail portals tend to be inconvenient to use, requiring separate usernames and passwords for each and every system and creating information silos for medical information.Newer email encryption solutions bypass the annoyance of email portals by integrating seamlessly with more popular email services, like Gmail. Virtru Pro, for example, works with the service you’re already using to provide client-side encryption for HIPAA compliant email. In this case, encrypted PHI can be delivered safely and securely directly to the inbox, with no need for separate accounts or credentials. This allows for both HIPAA compliant email and convenience. (To learn more, read our FAQ about how Virtru Pro enables HITECH and HIPAA compliance for Gmail, or download our free guide)

3. Use multi-factor authentication wherever possible.

If a hacker steals your password, can they access your data? If you’re using multi-factor authentication, you may still be safe. Without multi-factor authentication, your password is a single point of failure, the only gatekeeper separating you from the data thieves.To help satisfy the Person or Entity Authentication component of HIPAA compliance, the HHS recommends that businesses handling PHI require, in addition to a password or PIN, either something the individual possesses (like a token or smart card) or a biometric (for example, a fingerprint or iris scan) for identity verification. These are both examples of multi-factor authentication, which requires a combination of something a user knows with something a user has.Anyone who has used a debit card is familiar with multi-factor authentication. Even if someone gets a hold of your card, that person can’t withdraw money at an ATM without your PIN. Requiring two separate steps to verify your identity makes it doubly hard for someone to gain access to your money (or your data) by posing as you.

4. Make all of your employees HIPAA compliance experts.

One of the standards HIPAA lists among its Administrative Safeguards is Security and Awareness Training. Any business is only as secure as its least vigilant employee. All it takes is one tired worker uploading notes to their personal cloud, or leaving handwritten passwords in open spaces, to violate HIPAA compliance laws. It’s essential to make sure that every employee is thoroughly trained and refreshed in HIPAA and HITECH regulations, as well as your company’s security policies.While many of the technical safeguards that protect HIPAA compliance are automated, like timed session logouts and password complexity requirements, nothing can replace thorough training and adequate knowledge sharing when it comes to strengthening your security posture.

5. Review the compliance and security practices of business associates.

When it comes to HIPAA compliance, you can’t just tidy up shop internally. As with its employees, a company is also only as compliant as its least secure partner/vendor/contractor, and every business your hospital, private practice or insurance company partners with is a potential vector for attack or HIPAA violation.There are a few precautions any HIPAA-covered entity should take when it enters into a business associate agreement, including securing the right to audit the associate for compliance. Lay down ground rules for HIPAA compliance best practices, including a mutual obligation to encrypt any shared PHI, and ensure that your business associate can’t pass PHI from your patients on to subcontractors without your approval. This includes using only HIPAA compliant email to exchange PHI.

6. Be aware of social engineering and inside threats.

While usually, the leak of PHI is simply an act of user error or negligence, many data leaks are caused by malice — both from the outside and within. While many infosec efforts are directed at the stereotypical hacker, hiding in the shadows in a musty basement cracking into a distant server, 28 percent of security incidents come from within the organization, and 66 percent of malicious hacks are acts of social engineering, a method of intrusion that relies on social manipulation.Social engineering can be as simple as someone walking into a hospital dressed like a convincing repair person, sneaking in a thumb drive and leaving with sensitive PHI. Make sure your internal security audits address these scenarios, as well as insider data threats.

Between legislation and technological advances, healthcare in the United States has recently undergone a dramatic transformation. It’s vital that healthcare providers and other covered entities keep pace with these changes. While it isn’t necessary to be an infosec expert or a white hat hacker, doctors, nurses and administrators should know the law, know the threats and keep vigilant to protect the privacy of their patients and the HIPAA compliance of their practices.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Is Gmail HIPAA Compliant?

Is Gmail HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

What is a HIPAA compliant email?

 

Before discussing the unique case of Gmail, we should first understand what makes an email HIPAA compliant. If you’re looking for a way to prove HIPAA compliance, read this blog post first.


The Health Insurance Portability and Accountability Act of 1996, more commonly known as HIPAA, is a set of compliance rules in the Healthcare industry. HIPAA consists of 3 main parts; The Privacy Rule, The Security Rule and The Breach Notification Rule.

The Privacy Rule protects individually identifiable health information. The Security Rule provides standards for electronic Protected Health Information (PHI).  The Breach Notification Rule stipulates the way and timeliness individuals affected by the breach have to be contacted.

PHI should be looked at as an equation:  Identifiers + Health Information. Identifiers can include Name, SSN, and Email, whereas health Information includes attributes medications, clinical notes and insurance.

Since traditional email was merely meant to connect people, it was built with message delivery as the top priority, in some respects leaving security as an afterthought.  While this was beneficial in the early days of email, it means that the first generation of email systems were ill-equipped to protect sensitive patient information.

In most cases, making an email HIPAA compliant means making sure that the message is encrypted from one inbox to another and not delivered in clear text. Unencrypted emails is not only a security risk but, also a risk for a HIPAA violation fine for healthcare providers.

