HIPAA

Gmail, Google Apps for Business HIPAA Business Associate Agreements

The Health Insurance Portability and Accountability Act (HIPAA) requires all HIPAA-covered businesses to prevent unauthorized access to “Protected Health Information” (PHI). PHI includes patients’ names and addresses and all information pertaining to their health and payment records. According to the Department of Health and Human Services, “HIPAA Rules apply to covered entities and business associates.” Full compliance with HIPAA guidelines requires both basic and advanced security measures. Basic measures include password creation and use that follows established benchmarks, personnel education and training, limited access to PHI, data encryption, firewalls, antivirus software, and digital signatures. With the growing adoption of electronic medical records and cloud-based software-as-a-service (SaaS), advanced security measures are also necessary. Google’s Business Associate Agreement, introduced in September 2013, offers HIPAA-compliant online services for covered entities.

Online Security: Google’s Business Associate Agreement

Many healthcare businesses use Google Business Apps, a cloud-based software-as-a-service (SaaS) suite that gives small businesses access to Google services such as Gmail, Google Calendar, Docs, Drive (storage), and Apps. Google’s encryption and authentication controls have been evaluated by the third party Ernst & Young and are ISO 27001 certified. Despite these foundational precautions, not all components of Google Business Apps have the level of security necessary for HIPAA compliance.

Enter Google’s Business Associate Agreement (BAA). The BAA provides an additional layer of online safety by offering HIPAA-compliant security for users of Google Apps Vault, Gmail, Google Calendar, and Google Drive. Businesses that opt for this agreement are precluded from using any of the other services in the Google Business Apps package (such as Google Docs, Hangouts, Marketplace, websites, etc.) under the domain registered with and covered by the BAA. Google’s BAA guidelines state: “Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.” The agreement requires that HIPAA-covered businesses sign up for a Google Apps for Business Administrator account.

Training Reduces Human Errors

In addition to having the best online security, complete compliance requires solid procedures and policies, including training for staff members to prevent human error. The Privacy and Security Rules require that healthcare businesses educate and train workers in the policies and procedures for HIPAA compliance. Providing that training requires experience and specialized knowledge that even the most advanced healthcare executive may not have.

When evaluating HIPAA training services, make sure the company you choose provides a complete HIPAA training package and is knowledgeable about online security strategies. Training should be affordable, but also useful in other ways. For example, HIPAA training that offers CME and CEU credits is a good way to maintain compliance with HIPAA law while helping your employees maintain valuable credentials.

The post Gmail, Google Apps for Business HIPAA Business Associate Agreements appeared first on HIPAA.com.

The Reality of HIPAA Violations and Enforcement

Who is ultimately responsible for enforcement of HIPAA and what types of penalties are levied when a covered entity or business associate is found to be non-compliant with the regulations? Many healthcare offices and their staff don’t know the answer to this question; they have only a vague notion about the enforcement and the consequences of not adhering to the law.

The HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Complaints are filed with the OCR, which is responsible for administering, investigating and enforcing the HIPAA privacy standards. The Centers for Medicare & Medicaid (CMS) enforce the code set and security standards.

The American Recovery and Reinvestment Act of 2009 created a tiered penalty structure for HIPAA violations. It is the OCR that determines the amount of each penalty, which depends on the nature and extent of the harm that results from the breach. For example:

  • The fine for a first-time infringement by someone who did not know they violated HIPAA can be as low as $100 or as high as $50,000.
  • The fine for a violation due to willful neglect that is corrected within the required time period is a minimum of $10,000 per violation, up to a maximum of $50,000.
  • When a willful-neglect violation is not corrected, the minimum fine increases from $10,000 to $50,000.

However, whenever there is a violation that is not considered willful neglect and it is corrected within 30 days of notice, the OCR cannot impose the civil penalty.

