The Basics Of HIPAA Compliance

Michael Menor is Vice President of Support Services for Tech Experts.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is federal legislation that created national standards to protect the privacy of patients’ medical records (including electronic records) and other personal health information.

The legislation makes organizations and individuals who collect and manage personal healthcare data legally liable for its security, including health care providers, health plans, health clearinghouses and business associated with any of these. Consequences of negligence and misuse of private information can include civil and criminal penalties.

As a result of HIPAA, the Department of Health and Human Services created specific regulations for the handling of Protected Health Information (PHI), including electronic or digital forms (ePHI). HIPAA has two main sets of requirements related to privacy and security.

The HIPAA Privacy Rule governs the saving, accessing and sharing of health-related and other personal information, either oral or written.

This rule defines the guidelines safeguarding the confidentiality of PHI. Standards for identifying and authenticating people and organizations requesting PHI are outlined in this rule.
The HIPAA Security Rule more specifically outlines national security standards to protect health data created, received, maintained or transmitted electronically.

This rule primarily focuses on the technological measures used to enforce policies keeping ePHI out of the wrong hands. Failing to comply with these rules can result in penalties for not only organizations, but for the responsible individuals.

Any entity that deals with protected health information must make sure that all the required measures are established and continuously observed — physical (actual data center server access), network, and process security (audits, policies and staff training).

While the legislation is clear on the privacy, security, and accessibility requirements for organizations, over 91,000 violations were recorded between April 2003 and January 2013. These resulted in 22,000 enforcement actions (which included settlements and fines) with 521 referred to the US Department of Justice for criminal investigation.

HIPAA Compliant Best Practices
1. Review and evolve your policies and procedures. HIPAA is not a “set and forget” proposition; compliance must be a living, changing process that is regularly audited for effectiveness and legality. A lot has changed since 1996 and organizations’ policies must reflect those changes.

2. Accessibility rights are as important as rights to privacy. HIPAA gives patients certain control over their healthcare information, including the right to access it on demand and the right to revoke authorization to store their data. Organizations must act quickly when patients ask for their PHI.

3. If you store your data with a third party hosting provider, make sure that they are HIPAA compliant. The Security Rule hands down many stringent administrative, physical and technical requirements for such providers. Make sure that a full-scale risk assessment of the provider is performed on a regular basis and that a process is in place for monitoring compliance.

Apply common sense to your technology platforms. Shut down computer programs and servers containing patient information when not in use, and don’t share passwords among staff members.

The US Department of Health and Human Services has found that storing patients’ information in a HIPAA compliant cloud server can be safer than using a localized server or paper documents, so consider this option for increased security.

A HIPAA violation can be as small as a health care worker discussing a patient’s private health information in the elevator or as large as a $1.2 million fine for not erasing PHI from photocopier hard drives before returning them to the leasing agent.

More than ever, common sense and sound corporate governance must be applied to the technologies and processes that manage confidential data. Protecting that data will protect clients and the organization as well.

HIPAA Email Encryption Requirements

Michael Menor is Vice President of Support Services for Tech Experts.

Question: does the Security Rule allow for sending electronic patient health information (e-PHI) in an email or over the Internet?

Answer: the Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected. The HIPAA Security Rule does not expressly prohibit the use of email for sending e-PHI.

However, the standards for access control, integrity, and transmission security require covered entities, such as insurance providers or healthcare providers, to implement policies and procedures.

These policies and procedures restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security also includes addressable specifications for integrity controls and encryption.

By default, whenever you send or receive email, you must connect through the Internet to an email service provider or email server.

The reality is that most email service providers do not use any security at all. This means everything you send to or receive from your email service provider is unsecure, including your user name, password, email message, attachments, who you are sending to, and who you are receiving from.

It gets worse! Most email service providers connect to other email service providers without any encryption.
If the other party is not using a secure email service, their emails can also be compromised. So the email you send and receive through the Internet is wide open, unsecure, and can be intercepted and stolen by thieves.

