HIPAA Compliance News

Is Yammer HIPAA Compliant?

Posted by HIPAA Journal

Is Yammer HIPAA compliant? Does the platform incorporate all the necessary administrative and technical controls to meet HIPAA requirements? This post explores whether Yammer supports HIPAA compliance and assesses whether the platform can be used by healthcare organizations without violating HIPAA Rules.

What is Yammer?

Yammer has been a standalone social networking and collaboration platform since 2008. Its popularity and potential were noticed by Microsoft, which purchased the company in 2012. Today the platform is used by 85% of Fortune 500 companies.

The freemium platform allows company employees to communicate with each other, collaborate on projects, share knowledge, and ask and get quick answers from co-workers.  Due to similarities in its architecture and functionality, it is often referred to as ‘Twitter for companies’.

In contrast to other social media platforms, communications are private and are not published online. The platform can be kept as a strictly internal communication and collaboration tool, although it is also possible to use the platform to communicate with business associates and customers. Via the platform, users can chat and share documents, photos and other files.

Can Healthcare Organizations Sign a Business Associate Agreement for Yammer?

Since January 1, 2016, Yammer has been covered by the Office 365 Trust Center and is covered by Microsoft’s Office 365 enterprise business associate agreement.

Since purchasing the platform, Microsoft enhanced auditing and reporting capabilities. Detailed activity logs are generated giving admins full visibility into how the platform is being used. Through those logs, administrators can audit users, groups, files, admins, network settings, and see all activities on the platform. The logs meet the HIPAA security standard for audit controls.

The HIPAA security standard for access controls is also satisfied. Users get their own accounts and are logged in through their existing organization credentials. Access is only possible with a valid company email address.

All data in transit into and out of the production environment is encrypted, as is data at rest. Microsoft uses AES 256-bit key encryption to ensure data security.

The platform was designed as multitenant, so an organization’s data is logically separated from other companies using the platform and is kept private.

Is Yammer HIPAA Compliant?

So, is Yammer HIPAA compliant? The answer is yes and no.

Microsoft has incorporated all the necessary controls to ensure Yammer can be HIPAA compliant, but HIPAA compliance depends on the organization and its users. Provided risks are identified and managed and healthcare organizations enter into a business associate agreement with Microsoft that covers Yammer – prior to the service being used in connection with any ePHI – Yammer can be considered to be a HIPAA compliant collaboration tool.

The platform must also be configured correctly, policies need to be developed covering the use of the platform, and staff will need to be trained on Yammer and HIPAA restrictions.

The post Is Yammer HIPAA Compliant? appeared first on HIPAA Journal.

What Covered Entities Should Know About Cloud Computing and HIPAA Compliance

Posted by HIPAA Journal

Healthcare organizations can benefit greatly from transitioning to the cloud, but it is essential to understand the requirements for cloud computing to ensure HIPAA compliance.

In this post we explain some important considerations for healthcare organizations looking to take advantage of the cloud, HIPAA compliance considerations when using cloud services for storing, processing, and sharing ePHI, and we will dispel some of the myths about cloud computing and HIPAA compliance.

Myths About Cloud Computing and HIPAA Compliance

There are many common misconceptions about the cloud and HIPAA compliance, which in some cases prevent healthcare organizations from taking full advantage of the cloud, and in others could result in violations of HIPAA Rules.

Some of the common myths about cloud computing and HIPAA compliance are detailed below:

Use of a ‘HIPAA compliant’ cloud service provider will ensure HIPAA Rules are not violated

False: A cloud service provider can incorporate all the necessary safeguards to ensure the service or platform can be used in a HIPAA compliant manner, but it is the responsibility of the covered entity or business associate using the service to ensure that HIPAA Rules are followed. CSPs will not accept liability for misuse of their service/platform or misconfigurations by healthcare employees.

Cloud service providers are classed as conduits and a BAA is not required

False: Cloud services providers are considered business associates (see below) even if they do not – or cannot access stored data. The failure to enter into a business associate agreement prior to using the platform or service in connection with ePHI is a serious violation of HIPAA Rules.

A business associate agreement is required before de-identified PHI can be stored in the cloud

False: There are no HIPAA Privacy Rule restrictions covering the use or storage of de-identified PHI. De-identified PHI is not considered to be protected health information.