A Privacy Rule infraction can be considered criminal and may lead to prosecution by the Department of Justice if someone deliberately acquires or discloses a person’s health information; the fine is $50,000 and up to one year in jail. When an offense is committed through deception, the fine is $100,000 and the jail time is 5 years. And if a person’s health information was sold, transferred or used for profit, any other type of personal gain, or with intent to harm, the fines can go as high as $250,000 with imprisonment for up to 10 years.

Knowing that enforcement of HIPAA is real and that the penalties can be financially and professionally devastating, healthcare offices need to prioritize their training efforts for all of their staff. There truly is no excuse for any healthcare office not to be thoroughly trained in HIPAA law, because if they are found to be out of compliance HHS will not accept ignorance of the law as a defense.


Five Steps to HIPAA Security Compliance


The Health Insurance Portability and Accountability Act has set various guidelines that must be followed by anyone who handles electronic medical data. These guidelines stipulate that all medical practices must have the necessary measures in place when saving, accessing and sharing electronic medical data so that patient data stays secure. Non-compliance with the HIPAA security standards can lead to large fines and, in extreme cases, even loss of medical licenses. Medical practices can follow several steps to ensure compliance with HIPAA standards:

Run a complete risk assessment of the medical practice
Some medical practices adopted electronic health record systems before there were clear guidelines on what these systems should contain, so a practice could be using electronic systems that are not HIPAA compliant. To ensure compliance, a risk assessment of the current systems should be performed against HIPAA standards and guidelines to highlight the areas in which compliance is not enforced and where changes are needed.

Prepare for disaster before it occurs
All data handled by a medical practice should be protected from both loss and corruption. One of the main ways of ensuring that data is not lost in a mishap is to back it up regularly. Backups should be stored at an offsite location so that an incident such as a fire on the practice’s premises does not destroy the backup as well. Antivirus software should also be installed on all computers so that data is not corrupted or destroyed by computer viruses.

Have an ongoing employee training program
Any system is only as strong as its weakest link, and in most cases untrained employees are the weakest link in a medical practice. A practice may have a very secure encryption system, but if employees do not use their passwords properly to access records and files securely, the encryption is rendered useless and anyone can gain access to those records. Medical practices should continually train their staff to follow the right security protocols to ensure data integrity and security.

Buy medical products with security compliance and compatibility in mind
New equipment bought for a medical institution should be compatible with existing systems and offer sufficient security features. Some equipment offers enough security features but is incompatible with existing systems, or vice versa. Before any major purchase, the product should be reviewed thoroughly for both security and compatibility.

Collaborate with affected parties
Changes made to achieve HIPAA compliance affect many people in the medical practice. Affected departments should be consulted when making changes so that all parties affected are satisfied with them.


Dentists: Don’t Forget HIPAA Compliance

Since the inception of HIPAA in 1996, its broad implications have affected all areas of health care, including dentistry. If asked, most dentists and their staff would say they know what the HIPAA regulations are and that, yes, they have been trained. But are they really up to date with HIPAA’s ever-expanding changes and compliance requirements? Are they trained in the HIPAA Security, Privacy, Enforcement and Breach Notification Rules, and do they know that they must be in compliance with the 2013 HIPAA Omnibus Final Rule by September 23, 2013?

Compared to the ever-growing size of medical practices today, most dental offices are still rather small, with just one to five dentists practicing together, and maintaining compliance is not easy for a small office. It requires a continual effort on the part of the dentist and the office staff. This commitment of time, people and resources is often where the process hits a wall. Many dental offices did their initial training when the Privacy Rules were enacted but have not kept current with training, and the HIPAA protocols they put in place have often fallen by the wayside. This is especially true in offices with a limited number of employees and frequent staff turnover.

Almost all dental practices submit their claims electronically to insurance companies, which subjects them to the HIPAA regulations on electronic claims submission. But are these offices following through on the certification requirements to safeguard and protect electronic patient information, and is there a written risk assessment?

Most offices are much more familiar with the HIPAA Privacy Rule. But without refresher training and instruction for new staff, these offices may not be fully adhering to the HIPAA privacy conditions.

