HIPAA Compliance for Medical Practices
How to Engage on Social Media with HIPAA in Mind

Social media is a great tool for growing a healthcare business and connecting with patients on a new level. You have the ability to establish expertise, provide education, and create a brand. But social media comes with certain risks for healthcare professionals who are not careful. This is important, as HIPAA violations can have serious consequences.

 

The basic rules of engagement are simple: Don’t post too many times in one day, don’t make every post a self-promotion, and don’t forget to proofread. However, medical professionals must also keep HIPAA — The Health Insurance Portability and Accountability Act — in mind when using social media.

Read our HIPAA guidelines for three tips to avoid privacy violations when building your online presence.

 

Patrol for protected health information protected by HIPAA

HIPAA outlines 18 types of protected health information, or PHI, that could reveal the identity of a patient. If any information you share online includes details that could lead back to a specific patient, you are in violation of HIPAA.

 

The information provided in your own social media profile — names, locations, photos, dates — combined with even minimal information from the post could paint a surprisingly clear picture of PHI with minimal detective work. You might think you’ve disguised their identity, but a good rule of thumb is to leave any biographical information out when posting on social networks.

 

Remember to also use a critical eye when it comes to sharing images. Do a quick scan to make sure a patient or their files aren’t visible in the background of a seemingly harmless office snap.

 

If your practice wants to use photography for marketing or educational purposes, ensure you have proper patient consent. Create a form that explicitly states why a photo or video is being taken and retains your rights to the imagery.

Maintain a professional profile

There is a difference between your personal and professional online presence. Although social media platforms can be a great tool for friends to stay in touch, using social media for business requires greater professional distance.

 

And while an increasing number of people are becoming active on social media, you should never post directly to a patient’s profile or tag their account in a post, as this would be a violation of HIPAA laws. A patient might engage with your online presence of their own accord, perhaps through a comment on a Facebook post or a review on your Healthgrades profile.

 

Don’t be afraid to respond back, just leave any additional details about the patient or their treatment out.

Create a HIPAA social media strategy for your practice, and stick to it

An online presence is essential to healthcare marketing, even for the busiest doctor. Set yourself up for success by sticking to a consistent schedule and strategy. Create a HIPAA-compliant social media policy for your practice to establish a brand voice and stay safe. If additional help is needed, you can empower your front office staff with greater responsibility.

 

First and foremost, you’ll need to educate your staff on HIPAA. Anything they post will reflect back on you and your practice, so be sure that whoever manages your social media knows how to look out for possible HIPAA violations.

 

You also might consider implementing a social media style guide with HIPAA in mind, which can give direction on the best practices for your content, tone, and branding. For example, you could provide a repository of HIPAA-compliant responses for your staff to reference when engaging with patients.

 

Every social action you take online conveys something about your practice, so be sure you portray a positive image to your patients while also protecting their privacy.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

What is the Purpose of HIPAA?

The Health Insurance Portability and Accountability Act – or HIPAA as it is better known – is an important legislative Act affecting the U.S. healthcare industry, but what is the purpose of HIPAA?

 

Healthcare professionals often complain about the restrictions of HIPAA – Are the benefits of the legislation worth the extra workload?

What is the Purpose of HIPAA?

HIPAA was first introduced in 1996. In its earliest form, the legislation helped to ensure that employees would continue to receive health insurance coverage when they were between jobs.

 

The legislation also required healthcare organizations to implement controls to secure patient data to prevent healthcare fraud, although it took several years for the rules for doing so to be penned.

 

HIPAA also introduced several new standards that were intended to improve efficiency in the healthcare industry, requiring healthcare organizations to adopt the standards to reduce the paperwork burden.

 

Code sets had to be used along with patient identifiers, which helped pave the way for the efficient transfer of healthcare data between healthcare organizations and insurers, streamlining eligibility checks, billing, payments, and other healthcare operations.

 

HIPAA also prohibits the tax-deduction of interest on life insurance loans, enforces group health insurance requirements, and standardizes the amount that may be saved in a pre-tax medical savings account.

 

HIPAA is a comprehensive legislative act incorporating the requirements of several other legislative acts, including the Public Health Service Act, Employee Retirement Income Security Act, and more recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Health Data Privacy and Security

HIPAA is now best known for protecting the privacy of patients and ensuring patient data is appropriately secured, with those requirements added by the HIPAA Privacy Rule of 2000 and the HIPAA Security Rule of 2003. The requirement for notifying individuals of a breach of their health information was introduced in the Breach Notification Rule in 2009.

 

The purpose of the HIPAA Privacy Rule was to introduce restrictions on the allowable uses and disclosures of protected health information, stipulating when, with whom, and under what circumstances, health information could be shared. Another important purpose of the HIPAA Privacy Rule was to give patients access to their health data on request.

 

The purpose of the HIPAA Security Rule is mainly to ensure electronic health data is appropriately secured, access to electronic health data is controlled, and an auditable trail of PHI activity is maintained.

 

So, in summary, what is the purpose of HIPAA? To improve efficiency in the healthcare industry, to improve the portability of health insurance, to protect the privacy of patients and health plan members, and to ensure health information is kept secure and patients are notified of breaches of their health data.

The Intersection Of HIPAA & The Hitech Act

Since it passed in 2009, the HITECH (Health Information Technology for Economic and Clinical Health) Act was meant to enforce certain rules within the HIPAA Omnibus Rule. It’s important that those in healthcare IT understand the relationship between the two.

 

THE IMPACT OF THE HITECH ACT

 

The HITECH Act’s stated aim was to improve the on-boarding and meaningful use of HIT. In doing so, the HITECH Act also affected the standards of Health and Human Services (HHS) used to evaluate hospitals and expanded the scope of jurisdiction.

 

It also bolstered the HHS OCR’s (Office for Civil Rights) tools of enforcement. Georgina Verdugo, director of the OCR, said that added vigilance would help convince consumers of the privacy and security of their health information and protected personal information (PPI).

 

WHERE HIPAA AND HITECH MEET

 

By broadening the scope of HIPAA, the HITECH Act increased the number of participating stakeholders or business associates. Previously, HIPAA described a business associate as a person performing functions or activities for or on the behalf of a covered entity.

 

HITECH changed HIPAA’s definition of business associates to include:

  • Health Information Organizations (HIO)
  • Patient Safety Organizations (PSO)
  • Gateways, portals, and e-prescribers
  • Certain people providing PPI on behalf of another covered entity
  • People involved in data transmission, including subcontractors and delegates

 

HITECH also created new categories of HIPAA penalties. This was meant to distinguish violations based on nature, extent, and the harm caused to patients. Currently, there are three categories which correspond with three civil penalties outlined in the HITECH Interim Final Rule.

 

HIPAA-HITECH FURTHER CONNECTED

 

There are, of course, other areas where HIPAA and HITECH overlap. They are both sweeping and exhaustive pieces of legislation that often cover similar areas, especially where electronic medical records are concerned.

 

This includes meaningful use and PHI. HITECH incentivizes the meaningful use of electronic medical records in order to improve health care and outcomes.

 

Other areas covered in both HIPAA and HITECH are breach reporting requirements, patient access to PHI, and facilitation of medical research.

Do you Know the Recent Changes in HIPAA?

The recent HIPAA changes extend the scope and extent of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (HITECH). Many of the new HIPAA rules for 2013 account for changes in working practices and advances in technology since the original legislation was enacted in 1996.

 

Within the recent HIPAA changes, the Security Rule introduces three “safeguards” to protect the integrity of electronically stored and transmitted Protected Health Information (ePHI). These three safeguards are:

  • Administrative Safeguards – covering factors such as the assigning of an information security officer, business associate agreements, risk assessments, training and the development of appropriate policies.
  • Physical Safeguards – covering equipment specifications, controls for devices and media used to store ePHI (including flash drives), and physical access to servers and other hardware on which ePHI is stored.
  • Technical Safeguards – covering issues such as who can remotely access a database on which ePHI is stored, audit controls, transmission security and how access to and the communication of ePHI is monitored.

 

These safeguards are of particular significance to covered entities that have implemented BYOD policies, have storage issues with the requirement to save six years of ePHI, or who provide unfiltered Internet access.

 

In order to comply with the recent HIPAA changes, covered entities must implement mechanisms that ensure the end-to-end security of patient data and have processes in place to prevent a data breach.

A Revised Definition of Data Breaches

Also included among the new HIPAA rules for 2013 was a revised definition of what constitutes a data breach. A data breach will now be presumed to have occurred when there has been the unauthorized exposure of ePHI unless the healthcare organization, health insurance provider, employer or vendor/business associate can demonstrate that there is a low probability that patient data was compromised.

 

One of the best ways of demonstrating a low probability that patient data was compromised is through encryption. The encryption of data is an “addressable” requirement of the HIPAA Security Rule, meaning that it does not have to be implemented if a covered entity can show it is not necessary, or if a suitable alternative to the requirement is instigated.

 

However, by encrypting all personal identifiers and health-related data any unauthorized exposure of ePHI will be undecipherable, unreadable and unusable – resulting in a low probability that patient data was compromised.

 

The encryption of data in databases, on servers, on flash drives or as it moves through a network can also help covered entities avoid OCR fines for failing to comply with the recent HIPAA changes.

The Implementation of Encryption in Healthcare

The implementation of encryption in healthcare is not difficult to achieve. Many covered entities are switching their primary method of communication to secure messaging. Secure messaging complements the BYOD policies that many covered entities have introduced, and eliminates the risk of a data breach – not only through encrypted communications, but also by encapsulating communications within a private network that provides full message accountability.

Secure messaging not only helps to comply with the recent HIPAA changes, but the mechanisms intended to provide an audit trail for ePHI also accelerate the communications cycle in many areas of healthcare. Secure messaging has also been proven to foster collaboration and enhance productivity – improving the speed of diagnoses, the accuracy with which prescriptions are filled and reducing the volume of adverse events.

Whereas secure messaging resolves the issue of encryption in healthcare since the new HIPAA rules for 2013 were introduced, secure email archiving is an appropriate solution for communications sent and received prior to the recent HIPAA changes. Covered entities have to keep healthcare data for a minimum of six years, and secure email archiving not only stores them in an encrypted format, but also indexes emails and their content for easy retrieval in the event of discovery or compliance audit.

The Cyber Threat to the Integrity of ePHI

The single largest cause of data breaches has been, to date, human error. Employees mislaying USB flash drives, unencrypted laptops stolen from the back seat of a car and the improper disposal of ePHI have been responsible for many millions of records being exposed. Aware that employees are the weakest link in a covered entity’s cybersecurity defenses, criminals are targeting them through phishing campaigns and malware downloads.

One of the strongest defenses against cyber threats is the implementation of a web filter. With a suitably robust web filter, covered entities can prevent employees being directed to bogus websites that request their login credentials and sites that harbor malware. Web filtering solutions can also be configured to prevent the download of certain file types, making it harder for a cybercriminal to break through a covered entity’s cybersecurity defenses.

Web filters also have a productivity-enhancing benefit. With the ability to restrict access to any website, administrators can prevent employees from using social media channels, visiting shopping portals or watching live-streamed videos during working hours. Restricting access to certain areas of the Internet can also eliminate potential HR issues and create a more user-friendly working environment.

What is a HIPAA Violation? What Are The Fines /Penalties? 

Signed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is legislation that provides data privacy and security provisions for safeguarding medical information. Essentially, if you’re handling, transmitting, in possession of, or responsible for any health records, you’re going to need to be in compliance with HIPAA.

 

Regulation around HIPAA is strict and specific. However, what happens if HIPAA guidelines aren’t followed to the letter?

It’s important to know what constitutes a HIPAA violation for the sake of personal data.

 

Did you know that there are stiff penalties and fines for a violation? A breach could also destroy your business and your credibility within the healthcare community.

HIPAA Penalty & Fine Structure

What are the consequences of violating HIPAA?

There are four tiers of HIPAA violations:

 

    • Tier 1. Lack of awareness where a covered entity or individual was unaware that the act in question was a violation. Fines start at $100 and go up to $50,000 per violation, topping out at $1.5 million each year.
    • Tier 2. Reasonable cause to believe the individual or entity knew about the rule or regulation. Issues at this tier are considered a lack of due diligence. The fines range from $1,000 to $50,000 per violation. The maximum fine is $1.5 million per year.
    • Tier 3. The HIPAA violation was performed with willful neglect. The party then corrected the violation within the required time period of 30 days after discovery. Fines at this tier start at $10,000 and go to $50,000. The maximum penalty is $1.5 million per year.
    • Tier 4. At this tier, the violation was made with willful neglect of HIPAA Rules. Further, the entity made no effort to correct the violation. There is a standard $50,000 fine per violation at this tier with a maximum fine of $1.5 million each year.

 

There are also criminal penalties for HIPAA violations and potential jail sentences:

    • Unknowingly or with Reasonable Cause. The person may receive a jail sentence of up to one year.
    • False Pretenses. This may result in a maximum jail sentence of five years and a fine increase to $100,000 per violation.
    • Personal Reasons or to Commit Fraud or a Crime. Malicious intent such as data breaches may lead to a jail sentence of up to 10 years and a fine up to $250,000 per violation.

 

As you can see from the HIPAA fines chart, the penalty structure for violations can act as a strong deterrent for healthcare organizations.

 

Recent HIPAA violations cases reported by federal law enforcement include:

    • Memorial Healthcare System received a fine of $5,500,000 in 2017
    • Children’s Medical Center of Dallas incurred a penalty of $3,200,000 in 2017
    • Advocate Health Care Network’s violation warranted a $5,500,000 fine in 2016
HIPAA Social Media Rules

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations.

 

There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules?

HIPAA and Social Media

The first rule of using social media in healthcare is to never disclose protected health information on social media channels. The second rule is to never disclose protected health information on social media (see the definition of protected health information for further information).

 

The HIPAA Privacy Rule prohibits the use of PHI on social media networks. That includes any text about specific patients as well as images or videos that could result in a patient being identified. PHI can only be included in social media posts if a patient has given their consent, in writing, to allow their PHI to be used and then only for the purpose specifically mentioned in the consent form.

Social media channels can be used for posting health tips, details of events, new medical research, bios of staff, and for marketing messages, provided no PHI is included in the posts.

Employees Must be Trained on HIPAA Social Media Rules

In 2017, 71% of all Internet users visited social media websites. The popularity of social media networks combined with the ease of sharing information means HIPAA training should include the use of social media. If employees are not specifically trained on HIPAA social media rules it is highly likely that violations will occur.

Training on HIPAA should be provided before an employee starts working for the company, or as soon as possible after appointment. Refresher training should also be provided at least once a year to ensure HIPAA social media rules are not forgotten.

HIPAA Violations on Social Media

In 2015, ProPublica published the results of an investigation into HIPAA social media violations by nurses and care home workers. The investigation primarily centered on photographs and videos of patients in compromising positions and patients being abused.

In some cases, images and videos were widely shared; in others, photographs and videos were shared in private groups. ProPublica uncovered 47 HIPAA violations on social media since 2012, although there were undoubtedly many more that were not discovered and were never reported.

In most cases, the HIPAA violations on social media resulted in disciplinary action against the employees concerned; there were several terminations for violations of patient privacy, and in some cases the violations resulted in criminal charges. A nursing assistant who shared a video of a patient in underwear on Snapchat was fired and served 30 days in jail.

It is not only employees that can be punished for violating HIPAA Rules. There are also severe penalties for HIPAA violations for healthcare providers.

Common Social Media HIPAA Violations

  • Posting of images and videos of patients without written consent
  • Posting of gossip about patients
  • Posting of any information that could allow an individual to be identified
  • Sharing of photographs or images taken inside a healthcare facility in which patients or PHI are visible
  • Sharing of photos, videos, or text on social media platforms within a private group

HIPAA Social Media Guidelines

Listed below are some basic HIPAA social media guidelines to follow in your organization, together with links to further information to help ensure compliance with HIPAA Rules.

  • Develop clear policies covering social media use and ensure all employees are aware of how HIPAA relates to social media platforms
  • Train all staff on acceptable social media use as part of HIPAA training and conduct refresher training sessions annually
  • Provide examples to staff on what is acceptable – and what is not – to improve understanding
  • Communicate the possible penalties for social media HIPAA violations – termination, loss of license, and criminal penalties
  • Ensure all new uses of social media sites are approved by your compliance department
  • Review and update your policies on social media annually
  • Develop policies and procedures on use of social media for marketing, including standardizing how marketing takes place on social media accounts
  • Develop a policy that requires personal and corporate accounts to be totally separated
  • Create a policy that requires all social media posts to be approved by your legal or compliance department prior to posting
  • Monitor your organization’s social media accounts and communications and implement controls that can flag potential HIPAA violations
  • Maintain a record of social media posts using your organization’s official accounts that preserves posts, edits, and the format of social media messages
  • Do not enter into social media discussions with patients who have disclosed PHI on social media
  • Encourage staff to report any potential HIPAA violations
  • Ensure social media accounts are included in your organization’s risk assessments
  • Ensure appropriate access controls are in place to prevent unauthorized use of corporate social media accounts
  • Moderate all comments on social media platforms

The Department of Health and Human Services’ Office for Civil Rights has issued guidance on HIPAA social media regulations, detailing the specific aspects of HIPAA that apply to social media networks. A HIPAA compliance checklist for social media can be viewed on the HHS website.
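The guidelines above ask for controls that can flag potential HIPAA violations in the organization's own accounts and for a retained record of what was posted. The following is an added example, not code from this page or from any tool it mentions: a pre-publication screen that holds a draft post for compliance review when it matches one of the HIPAA identifier categories that can be detected mechanically (dates, phone numbers, medical record numbers, ages over 89, and so on), and builds the audit record to retain for the decision. The regular expressions, the `screen_post` and `audit_record` names, and the sample drafts are all assumptions constructed for this example; names, street addresses, and photographs still need a human reviewer, so the screen is a gate in front of that review rather than a replacement for it.

```python
"""Pre-publication PHI screen for an organization's draft social media posts.

Added example; the patterns, function names and sample drafts are assumptions
constructed for illustration, not the page's own code or data.
"""
import hashlib
import re
from dataclasses import dataclass, field

# HIPAA identifier categories that can be matched with plain patterns. Names,
# addresses and photographs are left to the human reviewer.
PATTERNS = {
    "date": re.compile(r"\b(?:\d{1,2}[/-]\d{1,2}[/-]\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "phone_or_fax": re.compile(r"\b\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "medical_record_number": re.compile(r"\bMRN[:#\s-]*\d{4,}\b", re.IGNORECASE),
    "account_or_plan_number": re.compile(
        r"\b(?:acct|account|member|policy)[ #:]*\d{5,}\b", re.IGNORECASE),
    # The Privacy Rule treats any age over 89 as an identifier.
    "age_over_89": re.compile(r"\b(?:9\d|1\d{2})[ -](?:year|yr)s?[ -]old\b", re.IGNORECASE),
}


@dataclass
class ScreenResult:
    approved: bool
    findings: list = field(default_factory=list)  # (category, matched text) pairs


def screen_post(text: str) -> ScreenResult:
    """Return the identifier hits in a draft post; no hits means it may proceed."""
    findings = [(category, m.group(0))
                for category, pattern in PATTERNS.items()
                for m in pattern.finditer(text)]
    return ScreenResult(approved=not findings, findings=findings)


def audit_record(account: str, text: str, result: ScreenResult, when: str) -> dict:
    """Build the record to retain for a reviewed post.

    The content hash lets the retained record be matched to the post as it was
    published even if the platform later reformats it; only the hit categories
    go into the record, the full text stays in the organization's own archive.
    """
    return {
        "account": account,
        "reviewed_at": when,
        "content_sha256": hashlib.sha256(text.encode("utf-8")).hexdigest(),
        "decision": "approved" if result.approved else "held_for_review",
        "categories": sorted({category for category, _ in result.findings}),
    }


# Constructed drafts for the demonstration, not real posts.
CONSTRUCTED_DRAFTS = {
    "health_tip": "Flu season is here. Our clinic offers walk-in flu shots every weekday, 8am to 5pm.",
    "patient_story": ("Great outcome today for our 92-year-old patient, MRN 4471923, "
                      "admitted on 10/12/2023! Call 555-867-5309 to learn more."),
}


if __name__ == "__main__":
    for name, draft in CONSTRUCTED_DRAFTS.items():
        result = screen_post(draft)
        print(name, audit_record("clinic_main", draft, result, "2024-01-15T09:00:00Z"))
        for category, hit in result.findings:
            print(f"  {category}: {hit!r}")
```

Run as a script, the health tip is approved while the patient story is held with four hits (a date, a phone number, a medical record number and an age over 89). A post that clears the screen still goes to the legal or compliance approval the guidelines call for; the screen only removes the mechanical slips before a person looks at it.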

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


HIPAA/HITECH Act and Compliance


The Health Information Technology for Economic and Clinical Health Act (HITECH Act) legislation was created in 2009 to stimulate the adoption of electronic health records (EHR) and supporting technology in the United States. It introduced the Meaningful Use program, incentivizing healthcare organizations to maintain the Protected Health Information of patients in electronic format rather than in paper files.

The Health Insurance Portability and Accountability Act (HIPAA), federal legislation promulgated in 1996, requires the US Department of Health and Human Services (HHS) to develop national standards to protect the privacy and security of patients’ medical records and other personal health information. It was extended in 2013 by what is known as the “Final Omnibus” Rule, which added enforcement provisions and civil penalties.

HITECH and HIPAA are separate and unrelated laws, but they do reinforce each other in certain ways. For example, HITECH requires that any physician or hospital that attests to meaningful use must also have performed a HIPAA security risk assessment as outlined in the Omnibus Rule.

Who does HIPAA affect?

According to HIPAA, if you belong to the category of “covered entities” or “business associates,” and you handle “protected health information (PHI),” you are required to be HIPAA-compliant.

1. Covered Entities:

  • Health Care Providers, such as doctors, surgeons, dentists, psychologists, podiatrists, laboratory technicians, optometrists, hospitals, clinics, nursing homes, organizations in the life sciences field such as medical device and biotechnology companies, pharmacies, schools when they enroll students in health plans, nonprofit organizations that provide some healthcare services, and even government agencies.
  • Health Plans, such as health insurance companies, HMOs, employer-sponsored health plans, and government programs like Medicare, Medicaid, and military and veterans’ health programs.
  • Healthcare Clearinghouses. These are organizations that collect information from a healthcare entity, process the data into an industry-standard format, and deliver it to another entity. Examples of clearinghouses include billing services and community health management information systems.

2. Business Associates:

  • “Business associate” refers to any organization or individual who acts as a vendor or subcontractor with access to PHI.
  • Examples of business associates include: Data transmission providers, Data processing firms, Data storage or document shredding companies, Medical equipment companies, Consultants hired for audits, Electronic health information exchanges, External auditors or accountants, Medical transcription companies, Answering services, Data conversion and data analysis service providers, Law firms, Software vendors and consultants, Financial institutions (if engaging in accounts receivable or other functions extending beyond payment processing), ISPs, ASPs, Cloud vendors, Researchers (if performing HIPAA functions for a covered entity), etc.

Protecting PHI: Managing HIPAA Risk with Outside Consultants

The rising complexity of healthcare, particularly as it relates to providers’ growing technical needs, is increasingly prompting healthcare organizations to seek the help of outside consultants. In engagements with healthcare entities, though IT consultants try to minimize interaction with patient data, they often have access to protected health information (PHI). When working with HIPAA Covered Entities, consultants are treated as “business associates” and are required to comply with the Privacy Rules designed to protect PHI.

Managing HIPAA compliance when engaging outside consultants requires that consultants enter into a Business Associate Agreement (BAA). The BAA must:

  • Describe the permitted and required uses of PHI by the business associate in the context of their role
  • Provide that the business associate will not use or further disclose the PHI, other than as permitted or required by the contract or by law
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI, other than as provided for by the contract

Here are several best practices to follow to ensure the protection of PHI in consulting arrangements.

FTE Mentality

During the contract period, the expectation is that consultants act as if they were employees of the hospital or provider organization and treat PHI accordingly. It is important to know that consultant business associates can be held liable, or equally responsible, for a PHI data breach in the same way a full-time employee can be.

Role-Based Access Rules

Limit access to PHI based on role to ensure that only the parties that need PHI have access to it. An IT strategist, for example, does not need to see live patient data. Associates leading implementation projects, on the other hand, may need access to live PHI. Typically, this occurs late in the implementation process, when the time comes to test a system with live, identifiable patient data.

Safeguard Access Points

If a hospital wants a consultant to have regular access to PHI, it is preferable that the hospital provide the consultant with a computer or device that has the appropriate access authorizations and restrictions in place. Avoid the use of personal devices whenever possible. Make sure that only approved and authorized devices can be used inside the firewall, and require multi-factor authentication at log-in. Avoid inappropriate access to PHI by way of shared or public data access points, and do not allow PHI to be accessed in places where others could intervene.

Keep it Local

Don’t take PHI away from the source of use. Consultants should avoid storing PHI on personal devices, including smart phones, which are particularly susceptible to theft and loss. Devices used to store or access PHI must be registered. Best practices often include controls giving IT staff advance permission to remotely wipe or lock a stolen registered device. Avoid leaving registered devices in cars or unprotected areas.

Paper-based reports also pose a threat of PHI leakage. Documents you take home over the weekend, for example, could be accessed by family members, lost, or stolen. Electronic, paper, verbal, and image-based PHI should all be properly secured. Of course, the regulations also cover visual and verbal protections. When accessing PHI, avoid allowing others to view your screen over your shoulder. When discussing PHI, make sure only those who need to know and have the appropriate authority can hear the conversation.

The healthcare industry is making great strides in establishing digital infrastructure, much of which is cloud-based, putting new onus on providers and their business partners to ensure the security of that information. No one wants to make headlines for the latest data breach, least of all the IT consultants hired by providers to help guide their data management efforts. Rigorous attention to HIPAA Privacy Rule guidelines is not only required – it’s imperative to maintaining trust in the healthcare ecosystem.


HIPAA Police – Are They Coming For You?

As reported by Health and Human Services (HHS), HIPAA fines and audits are significantly on the rise. 5% of practices are being audited against the HITECH Act and Omnibus Rule. Are you compliant?

“How do all these regulations affect me as a Healthcare Covered Entity or Business Associate?”

To answer that question, let’s first look at what the regulations are and get a brief description. Once we read and understand what we are facing, the steps to complying with the rules should be attainable. I would love to say attaining compliance is easy, but as with anything in life, if you want success you will have to work for it.

HITECH ACT

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) was created to motivate the implementation of electronic health records (EHR) and supporting technology in the United States. President Obama signed HITECH into law on February 17, 2009, as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The HITECH Act specified that by the beginning of 2011, healthcare providers would be given monetary incentives for being able to demonstrate Meaningful Use (MU) of electronic health records (EHR). These monetary incentives, up to $44,000 per doctor, will be offered until 2016, after which time penalties will be levied for failing to demonstrate such use.

FYI, the main failure that the Centers for Medicare and Medicaid have discovered when auditing providers who have implemented an EHR system is their failure to perform a proper Risk Analysis.

OMNIBUS RULE

The US Government’s requirement to implement Electronic Medical Records and Health IT compliance prompted it to adopt the long-awaited HIPAA Omnibus Rule (http://compliancy-group.com/hipaa-omnibus-rule).

The Omnibus Rule was finalized by the Office for Civil Rights (OCR). The Office of Management and Budget (OMB) approved the final rule and subsequently published it in the Federal Register.

The rule effectively merges four separate rulemakings, which are as follows:

  • Amendments to HIPAA Privacy and Security Rule requirements
  • HIPAA and HITECH under one rule
  • Further requirements for data breach notifications and penalty enforcement
  • Approving the regulations in regard to the HITECH Act’s breach notification rule

It is apparent from this new rule that the health care industry will need to educate patients about their privacy and disclosure rights. Patients will need to know how their information is used and disclosed, and how to submit complaints about privacy violations. Health care providers should also try to better understand HIPAA requirements so that they are aware of their risks and responsibilities towards their patients.

In addition, the Omnibus Rule includes provisions that govern the use of patient information in marketing; eliminates and modifies the “harm threshold” provision that presently allows healthcare providers to refrain from reporting data breaches that are deemed not harmful; ensures that business associates and subcontractors are liable for their own breaches; and requires business associates to comply with HIPAA for the first time since HIPAA was introduced. The rule also requires HIPAA privacy and security requirements to be employed by business associates and sub-contractors.

So, what does compliance with these rules look like? Is it a 3-ring binder on a shelf with some policies, is it an online training course, or is it my IT person telling me I am protected? Actually, it is a little of all three.

  1. RISK ANALYSIS – A true risk analysis covers the Administrative safeguards (policies and procedures), the Technical safeguards (how your network, computers, and routers are protected), and the Physical safeguards (what you have put in place at your location, such as alarms, shredding, and screen protectors).
  2. RISK MANAGEMENT – The risk analysis is going to identify deficiencies. Risk management is then put in place to track how your remediation plan will fix the deficiencies that were found during the risk analysis.
  3. VENDOR MANAGEMENT – Vendor management tracks the companies and people that access your site where PHI or ePHI is stored and keeps track of who you share PHI or ePHI with. Depending on the relationship, you will want to have either a Business Associate Agreement (if they meet the requirements for being labeled a Business Associate) or a Confidentiality Agreement. Remember, for Business Associates, an agreement alone is not enough; you also need assurances that they are complying with the HIPAA Security Rule before you share or continue to share PHI or ePHI with them.
  4. DOCUMENT MANAGEMENT – It is hard to imagine compliance without a place to store policies, procedures, business associate agreements, or any other compliance documents. Why, you ask? Because the rule specifically states that you must retain all compliance documents for a minimum of 6 years (depending on the state your business is in, these rules may be more stringent).
  5. TRAINING OF YOUR STAFF – One of the most important aspects of compliance is the tracking of not only HIPAA 101 training for your staff but also of your staff’s acknowledgment that they understand the HIPAA Privacy and Security Policies that you

The Benefits of Performing a HIPAA Risk Assessment


The Health Insurance Portability and Accountability Act (HIPAA) Security Rule mandates that covered entities must conduct a risk assessment of their healthcare company.

A wide range of organizations – from healthcare insurance providers to hospitals – fall into this covered entity group. While it may seem taxing and time-consuming to provide standardized training to your employees, there are many reasons doing so can benefit you. For one, it’s the law. Since 2009, Security Risk Assessments (SRAs) have been a required annual practice set forth by the HIPAA Security Rule.

Don’t wait to become a breach headline; nip breaches in the bud by detecting security issues before they wreak havoc. You can’t be secure if you are not compliant, and a HIPAA Risk Assessment will safeguard your organization in more ways than one. Technology is a timesaver that has simplified the medical filing and billing processes, but it leaves the potential for leaks and hacking.

A risk analysis will identify and document potential threats and liabilities that can cause a breach of sensitive data. An IT security consulting company can check all portable media (laptops), desktops, and networks to ensure they’re ironclad. IT security measures, such as encryption and two-factor authentication, will be addressed in order to make it challenging for unwanted eyes to get a glimpse of patient information.

Employees are the greatest threat to HIPAA compliance, so it’s important to make sure they’re well informed on how to prevent breaches. Annual HIPAA Security Awareness Training Programs provide a thorough understanding of each person’s role in preventing breaches and protecting physical and electronic information.

HIPAA training is a regulatory requirement, and many employee actions that go awry could easily be prevented by it. A consultant will offer tips and tricks for minimizing that risk; a few include never leaving work phones and laptops unattended, never sharing passwords or company credentials, choosing to shred files as opposed to trashing them, and overcoming the temptation to “snoop” on patient information without just cause.

While many of these suggestions seem like common sense, there are also many lesser-known situations that arise while working in the medical field. Did you know that you cannot access your own medical records using your login credentials? While it may seem innocent enough, everyone is required to submit a request to access medical materials.

Don’t defer a Risk Assessment out of indolence. HIPAA Risk Assessments must be accurate and extremely thorough. Questions about all the administrative, technical, and physical safeguards an organization has in place must be asked.

If outsourcing your HIPAA Risk Assessment, choose a company that provides comprehensive training courses. No two companies are alike, so cookie-cutter answers don’t exist for compliance; a client-facing doctor’s office and a corporate health insurance agency will require that different preventive measures be put into place.


How HIPAA Helps Strengthen Patient Trust


Trust is a vital factor that affects the success of any relationship, whether it be personal or professional. Without this foundational element, interpersonal and business relationships would be filled with suspicion and uncertainty, leading to conflict and ultimately the disintegration of any bond that existed.

In today’s digitally-driven world, this core human value is now more critical than ever. Many of the transactions we perform daily force us to deal with entities we have never met in real life. Dealing with any organization that processes and stores our personal data requires us to trust that they will honor their commitments and keep our sensitive information secure.

When it comes to healthcare, patient trust is a core element of any practice. Any incident that jeopardizes patient trust can destroy the relationship and threaten the future of the organization. As people are placing their health and welfare under the direct care of a practitioner, trust is effectively the only human emotion at play in this relationship.

We not only trust them with our lives but with keeping our medical information private and secure. Should this data be compromised in any way, it would not only place the patient in a precarious position but would also destroy the trust relationship that existed with the practitioner.

HIPAA Strengthens Patient Trust

The Health Insurance Portability and Accountability Act (HIPAA) helps strengthen patient trust in various ways. It provides mechanisms that enhance the transparency, privacy, and security of electronic healthcare information. Not only does the Act help prevent sensitive patient data from being compromised, but it also gives patients access to their private medical information and protects it.

Under HIPAA, medical organizations and practitioners that process and store patient healthcare information must implement measures that ensure compliance with the obligations stipulated under the statute.

Some of these measures include conducting regular security risk assessments and deploying technologies that protect access to patient information, such as Multi-Factor Authentication (MFA) and encryption.

Complying with the provisions specified under HIPAA should not only be seen as a legal or regulatory obligation but as accreditation that the organization takes patient confidentiality and security seriously. It helps build that vital trust factor as patients know that the entity has implemented the necessary safeguards needed to protect the privacy of their sensitive medical information. Achieving HIPAA compliance should therefore not be seen as a regulatory obligation but as an essential business practice that builds patient trust.

The Healthcare Industry is Not Immune to Cybersecurity Risks

As the world has become more digital and many of the vital services that run our lives have moved online, cybersecurity is a fundamental principle that every organization needs to put into practice. No enterprise is immune from a cyberattack, and this fact is particularly true for organizations that operate in the healthcare industry.

According to the 2018 Verizon Protected Health Information Data Breach Report, 58% of incidents involved insiders. This statistic highlighted the fact that healthcare is the leading industry in which internal actors are the biggest threat to an organization. It’s interesting to note that the majority of these incidents involved human error.

Although malicious actions such as misuse of information, physical intrusion, and hacking also contributed to breaches involving the healthcare industry, human error was a leading cause of data compromise. These statistics show the vital role HIPAA can play in helping organizations reduce the risk of data breaches involving protected health information.

How to Comply with HIPAA Rules

HIPAA compliance is not a one-time exercise but an ongoing assessment that involves a synchronized endeavor involving people, processes, and technology. As human error is the leading cause of data breaches in the healthcare industry, it is vitally important to implement the safeguards that HIPAA has created to reduce the risk of intentional or accidental compromise of patient healthcare information.

Under HIPAA, there are specific obligations that are required and others that are addressable. Required safeguards are mandatory for any organization that stores, processes, or transmits electronic protected health information. Addressable provisions are not mandatory, but organizations need to either implement them or provide evidence that shows they are not relevant to their specific circumstances.

The HIPAA Privacy Rule deals with protected health information (PHI) in general. The HIPAA Security Rule provides compliance regulations for electronic PHI (ePHI). Under this section of the Act, there are various administrative, physical, and technical safeguards that offer the appropriate measures healthcare organizations need to implement to ensure patient privacy and the security of their ePHI.

Administrative safeguards include actions such as undertaking a risk analysis and performing an information system activity review. The Security Rule also recommends that organizations conduct regular cybersecurity awareness training and create an incident response plan.

Physical safeguards include measures such as deploying facility access controls and implementing the necessary steps to securely and safely dispose of media that contain ePHI.

Finally, the technical safeguards specified under HIPAA’s security rule include legislative obligations that healthcare organizations need to implement such as ensuring unique user identification, creating an emergency access procedure, and installing technologies that provide data integrity and transmission security.


Understanding the HIPAA Security Rule: HIPAA Physical Safeguards


While HIPAA covers a broad scope of healthcare-related items, its Security Rule specifically sets forth standards concerning the safety of electronic Protected Health Information, or ePHI. Furthermore, the Security Rule can be broken down into three key areas of implementation: Physical Safeguards, Technical Safeguards, and Administrative Safeguards. In Part I of this blog series we will discuss the basics regarding HIPAA Physical Safeguards, or Section 164.310 of the Security Rule, and how they relate to ePHI.

The Department of Health and Human Services defines HIPAA Physical Safeguards as “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings from natural and environmental hazards, and unauthorized intrusion”. In short, a covered entity must have physical protocols in place to protect its ePHI from disaster and/or theft.

HIPAA Physical Safeguards can be broken down into the following standards:

  • Facility Access ControlThis standard requires covered entities to implement policies and procedures to limit physical access to information systems and the facilities in which they are stored. Proper authorization to access these systems should also be ensured. The Facility Access Control Standard also requires the following implementations:
    • Contingency Operations
    • Facility Security Plan
    • Access Control and Validation Procedures
    • Maintenance Records

 

  • Workstation Use: A workstation is defined as an electronic computing device and any electronic media stored in its immediate environment. According to this standard, covered entities must implement policies and procedures surrounding the functions and physical attributes of any workstation that can access ePHI. The importance of these policies and procedures is to limit exposure to viruses, compromisation of information systems, and breaches of confidential information.

 

  • Workstation Security: This standard differs from Workstation Use in that it refers specifically to how workstations are to be physically protected from unauthorized users. Under this standard, converted entities must implement physical safeguards for all workstations that access ePHI to restrict unauthorized users. Essentially, a covered entity must take precautions - such as locked doors/equipment – to prevent non-employees from physically accessing a workstation.

 

  • Device and Media Controls: This standard refers to electronic media, meaning the storage media inside computers (hard drives) and any removable or transportable digital memory medium such as tapes, disks, or digital memory cards. Its purpose is to have policies and procedures in place that govern the receipt and removal of hardware and electronic media containing ePHI into and out of a facility, and the movement of these items within the facility. Covered entities must be able to account for all ePHI as it is moved between electronic devices, and they must still be able to account for it when the media is disposed of. This standard is broken down into the following implementations:
    • Disposal
    • Media Re-Use
    • Accountability
    • Data Backup and Storage

In order to comply with these standards related to HIPAA Physical Safeguards, here are some examples of basic practices that any covered entity can apply to its medical practice:

  • Keep access to any device that stores or processes ePHI restricted to authorized personnel only. Avoid having these devices in areas that can easily be accessed by patients or visitors.
  • Ensure that ePHI is disposed of properly. Hard drives and any other devices that store patient information must be destroyed in the proper manner, and a certificate of disposal should be obtained and kept as a record.
  • Keep an inventory of all devices in the office that store or process ePHI. Additionally, note which staff have access to these devices and what roles they play in processing ePHI.

 

These are general steps that will help covered entities comply with HIPAA. The mandatory annual HIPAA risk assessment should be comprehensive: it should review all physical safeguards at your location, pinpoint specific vulnerabilities, and determine the corresponding action items and any additional physical safeguards that need to be implemented.

In summary, the Physical Safeguards standards of the HIPAA Security Rule set forth a comprehensive framework for the physical protection of ePHI. As covered entities continue to modernize and move away from traditional paper-based record keeping, they will need to keep these standards in mind to protect the privacy of their patients.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Understanding the HIPAA Security Rule: Administrative Safeguards


The Administrative Safeguards are the most comprehensive standards, as they cover over half of the HIPAA Security Rule. These standards encompass many of the oversight aspects of managing a covered entity. The other two posts in this blog series covered Technical Safeguards and Physical Safeguards.

 

The Department of Health and Human Services defines these safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information”.

 

Administrative Safeguards are broken down into the following standards:

  • Security Management Process: A covered entity must implement policies and procedures to prevent, detect, contain, and correct security violations. There are four required implementations for this standard:
    • Risk Analysis
    • Risk Management
    • Sanction Policy
    • Information System Activity Review
  • Assigned Security Responsibility: This standard requires the designation of a security official who is responsible for the development and implementation of policies and procedures.
  • Workforce Security: Under this standard, a covered entity must implement policies and procedures to ensure that all staff members have appropriate access to ePHI, and to prevent workforce members who do not have permission from accessing it. There are three addressable implementations under this standard:
    • Authorization and/or Supervision
    • Workforce Clearance Procedure
    • Termination Procedures
  • Information Access Management: This standard relates to the implementation of policies and procedures regarding the authorization of access to ePHI. There are three addressable implementations under this standard:
    • Isolating Healthcare Clearinghouse Functions
    • Access Authorization
    • Access Establishment and Authorization
  • Security Awareness and Training: Under this standard, a covered entity must have a security awareness and training program for all members of its workforce, including physicians and management. There are four implementations for this standard:
    • Security Reminders
    • Protection from Malicious Software
    • Log-in Monitoring
    • Password Management
  • Security Incident Procedures: Covered entities must have policies and procedures in place to address security incidents. There is one implementation:
    • Response and Reporting
  • Contingency Plan: The purpose of this standard is for covered entities to establish policies and procedures for responding to emergencies or other occurrences (fire, vandalism, natural disasters, etc.) that may damage systems containing ePHI. There are five implementations for this standard:
    • Data Backup Plan
    • Disaster Recovery Plan
    • Emergency Mode Operation Plan
    • Testing and Revision Procedures
    • Applications and Data Criticality Analysis
  • Evaluation: This standard requires covered entities to perform periodic technical and nontechnical evaluations in response to environmental and operational changes affecting the security of ePHI.
  • Business Associate Contracts and Other Arrangements: The final standard relates to the relationship between a covered entity and the vendors it uses. It states that the covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity’s behalf, only if the covered entity obtains the correct assurances. There is one implementation under this standard:
    • Written Contract or Other Arrangement

The HIPAA Administrative Safeguards standards cover a broad scope of administrative functions that a covered entity must implement regarding the security of ePHI. Here are some basic practices that a covered entity can put into place:

 

  • Perform a regular risk analysis of systems used by the office to determine any new vulnerabilities or weaknesses.
  • Appoint a HIPAA Security Officer who oversees the implementation of these standards and maintains all policies and procedures related to security measures.
  • Ensure that all staff members adhere to a policy of creating strong passwords to access workstations/software programs that access ePHI. These passwords should not be common words or phrases and should not be shared among employees.
  • Create regular backups of any servers or systems that process ePHI. This can be done via a cloud-based system or an encrypted backup tape/hard drive.
  • Immediately remove access to any programs that process ePHI (EMR, billing/scheduling software, etc.) for any employee who is no longer associated with the covered entity (termination or job change). This will help prevent improper access to patient data.
  • Obtain and maintain Business Associate Agreements (BAAs) with any third-party vendors that store or process PHI. These agreements must ensure that the vendor will appropriately safeguard patient information.

 

As with Physical and Technical Standards, Administrative Standards need to be reviewed for each covered entity through an annual HIPAA Security Risk Assessment. These assessments are not only mandatory, but they are essential to determine any risks that can lead to a breach of data.

 

In closing, the HIPAA Security Rule covers a wide range of standards and implementations that covered entities must employ to ensure HIPAA compliance. Failure to adhere to these policies can lead to OCR (Office for Civil Rights) sanctions in the form of audits and even severe civil penalties.


HIPAA Law Enforcement


The battle between individuals’ privacy rights and the needs of law enforcement has raged for centuries in one form or another. When the HIPAA Privacy Rule was implemented, the authors of this rule tried to appease, as it were, both sides.

 

The resulting “compromise” is that protected health information – the information the HIPAA Privacy Rule affords some protection from disclosure – can be disclosed when disclosure is needed by law enforcement.

 

There are limits, however, as to how, where, when, and why law enforcement may obtain this information.

 

The HIPAA law enforcement exception to the general rule restricting use and disclosure of PHI (unless an exception permits or requires use or disclosure) is discussed below.

What is the HIPAA Law Enforcement Exception?

The HIPAA law enforcement exception can be found in the text of the HIPAA Privacy Rule. 

 


 

The Privacy Rule provision that addresses whether PHI can be disclosed to law enforcement is 45 CFR § 164.512. This provision is entitled, “Uses and disclosures for which an authorization or opportunity to agree or object is not required.” 

 

The provision then lists circumstances under which PHI may be used or disclosed, despite the general rule. Circumstances allowing use of PHI without written authorization (or an opportunity to agree or object) include (among others):

  • A specific state or federal law requires the disclosure of PHI.
  • Public health activities, which include (among other things):
    • Reporting of disease or injury
    • Reporting vital events such as birth or death
    • Conducting of public health surveillance
    • Conducting of public health investigations
    • Conducting of public health interventions
  • When a covered entity reasonably believes an individual is a victim of abuse, neglect, or domestic violence.
  • When a health oversight agency seeks to conduct health oversight activities authorized by law. These activities include:
    • Inspections
    • Licensure or disciplinary actions
    • Civil, administrative, or criminal proceedings or actions
    • Other activities necessary for appropriate oversight of the healthcare system, government benefit programs, and of:
      • Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
      • Entities subject to civil rights laws for which health information is necessary for determining compliance.
  • Disclosures for judicial and administrative proceedings.
  • Law enforcement purposes.

The HIPAA Law Enforcement Exception: What Does it Cover?

Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances (subject to certain conditions): 

  • As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; 
  • To identify or locate a suspect, fugitive, material witness, or missing person; 
  • In response to a law enforcement official’s request for information about a victim or suspected victim of a crime; 
  • To alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; 
  • When a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and 
  • By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

Why You Should Follow HIPAA Compliance For The Success Of Your Dental Practice


In 2018, ten companies had to pay $28.7 Million in HIPAA fines. United States law requires all covered entities to comply with HIPAA. Covered entities, in this case, refers to health care providers such as hospitals, dental clinics, and pharmacies.

 

The American Dental Association conducted research which indicated a significant increase in dental practices, both in terms of size and number.

 

Statistics show that US Citizens who had access to dental care rose to 248 Million in 2016, from 170 Million in 2006.

 

The growth of dental practices across the States makes them increasingly exposed to cyberattacks.

This is where HIPAA comes in. For dentists, the HIPAA rule comprises:

• the Security Rule
• the Privacy Rule
• the Breach Notification Rule

 

WHAT IS HIPAA?

 

HIPAA compliance refers to the process through which covered entities and business associates adhere to set rules which seek to protect Protected Health Information.

 

In simple terms, it seeks to ensure that a patient’s healthcare data remains private. Protected Health Information is any individual’s healthcare data. The Privacy and Security Rules control what healthcare professionals such as dentists can and cannot do with your PHI.

 

THE IMPORTANCE OF HIPAA

 

HIPAA was initially introduced in 1996 to address insurance coverage for people working two jobs. It also sought to avoid health care fraud, and protect patients’ health information.

 

FOR YOUR DENTAL PRACTICE, FOLLOWING HIPAA WILL:

 

• Immensely help you transition from manual to electronic health records.
• Streamline your administrative healthcare functions.
• Protect your client’s health information.
• Set boundaries regarding using and releasing health records.
• Boost the efficiency of your clinic.
• Hold violators accountable for violating a patient’s rights, through both criminal and civil penalties.

 

FOR YOUR PATIENTS, FOLLOWING HIPAA WILL:

 

• Safeguard their personal and sensitive health information.
• Give them control over who gets access to their information.
• Give them the right to obtain and review their health records, and to request corrections when necessary.


What is a HIPAA-Covered Entity?


The term “HIPAA Covered Entity” did not actually appear in the Health Insurance Portability and Accountability Act when it was originally enacted in August 1996.

 

The term first appeared in HHS’s proposed HIPAA Privacy Rule when the Rule was released for public comment in November 1999; the Rule was subsequently published, after amendments had been made, in December 2000.

 

The HIPAA Privacy Rule evolved from the “Administrative Simplification Rule” of the original legislation. This Rule required the Secretary of the Department of Health & Human Services to develop a set of national standards for the protection of certain health information.

 

These standards defined what health information was to be protected and who was responsible for protecting it – Covered Entities.

HIPAA Covered Entity Definition

At first glance, the HIPAA Covered Entity definition appears straightforward. The Privacy Rule defines a Covered HIPAA Entity as any health plan or any healthcare clearinghouse, or any healthcare provider who transmits Protected Health Information (or PHI as per the standards developed by the Department of Health & Human Services) in electronic form.

 

However, reading deeper into the HIPAA Covered Entity definition uncovers a few gray areas. For example, insurance companies providing workers’ compensation are not regarded as health plans, despite the fact that they receive personally identifiable information – usually considered to be protected – in the process of settling workers’ compensation claims.

 

A further gray area exists around the definition of a healthcare clearinghouse, which in most instances only receives PHI when it is providing processing services to a health plan or healthcare provider. This would make a healthcare clearinghouse a Business Associate (see “HIPAA Covered Entity vs Business Associate”) rather than a Covered HIPAA Entity under the HIPAA Covered Entity definition.

Is an Employer a HIPAA Covered Entity?

One would think that if a healthcare clearinghouse qualifies as a Covered Entity under HIPAA, an employer must as well. An employer – particularly an employer’s HR department – receives a great deal of personally identifiable information that is classified as protected; but even when an employer sponsors a self-insured group health plan, the answer to “Is an employer a HIPAA Covered Entity?” is generally “No”.

 

The reason for this is because a self-insured group health plan is considered to be a separate legal entity from the sponsoring employer.

 

Therefore it is the group health plan and not the employer that is the Covered Entity under HIPAA – unless the employer also administers the group health plan and it has more than fifty participants. (This scenario rarely occurs. Large plans are usually administered by a third party who acts as a Business Associate to the group health plan).

 

However, because PHI is shared with an employer in the execution of administrative functions on behalf of the group plan, certain conditions apply to the use and disclosure of the information. Among these conditions is that the information shared with the employer will remain protected (as per the HIPAA Privacy Rule) and will not be used for employment-related actions. In effect, employers – although not Covered Entities – are bound by the same rules as a Covered HIPAA Entity in certain circumstances.

HIPAA Covered Entity Examples

In order to provide HIPAA Covered Entity examples, we have used the examples provided by the Department of Health & Human Services. These examples are not exhaustive and are subject to change.

 

Any organization that does not appear among the following HIPAA Covered Entity examples, but believes it may be subject to HIPAA, should read the section at the end of this article entitled “Is Your Organization a Covered HIPAA Entity?”

HIPAA Covered Entity Examples: Health Plans

HIPAA-covered health plans are mostly plans that insure against the cost of health treatment, dental treatment, vision treatment or prescription drugs.

 

Other HIPAA Covered Entity examples within the health plan category include health maintenance organizations (“HMOs”), long-term healthcare insurers (excluding nursing home fixed-indemnity policies) and – as mentioned above – employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans.

HIPAA Covered Entity Examples: Healthcare Clearinghouses

In medical billing, healthcare clearinghouses receive claims information from healthcare providers, check the claims for errors, and verify that the format of each claim is compatible with the payer’s software. Healthcare clearinghouses, repricing companies, and community health management information systems are classified as HIPAA Covered Entity examples because their sole roles are PHI-related – an important point to note before discussing “HIPAA Covered Entity vs Business Associate” below.

HIPAA Covered Entity Examples: Healthcare Providers

The HIPAA Covered Entity definition of a healthcare provider has not changed since 1999 despite the healthcare industry evolving substantially.

 

Therefore the HIPAA Covered Entity examples of healthcare providers remain “providers who submit HIPAA transactions electronically” – electronic transactions including claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Privacy or Security Rule.


How to Prepare For A HIPAA Compliance Audit in 2019


1. Focus on HIPAA training for employees

Staff training is critical for an understanding of HIPAA compliance requirements. Employees who haven’t been trained or don’t have experience with compliance regulations can increase the risk of a failed audit.

 

Document your training to show the OCR (Office for Civil Rights) that you are dedicated to employee instruction. Create and publish policies that make training and education a priority. Make sure your team is thoroughly trained before the audit, because the OCR will ask questions to ensure everyone understands HIPAA regulations and compliance rules.

2. Create a Risk Management Plan and Conduct a Risk Analysis

A risk management plan and a risk analysis are required.

A HIPAA risk analysis looks for any security risks your company might be exposed to – all risks. The risk management plan is a strategy to address those risks.

 

In conducting the risk assessment, you should also prepare your security documents. Compliance rules state reports should be recorded, written, and kept in an easily accessible location. Rules should be specific to all aspects of your business, and not isolated to one area.

 

For example, all policies regarding the HIPAA privacy and security rule should be documented. Documents that cover incident response, breach notification, IT and firewalls, and physical security should be included. These documents will not only help in the audit process but provide clear direction in the operation of the business.

 

3. Select a Security Assessment and Privacy Officer

HIPAA requires a security and privacy officer for each covered entity and business. This does not have to be a new hire, but you do need someone responsible for the security and privacy of PHI. They are responsible for showing the effort being made to meet regulations.

 

The officer should also review business associate agreements. The OCR will discuss the third-party relationships that involve electronic protected health information. Create a list of vendors and suppliers, and of the security and safeguards they have in place under the business associate agreement.

 

This officer should schedule a regular review of security policies and conduct a risk analysis on IT systems and data security. They should also have a record of any breaches or incidents. Don’t try to hide any problems or data breaches during the audit. Be honest. Incidents happen, and the OCR wants to know how you responded to the security breach.

4. Review Policy Implementation

As important as it is to document policies and procedures, it’s also important to see how those policies are being implemented. The OCR will review how those policies and procedures apply to the daily business operation, and if they are implemented consistently.

Talk to your team to see how the policies are working.

 

If employees are struggling to follow policy, then take the time to analyze the problems and make adjustments as needed. Create an implementation schedule to include in the audit. The OCR wants to see the policies in action. If you are still implementing the plans, then show them the schedule, so that they know progress is being made.

5. Conduct an Internal Audit

An internal audit program is the best way to identify problems in your system before the OCR audit. Regularly conducting internal audits will not only help you solve problems before they turn into a fine, but also keep your team sharp and take pressure off during the actual review.

 

It’s often a good idea to work with an organization that specializes in compliance or data security to help conduct the internal audit. They can review your security and compliance standards and take a close look at your risk analysis and risk management plan. With an outside perspective, they may be able to identify problems that didn’t show up in your internal risk assessment. Partnering with an IT and data security provider will help ensure a complete and thorough internal audit.

 

As a best practice, review your policies and procedures as the auditor might. Consider if the policies are meeting the intent of the regulation and improving patient privacy and security. By critically analyzing these methods, you can find areas of improvement in both business operations and HIPAA compliance.

6. Create an Internal Remediation Plan

Once you’ve gone through the above steps and conducted an internal audit in preparation for your HIPAA audit, you should create a remediation plan to reduce risks and correct findings. Attach a schedule with timelines to the remediation plan and be prepared to discuss the plan with OCR during the audit.

 

While HIPAA sets guidelines and standards for protected health information, it’s also essential to see HIPAA as a continual process. A remediation plan and a schedule help to keep covered entities and businesses on track and compliant, even between audits.

 

Finally, make sure you limit your internal audit concerns to the policies and procedures of your business. While the business associate agreements are an important part of HIPAA, focusing on vendors and suppliers can leave your operations at risk. Your primary concern with the remediation plan and audit should be internal processes.


What Happens if a Nurse Violates HIPAA?


What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?  

 

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules?

What are the Penalties if a Nurse Violates HIPAA?

Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA Rules may not have negative consequences and can be dealt with internally. Employers may decide to provide additional training in some cases to ensure the requirements of HIPAA are fully understood.

 

If a nurse violates HIPAA by accident, it is vital that the incident is reported to the person responsible for HIPAA compliance in your organization – the Privacy Officer, if your organization has appointed one – or your supervisor. The failure to report a minor violation could have major consequences. You can read more about accidental HIPAA violations here.

 

Serious violations of HIPAA Rules, even when committed without malicious intent, are likely to result in disciplinary action, including termination and punishment by the board of nursing. Termination for a HIPAA violation does not just mean loss of current employment and benefits. It can make it very hard for a nurse to find alternative employment. HIPAA-covered entities are unlikely to recruit a nurse that has previously been fired for violating HIPAA Rules.

 

Willful violations of HIPAA Rules, including theft of PHI for personal gain or use of PHI with intent to cause harm, can result in criminal penalties for HIPAA violations. HIPAA-covered entities are likely to report such incidents to law enforcement and investigations will be launched. Complaints about HIPAA violations submitted to the Office for Civil Rights can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are rare, although theft of PHI for financial gain is likely to result in up to 10 years in jail.

 

There is no private cause of action in HIPAA. If a nurse violates HIPAA, a patient cannot sue the nurse for a HIPAA violation. There may be a viable claim, in some cases, under state laws.

Further information on the penalties for HIPAA violations is detailed here.

Examples of HIPAA Violations by Nurses

The list of possible HIPAA violations by nurses is long, although the most common nurse HIPAA violations are listed below.

  • Accessing the PHI of patients you are not required to treat
  • Gossiping – Talking about specific patients and disclosing their health information to family, friends & colleagues
  • Disclosing PHI to anyone not authorized to receive the information
  • Taking PHI to a new employer
  • Theft of PHI for personal gain
  • Use of PHI to cause harm
  • Improper disposal of PHI – Discarding protected health information with regular trash
  • Leaving PHI in a location where it can be accessed by unauthorized individuals
  • Disclosing excessive PHI and violating the HIPAA minimum necessary standard
  • Using the credentials of another employee to access EMRs/Sharing login credentials
  • Sharing PHI on social media networks (See below)

Nurses Who Violate HIPAA with Social Media

Sharing protected health information on social media websites should be further explained. There have been several instances in recent years of nurses who violate HIPAA with social media.

 

Posting any protected health information on social media websites, even in closed Facebook groups, is a serious HIPAA violation. The same applies to sharing PHI including photographs and videos of patients via messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless prior authorization has been received from a patient, in writing, nurses should avoid sharing photographs and videos of patients (or any PHI) on social media sites. The National Council of State Boards of Nursing (NCSBN) has released a useful guide for nurses on the use of social media (on this link).

 

There have been several recent cases of nurses taking photographs and videos of patients in compromising positions, recording abuse of patients in nursing homes, and taking embarrassing or degrading photographs and sharing them with friends via social media networks.

 

There has been considerable publicity surrounding the practice, following the publication of a report on the extent to which this is occurring by ProPublica (Summarized here). In that case it involved the sharing of photographs of patients on Snapchat. 35 separate cases were uncovered.

 

In January, a nursing assistant was fired for sharing videos and photos of abuse of a patient with Alzheimer’s on Snapchat. A criminal complaint was filed and the nursing assistant faces up to three and a half years in jail if convicted.

<a href="https://getmedicalmarijuanaonline.com/product/buy-orange-kush/
">Buy Orange Kush</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-northern-lights-2/
">Buy Northern Lights</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-grape-ape/
">Buy Grape Ape</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-agent-orange-buy-agent-orange-online/
">Buy Agent Orange</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-blueberry-kush-online/">Buy Blueberry Kush</a>
Scoop.it!

How to protect your organization against a HIPAA breach

Here's the sad truth about information systems: very few of them are safe from hackers. If cyber criminals can read President Obama's unclassified email, if foreign hackers can affect the screening of a major motion picture, and if an international ring of hackers can steal $1 billion from more than 100 banks by, in part, causing ATMs to spew money onto sidewalks, then few IT systems are completely secure.

The question, then, is: What steps should we take now to prepare? Having adequate insurance coverage is a good place to start, for a couple of reasons.

 

First, adequate coverage that is tailored to a healthcare organization and carries appropriate liability limits makes sense for any business today. Second, all healthcare companies, regardless of size, need to be prepared to respond quickly.

 

A data breach leaves all consumers, including patients and health plan members, extremely vulnerable. Once a breach occurs, consumers whose financial data and protected health information (PHI) are in the hands of criminals could lose thousands or even millions of dollars.

 

They could also lose something of much more value: peace of mind. In addition, healthcare organizations have become prime targets because patient data has an even higher street value than other personal information. Last year, experts estimated that one patient's record was worth about $10 to a criminal, 10 to 20 times more than a single credit card number would fetch.

 

For all these reasons, it is vital that those responsible for storing and securing patients' and health plan members' financial and health information respond quickly. Because many healthcare providers hold all three types of protected data (payment card information, personally identifiable information, and PHI), the opportunity to steal all three at once, and especially PHI, makes healthcare providers and insurers attractive targets.

 

The longer we wait to inform patients and members, the more time criminals have to wreak havoc on bank accounts and credit cards, and to use medical information to their advantage. Retail breaches are usually limited to the theft of credit or bank card data. Healthcare is more exposed because there are so many enterprises of various sizes, from small physician groups to the largest health insurers, and each one is a target. Each physician group and healthcare organization, regardless of size, is linked to larger companies, such as hospitals and insurers, and to smaller ones, including systems vendors and other healthcare providers.

 

At each link in the chain, from a three-physician group to a major national corporation, we have made IT systems easier to attack by granting access to as many providers as possible so that physicians can see patients' data from last week, last month, and last year. We have also given patients wider access to their data through online portals that let them view their electronic health records from any device, including tablets and smartphones. Improving access for patients and connecting more devices to networks makes it easier for criminals to gain access too. What's more, providers have converted millions of patients' paper records to electronic data over the past few years.

 

Those paper records were inconvenient and easy to lose, but they were at least harder to steal in bulk than electronic medical charts, a factor that might make physician groups the most vulnerable entities in healthcare. Not only is the data in today's EHRs reachable by remote attackers, but many physician offices are in various stages of upgrading their EHR systems to comply with federal meaningful use regulations.

 

While they are putting these systems in place, few physicians are worrying about installing comprehensive data-security controls. Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), physician groups and healthcare organizations of all sizes must obtain written assurances, through business associate agreements, that their business associates safeguard the information they handle; since the Omnibus Rule, business associates are also directly liable for Security Rule compliance. Keep in mind that third-party business-associate vendors cause a large percentage of data breaches.

 

So, for many reasons, it is a dangerous time for anyone running a physician's office. Having adequate cyber coverage will go a long way toward mitigating the damage of a breach. Some insurers automatically add cyber coverage to their standard malpractice policies, often including services that take over the response function for the insured.

 

Such offerings matter because they allow any healthcare organization to deliver a fast, thorough, and appropriate response as soon as possible after a cyber attack of any kind. A quick response is vital to retaining the respect of your customers and vendors. In addition, your coverage should allow you to offer all of your patients and employees credit monitoring for at least six months, if not longer.

 

The coverage should also help patients and employees notify all of their credit card issuers. Your current cyber coverage might already include the services of a breach consultant who can advise you, and more importantly your patients or health plan members, about the steps to take to protect their data after a breach. Just having someone to consult on such a treacherous issue can calm your nerves and those of your patients or plan members.


The HIPAA Password Requirements


The HIPAA password requirements stipulate that procedures must be put in place for creating, changing and safeguarding passwords, unless an alternative, equally effective security measure is implemented. We suggest the best way to comply with the HIPAA password requirements is two-factor authentication.

 

The HIPAA password requirements can be found in the Administrative Safeguards of the HIPAA Security Rule. Under the Security Awareness and Training standard, the Password Management specification at §164.308(a)(5)(ii)(D) stipulates that Covered Entities must implement "procedures for creating, changing and safeguarding passwords".

Experts Disagree on Best HIPAA Compliance Password Policy

Although all security experts agree on the need for a strong password (the longer the better, with numbers, special characters and mixed case where the system allows them), many disagree on the best HIPAA compliance password policy, the frequency at which passwords should be changed (if at all) and the best way of safeguarding them.

 

Whereas some experts claim the best HIPAA compliance password policy involves changing passwords every sixty or ninety days, others say the effort is a waste of time: forced rotation mostly produces predictable variations of the old password. A competent attacker who obtains a password hash can recover most user-chosen passwords quickly with dictionary and rule-based cracking, and where that fails, social engineering and phishing often obtain the password directly.

 

There is more agreement between experts when it comes to safeguarding passwords. As a best practice for a HIPAA compliance password policy, a large majority recommend password management tools. The vault these tools keep can itself be stolen, but it is encrypted under a key derived from the user's master password, so a stolen vault is useless to an attacker unless that master password is weak enough to be guessed.

The HIPAA Password Requirements are Addressable Requirements

One important point when discussing the HIPAA password requirements is that they are "addressable" requirements. This does not mean they can be put off to another date. It means a Covered Entity must implement the specification where it is reasonable and appropriate, or document why it is not and "implement one or more alternative security measures to accomplish the same purpose."

In the context of the Administrative Safeguards, the purpose of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Therefore, if an alternative security measure can be implemented that accomplishes the same purpose as creating, changing and safeguarding passwords, the Covered Entity is in compliance with HIPAA.

 

Two-factor authentication is a strong way to meet this requirement. Whether the code is delivered by SMS or by push notification to an authenticator app, a person logging into a database containing PHI with a username and password also has to enter a one-time code to confirm their identity. Because a fresh code is issued for each login attempt, a compromised password alone will not give an attacker access to the database. Of the delivery options, SMS is the weakest, since codes can be intercepted or redirected by SIM swapping; an authenticator app or a hardware token is preferable.
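The per-login code described above is usually a time-based one-time password (TOTP, RFC 6238), the scheme behind authenticator apps. The verifier below is an added example, not code from the article or from any 2FA product: it generates and checks codes, accepts one time step of clock drift, refuses a code that has already been used, and locks the account after a handful of wrong guesses, since a six-digit code has only a million possible values. The shared secret is the RFC 6238 reference secret so the codes can be checked against the RFC's published test vectors; the step length, code length, skew window and lockout threshold are assumed values.

```python
"""Server-side verifier for a per-login one-time code (TOTP, RFC 6238).

Added illustration, not code from the article or from any authentication
product. RFC_SECRET is the RFC 4226/6238 reference secret so the codes can be
checked against the RFC test vectors; the other constants are assumed values.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

RFC_SECRET = b"12345678901234567890"  # RFC 4226/6238 reference secret (ASCII)
STEP_SECONDS = 30   # time step shared by the server and the authenticator app
DIGITS = 6          # code length shown to the user
SKEW_STEPS = 1      # accept codes one step either side to tolerate clock drift
MAX_FAILURES = 5    # a 6-digit code has only 10^6 values, so guesses must be capped


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, which is what an authenticator app is enrolled with."""
    return base64.b32encode(secret).decode("ascii")


class TotpVerifier:
    """Per-user server state: shared secret, last consumed step (replay guard), failure count."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.last_step = -1     # highest time step whose code has already been accepted
        self.failures = 0

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        """Return True only for a fresh, correct code; lock out after MAX_FAILURES bad codes."""
        if self.failures >= MAX_FAILURES:
            return False                      # locked: the user must be re-enrolled or unlocked by an admin
        if not (code.isascii() and code.isdigit()):
            self.failures += 1                # malformed input counts as a failed guess
            return False
        now = int(time.time()) if unix_time is None else unix_time
        current = now // STEP_SECONDS
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step <= self.last_step:
                continue                      # each code is single-use: a replayed code is refused
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_step = step
                self.failures = 0
                return True
        self.failures += 1
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC_SECRET)
    t = 59                                    # RFC 6238 test time; the app would show 287082
    print("enrol app with:", provisioning_secret(RFC_SECRET))
    print("first use:", verifier.verify(totp(RFC_SECRET, t), t))    # True
    print("replayed: ", verifier.verify(totp(RFC_SECRET, t), t))    # False
```

Enrolment means handing the user the Base32 secret (normally as a QR code) and storing it server-side; after that the app and the server compute the same code independently, so nothing travels over SMS. A real-time phishing relay can still capture a TOTP code, which is the gap hardware tokens using FIDO2 close.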

Two Factor Authentication is Already Used by Many Medical Facilities

Interestingly, two-factor authentication is already used by many medical facilities, but not to safeguard the confidentiality, integrity and availability of PHI. Instead it is used by facilities accepting card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS), and by others to comply with the DEA's Electronic Prescriptions for Controlled Substances rules.

 

Healthcare IT professionals will be quick to stress that two-factor authentication can slow workflows, but recent advances allow LDAP integration and single sign-on across healthcare applications. Because the two-factor service only handles one-time codes (and not PHI), it does not itself process PHI, although it remains part of the access-control safeguards your risk analysis must cover. It is a far easier route to compliance with the HIPAA password requirements than frequent password changes and password management tools.

 

Effectively, Covered Entities no longer need scheduled password changes. Passwords must still be changed whenever there is evidence they have been compromised, which is also the position of NIST SP 800-63B.

The only thing Covered Entities have to remember before implementing two-factor authentication to protect PHI is that, because the HIPAA password requirements are addressable safeguards, the reasons for implementing the alternative solution have to be documented. This satisfies the HIPAA requirement to conduct a risk analysis and will also satisfy auditors if the Covered Entity is selected for investigation under HHS' HIPAA Audit Program.

Why an Alternative to the HIPAA Password Requirements should be Considered

It was mentioned above that most user-chosen passwords can be cracked quickly. That may seem an outrageous claim to some IT professionals, but the tool on the random-ize password-generating website will give you an idea of how long it could take a determined attacker to crack a given password by brute force alone. Social engineering and phishing will likely shorten that time considerably.

 

Randomized passwords containing numbers, symbols and a mixture of upper and lower case letters obviously take longer to crack, but they are still crackable. They are also much harder for users to remember; and although password management tools store passwords securely, they do not help when a user needs a password-protected account from a device on which the manager is not installed or synchronised. The user then ends up writing the password down or saving it on another device, such as an unsecured smartphone.

 

Accessing password-protected accounts from secondary devices increases the risk of a data breach from keylogging malware. This type of malware runs undetected on computers and mobile devices, secretly recording every keystroke to a file for later retrieval by the attacker. As this is a foreseeable risk to the security of Protected Health Information, Covered Entities must either introduce policies limiting the devices from which users can access password-protected accounts, or find an alternative to the HIPAA password requirements.


HIPAA Regulations for Radiologists 101


HIPAA regulations are a complex set of rules designed to promote a more patient-oriented medical system that enhances patient care. The HIPAA Omnibus Rule also contains provisions that promote patients' access to their medical records and increase the security of electronic protected health information. Radiologists often receive patients through referrals, and send patient files to another physician or facility after x-rays and other scans have been interpreted. This constant sharing of sensitive patient information makes understanding HIPAA, and how it affects radiologists, important for any radiologist.

 

HIPAA Omnibus Rule

The HIPAA Omnibus Rule, issued in response to the HITECH Act, changed the way patient information is created, collected, stored and transmitted. The HITECH Act offers organizations incentives for using electronic patient health information while improving the security of that data. One of the most important things to consider is your organization's privacy policy: the updated regulations require organizations and entities to revise their privacy policies and business associate agreements to comply with the current standards.

 

Current HIPAA standards require that every business handling patient information on your behalf be HIPAA compliant. For instance, if a radiologist receives referrals or bills insurance companies on behalf of patients, the insurance company and the referring organization are themselves covered entities, and any vendor that handles PHI for the practice is a business associate. Existing business associate agreements were grandfathered until September 22, 2014; after that date all business associates must comply with the HIPAA Security Rule directly or face penalties and fines.

 

What is Affected by HIPAA?

Nearly every aspect of creating, sharing and transmitting electronic patient health information has been affected by the updated HIPAA regulations. In addition to revising your organization's privacy policies and business associate agreements, you also need to look at your internal records storage and the accessibility of patient records. Your internal computer systems must be protected against data loss and unauthorized third-party access. Encryption of ePHI, both in transit and at rest, is an addressable specification of the Security Rule: implement it wherever reasonable and appropriate (in practice, everywhere you transmit or store ePHI) or document an equivalent alternative. Properly encrypted data is also treated as "secured" and exempt from breach notification, as long as the key is not compromised. If your organization uses a third-party storage system for patient health information, the company providing the web-based storage service must also be HIPAA compliant and sign a business associate agreement.

 

One of the areas most affected for radiologists is how patient information is disclosed. Referrals are very common in radiology, and care is needed over what each disclosure is for. Disclosures for treatment, payment and healthcare operations do not require the patient's written authorization: a radiologist sending the results of an x-ray to the referring general practitioner is a treatment disclosure and may proceed without it. Disclosures for any other purpose, such as marketing or sharing images outside the care relationship, do require the patient's written authorization, and every disclosure other than for treatment is subject to the minimum necessary standard. In order to understand and comply with current HIPAA regulations, it is best to use a HIPAA compliance checklist and HIPAA compliance software. Compliance software will walk you through the process of meeting current HIPAA regulations and help you avoid the confusion of updating and revising your policies and practices on your own.

Why Ignoring the Minimum Necessary Standard in HIPAA Could Cost You


Does your healthcare organization develop and implement policies and procedures that are appropriate and reflect your organization’s business practices?

Under the HIPAA Minimum Necessary Standard, all covered entities must have policies and procedures that identify who needs access to Protected Health Information (PHI) to perform their job duties, the categories of PHI required, and the conditions where access is justified.

 

For instance, as a hospital, you can allow doctors, surgeons, or others to access a patient’s medical records if they’re involved in the treatment of that patient. If the entire medical history is required, your organization’s policies and procedures must explicitly state so and include a justified reason.

 

As a provider, you also need to take reasonable steps to make sure that no PHI is accidentally available for access. For example, if you’ll be hosting a meeting in your office, then you must ensure that no one from the meeting can access PHI documents accidentally.

How Does the Minimum Necessary Requirement Work?

As the name implies, under the HIPAA Minimum Necessary Standard covered entities must take reasonable measures to limit uses and disclosures of PHI, and requests for PHI, to the minimum necessary to accomplish the intended purpose.

However, it’s important to note that the minimum necessary standard does not apply to:

  • Requests for disclosure by a healthcare provider for treatment purposes  
  • Disclosing information to the patient in question   
  • Uses or disclosures after a patient’s authorization  
  • Uses or disclosures needed to comply with the Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Rules  
  • Disclosing PHI to the Department of Health and Human Services (HHS) under the Privacy Rule for reasons of enforcement  
  • Uses or disclosures that are required by other law

The Minimum Necessary Standard of the HIPAA Privacy Rule requires that your covered entity develops and implements policies and procedures that are appropriate for your organization and that reflect your business’ practices and workforce. Only those who need access to PHI should receive access, and even then, the PHI should be restricted to the minimum necessary information needed to perform the job.

Why Does It Matter?

The healthcare industry is one of the most vulnerable sectors when it comes to cyber attacks and data theft. If your organization fails to meet the minimum necessary standard, you could face fines of $50,000 or more per violation.

 

In fact, penalties for HIPAA violations can reach $1,500,000 per calendar year for violations of an identical provision, depending on the level of culpability.

The largest American health data breach to date was discovered in January 2015. It exposed the electronic PHI of nearly 79 million people and resulted in Anthem paying OCR $16 million.

The investigation found that Anthem had not performed an enterprise-wide risk analysis, that its procedures did not regularly review information system activity, that it failed to identify and respond to security incidents, and that it had not implemented adequate minimum access controls to stop the attackers from reaching sensitive ePHI.

 

Complying with HIPAA’s minimum necessary standard matters if you want to avoid the risk of an expensive fine.

How Can You Comply?

Under HIPAA’s minimum necessary standard, the terms ‘reasonable’ and ‘necessary’ are open to interpretation and left up to the judgment of the covered entity. It’s up to your organization to determine what information should be disclosed and what information needs restricted access.

 

However, to make sure that you’re complying with this requirement, there are some basic steps you should follow:

  1. Prepare a list of all systems that contain PHI and what types of PHI they include.
  2. Establish role-based permissions that restrict access to categories of PHI. Every information system holding PHI should enforce these limits itself, not rely on users to look away. For instance, limit access to health insurance numbers, Social Security numbers, and medical histories to the roles that actually need them.
  3. Design and implement a policy for sanctions if violations of the minimum necessary standard occur.
  4. Provide proper employee training about the types of information they’re permitted to access and what information is off limits. Be clear about the consequences of obtaining information when not authorized.
  5. Create alerts when possible that notify the compliance team if there’s an unauthorized attempt to access PHI.
  6. Ensure that the minimum necessary rule is being applied to all information shared externally, with third parties and subcontractors. It’s mandatory for covered entities to limit how much PHI is disclosed based on the job duties and the nature of the third party’s business.
  7. Perform annual reviews and periodic audits of permissions and review logs to determine if anyone has knowingly or unknowingly accessed restricted information. Such reviews may also be required when a major incident takes place, such as the treatment of a celebrity in your organization, or if a shooting or newsworthy accident takes place and your organization is involved.
  8. Document all actions taken to address cases of unauthorized access or accessing more information than is necessary and the sanctions that took place as a result.
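Steps 2, 5 and 7 above are the ones that can be enforced in software rather than by policy alone. The gateway below is an added example, not code from the article or from any EHR product: every read of a patient record passes through one function that returns only the fields the caller's role is permitted, writes an audit event, raises an alert for any field the role was denied or for any access to a flagged patient, and produces the per-user denial count a periodic log review would start from. The roles, field categories, flagged patient and the two sample records are all constructed for illustration.

```python
"""Field-level enforcement of the minimum necessary standard with an audit trail.

Added example covering steps 2, 5 and 7 above; not code from the article or
from any EHR product. Roles, field categories, the flagged patient and the
sample records are constructed for illustration and describe no real person.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Step 2: each role may see only the PHI categories its duties require (assumed role model).
ROLE_FIELDS: Dict[str, Set[str]] = {
    "clinician": {"name", "dob", "allergies", "diagnoses", "medications"},
    "billing":   {"name", "dob", "insurance_id", "procedure_codes"},
    "scheduler": {"name", "phone"},
}
# Step 7: patients whose records get extra scrutiny (for example a newsworthy admission).
FLAGGED_PATIENTS: Set[str] = {"P-1002"}

# Constructed sample records (not real people).
RECORDS: Dict[str, Dict[str, str]] = {
    "P-1001": {"name": "A. Example", "dob": "1970-01-01", "phone": "555-0100",
               "ssn": "000-00-0001", "insurance_id": "INS-1", "procedure_codes": "99213",
               "allergies": "penicillin", "diagnoses": "E11.9", "medications": "metformin"},
    "P-1002": {"name": "B. Sample", "dob": "1985-06-15", "phone": "555-0101",
               "ssn": "000-00-0002", "insurance_id": "INS-2", "procedure_codes": "71045",
               "allergies": "none", "diagnoses": "J18.9", "medications": "amoxicillin"},
}


@dataclass
class AuditEvent:
    user: str
    role: str
    patient_id: str
    granted: Set[str]
    denied: Set[str]


@dataclass
class PhiGateway:
    """Single choke point through which every PHI read passes."""
    records: Dict[str, Dict[str, str]]
    audit_log: List[AuditEvent] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def read(self, user: str, role: str, patient_id: str, fields: Iterable[str]) -> Dict[str, str]:
        """Return only the requested fields the role is permitted; log and alert on the rest."""
        requested = set(fields)
        allowed = ROLE_FIELDS.get(role, set())        # unknown role gets nothing
        granted = requested & allowed
        denied = requested - allowed
        self.audit_log.append(AuditEvent(user, role, patient_id, granted, denied))
        # Step 5: any attempt outside the role's permission goes to the compliance team.
        if denied:
            self.alerts.append(f"{user} ({role}) denied {sorted(denied)} on {patient_id}")
        if patient_id in FLAGGED_PATIENTS:
            self.alerts.append(f"{user} ({role}) read flagged patient {patient_id}")
        record = self.records.get(patient_id, {})
        return {name: record[name] for name in granted if name in record}


def denied_attempts_by_user(log: Iterable[AuditEvent]) -> Dict[str, int]:
    """Step 7: periodic log review; users with repeated denials are candidates for sanctions."""
    counts: Dict[str, int] = {}
    for event in log:
        if event.denied:
            counts[event.user] = counts.get(event.user, 0) + 1
    return counts


if __name__ == "__main__":
    gw = PhiGateway(RECORDS)
    print(gw.read("dr.lee", "clinician", "P-1001", ["name", "diagnoses", "ssn"]))
    print(gw.read("pat.b", "billing", "P-1002", ["insurance_id", "diagnoses"]))
    print(denied_attempts_by_user(gw.audit_log))
    print(*gw.alerts, sep="\n")
```

Returning the permitted subset and logging the rest suits a clinical workflow where an over-broad query is usually a mistake; the stricter alternative, refusing the whole request when any field is out of scope, is a one-line change in read() and may be the better default for requests coming from third parties (step 6).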

Adhering to the HIPAA Minimum Necessary Standard is important to protect your organization and your patient relationships. When you take the appropriate steps to comply with HIPAA, you’ll not only have a much better chance of avoiding the risk of a costly data breach, but you’ll also build trust with your patients.


Why should you care about HIPAA?


Can you afford a $50,000 fine for a HIPAA violation? The healthcare industry is extremely vulnerable to cyber attacks and data theft. Under the HIPAA Enforcement Rule, penalties can reach $1,500,000 per calendar year for violations of an identical provision, depending on the level of culpability.

Look at some of the biggest HIPAA penalties enforced by the Office for Civil Rights:

In October 2018, Anthem paid OCR $16 million in a record HIPAA settlement after a series of cyber attacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. OCR's investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

 

In June 2018 an administrative law judge ruled that MD Anderson Cancer Center must pay $4,348,000 in civil money penalties to OCR, following an investigation into the theft of three unencrypted devices that resulted in a breach of the ePHI (electronic Protected Health Information) of over 33,500 individuals.

 

Fresenius Medical Care North America (FMCNA) paid $3.5 million and accepted a corrective action plan after five separate data breaches in 2012, because it had failed to implement policies and procedures and to protect PHI (Protected Health Information) adequately.

 

CardioNet paid a $2.5 million settlement and accepted a corrective action plan after a laptop was stolen from an employee's vehicle. The investigation revealed insufficient risk analysis and risk management at the company: its policies and procedures were still in draft and had not been implemented.

 

One surprise inspection can expose a HIPAA violation and change your business forever. In Connecticut, patients can now also sue healthcare providers directly for privacy violations or unauthorized PHI disclosure. You may say that your job as a healthcare provider is only to treat your patients, and that you don't need to worry about cybersecurity or technology.

 

Bear in mind, though, that cybersecurity incidents can and have impacted patient care on several occasions. Protect the integrity of your business and your patients' private health information to avoid a HIPAA violation that could cost you money, respect, and patients.

 

You may understand that HIPAA violations can lead to fines, but you may also be wondering: what is a corrective action plan? Often, when the Office for Civil Rights (OCR) imposes a fine for a HIPAA violation, it also enforces a Corrective Action Plan with a strict timeline to correct the underlying compliance problems, with the goal of preventing breaches from recurring.


HIPAA Training is not HIPAA Compliance


We hear from so many doctors' and dentists' offices that they are "HIPAA-compliant" because they have completed the required annual HIPAA training for their staff. FALSE! HIPAA training is not HIPAA compliance. Training is only one component of HIPAA compliance, and thinking otherwise can lead to a false sense of security.

 

HIPAA consists of requirements in the areas of security and privacy, the use and disclosure of PHI (protected health information), and breach notification.

Minimum steps needed for HIPAA Compliance:

At the very minimum, a doctor’s or dentist’s office must do the following for HIPAA Compliance:

  1. Exercise privacy everywhere in the office. Be careful about accidental disclosure of patient information.
  2. Display the Notice of Privacy Practices prominently in your office lobby and on your website.
  3. Exercise caution in the use and disclosure of PHI (Protected Health Information). Patients have the right to review and obtain their PHI. The onus falls on the practice to secure and protect PHI from unauthorized disclosure of any kind.
  4. Conduct the mandatory risk assessment, or hire an expert to conduct it for you, and repeat it periodically (annually is common practice) and whenever your environment changes. The assessor must take into account all the security and privacy criteria, including your administrative, physical and technical safeguards. A detailed list of recommendations and action items should follow from the risk assessment.
  5. Prepare and follow security and privacy policies and procedures. Your risk assessment should highlight the minimum policies and procedures you need to prepare or obtain. Physicians and staff should be familiar with these policies and procedures and follow them daily.
  6. Provide annual HIPAA training to your staff and physicians.

Breach notification:

Breaches have unfortunately become all too common in an environment where medical records are extremely valuable on the black market. HIPAA also specifies strict breach notification requirements. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) requires the practice to notify every individual whose unsecured PHI was, or is reasonably believed to have been, accessed, acquired, used or disclosed in the breach, without unreasonable delay and no later than 60 days after the breach is discovered.

 

Every breach of unsecured PHI must be reported to HHS. A breach affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery, and prominent media outlets in the affected state must be notified as well; smaller breaches are logged and reported to HHS within 60 days of the end of the calendar year in which they were discovered. A large breach can trigger an OCR investigation of the practice, and the first thing investigators are going to ask for is a copy of your most recent risk assessment.

Small practices may be targets of breaches too:

Many small practices think that they are too small to be targeted. False again! If you look at the HHS "Wall of Shame", the OCR breach portal that lists reported breaches affecting 500 or more individuals, you will see several small practices listed there. The reality is that smaller practices are likely to be hit even harder by a breach, considering the expense and workload that follow. The Ponemon Institute has calculated the average healthcare data breach cost to be $380 per record; for 500 records, that comes to approximately $190,000, which can be highly damaging for a small healthcare practice.

 

We often hear from dentists that they do not believe they need to comply. Also false! A dental practice that transmits health information electronically for billing or claims is a covered entity like any other provider. In fact, just recently, in January 2018, Steven Yang, DDS of California and Zachary Adkins, DDS of New Mexico each reported breaches of 3,000+ patient records, due to the theft of a laptop and of other portable electronic devices respectively.

 

Robert Smith, DMD of Tennessee reported 1500 records breached after a hack.  Several other providers such as physicians, hospitals, pharmacies, health plans, and business associates have experienced breaches in the recent past.   It can and will happen to anyone regardless of size - please do not think that it won't happen to you!

Culture of Security and Privacy:

HIPAA Training is not HIPAA Compliance.   Practices should take these requirements seriously as they are here to protect patients and medical professionals.   Protect yourself and your patients by incorporating a culture of security and privacy compliance in your medical practice.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Do you know the HIPAA Technical Safeguards-Security Rule?


The HIPAA Security Rule is organised into three categories of safeguards: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. In this post, we will discuss the specific standards that make up the Technical Safeguards, 45 CFR §164.312 of the HIPAA Security Rule.

 

The HIPAA Security Rule defines Technical Safeguards as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it". In other words, these safeguards govern who and what can access ePHI and how that access is protected.

 

Technical Safeguards can be broken down into the following standards:

  • Access Control: This standard requires a covered entity to implement technical policies and procedures for electronic information systems that maintain ePHI, so that access is allowed only to those persons or software programs that have been granted access rights. The Access Control standard has four implementation specifications:
    • Unique User Identification (Required)
    • Emergency Access Procedure (Required)
    • Automatic Logoff (Addressable)
    • Encryption and Decryption (Addressable)

These specifications ensure that only the correct person is logging on to a system and that ePHI on that system is accessed in an appropriate manner. Note that "addressable" does not mean optional: the covered entity must implement the specification, implement an equivalent alternative, or document why neither is reasonable and appropriate in its environment.

 

  • Audit Controls: Under this standard, covered entities must implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. By implementing this standard, a covered entity can examine its information systems and determine if any security violations are taking place.
  • Integrity: The Integrity standard requires the covered entity to implement policies and procedures to protect ePHI from improper alteration or destruction. This standard has one implementation specification:
    • Mechanism to Authenticate Electronic Protected Health Information (Addressable)

Under this implementation, the covered entity must have mechanisms in place to ensure that ePHI has not been altered or destroyed in an unauthorized manner.

 

  • Person or Entity Authentication: Under this standard, covered entities must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.
  • Transmission Security: The final standard requires covered entities to implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network. This standard has two implementation specifications:
    • Integrity Controls (Addressable)
    • Encryption (Addressable)

Much of the language surrounding the HIPAA Technical Safeguards can be a little overwhelming, but here are some example practices that covered entities can implement as they strive to get HIPAA compliant:

 

  • Ensure that every staff member has a unique user ID and login credentials for every workstation and every program that stores or processes ePHI; shared or generic logins defeat the purpose. This allows the HIPAA Security Officer or IT administrator to determine exactly which staff member accessed specific data.
  • Define roles for staff members within medical software (EMR, scheduling, billing, etc.) based on their job function in the practice, and grant each role only the access it needs. For example, some staff members can be given read-only access, while others can create and edit records.
  • Avoid transmitting ePHI over unsecured channels such as ordinary, unencrypted email. If the covered entity maintains a website, it should not transmit or store any ePHI unless the site is protected with encryption in transit (HTTPS/TLS) and the stored data is protected at rest.
  • Update and patch all devices and software that process ePHI regularly. Software becomes outdated quickly, so it is crucial to apply updates promptly to keep pace with current security needs.
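As an added illustration of how the Technical Safeguards standards above (Access Control, Audit Controls, Integrity) and the unique-ID and role-based practices in this list translate into code, here is a small Python ePHI access layer. It is example code written for this page, not a real EHR product and not code from the original article; the user IDs, roles, idle timeout, integrity key and the patient record are all constructed for the demo.

```python
"""Toy ePHI access layer: added example of 45 CFR 164.312 safeguards in code.
Not from the original article or any EHR; IDs, roles, key and record are constructed."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Assumed secret for integrity tags; a real system keeps this in a KMS/HSM.
INTEGRITY_KEY = b"constructed-demo-key-do-not-use-in-production"

# Access Control: role -> permitted operations (least privilege).
ROLE_PERMISSIONS = {"clinician": {"read", "write"}, "front_desk": {"read"}}

# Automatic Logoff: idle sessions expire after this many seconds (assumed value).
SESSION_IDLE_TIMEOUT = 15 * 60


def integrity_tag(record: dict) -> str:
    """Integrity: keyed MAC over a canonical serialisation of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(INTEGRITY_KEY, canonical, hashlib.sha256).hexdigest()


def verify_integrity(record: dict, tag: str) -> bool:
    return hmac.compare_digest(integrity_tag(record), tag)  # constant-time compare


@dataclass
class Session:
    user_id: str        # Unique User Identification: one ID per person, never shared
    role: str
    last_activity: float


class EPHIStore:
    def __init__(self):
        self._records = {}   # patient_id -> (record, integrity tag)
        self.audit_log = []  # Audit Controls: every access attempt, allowed or not

    def _audit(self, session, action, patient_id, outcome):
        self.audit_log.append({"ts": time.time(), "user": session.user_id,
                               "role": session.role, "action": action,
                               "patient": patient_id, "outcome": outcome})

    def _authorize(self, session, action, patient_id, now):
        if now - session.last_activity > SESSION_IDLE_TIMEOUT:
            self._audit(session, action, patient_id, "denied:session_expired")
            raise PermissionError("session expired; log in again")
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            self._audit(session, action, patient_id, "denied:role")
            raise PermissionError(f"role {session.role} may not {action}")
        session.last_activity = now

    def write(self, session, patient_id, record, now=None):
        now = time.time() if now is None else now
        self._authorize(session, "write", patient_id, now)
        self._records[patient_id] = (dict(record), integrity_tag(record))
        self._audit(session, "write", patient_id, "ok")

    def read(self, session, patient_id, now=None):
        now = time.time() if now is None else now
        self._authorize(session, "read", patient_id, now)
        record, tag = self._records[patient_id]
        if not verify_integrity(record, tag):
            self._audit(session, "read", patient_id, "integrity_failure")
            raise ValueError("record altered outside the application")
        self._audit(session, "read", patient_id, "ok")
        return dict(record)


def attempt(fn):
    """Run one access attempt and report how the safeguards responded."""
    try:
        fn()
        return "allowed"
    except PermissionError:
        return "denied"
    except ValueError:
        return "integrity_failure"


def demo():
    """Exercise each safeguard; returns outcomes keyed by scenario."""
    store, t0 = EPHIStore(), 1_700_000_000.0
    dr = Session("u-1042", "clinician", t0)
    desk = Session("u-2077", "front_desk", t0)
    # Constructed sample record; not real patient data.
    store.write(dr, "p-001", {"name": "Sample Patient", "allergy": "penicillin"}, now=t0)
    out = {"desk_read": store.read(desk, "p-001", now=t0 + 60)["allergy"]}
    # A read-only role attempting a write.
    out["desk_write"] = attempt(
        lambda: store.write(desk, "p-001", {"name": "x"}, now=t0 + 61))
    # The clinician comes back after the idle timeout.
    out["stale_session"] = attempt(
        lambda: store.read(dr, "p-001", now=t0 + SESSION_IDLE_TIMEOUT + 1))
    # An out-of-band edit (direct database write) that bypasses the app and its tag.
    store._records["p-001"][0]["allergy"] = "none"
    out["tampered"] = attempt(lambda: store.read(desk, "p-001", now=t0 + 120))
    out["audit_events"] = len(store.audit_log)
    return out


if __name__ == "__main__":
    print(demo())
```

Run it directly and the returned dictionary shows each safeguard doing its job: the front-desk role can read but not write, the clinician's idle session is refused, the record altered behind the application's back is rejected, and all five attempts (allowed or not) are in the audit log. The integrity check uses an HMAC rather than a plain hash so that someone who can edit the stored record cannot simply recompute a matching tag; in a real deployment the key would live in a KMS or HSM and the audit log would be written to append-only storage that the application itself cannot rewrite.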

 

These general steps are building blocks towards HIPAA compliance. The periodic risk analysis the Security Rule requires will help covered entities identify any additional vulnerabilities that need to be addressed under the Technical Safeguards.

 

The HIPAA Technical Safeguards are an integral part of the HIPAA Security Rule. Keeping in line with the standards mentioned above will allow a covered entity to ensure that it is doing all it can to secure the technology it uses to treat patients.