Physicians cannot use mobile devices to access ePHI stored in the cloud

False. There is nothing in HIPAA Rules that prevents the use of mobile devices for accessing data stored in the cloud, provided administrative, technical, and physical safeguards are in place to ensure the confidentiality, integrity, and availability of PHI for any data stored in the cloud or downloaded to a mobile device.  However, some healthcare organizations may have internal policies prohibiting the use of mobile devices with cloud services.

Cloud service providers must retain PHI for 6 years

False: HIPAA-covered entities must retain PHI for 6 years, but that rule does not apply to cloud service providers. If a HIPAA covered entity stops using a cloud service, all stored data must be returned to the covered entity or should be permanently deleted. If the CPS is required to retain stored data to meet the requirements of other laws, the information must be returned or deleted when that time period has elapsed.

A cloud service provider cannot be used if data is stored outside of the United States

False: A cloud service provider can store data on servers located in any country. There are no geographical restrictions. However, HIPAA covered entities should assess the risks – by means of a risk analysis – before using such a cloud service, as data stored on servers overseas may not be subject to the same level of protection as data stored on U.S-based servers.

Cloud Service Providers and Business Associate Agreements

While cloud service providers have long been known to be HIPAA business associates, the introduction of the HIPAA Omnibus Rule in 2013 made this clearer. “A data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis.”

The HIPAA conduit exception rule does not apply to cloud service providers. Companies are only considered ‘conduits’ if they offer a transmission only communication services when access to communications is only transient in nature. Cloud service providers are not considered to be conduits, even if the service provider encrypts all data and does not hold the keys to unlock the encryption.

Consequently, a business associate agreement must be entered into with the cloud platform or service provider before the platform or service is used for storing, processing, or transmitting ePHI.

If the cloud service is only ever used for sharing or storing de-identified PHI, a BAA is not required. De-identified PHI is no longer PHI, provided all identifiers have been stripped from the data. (See deidentification of PHI for further information.)

Cloud Computing and HIPAA Compliance

Cloud computing and HIPAA compliance are not at odds. It is possible to take advantage of the cloud and even improve security, but there are important considerations for any healthcare organizations considering using cloud services for storing, sharing, processing, or backing up ePHI

Risk Analysis and Risk Management

Prior to the use of any cloud service it should be subjected to a risk assessment. HIPAA-covered entities and their business associates must conduct their own risk analysis and establish risk management policies.

Business Associate Agreements

Before any cloud platform or service is used in connection with ePHI, the service provider and covered entity must enter into a HIPAA-compliant business associate agreement. The use of a cloud service without a BAA in place is a violation of HIPAA Rules.

Service Level Agreements (SLA)

In addition to a BAA, covered entities should consider a service level agreement (SLA) covering more technical aspects of the service, which may or may not address HIPAA concerns. The service level agreement can cover system uptime, reliability, data backups, disaster recovery times, customer service response times, and data return or deletion when the BAA is terminated. The SLA should also include the penalties should performance fall short of what has been agreed.

Encryption

Any data shared via the cloud should be protected by end-to-end encryption, and any data stored in the cloud should be encrypted at rest. Full considerations should be given to the level of encryption used by the CSP, which should meet NIST standards. While encryption is important, it will not satisfy all Security Rule requirements and will not maintain the integrity of ePHI nor ensure its availability.

Access Controls

Covered entities must ensure that access controls are carefully configured to ensure that only authorized individuals are able to access ePHI stored in the cloud. Prior to the use of any cloud platform or service, the administrative and physical controls implemented by the cloud service provider should be carefully evaluated.

Data Storage Locations

Covered entities should determine the locations where data is stored and risks associated with those locations should be evaluated during the risk analysis. Cloud service providers often store data in multiple locations to ensure fast access and rapid data recovery in the event of disaster. Data protection laws in foreign countries may differ considerable from those in the U.S.

Maintaining an Audit Trail

Healthcare organizations must have visibility into how cloud services are used, who is accessing cloud data, failed attempts to view cloud resources, and files that have been shared, uploaded, or downloaded. An audit trail must be maintained and logs should be reviewed regularly.