This is one of the main causes for identity theft, spam, and PHI breaches.

According to the U.S. Department of Health & Human Services (HHS), “…a covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.”

This basically states that encryption is required. If you choose not to encrypt your data, you must document, in writing, a reasonable explanation why you chose not to do so.

In the event of an audit, the Office for Civil Rights (OCR) will review your documentation and determine whether or not they agree with you. You’re required to encrypt PHI in motion and at rest whenever it is “reasonable and appropriate” to do so.

I’ll bet that if you do a proper risk analysis, you’ll find very few scenarios where it’s not. Even if you think you’ve found one, and then you’re beached, you have to convince the OCR, who think encryption is both necessary and easy, that you’re correct.

I have convinced myself and others that encryption is required by HIPAA.

Better safe than sorry, after all.

IT Policies Companies Under HIPAA Regulations Must Have

Thomas Fox is president of Tech Experts, southeast Michigan’s leading small business computer support company.

HIPAA (the Health Insurance Portability and Accountability Act) and HITECH (the Health Information Technology for Economic and Clinical Health act) have been around for quite some time. Even so, many companies covered by these laws are way behind when it comes to implementation. When you really think about it, even companies not covered by these laws should have the requisite policies and procedures in place.

Access Control Policy
How are users granted access to programs, client data and equipment? Also includes how administrators are notified to disable accounts.

Security Awareness Training
Organizations must ensure regular training of employees regarding security updates and what to be aware of. You must also keep an audit trail of reminders and communications in case you’re audited.

[Read more…]

HIPAA Risk Analysis And Assessment

Risk Management - Arrows Hit in Target.by Michael Menor, Network Technician
The phrases “risk analysis” and “risk assessment” are becoming incredibly commonplace today. They’re littering the blogosphere, popping up in advertisements by newly-announced, so-called experts and being “webinar-ed” to death.

In reality, most people promoting these phrases don’t know what they’re talking about. They don’t know what they’re talking about, I’ve come to discover, because most people don’t understand what risk itself means.

Understand Risk To Conduct Analysis
In today’s increasingly more privacy- and security-minded world, and especially in healthcare, the state of risk management of information is a mess!

This problem comes about for many reasons, including but not limited to the following:

There is little agreement on standard terminology, approach and tools. Key risk-related terms such as assets, threats, vulnerabilities, controls, likelihood and impact are misused and sometimes used interchangeably. One does not find these terms in many other professions. All physicists know what velocity, acceleration, mass, energy, etc. mean. All accountants agree to definitions of basic terms such as debits, credits, balance sheets, assets, liabilities, etc.

Many so-called “experts,” some recently-minted and/or self-proclaimed as such, don’t understand basic risk fundamentals.

Most individuals do not understand that you simply can’t observe risk and that risk is a derived value.

You simply cannot begin to conduct a bona fide risk analysis if you don’t understand what risk is and what risk is not.

There is huge inefficiency and ineffectiveness in protecting the privacy and security of Protected Health Information (PHI) and electronic PHI (ePHI).
As of October 24, 2013 the PHI/ePHI of 26.9 million fellow Americans have been disclosed according to the HHS/OCR “Wall of Shame.” For example, laptops with unencrypted hard drives being stolen from Advocate Medical Group.

Actions To Take
First and foremost, organizations must understand some key, fundamental points about risk before they embark on completing a risk analysis. For example, I present you with five images and ask you to indicate the level of risk (high, medium, low, no risk) you observe in each image.

The images include a bald tire, the same bald tire turned into a tire swing in a backyard, a frayed rope tied to a beam, the tire swing in a tree perched over the edge of a cliff and, finally, a child swinging in the tire swing in a backyard.

What was the greatest amount of risk you observed? I would guess you “saw” high risk in more than one of the images! Some “saw” risk in all the images. 1) You cannot “see” risk; it must be evaluated; and, 2) In reality, there is no risk in any of these images.