The American Dental Association does offer resources and online webinars to help dental offices educate their staff and remain compliant with HIPAA laws. There are also many other online training programs, such as HIPAA School, that are ideal for the small dental office; besides providing a good solid base of instruction, they help offices stay on track with their HIPAA programs.

Dentists who realize the importance of training their staff regularly, and of making sure new hires are immediately well informed and proficient in HIPAA law, are much less likely to have reported complaints or to fail an audit. HIPAA training is crucial, not just because the office could be substantially fined if it is not in compliance, but because it is essential to protecting patients’ private health information.



Celebrate Earth Day 2011 with eco-friendly digital HIPAA reference materials

Here are the top 5 highest-rated HIPAA books on Amazon that are available in earth-friendly digital Kindle format. We thought it would be good to celebrate Earth Day by sharing these with you, and by encouraging everyone who hasn’t gone paperless yet to consider doing so. Note that in most cases, buying the book in Kindle format is cheaper than buying the same book in print form. That is a handy way to save money, or to justify the cost of a Kindle if you don’t already have one!

#1: Practical Guide to HIPAA Privacy and Security Compliance

496 pages

Description:

This book is a one-stop resource for HIPAA privacy and security advice that can immediately be applied to any organization’s unique situation. It defines what HIPAA is, what it requires, and what can be done to achieve and maintain compliance. It describes the HIPAA Privacy and Security Rules and compliance tasks in easy-to-understand language, focusing not on technical jargon but on what organizations need to do to meet requirements. Anyone preparing an organization for HIPAA laws will receive expert guidance on requirements and other commonly discussed topics. The book enables organizations to determine how HIPAA will impact them, regardless of whether they are a HIPAA Covered Entity.

#2: PKI Security Solutions for the Enterprise: Solving HIPAA, E-Paper Act, and Other Compliance Issues

336 pages

Description:

  • Outlines cost-effective, bottom-line solutions that show how companies can protect transactions over the Internet using PKI
  • First book to explain how PKI (Public Key Infrastructure) is used by companies to comply with the HIPAA (Health Insurance Portability and Accountability Act) rules mandated by the U.S. Department of Labor, Health, and Human Services
  • Illustrates how to use PKI for important business solutions with the help of detailed case studies in health care, financial, government, and consumer industries

#3: A Guide to HIPAA Security and the Law

372 pages

Description:

This publication discusses the HIPAA Security Rule’s role in the broader context of HIPAA and its other regulations, and provides useful guidance for implementing HIPAA security. At the heart of this publication is a detailed section-by-section analysis of each security topic covered in the Security Rule. This publication also covers the risks of non-compliance by describing the applicable enforcement mechanisms that apply and the prospects for litigation relating to HIPAA security.

#4: The Clinical Documentation Sourcebook: The Complete Paperwork Resource for Your Mental Health Practice

336 pages

Description:

The paperwork required when providing mental health services in the current era of third-party accountability can be quite daunting. The sourcebook is designed to help clinicians provide this documentation in a form that satisfies managed care requirements and maximizes prospects for approval of payments. Includes ready-to-use sample forms that meet the documentation requirements of virtually every managed care organization. The sourcebook also provides properly completed examples of each form, as well as a computer disk which contains word-processing versions of every form in the book.

#5: HIPAA Survival Guide for Providers: Privacy, Security and the HITECH Act

Description:

The HIPAA Survival Guide attempts a “forest from the trees” overview of the HIPAA Privacy and Security rules, and also includes a general overview of the HITECH Act as it pertains to these rules. The genesis of these rules is covered in the Background section. The HIPAA Survival Guide only targets a subset of covered entities, namely healthcare providers, focusing mostly on small providers, since this group will clearly be the most challenged by new laws and regulations.