Cloud Benefits for Healthcare Organizations

Some of the key benefits for healthcare organizations from transitioning to the cloud are detailed below:

  • Linking a public cloud with data centers allows healthcare organizations to increase capacity without having to invest in additional hardware
  • The cloud is highly scalable – Capacity can be easily increased to meet business demands
  • Healthcare organizations can improve security by avoiding transporting ePHI on portable devices such as zip drives, portable hard drives, and laptop computers. The loss and theft of portable devices is a major cause of HIPAA data breaches
  • The cloud makes sharing ePHI with partners, patients, and researchers easier and faster
  • An unlimited number of data backups can be stored in the cloud. Data can be recovered quickly in the event of disaster
  • The cloud can help healthcare organizations decommission legacy infrastructure and improve security
  • The cloud allows healthcare organizations to reduce their data center footprints
  • Healthcare data can be securely accessed by authorized individuals in any location
  • The cloud allows healthcare organizations to offer and improve their telehealth services
  • The cloud supports the creation of an edge computing system to reduce latency and speed up data access

Choosing a Cloud Partner

While there are many cloud service providers that are willing to work with healthcare organizations, not all are prepared to accept liability for data breaches or violations of HIPAA Rules. Any CSP that will not sign a BAA should be avoided; however, not all cloud companies offer the same level of protection for stored and transmitted data. Willingness to sign a BAA is no guarantee of the quality of the service.

It is essential for a HIPAA covered entity to carefully assess any cloud service, even if the company claims it supports HIPAA compliance.

HIPAA-Compliant Cloud Platforms and Cloud Services

Over the coming weeks we will be assessing the services of a wide variety of cloud service providers to determine whether their platforms support HIPAA compliance.

For further information on specific vendors and to find out if they offer platforms that support HIPAA compliance, visit the links below:

Cloud Platforms

Cloud-Based Services

The post What Covered Entities Should Know About Cloud Computing and HIPAA Compliance appeared first on HIPAA Journal.

Is Zoom a HIPAA Compliant Video and Web Conferencing Platform?

Posted by HIPAA Journal

Zoom is a popular video and web conferencing platform that has been adopted by more than 750,000 businesses, but is the service suitable for use by healthcare organizations for sharing PHI. Is Zoom HIPAA compliant?  

What is Zoom?

Zoom is a cloud-based video and web conferencing platform that allows workers across multiple locations to take part in meetings, share files, and collaborate. The platform supports webinars and includes a business IM service.

Zoom has already been adopted by many healthcare organizations around the globe who use the platform to consult with other providers and communicate with patients. However, in the United States, healthcare providers must comply with HIPAA Rules.

Any software solution must incorporate a host of security protections to ensure protected health information (PHI) is safeguarded. Further, cloud-based platform providers are classed as a business associates and are also required to comply with HIPAA Rules if their platforms are to be used in conjunction with PHI.

Zoom and HIPAA Compliance

As a business associate, Zoom would be required to enter into a contract with a HIPAA covered entity before its service can be used with ePHI. That contract – a Business Associate Agreement – serves as a confirmation that Zoom is aware of its responsibilities with regards to the privacy and security of PHI.

Zoom is prepared to sign a business associate agreement with healthcare organizations and has ensured that its platform incorporates all of the necessary security controls to meet the strict requirements of HIPAA.

In April 2017 Zoom announced that it had launched the first scalable cloud-based telehealth service for the healthcare industry. Zoom for Telehealth allows enterprises and providers to communicate easily with other organizations, care teams, and patients in a HIPAA compliant manner.

The service incorporates access and authentication controls, all communications are secured with end-to-end AES-256 bit encryption, and the platform integrates with the Epic electronic health record system to support healthcare workflows.

This year Zoom announced that it has partnered with a global telehealth integrator and that its platform has been further enhanced to support full enterprise healthcare workflows.

Is Zoom HIPAA Compliant?

Zoom is a HIPAA compliant web and video conferencing platform that is suitable for use in healthcare, provided a HIPAA-covered entity enters into a business associate agreement with Zoom prior to using the platform.