Here’s what happens over and over again:

People make assumptions and make things up in risk analysis.

People don’t understand this fundamental truth about risk – you can’t have significant risk without the potential for significant loss or harm.

People tend to relate potential vulnerabilities (e.g., frayed rope, bald tire) with risk.

People forget that one must consider likelihood or probabilities of bad things happening and of impact or harm.

The most important actions organizations must take if they don’t understand risk are to “train up” and/or farm out the work to experts.

And they must remember these truths:

Risk can only possibly exist if three conditions are met: an asset like a laptop with ePHI, a threat to that asset (e.g., a thief may steal it) and a vulnerability (e.g., it is not encrypted) that may be exploited by that threat.

For any single asset (e.g., a laptop with PHI), there may be many different threats and many different vulnerabilities; therefore, there may be many risks to be identified, assigned a value and prioritized.

Controls may already have been implemented or may be implemented to mitigate the likelihood of a certain threat exploiting a certain vulnerability. Controls come in several forms, often categorized as administrative, physical or technical.

Risk has an impact or harm component.

When it comes to health information risk, the adverse impact or harm may come about if the confidentiality and/or the integrity and/or the availability of that information is compromised.

(Image Source: iCLIPART)

Got Compliance? Simplifying HIPAA And PCI Requirements

By Tech Experts Staff
Many of our clients from health care providers to any business that accepts credit cards via in house applications have compliance standards they must meet.

The health care industry in particular has to be compliant with HIPAA and possibly PCI as well. So, with compliance being such an important issue what are some ways businesses can be sure they are in compliance?

At Tech Experts we offer many different services that are designed to help your business be more compliant with the strict standards in place by HIPAA and PCI.

HIPAA was established in 1996 at a time when the health care industry was starting to move away from paper and rely on computerized documentation for day to day operations. With this new technology being used brought more security risks that needed to be addressed as a whole; this is what brought about HIPAA.

While new technology is great in improving productivity businesses have to learn to adapt to the new security risks that come into play when using these production increasing technologies.

One of the first services we offer to clients is our Email Hosting services. We have various offerings with email based off of POP email and Exchange email. For compliance we offer archiving services with both one year and ten year retention policies.

We also offer solutions that are encrypted so the traffic cannot be easily captured and read which protects the information you send by email.

The second service we offer to clients needing to meet compliance standards is our offsite backup system.

Our offsite backups send your important data over encrypted connections just like the email system protecting your data from theft as it travels from your location to the safety of our datacenters.

Depending on your ability to function in the event of a disaster/outage we also offer disaster recovery options to help your business continue to function should your primary server go down.

The third service we offer is managed services. With managed services you can be sure that your computer always has an up to date, high end, antivirus installed. We monitor the antivirus that is installed on all of our managed service clients workstations and servers to ensure they are safe and secure.

While an antivirus does not guarantee you will not get an infection (because no antivirus can guarantee this) having a good one does ensure that the likelihood of being infected is greatly reduced.

With our managed services offering, we also monitor failed login attempts to see if there are any brute force attacks targeting your network. This lets us quickly address a problem before it becomes a network breach. Patch management is another feature of managed services that helps with compliance.

Patch Management ensures that your computers are kept up to date with the latest security patches.

Our managed services plans also include remote service and support. We offer a robust remote support feature that allows us to troubleshoot and correct almost any issue remotely.

The ability to offer such a comprehensive remote support tool means that we can more quickly address issues you run into without having to actually come out to your location.

Another component we offer to make your business more compliant is our server and workstation packages. Any server we offer can be programmed to make your business more compliant.

From enforcing regular password changes, account lockout policies, to hardware or software restriction policies, our servers are sure to improve your current network configuration.

With all of our services bundled a business can vastly improve their security and become more compliant than they were previously.

If your curious how compliant your business is, give us a call. We can setup a security evaluation based on the requirements for your industry. We can then offer some suggestions to improve your network’s security and compliance.