The Benefits Of Managed IT

Michael Menor is Vice President of Support Services for Tech Experts.

It can’t be denied that cost drives business. When the technology your business relies on fails, you have to get it repaired or replaced quickly in order to keep the resulting downtime from damaging your business.

The traditional method of computer repair is much like when your car is in disrepair: when your technology isn’t working properly, your organization reacts to the problem by calling your friendly, neighborhood computer repair guy.

The technician will come to your office and try to fix the technology that is broken. When they figure out they can’t fix the problem on the spot, they will give you a quote.

The time and materials of summoning these technicians to the office will cost you money; so will the replacement technology and, most notably, the downtime you accrue.

Add that to the variable cost of fixing the malfunctioning technology… and your business has a real problem.

At Tech Experts, we offer a proactive IT support platform that utilizes remote monitoring and management software to ensure that the technology that’s attached to your network – and your network itself – is up and working properly. Additionally, our whole IT services platform is billed in one monthly payment.

If you add it up, you are saving money in every aspect of your business.

You not only remove the variable costs of keeping your IT running smoothly, but you also get proactive support that, in many cases, gives you the time to replace hardware before it fails, saving you from the doldrums of companywide downtime.

The fact is that small and medium-sized businesses (SMBs) need to cut their technology support costs if they want to compete with larger organizations.

There are a myriad of benefits that come from a managed services provider like Tech Experts handling the administration and support of your technology. Besides the obvious cost savings, four other huge benefits include:

Comprehensive Support
A major speedbump SMBs have when shopping for any service that claims to help their business is the quality of that service.

For those that worry that our managed services are too good to be true, we employ certified and trustworthy technicians that are proficient in finding solutions for today’s most challenging business technology problems.

Single Point of Contact
As an alternative to managing several vendors, our IT service provides you with a single point of contact for all of your technology needs. Since we understand the intricacies of your network, we can get issues resolved faster.

Faster Support
Through the use of remote support that we offer to all managed clients, we can more quickly address issues you might be having.

Many problems can be solved without an on-site visit. Additionally, annoying obstacles like forgotten passwords and account lock-outs can be resolved in a few minutes when we already have account configurations on file.

HIPAA Compliance
While it may not apply to all businesses, doctors’ offices and other related medical facilities can maintain HIPAA compliance when using our services. By collaborating with us on your organization’s policies, you can avoid costly government fines in the event of a medical breach or network inspection.

Managed IT services can provide you with many other benefits. For more information about how our managed IT services can benefit your organization, call us at (734) 457-5000 today.

The Basics Of HIPAA Compliance

Michael Menor is Vice President of Support Services for Tech Experts.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation that created national standards to protect the privacy of patients’ medical records (including electronic records) and other personal health information.

The legislation makes organizations and individuals who collect and manage personal healthcare data legally liable for its security, including health care providers, health plans, health clearinghouses and businesses associated with any of these. Consequences of negligence and misuse of private information can include civil and criminal penalties.

As a result of HIPAA, the Department of Health and Human Services created specific regulations for the handling of Protected Health Information (PHI), including electronic or digital forms (ePHI). HIPAA has two main sets of requirements related to privacy and security.

The HIPAA Privacy Rule governs the saving, accessing and sharing of health-related and other personal information, either oral or written.

This rule defines the guidelines safeguarding the confidentiality of PHI. Standards for identifying and authenticating people and organizations requesting PHI are outlined in this rule.

The HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically.

This rule primarily focuses on the technological measures used to enforce policies keeping ePHI out of the wrong hands. Failing to comply with these rules can result in penalties for not only organizations, but for the responsible individuals.

Any entity that deals with protected health information must make sure that all the required measures are established and continuously observed — physical (actual data center server access), network, and process security (audits, policies and staff training).

While the legislation is clear on the privacy, security, and accessibility requirements for organizations, over 91,000 violations were recorded between April 2003 and January 2013. These resulted in 22,000 enforcement actions (which included settlements and fines) with 521 referred to the US Department of Justice for criminal investigation.

HIPAA Compliant Best Practices
1. Review and evolve your policies and procedures. HIPAA is not a “set and forget” proposition; compliance must be a living, changing process that is regularly audited for effectiveness and legality. A lot has changed since 1996 and organizations’ policies must reflect those changes.

2. Accessibility rights are as important as rights to privacy. HIPAA gives patients certain control over their healthcare information, including the right to access it on demand and the right to revoke authorization to store their data. Organizations must act quickly when patients ask for their PHI.

3. If you store your data with a third party hosting provider, make sure that they are HIPAA compliant. The Security Rule hands down many stringent administrative, physical and technical requirements for such providers. Make sure that a full-scale risk assessment of the provider is performed on a regular basis and that a process is in place for monitoring compliance.

Apply common sense to your technology platforms. Shut down computer programs and servers containing patient information when not in use, and don’t share passwords among staff members.

The US Department of Health and Human Services has found that storing patients’ information in a HIPAA compliant cloud server can be safer than using a localized server or paper documents, so consider this option for increased security.

A HIPAA violation can be as small as a health care worker discussing a patient’s private health information in the elevator or as large as a $1.2 million fine for not erasing PHI from photocopier hard drives before returning them to the leasing agent.

More than ever, common sense and sound corporate governance must be applied to the technologies and processes that manage confidential data. Protecting that data will protect clients and the organization as well.

HIPAA Email Encryption Requirements

Michael Menor is Vice President of Support Services for Tech Experts.

Question: does the Security Rule allow for sending electronic patient health information (e-PHI) in an email or over the Internet?

Answer: the Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected. The HIPAA Security Rule does not expressly prohibit the use of email for sending e-PHI.

However, the standards for access control, integrity, and transmission security require covered entities, such as insurance providers or healthcare providers, to implement policies and procedures.

These policies and procedures restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security also includes addressable specifications for integrity controls and encryption.

By default, whenever you send or receive email, you must connect through the Internet to an email service provider or email server.

The reality is that most email service providers do not use any security at all. This means everything you send to or receive from your email service provider is unsecure, including your user name, password, email message, attachments, who you are sending to, and who you are receiving from.

It gets worse! Most email service providers connect to other email service providers without any encryption.
If the other party is not using a secure email service, their emails can also be compromised. So the email you send and receive through the Internet is wide open, unsecure, and can be intercepted and stolen by thieves.

This is one of the main causes for identity theft, spam, and PHI breaches.
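One way to check which hops of a delivered message actually used encryption is to read the `Received` headers each mail server adds. The following is an added example, not part of the original article; the sample message, host names and the helper names `audit_hops` and `unencrypted_hops` are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic). The newest hop is listed first.
SAMPLE = """\
Received: from relay.isp.example (relay.isp.example [192.0.2.20])
\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits))
\tby mx.insurer.example (Postfix) with ESMTPS id 4F2A;
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from mail.clinic.example (mail.clinic.example [192.0.2.10])
\tby relay.isp.example with ESMTP id 9C1B; Mon, 01 Jan 2024 10:00:02 +0000
Received: from frontdesk (frontdesk.clinic.example [192.0.2.5])
\tby mail.clinic.example with ESMTPSA id 77D0; Mon, 01 Jan 2024 10:00:01 +0000
From: frontdesk@clinic.example
To: claims@insurer.example
Subject: constructed test message

body
"""

# "with" keywords that RFC 3848 registers for transfers protected by TLS.
TLS_WITH = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
# Free-form notes some servers add, e.g. "(using TLSv1.3 ...)" or "version=TLS1_2".
TLS_NOTE_RE = re.compile(r"\bTLS\s?v?\d", re.I)

def strip_comments(text):
    """Remove (possibly nested) parenthesised comments from a header value."""
    while re.search(r"\([^()]*\)", text):
        text = re.sub(r"\([^()]*\)", "", text)
    return text

def audit_hops(raw_message):
    """Return one dict per hop, oldest first, saying whether TLS was recorded."""
    hops = []
    for header in reversed(message_from_string(raw_message).get_all("Received", [])):
        text = " ".join(header.split())          # unfold continuation lines
        bare = strip_comments(text)
        proto = re.search(r"\bwith\s+([A-Za-z0-9]+)", bare)
        by = re.search(r"\bby\s+(\S+)", bare)
        proto = proto.group(1).upper() if proto else "UNKNOWN"
        encrypted = proto in TLS_WITH or bool(TLS_NOTE_RE.search(text))
        hops.append({"by": by.group(1) if by else "?", "protocol": proto,
                     "encrypted": encrypted})
    return hops

def unencrypted_hops(raw_message):
    """Hops with no sign of TLS: the ones to raise with the provider."""
    return [h for h in audit_hops(raw_message) if not h["encrypted"]]
```

Only the `Received` lines written by servers you control are trustworthy, since an earlier hop can write anything into its own header.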

According to the U.S. Department of Health & Human Services (HHS), “…a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”

This basically states that encryption is required. If you choose not to encrypt your data, you must document, in writing, a reasonable explanation why you chose not to do so.

In the event of an audit, the Office for Civil Rights (OCR) will review your documentation and determine whether or not they agree with you. You’re required to encrypt PHI in motion and at rest whenever it is “reasonable and appropriate” to do so.

I’ll bet that if you do a proper risk analysis, you’ll find very few scenarios where it’s not. Even if you think you’ve found one, and then you’re breached, you have to convince the OCR, who think encryption is both necessary and easy, that you’re correct.

I have convinced myself and others that encryption is required by HIPAA.

Better safe than sorry, after all.

IT Policies Companies Under HIPAA Regulations Must Have

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health Act) have been around for quite some time. Even so, many companies covered by these laws are way behind when it comes to implementation. When you really think about it, even companies not covered by these laws should have the requisite policies and procedures in place.

Access Control Policy
How are users granted access to programs, client data and equipment? This policy also covers how administrators are notified to disable accounts.

Security Awareness Training
Organizations must ensure regular training of employees regarding security updates and what to be aware of. You must also keep an audit trail of reminders and communications in case you’re audited.