It is still possible for HIPAA Rules to be violated using the platform so users must be aware of their responsibilities with respect to patient privacy, and must only share or communicate PHI with individuals authorized to receive the information. It is the responsibility of the covered entity to ensure Zoom is used correctly and HIPAA Rules are always followed.

The post Is Zoom a HIPAA Compliant Video and Web Conferencing Platform? appeared first on HIPAA Journal.

Is WebEx HIPAA Compliant?

Posted by HIPAA Journal

Is WebEx HIPAA compliant? Is the online meeting and web conferencing platform suitable for use by healthcare organizations or should the service be avoided? In this post we assess the security controls and features of the platform and determine whether use of WebEx could be considered a HIPAA violation.

What is WebEx?

WebEx is a web and video conferencing and collaboration platform that helps businesses connect with remote workers and partners as if they are in the same room.

With tools such as WebEx, healthcare organizations can communicate quickly and easily with the workforce, no matter where employees are located. Regional operational meetings can be conducted, medical education can take place online, and healthcare employees can be trained on new processes and procedures. These platforms can also potentially be used for communicating with patients.

However, before any collaboration tools can be used in connection with protected health information (PHI), healthcare organizations must be certain that the tools support HIPAA compliance. So how does WebEx fare in this regard? Is WebEx HIPAA compliant or should the platform be avoided by HIPAA-covered entities?

WebEx Security

Cisco has implemented a host of security controls to ensure all communications take place securely and information cannot be intercepted. Any information sent from a WebEx application to the WebEx cloud occurs through an encrypted channel which supports TLS 1.0, 1.1 and 1.2 protocols and uses high strength ciphers such as AES-256. Media packets are encrypted using AES 128. There is also the option of end-to-end encryption, which if applied, means Cisco will not decrypt any media streams.

All media streams can be recorded for future reference and meet HIPAA audit requirements. Data is also protected at rest with encryption and audio, video, and data streams are stored separately.

Administrators can configure the platform to provide the desired level of security, including rate limiting on login attempts, the automatic deactivation of accounts after a defined period of inactivity, password policies can be enforced, 2-factor authentication can be used, and strict access controls set to carefully control who has access to the platform.

Cisco also provides full documentation on functionality, technology, and security to help healthcare organizations with their risk assessments.

Cisco will also sign a business associate agreement with HIPAA covered entities and their business associates.

Is WebEx HIPAA Compliant?

WebEx incorporates administrative and technical safeguards that meet HIPAA requirements; however, it is up to covered entities to ensure the platform is configured correctly and that it is used in a manner compliant with HIPAA Rules.

Provided that is the case, and a business associate agreement has been entered into with Cisco covering the use of WebEx for Healthcare, WebEx is HIPAA compliant and can be used by healthcare organizations.

The post Is WebEx HIPAA Compliant? appeared first on HIPAA Journal.

Is Amazon CloudFront HIPAA Compliant?

Posted by HIPAA Journal

Is Amazon CloudFront HIPAA compliant and can the web service be used by HIPAA covered entities without violating HIPAA Rules? In this post we determine whether Amazon CloudFront supports HIPAA compliance or if it should be avoided by HIPAA-covered entities.

What is Amazon CloudFront?

Amazon CloudFront is a web service that allows users to speed up web content delivery over the Internet. Typically, when a website is accessed, the visitor experiences some latency accessing static and dynamic content.

The reason for this is visitors will not make a direct connection to the content, instead they will be routed through a path to reach the server where the content can be accessed. The path can involve many routing points, will inevitably have an impact on the speed at which content can be accessed. By using a content delivery network such as Amazon CloudFront, it is possible to reduce latency and improve reliability and availability of web content.

By delivering content via a network of data centers (edge locations), users are routed to the nearest location with the least latency, thus speeding up their connection. The service also offers a level of protection against DDoS attacks and other cyberthreats that can be harmful to web services.

Is Amazon CloudFront HIPAA Compliant?

In order for any cloud service to be used in conjunction with protected health information, HIPAA-covered entities must enter into a business associate agreement with the service provider. Therefore, before Amazon CloudFront can be deployed, a HIPAA-compliant business associate agreement must be obtained.