The Third Edition of the HIPAA Survival Guide updates various substantive text of the first two editions and adds completely new material. The HITECH Act has indeed proven to be transformational. In order to deal more effectively with its changing regulatory landscape we have decided to release an updated version available on Amazon’s Kindle.

BONUS #6 – YES, IT’S A HIPAA ROMANCE NOVEL — HIPAA Hysteria

We’re really not sure how good this could be, but c’mon — a steamy romance novel set in the wild world of HIPAA compliance? Yes please!

Description:

Is it a romantic comedy? Yes! Is it a legal thriller? Yes!

Margaret Nicks, a new graduate with a couple of degrees in health information management, becomes the Acting Director of Health Information Management at a hospital when the Director suffers a stroke. She quickly finds out that her new duty of getting the hospital HIPAA compliant won’t be easy. But she hires a consultant that she had met at a Cross Country seminar. Follow their struggles with the hospital doctors, staff, and administration to get them into compliance. They are attracted to each other, but legal ethics prevents him from dating her. After the compliance date, a hospital employee commits identity theft and blames it on the hospital’s failure to enforce HIPAA. Management tries to hang Margaret out to dry to save the hospital administrator and the governing board from liability. The U.S. Attorney indicts her under the theory of corporate criminal liability. So she hires the consultant, who is also an experienced defense attorney. Can he keep her out of federal prison? Will they end up an item after she is no longer his client?


The HIPAA Compliance Headache

HIPAA Compliance Introduced. “Hip…what?” That was my reaction when I first encountered HIPAA. I was working at a dental office while home from college for the summer. I had worked at that office part time while in high school and was now receiving instruction about the “new way” to do things around the office. I…

The post The HIPAA Compliance Headache appeared first on SIMBUS.

HIPAA video

A good video about network security; it mentions HIPAA, security, and the economics of spam.

ABSTRACT

Computer security has recently imported a lot of ideas from economics, psychology and sociology, leading to fresh insights and new tools. I will describe one thread of research that draws together techniques from fields as diverse as signals intelligence and sociology to search for artificial communities.

Evildoers online divide roughly into two categories – those who don’t want their websites to be found, such as phishermen, and those who do. The latter category runs from fake escrow sites through dodgy stores to postmodern Ponzi schemes. A few of them buy ads, but many set up fake communities in the hope of having victims driven to their sites for free. How can these reputation thieves be detected?

Some of our work in security economics and social networking may give an insight into the practical effects of network topology. These tie up in various ways with traffic analysis, long used by the signals intelligence agencies which trawl the airwaves and networks looking for interesting targets. I’ll describe a number of dubious business enterprises we’ve unearthed. Recent advances in algorithms, such as Newman’s modularity matrix, have increased the robustness of covert community detection. But much scope remains for wrongdoers to hide themselves better as they become topologically aware; we can expect attack and defence to go through several rounds of coevolution. I’ll therefore end up by talking about some strategic issues, such as the extent to which search engines and other service providers could, or should, share information in the interests of wickedness detection.

Speaker: Ross Anderson. Ross Anderson is one of the top security researchers in the world.


11 Years of HIPAA and it’s still not easy for consumers

NPR did a good audio story on Morning Edition about the current state of HIPAA that is worth a listen.

Holding on to health insurance can be a big challenge if you have a chronic disease or history of illness. But it wasn’t supposed to be that way. Eleven years ago this month, Congress passed a law intended to free people who felt trapped in their jobs because they were afraid of losing their health insurance.

Story: Portable Health Insurance Faces Challenges (NPR.org)

A good link for consumers from the story: A Consumer Guide for Getting and Keeping Health Insurance.

(story found via HIPAAClicks.com)

HIPAA Checklists

Get started with HIPAA compliance by checking out these free checklists. You may want to build your own customized checklist when developing your strategy for complying with HIPAA.

Bookmark this page, since it will be updated when we find more useful free HIPAA checklists.

Free HIPAA Compliance Checklists

Do you know of any other good HIPAA checklists we could add to this list? Leave a comment below!