Healthcare and Technology news

HIPAA Workers Compensation Disclosures


The HIPAA Privacy Rule dictates how a healthcare provider may share protected health information (PHI) in the workers' compensation context.

 

PHI disclosures to the employer and the workers compensation board must be HIPAA compliant. HIPAA workers compensation requirements are discussed below.

What is Workers Compensation?

Many employers are required, under state law, to purchase and maintain a workers compensation insurance policy (or to self-insure). When an employee sustains an injury or illness arising out of and in the scope of his or her employment, the employee may file a claim for benefits under that policy.

 

State workers compensation laws are a specific kind of “no-fault” law. That is, an employee who sustains an injury or illness is generally entitled to benefits even if the employee’s injuries were brought about by his or her own negligence. Whether an employee is or is not entitled to benefits is generally not determined by whose “fault” the injury was.

 

To demonstrate entitlement to benefits and reimbursement for healthcare provider treatment costs, employees are required, through their providers, to submit medical information to their employers, and to the state workers’ compensation board. 

What Must a Covered Entity Do for HIPAA Workers Compensation Disclosure Requirements?

The HIPAA Privacy Rule allows covered entities to disclose protected health information to workers’ compensation insurers, state administrators, employers, and other persons or entities involved in workers’ compensation systems, without the individual’s authorization, when:

  • The PHI disclosure is authorized by, and is necessary to comply with:
    • State workers compensation laws; or
    • Similar “no-fault” programs established by law that provide benefits for job-related injuries or illness.
  • The PHI disclosure is required for purposes of obtaining payment for healthcare provided to the injured or ill worker.

In both instances, the “minimum necessary standard” applies. The PHI disclosure, under the HIPAA Privacy Rule, must be reasonably limited to the minimum information necessary to accomplish the HIPAA workers compensation purpose.

 

This means that the medical information that is disclosed must be relevant to the specific injury. Medical information having no relationship to the injury or to payment should not be disclosed.

What is HIPAA Compliant Reasonable Reliance?

When PHI is requested by a state workers’ compensation or other public official, the covered entity may reasonably rely on the state official’s representation that the requested PHI is the minimum necessary for the specific workers’ compensation purpose. 

 

In such circumstances, the covered entity is not required to make a minimum necessary determination when disclosing protected health information as required by state law. The provider will generally be deemed HIPAA compliant under such circumstances.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


What is a HIPAA Limited Data Set?


Under HIPAA, a limited data set is protected health information (PHI) that excludes certain direct identifiers of an individual, or certain direct identifiers of relatives, employers, or household members of the individual. 

What is a Direct Identifier?

Under HIPAA, a direct identifier is information that relates specifically to an individual. HIPAA designates the following as direct identifiers:

  • Names
  • Postal address information, other than town or city, State, and zip code
  • Telephone numbers
  • Fax numbers
  • Electronic mail addresses
  • Social Security numbers
  • Medical record numbers
  • Health-plan beneficiary numbers
  • Account numbers
  • Certificate and license numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Device identifiers and serial numbers
  • Web Universal Resource Locators (URLs)
  • Internet Protocol (IP) address numbers
  • Biometric identifiers (including fingerprints and voice prints)
  • Full-face photographic images and any comparable images

What is the Relationship Between Direct Identifiers and a Limited Data Set?

A “limited data set” is information from which the above direct identifiers have been removed. All of the above-listed identifiers must be removed in order for health information to be a limited data set.
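As an added illustration (not from the original article), the following Python function applies the limited data set transformation to a single patient record: it drops the structured fields that carry the direct identifiers listed above, reduces the address to town/city, state and ZIP, and scrubs free-text notes of identifiers that tend to leak there (emails, URLs, IP addresses, SSNs, phone numbers). The field names and the sample record are hypothetical. Note that dates are kept: unlike a de-identified data set, a limited data set may retain them.

```python
import re

# Direct identifiers named in 45 CFR 164.514(e)(2), as structured record
# fields. The field names are hypothetical; adapt them to your own schema.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric_id", "photo",
}

# Geographic detail a limited data set MAY keep: town/city, state, ZIP.
RETAINED_ADDRESS_FIELDS = ("city", "state", "zip")

# Direct identifiers that tend to leak inside free-text fields.
FREE_TEXT_PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "URL": re.compile(r"https?://\S+"),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "PHONE": re.compile(r"\b(?:\+?1[-. ]?)?\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"),
}


def scrub_free_text(text):
    """Replace direct identifiers embedded in free text with a tagged placeholder."""
    for tag, pattern in FREE_TEXT_PATTERNS.items():
        text = pattern.sub(f"[{tag} REMOVED]", text)
    return text


def to_limited_data_set(record):
    """Return a copy of `record` reduced to a limited data set: structured
    identifier fields dropped, the address cut down to city/state/ZIP, and
    every remaining string field scrubbed of embedded identifiers."""
    lds = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "address" and isinstance(value, dict):
            lds["address"] = {k: value[k] for k in RETAINED_ADDRESS_FIELDS if k in value}
            continue
        if isinstance(value, str):
            value = scrub_free_text(value)
        lds[field] = value
    return lds


def remaining_direct_identifiers(record):
    """Audit helper: direct identifier fields still present, plus any string
    field that still matches one of the free-text identifier patterns."""
    leftovers = [f for f in record if f in DIRECT_IDENTIFIER_FIELDS]
    for field, value in record.items():
        if isinstance(value, str) and any(p.search(value) for p in FREE_TEXT_PATTERNS.values()):
            leftovers.append(f"{field} (free text)")
    return leftovers


# Constructed sample record with fictitious data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "mrn": "MRN-0042",
    "email": "jane@example.com",
    "address": {"street": "12 Elm St", "city": "Springfield", "state": "IL", "zip": "62704"},
    "dob": "1975-03-02",
    "admission_date": "2019-01-14",
    "diagnosis_code": "E11.9",
    "notes": "Patient reachable at 217-555-0142 or jane@example.com; portal login from 203.0.113.7.",
}

if __name__ == "__main__":
    lds = to_limited_data_set(SAMPLE_RECORD)
    print(lds)
    print("still identifying:", remaining_direct_identifiers(lds))
```

The regex scrub is a safety net for free text, not a substitute for removing the structured fields, and the output is still PHI: it may leave the organization only under a data use agreement.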

Is a Limited Data Set Still Considered Protected Health Information?

Yes. A limited data set is still protected health information or “PHI” under HIPAA (or electronic protected health information, if in electronic form).

For patient data to lose its status as PHI, that information must be de-identified. De-identification goes further than a limited data set: under the Safe Harbor method all 18 identifiers listed in the Privacy Rule are removed (including dates other than the year, and most geographic detail), or an expert determines that the risk of re-identification is very small. Either way, the goal is to remove everything that could be used to identify the patient from whose record the information was derived, not just the direct identifiers listed above.

Therefore, since a limited data set is PHI, it is still subject to the use and disclosure requirements and restrictions of the HIPAA Privacy Rule.

What is the Significance of Information Comprising a Limited Data Set?

Disclosures of a “limited data set” are not subject to the HIPAA accounting requirements.

 

HIPAA accounting requirements mandate that a patient or research subject has the right to request a written record (an accounting) when a covered entity has made certain disclosures of that person’s protected health information (“PHI”).  The accounting must include all covered disclosures in the six years prior to the date of the person’s request.

 

A limited data set may be used or disclosed only for research, public health, or health care operations. A covered entity may therefore disclose an LDS for public health purposes, including emergency preparedness activities. In every case the covered entity must have a data use agreement with the recipient before disclosing the limited data set (LDS).

 
 

What is HIPAA And How To Comply With The HIPAA Security Rule


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that requires healthcare providers, and the organizations that handle health information on their behalf, to protect that information against loss, alteration, and unauthorized disclosure.

 

This law has become relevant in today’s dental practice due to increased data breaches caused by ransomware and cyber attacks.

 

HIPAA's requirements can be demanding and hard to interpret, but the outline below makes them easier to follow. The Security Rule groups the safeguards you must implement into three areas.

 

• PHYSICAL – measures that prevent loss or theft of the devices and media that hold medical information, e.g. keeping workstations out of public view and limiting physical access to computers.

 

• ADMINISTRATIVE – the policies, procedures, and workforce practices that govern how patient data is protected and who may handle it, e.g. identifying which employees need access to medical information and granting only that access.

 

• TECHNICAL – measures that protect your devices and networks from unauthorized access and data breaches, e.g. encrypting files that you upload to a cloud service or send by email.

 

The components above represent every aspect of your dental practice from your record-keeping and policies to your building safety and technology.

 

HIPAA also requires all your staff members to work together to protect patient data and be on the same page.

 

HIPAA COMPLIANCE

 

The administrative, physical, and technical requirements for HIPAA security may be a lot of information for you to take in.

 

Additionally, it can be overwhelming for you to handle its compliance in your dental practice solely.

 

HIPAA compliance is an organization-wide responsibility, which also makes it easier to carry: every employee has to understand and perform their own role in securing patient information.

 

Alternatively, you can outsource your HIPAA compliance to consultants, web services, and IT contractors.

 

This ensures your dental practice meets the required standards and makes your life easier.

 

However, outsourcing your HIPAA responsibilities doesn’t mean you ignore your legal obligations.

 

Your practice should keep up with changes to the HIPAA Rules and HHS guidance, and adopt stronger practices as they become available to improve medical information security.

 

Finally, ensure your dental practice replaces outdated technology with systems that can be kept patched and that support the required safeguards.


Secure Mobile Messaging in Healthcare: 4 Recommendations to Remain HIPAA Compliant


A research study, the State of Clinical Communication and Workflow in healthcare organizations, revealed that 51% of IT respondents planned to implement smartphones for clinical communications.

 

This shows that secure mobile messaging is a priority for healthcare providers as they seek to improve patient care.

 

Email alerts that remind patients of an upcoming doctor’s appointment are useful reminders to prevent missed appointments. But the benefits of mobile messaging in healthcare extend far beyond this capability. 

 

Health industry professionals and IT professionals working in healthcare also overwhelmingly believe (90%) that a unified app that integrates communications with clinical workflows will achieve better clinical, financial, and operational outcomes. 

 

Mobile messaging can improve patient care through improved communications as well as allowing a care team to share information about a patient to improve collaboration.

 

But mobile messaging poses cybersecurity and privacy risks if not handled appropriately. Mobile messaging that carries protected health information (PHI) must comply with the HIPAA Privacy and Security Rules, which means the PHI must be secured. HIPAA compliance is not optional.

Is Text Messaging HIPAA Compliant?

Not always. Here’s why:

  • SMS messaging isn’t secure and the data is vulnerable to unauthorized access in transmission.
  • Messages on a wireless provider’s server aren’t encrypted.
  • Messages can be deleted at any time by either the sender or receiver.
  • Smartphones can be lost or stolen, increasing the risk of exposure of PHI on the device.

You cannot simply use your phone to text a patient a diagnosis or ask a colleague their opinion. 

 

However, the HIPAA Privacy Rule does not prohibit mobile messaging, though neither does HIPAA provide specific recommendations for protecting PHI sent via mobile messaging. 

 

As with any other technology used to store or transmit PHI, the HIPAA Security Rule provides a list of controls that will allow secure mobile messaging when followed: unique user identification, automatic logoff, encryption/decryption, auditing, integrity management, authentication, and transmission security. 

 

HIPAA-covered entities and business associates must implement these controls to be able to use mobile messaging securely.

 

4 Recommendations for Secure Mobile Messaging in Healthcare

Healthcare providers want to be able to share patient information via mobile devices to improve patient care. How can a HIPAA-covered entity take advantage of mobile messaging and stay within the HIPAA rules? These four recommendations will get you started.

  1. Conduct a risk analysis. Before implementing mobile messaging, assess the level of risk. Will users need more training to use the tools properly? Is the infrastructure robust enough to secure PHI?
  2. Check the platform against five factors. A secure mobile messaging solution should meet all of the following:
    1. Messages are encrypted in transit and at rest.
    2. The platform requires recipient authentication.
    3. Where does the data live? If it’s in a cloud platform, does it have secure hosting to archive and/or download sensitive content?
    4. Are emergency recovery procedures (data backup, disaster recovery, etc.) in place?
    5. If using a third-party provider, will the vendor sign a business associate agreement and commit to implementing administrative, technical and physical safeguards to protect any PHI that the vendor accesses? 
  3. Audit trails and controls. Messages must have an audit trail to track who sent what data and when they sent it. Messages related to a patient should be stored as part of a patient’s health record. Document retention and disposal policies should be enforced as with any other record. 
  4. Policies for phone loss. Whether the smartphone used is personal or provided by the company, policies must be in place to prevent a breach of PHI. This can include the ability to retrieve and/or delete data remotely, requiring two-factor and/or biometric authentication to access the device, and extensive security training for users.

Mobile Messaging Can Be HIPAA Compliant

Solutions for secure, HIPAA-compliant mobile messaging exist and can be found on the Internet. Regardless of whether you create your own system or use an existing one, your organization is responsible for your patients’ PHI. 

 

Conduct reasonable due diligence, follow these four recommendations, and continually evaluate your cybersecurity defenses and your organization will reap the benefits of mobile messaging.


HIPAA Compliant Laptops


HIPAA regulations require healthcare organizations and individual care providers to take measures to keep patient data secure. Failure to do so can result in fines if an organization suffers a breach of unsecured PHI, that is, PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example through encryption that meets HHS guidance).

 

The HIPAA Security Rule requires that mobile devices be rendered secure. Security Rule requirements needed for HIPAA-Compliant laptops are discussed below.

What is a Security Risk Assessment?

The HIPAA Security Rule requires that covered entities (health plans, health care clearinghouses, and health care providers who electronically transmit any health information in connection with a HIPAA-related transaction), and business associates implement security safeguards.

 

These security safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.

 

The HIPAA Security Rule requires covered entities and business associates to perform a security risk assessment (also known as a Security Risk Analysis). 


Performing a security risk analysis is the first step in identifying and implementing these safeguards. Performing this assessment is also required to have a HIPAA-compliant laptop.

 

A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. 

What are the Elements of a Security Risk Analysis?

The security risk analysis includes six elements:

  • Collecting Data
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk to ePHI

What is the Relationship Between the Security Risk Assessment and HIPAA-Compliant Laptops?

A risk assessment encompasses a company’s entire IT infrastructure, company policies, administrative processes, physical security controls, and all systems, devices, and equipment that are capable of storing, transmitting, or otherwise touching ePHI.

 

These devices include laptops. To have HIPAA-compliant laptops, organizations must conduct a risk assessment, which will provide companies with vital information as to how laptop security measures can be improved or implemented.

 

What Safeguards Must be Implemented to have HIPAA-Compliant Laptops?

In order for covered entities to have HIPAA-compliant laptops, covered entities must:

  • Consider the use of encryption for transmitting ePHI, particularly over the Internet.
    • If the risk assessment has determined that the lack of encryption presents a risk, encryption should be implemented.
    • Allowing ePHI to travel unencrypted over an open network (for example in ordinary SMS text messages) exposes it to interception and is exactly the kind of risk the assessment must address.
    • Encrypt data in motion if it has been determined that unencrypted ePHI transmission would be at significant risk of being accessed by unauthorized entities.
    • Encrypt data at rest on the laptop as well: a lost or stolen laptop whose storage is encrypted in line with HHS guidance does not hold “unsecured PHI”, so its loss is not a reportable breach.
  • Implement access controls to ensure users are authenticated.
    • Organizations should implement multi-layered security controls to reduce the risk of unauthorized data access.
  • Put protections in place to ensure data cannot be improperly altered or destroyed.
  • Put controls in place to allow devices to be audited.
    • Organizations must have the capability to examine access (and attempted access) to ePHI, and any other activity performed on the device that has the potential to affect data security.

New HIPAA Regulations in 2019


While some HIPAA updates were expected in 2018, the wheels of change move slowly. OCR considered HIPAA updates during 2018, but it is likely to take until the middle of 2019 before any of them are finalized. Further, the Trump Administration’s policy of removing two regulations for every new one introduced means any new HIPAA regulations in 2019 are likely to be limited: some existing HIPAA requirements would first need to be eased.

 

The HIPAA updates under consideration in 2018 concerned how substance abuse and mental health records are protected. As part of efforts to tackle the opioid crisis, HHS was considering changes to both HIPAA and the 42 CFR Part 2 regulations (which protect the privacy of patients who seek substance use disorder treatment at federally assisted programs), with the aim of improving the level of care that can be provided. Other potential changes to HIPAA regulations in 2018 included the removal of aspects of HIPAA that impede the ability of doctors and hospitals to coordinate to deliver better care at a lower cost.

 

These are the most likely areas for HIPAA 2019 changes: Aspects of HIPAA Rules that are proving unnecessarily burdensome for HIPAA covered entities and provide little benefit to patients and health plan members, and those that can help with the transition to value-based healthcare.

How are New HIPAA Regulations Introduced?

The process of making HIPAA updates is slow, as the lack of HIPAA changes in 2018 shows. It has now been 5 years since there was a major update to the HIPAA Rules and many believe changes are long overdue. Before any regulations are changed, the Department of Health and Human Services will usually seek feedback on aspects of HIPAA regulations which are proving problematic or, due to changes in technologies or practices, are no longer as important as when they were issued.

 

After considering the comments and feedback, the HHS then submits a notice of proposed rulemaking followed by a comment period. Comments received from healthcare industry stakeholders are considered before a final rule change occurs. HIPAA-covered entities are then given a grace period to make the necessary changes before compliance with the new HIPAA regulations becomes mandatory and enforceable.

New HIPAA Regulations in 2019

OCR issued a request for information in December 2018 asking HIPAA covered entities for feedback on aspects of HIPAA Rules that were overly burdensome or obstruct the provision of healthcare, and areas where HIPAA updates could be made to improve care coordination and data sharing.

 

The period for comments closed on February 11, 2019 and OCR is now considering the responses received. A notice of proposed rulemaking will follow after careful consideration of all comments and feedback, although no timescale has been provided on when the NPRM will be issued. It is reasonable to assume, however, that there will be at least some new HIPAA regulations in 2019.

OCR was specifically looking at making changes to aspects of the HIPAA Privacy Rule that impede the transformation to value-based healthcare and areas where current Privacy Rule requirements limit or discourage coordinated care.

 

Under consideration are changes to HIPAA restrictions on disclosures of PHI that require authorizations from patients. Those requirements may be loosened as they are considered by many to hamper the transformation to value-based healthcare.

 

OCR is considering whether the Privacy Rule should be changed to make the sharing of patient data with other providers mandatory rather than simply allowing data sharing. Both the American Hospital Association (AHA) and the American Medical Association (AMA) have voiced their concern about this aspect of the proposed new HIPAA regulations and are against the change. Both organizations are also against any shortening of the timescale for responding to patient requests for copies of their medical records.

 

OCR is also considering HIPAA changes in 2019 that will help with the fight against the current opioid crisis in the United States. HHS Deputy Secretary Eric Hargan has stated that there have been some complaints about aspects of the HIPAA Privacy Rule that are stopping patients and their families from getting the help they need. There is some debate about whether new HIPAA regulations or changes to the HIPAA Privacy Rule is the right way forward or whether further guidance from OCR would be a better solution.

 

One likely area where HIPAA will be updated is the requirement for healthcare providers to make a good faith effort to obtain individuals’ written acknowledgment of receipt of providers’ Notice of Privacy Practices. That requirement is expected to be dropped in the next round of HIPAA changes.

 

What is certain is new HIPAA regulations are around the corner, but whether there will be any 2019 HIPAA changes remains to be seen. It may take until 2020 for any changes to HIPAA regulations to be rolled out.

Changes to HIPAA Enforcement in 2019

Halfway through 2018, OCR had agreed only three settlements with HIPAA covered entities to resolve HIPAA violations, and its enforcement actions were at a fraction of the level of the previous two years. It was starting to look like OCR was easing up on its enforcement of the HIPAA Rules. However, OCR picked up pace in the second half of the year and closed 2018 on 10 settlements and one civil monetary penalty, one more enforcement action than in 2017.

 

2018 ended up being a record year for HIPAA enforcement. The final total for fines and settlements was $28,683,400, which beat the previous record set in 2016 by 22%.

At HIMSS 2019, Roger Severino gave no indications that HIPAA enforcement in 2019 would be eased. Fines and settlements are likely to continue at the same level or even increase.

 

Severino did provide an update on the specific areas of HIPAA compliance that the OCR would be focused on in 2019. OCR is planning to ramp up enforcement of patient access rights. The details have yet to be ironed out, but denying patients access to their medical records, failures to provide copies of medical records in a reasonable time frame, and overcharging are all likely to be scrutinized and could result in financial penalties.

 

OCR will also continue to focus on particularly egregious cases of noncompliance: HIPAA-covered entities that have disregarded their duty of care to patients with respect to safeguarding protected health information. OCR will come down heavily on entities that have a culture of noncompliance and where little to no effort has been put into complying with the HIPAA Rules.

 

The failure to conduct comprehensive risk analyses, poor risk management practices, lack of HIPAA policies and procedures, no business associate agreements, impermissible PHI disclosures, and a lack of safeguards typically attract financial penalties. OCR is also concerned about the volume of email data breaches. Phishing is a major problem area in healthcare and failures to address email security risks are likely to attract OCR’s attention in 2019.


How to Meet HIPAA Compliance Requirements


A Revolutionary Approach to HIPAA Compliance

We all know that meeting the requirements set out in the HIPAA Rules is mandatory for any healthcare, medical records, insurance, or other healthcare-related business that handles protected health information. Securing individuals’ electronic protected health information (ePHI) is the most critical step to complying with HIPAA.

 

Yet this is often easier said than done, especially when you consider the high number of complex requirements that must be met in order to prove compliance.

The challenges of abiding by the “Security Rule”

For example, one of the most critical items on any HIPAA compliance checklist is meeting the Security Standards for the Protection of Electronic Protected Health Information. Commonly referred to as the “Security Rule,” this requirement establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

The Security Rule addresses the technical and non-technical safeguards that organizations referred to as “covered entities” (and their business associates) must put in place to secure individuals’ ePHI. All covered entities must assess their security risks, even those that use certified electronic health record (EHR) technology. They must put in place administrative, physical and technical safeguards to maintain compliance with the Security Rule, and document every security compliance measure.


CSPi’s HIPAA compliance solutions

If all of this sounds intimidating, we have some good news: CSPi’s security solutions are uniquely suited to address the requirements specified in the Security Rule (and in turn, to help you stay HIPAA compliant).

Our ARIA Software-Defined Security (SDS) solution and applications help healthcare organizations protect the security of individuals’ ePHI information with powerful tools and capabilities required to:

  • Know and prove what ePHI records were accessed (if any) through:

    • The automatic detection of intrusion or unauthorized access.
    • Continual and complete monitoring of ePHI data as it moves through the network (including east-west traffic), and is accessed throughout the environment.
    • The ability to stop or disrupt incidents that could lead to potential disclosure.
    • Block or redirect identified data conversations with ePHI repositories and provide auditable, documented detail of the measures taken to maintain HIPAA compliance.
    • Prevent unauthorized access of customer data through the use of encryption that can be applied on a per-customer basis.

Working in conjunction with ARIA, our nVoy Series provides additional proof of HIPAA compliance with:

  • Automated breach verification and notification, critical to giving healthcare organizations a better way to comply.
  • Detailed and complete HIPAA compliance reports, including recordings of all conversations involving ePHI.
  • Auditable proof of the exact impact of data breach, including:
    • What devices are involved and to what degree?
    • When did the breach start and when did it end?
    • What critical databases or files were accessed?
    • Who did the intruder talk to?

Visit CSPi at HIMSS19 in the Cybersecurity Command Center Booth 400, Kiosk 91.

Interested in learning more about CSPi, including how our innovative security tools are helping today’s healthcare leaders achieve compliance with HIPAA? Make your plans to visit with us at the upcoming HIMSS conference, or visit www.cspi.com, to learn more about our HIPAA compliance programs.

About CSPi

CSPi is a cybersecurity firm that has been solving security challenges since 1968. Our security solutions take a different approach to enterprise-wide data security by focusing on the data at its source, securing DevOps applications and leveraging network traffic for actionable insights. CSPi’s ARIA SDS platform uses a simple automated approach to protect any organization’s critical data, including PII/PHI, on-premise and in public clouds, whether it is in use, in transit, or at rest. Our Myricom® nVoy Series appliances provide compliance assurance, automated breach verification and network monitoring enabled by the 10G dropless packet capture capabilities of our Myricom® ARC intelligent adapters. To learn more about how our cybersecurity products can help you with data privacy regulation compliance, check out our how-to guide, “Successfully Complying with Data Privacy Regulations.”


HIPAA Compliant Cloud Storage


HIPAA compliant cloud storage is contingent on several aspects. To use cloud storage and remain HIPAA compliant, it is important to ensure that the cloud service provider (CSP) has sufficient safeguards to secure the protected health information (PHI) that is transmitted, stored, or maintained on behalf of its covered entity (CE) client. Additionally, the CSP must be willing to sign a HIPAA business associate agreement (BAA).

Security Measures for HIPAA Compliant Cloud Storage

Cloud service providers must have certain measures in place to secure PHI and track access to PHI. These include the following:

  • Access controls: each person with the ability to access data stored by the CSP must have unique login credentials. The HIPAA minimum necessary standard requires access to PHI to be limited, so that it is only accessed for a specific purpose. Utilizing unique logins allows organizations to designate different levels of access to PHI based on an employee’s job function. 

 

  • Audit logs: unique login credentials also allow audit logs to be created that attribute each action to one person. Audit logs establish normal access patterns for each employee (what information they access, how frequently they access it, and for how long). Knowing each employee’s normal access pattern is key to detecting insider misuse, because an insider’s credentials are valid and only the behaviour is abnormal.

 

  • Encryption: HIPAA compliant cloud storage platforms should encrypt PHI in transit and at rest, ideally end-to-end (E2EE), meaning the data is encrypted before it leaves the covered entity and only the covered entity holds the decryption key, so the CSP itself cannot read it. Encryption converts the data into ciphertext that can only be read with the key and is the most effective way to prevent unauthorized access to stored PHI. Note, however, that under HHS guidance a CSP that stores encrypted ePHI is a business associate even if it never holds the decryption key, so encryption does not remove the need for a BAA.

 

  • Data backup: HIPAA requires healthcare organizations, and their business associates, to back up patient data. Data backup ensures that organizations that experience a breach, or natural disaster, are able to quickly restore data.
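The audit-log bullet above says that a per-employee baseline of access patterns is what makes insider misuse visible. The following Python is an added example, not code from the original post or from any CSP: it builds each user's baseline from summarized history, parses constructed audit log lines for a review day, and flags users whose distinct-record count or after-hours activity departs from that baseline. The log format, the user names, the 07:00 to 19:00 business-hours window and the flagging thresholds are all assumptions made for the example.

```python
"""Baseline-and-deviation review of PHI access audit logs (added example).

The log format is constructed for illustration: ISO timestamp, user id,
action, patient record id. Real CSP audit exports differ; adapt
parse_audit_log() to your provider's format.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline: distinct records each user accessed per working day.
# jdoe is a billing clerk touching a handful of charts; asmith is a nurse
# with a larger but steady patient load.
BASELINE = {
    "jdoe": [3, 3, 4, 3, 3],
    "asmith": [8, 7, 9, 8, 8],
}

# Constructed review-day log lines. jdoe's volume jumps and spills into the
# evening; asmith looks like every other day.
REVIEW_LOG = "\n".join(
    [f"2024-03-06T{8 + i // 4:02d}:{(i % 4) * 15:02d}:00 jdoe VIEW P{2000 + i}"
     for i in range(12)]
    + [f"2024-03-06T21:{i * 5:02d}:00 jdoe VIEW P{3000 + i}" for i in range(3)]
    + [f"2024-03-06T{9 + i:02d}:10:00 asmith VIEW P{4000 + i}" for i in range(8)]
)


def parse_audit_log(text):
    """Parse constructed log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, record = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "record": record})
    return events


def records_per_user(events):
    """Number of distinct patient records each user touched."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["record"])
    return {user: len(recs) for user, recs in seen.items()}


def after_hours(events, start_hour=7, end_hour=19):
    """Count each user's accesses outside the assumed business-hours window."""
    counts = defaultdict(int)
    for e in events:
        if not start_hour <= e["ts"].hour < end_hour:
            counts[e["user"]] += 1
    return dict(counts)


def review_day(log_text, baseline, k=3.0, min_delta=3):
    """Return {user: [reasons]} for users who exceed mean + k*stdev of their
    baseline (min_delta is a floor so a near-constant baseline does not flag
    a one-record bump), or who accessed ePHI after hours."""
    events = parse_audit_log(log_text)
    today = records_per_user(events)
    late = after_hours(events)
    findings = defaultdict(list)
    for user, count in today.items():
        history = baseline.get(user)
        if history is None:
            findings[user].append("no baseline: first-seen user")
            continue
        mu, sigma = mean(history), pstdev(history)
        if count > mu + max(k * sigma, min_delta):
            findings[user].append(f"{count} records vs baseline ~{mu:.1f}/day")
        if late.get(user):
            findings[user].append(f"{late[user]} accesses after hours")
    return dict(findings)


if __name__ == "__main__":
    for user, reasons in review_day(REVIEW_LOG, BASELINE).items():
        print(user, "->", "; ".join(reasons))
```

A flagged user is a lead for review under the minimum necessary standard, not proof of misuse; the baseline window and thresholds need tuning to each organization's workflows.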

The HIPAA Security Rule and Vulnerability Scans


Under the HIPAA Security Rule, covered entities must implement safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

 

ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. 

 

To this end, the HIPAA Security Rule requires covered entities to perform a security risk analysis (also known as a security risk assessment), which the Security Rule defines as an “accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.” Vulnerability scans may be performed as part of this analysis to identify known vulnerabilities in applications, networks, and firewalls.

What are Vulnerability Scans?

Vulnerabilities are weaknesses which, if triggered or exploited by a threat, create a risk of improper access to or disclosure of ePHI.

Vulnerability scans are designed to identify vulnerabilities, or weaknesses, that have the potential to cause a security incident.

Under the HIPAA Security Rule, a security incident is defined as:

  • The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information in an information system; or
  • The attempted or successful unauthorized access, use, disclosure, modification or interference with system operations in an information system. 

In plain English, a HIPAA security incident is an attempt (which can be successful or not) to do something unauthorized.

 

The “something” that is unauthorized is an unauthorized access, use, disclosure, modification, destruction, or interference.

 

A HIPAA security incident may occur when:

  1. The unauthorized attempt to access, use, disclose, modify, destroy, or interfere, targets an organization’s information system.
  2. The unauthorized attempt is made to access, use, disclose, modify, or interfere with that information system’s system operations.

What are Examples of HIPAA Security Incidents?

Examples of a HIPAA security incident include:

  • Theft of passwords that are used to access electronic protected health information (ePHI).
  • Viruses, malware, or hacking attacks that interfere with the operations of information systems with ePHI.
  • Failure to terminate the account of a former employee that is then used by an unauthorized user to access information systems with ePHI.
  • Providing media with ePHI, such as a PC hard drive or laptop, to another user who is not authorized to access the ePHI prior to removing the ePHI stored on the media.

How Do Vulnerability Scans Identify Weaknesses?

HIPAA vulnerability scans test for holes and flaws in information systems, and for incorrect system implementation and configuration.

Common flaws that can be revealed through a vulnerability scan include:

  • Flaws in software. Such flaws can be found in computer operating systems, such as Microsoft Windows 7. Such flaws can also be found in software programs, such as Microsoft Office, Google Chrome, or Internet Explorer.
  • Flaws in hardware. Vulnerability scans can reveal vulnerabilities that exist on hardware devices. Hardware devices include network firewalls, printers, or routers.  

If a vulnerability scan identifies a vulnerability, the vulnerability may be remediated if the software or network vendor at issue has released a security patch. Installation of the patch may eliminate the security weakness.  


How Does HIPAA Enforcement Work?


HIPAA enforcement takes place on both the federal government and state government levels.

 

The Department of Health and Human Services’ Office for Civil Rights receives and investigates complaints, and issues penalties and fines.

 

Enforcement action can be taken with respect to any of the HIPAA Rules. These rules include the HIPAA Privacy Rule, the Security Rule, the Breach Notification Rule, and the HIPAA Omnibus Rule. 

 

When an individual reports a violation, files a complaint or discloses a breach, OCR reviews the complaint, report, or disclosure.

 

OCR may then pursue enforcement in the form of investigations or audits. Audits are randomly conducted. Thus far, HHS has publicly announced, with respect to each audit it has conducted, when the audit was to take place, and what the audit consisted of.  

 

Investigations, in contrast, are made in response to a specific complaint. Upon receiving a complaint, OCR seeks information from the entity against whom the complaint is filed, about the extent of its HIPAA compliance.

 

Investigation sometimes results in the entity that is the subject of the complaint taking voluntary steps to improve its compliance. In addition, after an investigation starts, HIPAA enforcement can take the form of OCR providing technical assistance to an entity to resolve the matter. Technical assistance consists of OCR’s advising the entity as to what is expected of it in terms of HIPAA compliance.

 

Typically, an entity agrees to make specified changes. 

In addition, state attorneys general can enforce HIPAA. The ability to do so was given to states in the 2009 amendment to HIPAA that appears in the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

 

States were reluctant to take enforcement actions in the initial years after the amendment; however, recently, states have not only engaged in more vigorous HIPAA enforcement activity but have joined together with other states in multistate litigation. 

 

Breaking the HIPAA laws now carries significant consequences in new forms as well: the first multistate litigation was brought in December of 2018. Arizona and 15 other states filed suit, asserting claims under HIPAA as well as various applicable state data protection laws.

 

The suit was filed as a result of a data breach in which hackers infiltrated WebChart, and stole the electronic protected health information (ePHI) of approximately 4 million individuals.

 

As shown above, consequences for breaking the HIPAA law can be severe. Covered entities can address their obligations under HIPAA by working with Compliancy Group.


What are HIPAA Operating System Requirements?


The HIPAA Security Rule requires covered entities and business associates to develop effective administrative, technical, and physical safeguards to ensure protected health information (PHI) is secure.

 

The Security Rule does not impose minimum HIPAA operating system requirements for a business’ computer systems.

 

Indeed, the HIPAA Security Rule generally does not impose any specific HIPAA software requirements (including HIPAA operating system requirements) on entities.

 

No provision of the Security Rule tells you, for example, what kind of antivirus, antimalware, or firewall software to purchase.

 

The absence of a Security Rule grocery shopping list is very much by design. The Security Rule was written to provide flexibility for covered entities to implement HIPAA cybersecurity measures that best fit their particular organizational needs.

What are HIPAA Operating System Requirements?

HIPAA indirectly regulates operating system requirements.  

The Security Rule mandates requirements for information systems that contain electronic protected health information, or ePHI. ePHI is defined as any protected health information that is created, stored, transmitted, or received in any electronic format or media. Information systems must contain security capabilities, or features, that are sufficient to satisfy the technical safeguard implementation requirements of the Security Rule.

 

These HIPAA operating system requirements include (among others) audit controls, unique user identification, person or entity authentication, and transmission security.

 

The administrative safeguard implementation requirements of the Security Rule require that entities perform a risk analysis, in which any known security vulnerabilities of an operating system should be considered. In performing the analysis, entities should ask themselves, “Is my operating system vulnerable to being exploited?”

 

If an operating system is vulnerable to exploitation, the risk analysis must reflect that fact, and you must take whatever steps are reasonable to address the vulnerability.

When is an Operating System Vulnerable to Exploitation?

An operating system is vulnerable to exploitation when that operating system contains known vulnerabilities for which a security fix is unavailable.

 

Security fixes may be unavailable for a number of reasons. One reason why a fix might be unavailable is that the manufacturer of the operating system no longer provides support for that system, as in, no longer provides new security updates, non-security hotfixes, assisted support options, or technical content updates. This “dropping” of support for an operating system is colloquially referred to as sunsetting of the operating system.

 

Microsoft “sunset” its popular Windows XP Operating System in 2014, advising users that security updates would no longer be provided for Windows XP. Microsoft advised users that “Security updates patch vulnerabilities that may be exploited by malware and help keep users and their data safer. PCs running Windows XP after April 8, 2014, are not considered secure.”

 

Windows XP was launched in 2001. In 2009, Microsoft released its Windows 7 operating system. The most current version of Windows, known as Windows 10, was launched in 2015.

 

Microsoft has announced that support for Windows 7 will end on January 14, 2020. After that date, Microsoft will no longer provide security updates or support for computers using Windows 7. Accordingly, Microsoft has advised Windows users, “Now is the time to upgrade to Windows 10.”

 

Continuing to use an operating system that has known vulnerabilities identified in a risk analysis does not suffice to meet the required risk management component of the HIPAA Security Rule.

 

Risk management requires organizations to “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” By definition, if you are using an operating system that no longer offers security measure support, you are improperly managing your risk, and, if, as a result of that impropriety, your organization’s ePHI becomes compromised, you are subject to being audited and fined by the Department of Health and Human Services’ Office for Civil Rights (OCR).


HIPAA and Medical Record Copy Fees


Patients often request copies of their medical records. Traditionally, state law governed the subject of medical record copy fees.

 

State laws typically permit providers to charge a per-page copy fee, of up to a certain dollar value, or to charge a flat fee of up to a certain amount for the entire medical record. Many covered entities simply charge the maximum amount that state law allows. 

Such state laws (and the healthcare providers acting in accordance with them), however, cannot do an end-run around the HIPAA right of access rules, the latter of which provide that medical record copy fees must be reasonable.

 

Medical record copy fees that are flat fees, untethered to the actual costs of reproduction, may be considered excessive under the HIPAA Privacy Rule’s right of access provisions. When the two laws are in conflict, HIPAA, the federal law, prevails.    

The HIPAA Privacy Rule’s Right of Access and Medical Record Copy Fees

This point – that HIPAA preempts contrary state law – has been reiterated under guidance provided by the Department of Health and Human Services’ (HHS) Office of Civil Rights. This guidance specifies that HIPAA, through its right of access provisions, limits the amounts that a covered entity may charge a patient requesting access to his or her medical records.

Under the HIPAA Privacy Rule Right of Access, medical record copy fees must be reasonable and cost-based.

This means that providers may only charge for the following:

  • Labor for copying the PHI requested by the individual, whether in paper or electronic form.
    i) Labor for copying includes only labor for creating and delivering the electronic or paper copy in the form and format requested or agreed upon by the individual, once the PHI that is responsive to the request has been identified, retrieved or collected, compiled and/or collated, and is ready to be copied.
    Labor for copying does not include:
      • Costs associated with reviewing the request for access;
      • Searching for and retrieving the PHI, which includes locating and reviewing the PHI in the medical or other records;
      • Segregating or otherwise preparing the PHI that is responsive to the request for copying.
  • Supplies for creating the paper copy (e.g., paper, toner) or electronic media (e.g., CD or USB drive) if the individual requests that the electronic copy is provided on portable media.
    • However, a covered entity may not require an individual to purchase portable media; individuals have the right to have their PHI e-mailed or mailed to them upon request.
  • Labor to prepare an explanation or summary of the PHI, if the individual in advance both chooses to receive an explanation or summary and agrees to the fee that may be charged.

 

In sum, costs associated with updates to or maintenance of systems and data, capital for data storage and maintenance, and labor associated with ensuring compliance with HIPAA (and other applicable law) in fulfilling an access request (e.g., verification, ensuring only information about the correct individual is included, etc.) and other costs not included above, even if authorized by State law, are not permitted for purposes of calculating the fees that can be charged to individuals.


Cryptomining Malware Can Affect HIPAA Obligations


The well-established security firm Check Point recently ranked cryptomining as the leading cyber-threat in healthcare – ahead of ransomware. Cryptomining malware, also known as cryptocurrency mining malware, refers to software programs and malware components developed to take over a computer’s resources and use them for cryptocurrency mining, without a user’s authorization. This hijacking of computer resources can result in a shutdown and even total systems failure. Cryptomining is not specifically addressed by the HIPAA Security Rule. However, the threat of cryptomining malware should make covered entities and business associates evaluate their Security Rule compliance efforts and, if necessary, implement additional cybersecurity measures to protect against this unique and powerful threat.

 

Under the HIPAA Security Rule, covered entities and business associates must implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Cryptomining malware can compromise this confidentiality, availability, and integrity. To understand the nature of the threat posed by cryptomining malware, it is useful to first understand some basic concepts. These include cryptocurrency, cryptography, and cryptomining.

What is Cryptocurrency?

Cryptocurrency is digital money that can be purchased, transferred, and/or sold. Cryptocurrency exists solely on the Internet. This form of currency is not backed by anything tangible (such as gold), nor is it backed or managed by any bank or government. Cryptocurrency transactions, or trades, are verified by a decentralized (not affiliated with any single entity) network of computers.

What is Cryptography?

Cryptography is a method of protecting information by encrypting it into an unreadable format known as ciphertext. Ciphertext can be converted to regular text through the process of decryption. Cryptography encrypts and protects the data used to help identify and track cryptocurrency transactions.

What is Cryptomining? 

Cryptocurrency miners engage in cryptomining to earn more cryptocurrency (often referred to as “coins” or “Bitcoins”). 

Here is how the mining process works:

Miners compete with other cryptominers to solve complicated mathematical problems. Solving the problems enables the miner to authorize a transaction and to chain together (blockchain) blocks of transactions. Once a transaction is included in a block, it is secure and complete.

For his or her mining activities, the miner receives a small amount of cryptocurrency of his or her own. The more currency a miner “mines,” the more currency a miner ends up owning. Cryptocurrency can then be sold for actual cash.

So, you may now be thinking, …..

“What Does Any of This Have to do with HIPAA Health Care?”

Cryptomining malware is surreptitiously installed on a user’s computer. Once it is installed, the cryptomining malware turns the affected computer, in effect, into a mining operation – one through which the miners solve their math problems and “earn” their coins and cash.

Here’s the problem: Cryptomining has an enormous appetite for computer power. As the malware is enabling the mining, the mining process consumes significant computing power, bandwidth, and even electricity. Particularly persistent forms of malware consume resources even after a user has logged off.

Eventually, a device or a network may simply become unable to meet the mining malware’s resource requirements, causing the device or network to crash.

Since any Internet-connected device can be infected with cryptomining malware, those devices used by covered entities or business associates that are missing essential security features – which features include, but are not limited to, antivirus software, firewalls, updates and patches for operating systems – can, upon a malware attack, shut down or experience total system failure.  ePHI data thus becomes compromised. As in, lost, rendered inaccessible, or damaged beyond repair. The HIPAA Security rule thus becomes implicated, and, if an organization is found to have implemented ineffective security safeguards, the Department of Health and Human Services’ Office of Civil Rights (OCR) can audit and fine that organization.

Compliancy Group Simplifies HIPAA Compliance

Covered entities and business associates can address their HIPAA cybersecurity compliance obligations under the Security Rule by working with Compliancy Group.

Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA cybersecurity issues so they can get back to confidently running their business. 

Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!


Big Data in Healthcare: A Cause for Concern?


A federal advisory panel has kicked off discussions about the privacy and security challenges related to the use of big data in healthcare, with a goal of making policy recommendations in the coming weeks.


During the Jan. 12 meeting of the Health IT Policy Committee's Privacy and Security Workgroup - formerly called the Tiger Team - members began sorting through a number of key big data themes that emerged from two public hearings the group hosted in December. The workgroup and the committee will make recommendations to the Office of the National Coordinator for Health IT, which could ultimately lead to new policies from the Department of Health and Human Services.


Last month's hearings included testimony from a number of stakeholders from various segments of the healthcare sector. For instance, testimony highlighted that while analyzing big data can bring big potential benefits, including better treatment outcomes and lower costs, it also can bring privacy risks to individuals, says workgroup Chair Deven McGraw, an attorney at the law firm Manatt, Phelps & Phillips, LLP.

The workgroup will now help to assess whether the nation has the right policy framework in place "in order to maximize what is good about what health data presents for us, while addressing the concerns that are raised," McGraw says.

Big Data Challenges

Big data concerns that emerged from the hearings in December included whether various "tools" that are commonly used to help protect an individual's health data privacy are sufficient, given the complexities of various big data use cases, McGraw says.

Those "tools" include data de-identification methods; patient consent; transparency to patients and consumers about how their data might be used; various practices related to data collection, use and purpose; and security measures to protect data.

Other concerns arising from the testimony that the workgroup plans to dig into relate to the legal landscape, such as whether there are regulatory gaps in HIPAA and other laws regarding keeping health data used for big data analytics private.

The workgroup, which will continue its discussion on Jan. 26, will also consider the harm that could be caused if big data is not kept private, including discrimination, medical identity theft, and mistrust of the healthcare system.

In early February, however, the workgroup will temporarily shift gears to discuss ONC's 10-year interoperability roadmap, which is expected to be released in late January. The roadmap will focus on secure health data exchange.

Nevertheless, the workgroup hopes to hammer out some preliminary findings or early recommendations about protecting big data so that it can make a presentation at the March 10 meeting of the HIT Policy Committee, McGraw says.