Recently, Amazon has updated its HIPAA compliance program and CloudFront has now been included as a HIPAA-eligible service. CloudFront is now included in the list of services covered by the business associate agreement provided for AWS. If you have already executed a BAA for AWS, it is possible to use CloudFront to deliver content containing PHI. However, make sure you check that your BAA specifically states CloudFront is covered.

The service should also be configured to log CloudFront usage data for auditing purposes for HIPAA-compliant workloads. Access logs should be enabled on the platform and requests sent to the CloudFront API should be captured.

Provided a BAA has been obtained for AWS – that includes CloudFront – and the solution is configured correctly, Amazon CloudFront is HIPAA compliant and can be used by healthcare organizations without violating HIPAA Rules.

The post Is Amazon CloudFront HIPAA Compliant? appeared first on HIPAA Journal.

Is Citrix ShareFile HIPAA Compliant?

Posted by HIPAA Journal

ShareFile was bought by Citrix Systems in 2011 and the platform is marketed as a suitable data sync, file sharing, and collaboration tool for the healthcare industry, but is Citrix ShareFile HIPAA compliant?

What is Citrix ShareFile?

Citrix ShareFile is a secure file sharing, data storage and collaboration tool that allows large files to be easily shared within a company, with remote workers, and with external partners. The solution allows any authorized individual to instantly access stored documents via desktops and mobile devices.

For healthcare organizations this means the solution can be used to share large files such as DICOM images with researchers, remote healthcare workers, and business associates. The ShareFile patient portal can also be used to share PHI with patients.

Is Citrix ShareFile HIPAA Compliant?

Citrix will sign a business associate agreement with HIPAA covered entities and their business associates that covers the use of FileShare, although it is the responsibility of the covered entity to ensure that the solution is configured correctly and is used in a manner that does not violate HIPAA Rules.

The solution satisfies HIPAA requirements for data security, with appropriate access and authentication controls. Users connect to the solution via an encrypted secure SSL/TLS connection and data is protected at rest with AES 256-bit encryption. The solution also supports encryption on mobile devices. An audit trail is maintained with access logs recording who accessed files, when, and for how long and application errors and events are also logged.

So is Citrix ShareFile HIPAA compliant? The safeguards incorporated into the solution mean the solution does supports HIPAA compliance.

Where HIPAA Covered Entities Must Exercise Caution

Many firms advertise their platforms and software as HIPAA compliant, but that does not mean use does not carry risks. Software solution providers can only build in security and administrative controls that allow their solution to be used in a HIPAA compliant manner. It is the responsibility of users to make sure the solution is configured correctly and HIPAA Rules are not violated.

To avoid HIPAA violations:

  • Ensure a business associate agreement has been obtained prior to the solution being used for storing, syncing, or sharing ePHI
  • Covered entities must perform a risk analysis to determine any potential risks to the confidentiality, integrity, and availability of PHI
  • Ensure encryption is used when sending files to third parties
  • Policies and procedures (administrative safeguards) must be developed covering the use of the solution and staff must be trained
  • Access and authentication controls must be set to restrict access to PHI to only those individuals who are authorized to access information
  • Any PHI shared with third parties must be limited to the minimum necessary data for tasks to be performed
  • Appropriate security controls should be implemented on devices to ensure that in case of theft or loss, the devices cannot be used to gain access to PHI

Citrix offers guidance for covered entities on aspects of HIPAA Rules, how they apply to FileShare, and assistance to ensure HIPAA compliance while using the platform. The information can be accessed on this link.

The post Is Citrix ShareFile HIPAA Compliant? appeared first on HIPAA Journal.

Is eFileCabinet HIPAA Compliant?

Posted by HIPAA Journal

eFileCabinet is a document management and storage solution for businesses that offers on-site and cloud storage, but is the service suitable for the healthcare industry? Is eFileCabinet HIPAA compliant or will using the platform be considered a violation of HIPAA Rules?

What are Document Management Systems?

Document management systems allow organizations to carefully manage electronic documents and store them securely in one location. With huge volumes of documents being created, such systems take the stress out of document management and can help HIPAA covered entities share documents containing ePHI securely and avoid HIPAA violations.