 

The Difference Between G Suite (Google Apps) and Gmail for HIPAA Compliance

When it comes down to compliance capabilities,  it is important to note that Google offers two separate email products: Gmail and G Suite. Gmail targets personal email addresses. G Suite (formerly Google Apps) targets business email accounts and is meant to be used alongside an owned domain. Gmail is a free service and is associated with the @gmail.com email addresses. G Suite is a paid service.

Another very important distinction is the ability to acquire a Business Associate Agreement (BAA) for an email account. Google is willing to sign a BAA with your organization if you are using G Suite. However, if you are using a gmail account Google does not offer BAAs.

But even if you use G Suite becoming compliant doesn’t stop at a BAA. Google is willing to sign a BAA for some, but not all of their services. Additionally, G Suite only encrypts email at rest and in transit, but not necessarily all of the way to the recipient’s inbox. This means in the last step an email may still be delivered as clear text, leaving it vulnerable to be stolen. This is certainly not ideal for any emails transmitting PHI.

 

Your Patients

Google, by far, is the most utilized personal email option. Because of this, it is safe to assume that the majority of your patients are using gmail for their personal emails. Google has admitted that users’ emails are “subject to automated processing.” Or in other words, Google scans your emails for keywords for advertising retargeting to you and your contacts. If you are corresponding with a patient via their gmail account, how do you think they would feel realizing Gmail is exposing their health information to Google?

 

To Put It Simply

Gmail is not a HIPAA compliant solution.

If your organization needs to meet HIPAA regulations, using Gmail for work is not compliant. You are leaving yourself vulnerable to fines because your patients’ PHI is being scanned by a third party without your patient's’ consent or knowledge.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Bottom Line on HIPAA Compliance and Your Email 

The Bottom Line on HIPAA Compliance and Your Email  | HIPAA Compliance for Medical Practices | Scoop.it

Email is everywhere, and it’s not going away anytime soon. Social media, texting, and other forms of electronic communication have had an important and notable rise recently, but about half of the world now uses email, and that figure is increasing. In medicine, approximately 50% of patients either use or want to use email to contact their healthcare providers, and about a third of clinics are actually making it possible for them to do so.

 

Email, however, was invented well before either HIPAA or our society’s modern appreciation for the importance of strong online security. Because of this, in its most basic and typical form, email has no credible controls to ensure sender and recipient identity, to protect message integrity, or, perhaps most importantly, to prevent third-party snooping. These deficiencies intersect particularly poorly with the legal and ethical demands on healthcare communication, which turns the situation into a powder keg.

In short, email in medicine can be a HIPAA disaster. But it doesn’t have to be.

Let’s talk about the problem and what you can do to solve it.

What HIPAA Compliance Demands from Email

If your healthcare activities are covered by HIPAA and you want to use email to store or transmit protected health information (PHI), then two important sections of the HIPAA regulations will apply to you: the Privacy Rule and the Security Rule.

We’ve discussed these rules before in more detail, but the one-sentence summary is that the Privacy Rule governs how all PHI must be treated, while the Security Rule provides additional regulations for PHI that is in electronic form (ePHI).

The HIPAA Privacy Rule and email

When it comes to email and the HIPAA Privacy rule, the U.S. Department of Health and Human Services (HHS), which administers HIPAA, has actually weighed in with specific guidance. Here’s a snippet of their position:

 

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

 

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).

Sounds like great news! For reference, the 45 CFR § 164.530(c) that they referenced is just a citation for a section of the actual HIPAA regulations, and it simply requires that you “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

Of course, when it comes to email, the definition of an “appropriate technical safeguard” becomes important. HHS weighs in on this, as well:

Covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

So that brings us to the Security Rule…

The HIPAA Security Rule and email

The 45 CFR Part 164, Subpart C, which HHS referenced above is actually quite long and contains many of the foundational aspects of the HIPAA Security Rule. Instead of going through all of it, we’re going to assume that you already have a functioning HIPAA compliance program in place, and we’ll spend this section highlighting just a few key regulations that are especially important when it comes to email. If you need a more thorough rundown on the Security Rule first, check out our earlier complete guide to HIPAA compliance.

Within the Security Rule, much of the important technical guidance shows up in 45 CFR § 164.312, a section on “technical safeguards.” Let’s take an abridged look at some of this section’s requirements as they apply to email:

  • Access control
    Only those people with appropriate access rights should be able to access ePHI. This means that you should use strict security measures for your email account, including a strong password and two-factor authentication. However, you should also consider this requirement as it applies to emails once they leave your email provider’s server and travel across the Internet; if they are unencrypted, then you can’t control access to them as they pass through other servers.
  • Unique user identification and identity verification
    Users on systems with ePHI must be uniquely identified, and their identities must be verifiable. This means no shared logins for email accounts, and it also means that the identity of every person sending or receiving ePHI should be verifiable. Basic email does not have sender or recipient identity verification capabilities.
  • Data integrity
    Systems must protect ePHI from improper alteration or destruction, both at rest and in transit. Technical measures to guard against data loss or corruption need to be in place, and basic email does not include integrity controls.
  • Encryption and decryption
    A mechanism should be used to encrypt and decrypt ePHI. Basic email does not employ encryption.
  • Transmission security
    Technical measures must guard against unauthorized access to ePHI that is being transmitted. Basic email transmission protocols include no guarantee of secure transit.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.