There are many document management systems on the market, but not all support HIPAA compliance, so what about eFileCabinet? Is eFileCabinet HIPAA compliant?

eFileCabinet Security and Privacy Controls

Security controls include the encryption of data in transit and at rest with 256-bit encryption. Sensitive data can be securely shared with third-parties and remote employees via the company’s SecureDrawer feature. SecureDrawer allows files to be shared without having to send documents beyond the protection of the firewall. The files remain in the eFileCabinet system and are accessed through a secure, encrypted portal.

eFileCabinet allows user and role-based permissions to be set to limit access to sensitive information as well as restrict what users and user groups can do with documents containing ePHI. Controls can be set with varying levels of user authentication, from simple passwords to voice prints and facial recognition. Users are also automatically logged off after a period of inactivity.

Automated file retention satisfies HIPAA integrity control requirements, data backups are performed, and an audit trail is maintained with records kept of user access, what users have done with documents, and whether documents have been copied or downloaded.

Will eFileCabinet Sign a BAA with HIPAA Covered Entities and their Business Associates?

Privacy and security controls are only one part of HIPAA compliance. Even with all appropriate controls in place, a document management system is not a ‘HIPAA compliant’ service unless a business associate agreement (BAA) has entered into with the service provider. By providing a BAA, the service provider is confirming they have implemented all appropriate controls to ensure data security and are aware of their responsibilities with respect to HIPAA.  eFileCabinet is prepared to sign a BAA with HIPAA covered entities and their business associates.

However, it is up to the covered entity to ensure that all controls made available through eFileCabinet to support HIPAA compliance are configured correctly. Fail to set access controls appropriately, for example, and HIPAA Rules would be violated.

Is eFileCabinet HIPAA Compliant?

In our opinion, eFileCabinet has all the necessary security, access, and audit controls to ensure it can be used by healthcare organizations in a manner compliant with HIPAA Rules. eFileCabinet will also sign a business associate agreement with HIPAA covered entities and their business associates.

So, is eFileCabinet HIPAA compliant? Provided a business associate agreement has been entered into prior to the platform being used for storing or sharing ePHI, eFileCabinet can be considered a HIPAA compliant document management system.

The post Is eFileCabinet HIPAA Compliant? appeared first on HIPAA Journal.

$100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes

Posted by HIPAA Journal

HIPAA covered entities and their business associates must abide by HIPAA Rules, yet when businesses closes the HIPAA obligations do not end. The HHS’ Office for Civil Rights (OCR) has made this clear with a $100,000 penalty for FileFax Inc., for violations that occurred after the business had ceased trading.

FileFax is a Northbrook, IL-based firm that offers medical record storage, maintenance, and delivery services for HIPAA covered entities. The firm ceased trading during the course of OCRs investigation into potential HIPAA violations.

An investigation was launched following an anonymous tip – received on February 10, 2015 – about an individual that had taken documents containing protected health information to a recycling facility and sold the paperwork.

That individual was a “dumpster diver”, not an employee of FileFax. OCR determined that the woman had taken files to the recycling facility on February 6 and 9 and sold the paperwork to the recycling firm for cash. The paperwork, which included patients’ medical records, was left unsecured at the recycling facility. In total, the records of 2,150 patients were included in the paperwork.

OCR determined that between January 28, 2015 and February 14, 2015, FileFax had impermissibly disclosed the PHI of 2,150 patients as a result of either: A) Leaving the records in an unlocked truck where they could be accessed by individuals unauthorized to view the information or; B) By granting permission to an individual to remove the PHI and leaving the unsecured paperwork outside its facility for the woman to collect.

Since FileFax is no longer in business – the firm was involuntarily dissolved by the Illinois Secretary of State on August 11, 2017 – the HIPAA penalty will be covered by the court appointed receiver, who liquidated the assets of FileFax and is holding the proceeds of that liquidation.

A corrective action plan has also been issued that requires the receiver to catalogue all remaining medical records and ensure the records are stored securely for the remainder of the retention period. Once that time period has elapsed, the receiver must ensure the records are securely and permanently destroyed in accordance with HIPAA Rules.

The settlement has been agreed with no admission of liability.

HIPAA Retention Requirements and Disposal of PHI

There are no HIPAA retention requirements – Covered entities and their business associates are not required to keep medical records after their business has ceased trading. However, that does not mean medical records and PHI can be disposed of immediately. Businesses are bound by state laws, which do require documents to be retained for a set period of time. For instance, in Florida, physicians must maintain medical records for 5 years after the last patient contact and in North Carolina hospitals must maintain records for 11 years following the last date of discharge.

During that time, HIPAA requires appropriate administrative, technical, and physical safeguards to be implemented to ensure those records are secure and remain confidential. After the retention period is over, all PHI must be disposed of in a compliant manner.

In the case of paper records, disposal typically means shredding, burning, pulping, or pulverization. Whatever method chosen must render the documents indecipherable and incapable of reconstruction.

This HIPAA breach is similar to several others that have occurred over the past few years. Businesses have ceased trading and paper records containing the protected health information of patients have been dumped, abandoned, or left unsecured. There have also been cases where businesses have moved location and left paperwork behind, only for contractors performing a cleanup or refurb of the property to find the paperwork and dispose of it with regular trash.

The failure to secure PHI during the retention period and the incorrect disposal of records after that retention period is over are violations of HIPAA Rules that can attract a significant financial penalty.

“The careless handling of PHI is never acceptable,” said OCR Director Roger Severino in a press release about the latest HIPAA settlement. “Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies.”

The post $100,000 Settlement Shows HIPAA Obligations Don’t End When a Business Closes appeared first on HIPAA Journal.

Is Box HIPAA Compliant?

Posted by HIPAA Journal

Is Box HIPAA compliant? Can Box be used by healthcare organizations for the storage of documents containing protected health information or would doing so be a violation of HIPAA Rules? An assessment of the security controls of the Box cloud storage and content management service and its suitability for use in healthcare.

What is Box?

Box is a cloud storage and content management service that supports collaboration and file-sharing. Users can share files, invite others to view, edit or upload content. Box can be used for personal use; however, businesses need to sign up for either a business, enterprise, or elite account.

Is Box Covered by the Conduit Exception Rule?

The HIPAA conduit exception rule was introduced to allow HIPAA covered entities to use certain communications channels without having to obtain a business associate agreement. The conduit exception rule applies to telecoms companies and Internet service providers that act as conduits through which data flows. Cloud storage services are not covered under the HIPAA conduit exception rule, even if those entities claim they never access any data uploaded to their cloud service. Therefore, cloud storage services can only be used if a business associate agreement is entered into with the service provider.

Box and the HIPAA Business Associate Agreement

Box is confident it has put appropriate security controls in place to ensure all customers’ data is secured, both in transit to Box and while stored in the cloud. The company was formed in 2004, although it took nine years for the company to make its move into the healthcare sphere. In April 2013, Box started signing business associate agreements with HIPAA covered entities and their business associates. Box only offers a BAA to HIPAA covered entities if they have an enterprise or elite account.

Box for Healthcare Launched

In addition to agreeing to sign a BAA and having its service verified as supporting HIPAA compliance by an independent auditor, the company has now launched its Box for Healthcare service. The Box for Healthcare service has been developed to integrate seamlessly with top healthcare vendors such as IBM, Microsoft, Apple, TigerText, eHealth Technologies, and EDCO Health apps. The service helps healthcare organizations coordinate care, collaborate with research organizations, and share information securely with third parties outside the protection of the firewall.

The service includes all the necessary security controls to comply with the HIPAA Security Rule including data encryption at rest and in transit, audit controls, and configurable administrative controls that allow customers to monitor access, usage and document edits by employees and third parties, and set appropriate access and authentication controls.

Is Box HIPAA Compliant?

Any cloud service can be used in a manner that violates HIPAA Rules, as HIPAA compliance is more about the people that use a product or service rather than the product or service itself. That said, Box has implemented a wide range of safeguards and controls to ensure data privacy and security. So, is Box HIPAA compliant?

Provided a BAA has been obtained before the platform is used to store documents containing PHI, Box can be considered a HIPAA compliant cloud storage provider. However, it is the responsibility of the covered entity to ensure that the service is configured correctly and HIPAA Rules are followed.

The post Is Box HIPAA Compliant? appeared first on HIPAA Journal.