Security

Gmail, Google Apps for Business HIPAA Business Associate Agreements

Posted by HIPAA.com Staff

The Health Insurance Portability and Accountability of Act demands that all HIPAA covered businesses prevent unauthorized access to “Protected Health Information” or PHI. PHI includes patients’ names, addresses, and all information pertaining to the patients’ health and payment records. According to the Department of Health and Human Services, “HIPAA Rules apply to covered entities and business associates.” Complete compliance with HIPAA guidelines requires implementation of basic and advanced security measures. Basic security includes benchmark-based password creation and use, personnel education and training, limited access to PHI, data encryption, use of firewalls, antivirus software, and digital signatures. With increasing adoption of electronic medical records and cloud-based software-as-service (SaaS), advanced security measures are necessary. Google’s Business Associate Agreement, introduced in September 2013, offers HIPAA compliant online services for covered entities.

Online Security: Google’s Business Associate Agreement

Many healthcare businesses use Google Business Apps. Google Business Apps are cloud-based software-as-service (SaaS) where small businesses have access to a suite of Google services such as Gmail, Google Calendar, Docs, Drive (storage), Apps etc. Google uses Ernst and Young third party evaluated and ISO 27001 certified encryption and authentication. But despite these foundational precautions, not all components of GBA have a level of security necessary for HIPAA compliance.

Enter Google’s Business Associate Agreement (BAA). Google’s Business Associate Agreement provides an additional layer of online safety by offering HIPAA compliant security for users of Google Apps Vault, Gmail, Google Calendar, and Google Drive. Businesses that opt for this agreement are precluded from using any of the other services in the Google Business Apps package (such as Google Docs, Hangouts, Marketplace, websites, etc), under the domain registered with and covered by Google’s Business Associate Agreement. Google’s BAA guidelines state “Customers who have not entered into a BAA with Google must not use Google services in connection with PHI.” The agreement requires that HIPAA covered businesses sign up for a Google Apps for Business Administrator account.

Training Reduces Human Errors

In addition to having the best online security, complete compliance requires implementation of solid procedures and policies, which includes training for staff members to prevent human errors. The Privacy and Security Rules require that healthcare businesses educate and train workers regarding policies and procedures for HIPAA compliance. Training requires experience and specialized knowledge that even the most advanced healthcare executive may not have.

When evaluating HIPAA training services, make sure the company you choose provides a complete HIPAA training package and is knowledgeable about online security strategies. Training should be affordable, but also useful in other ways. For example, HIPAA training that offers CME and CEU credits is a good way to maintain compliance with HIPAA law while helping your employees maintain valuable credentials.

The post Gmail, Google Apps for Business HIPAA Business Associate Agreements appeared first on HIPAA.com.

The Reality of HIPAA Violations and Enforcement

Posted by HIPAA.com Staff

Who is ultimately responsible for enforcement of HIPAA and what types of penalties are levied when a covered entity or business associate is found to be non-compliant with the regulations? Many healthcare offices and their staff don’t know the answer to this question; they have only a vague notion about the enforcement and the consequences of not adhering to the law.

The real HIPAA enforcement agency is the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR). Complaints are filed with the OCR, and they are responsible for administering, investigating and enforcing the HIPAA privacy standards. The Centers for Medicare & Medicaid (CMS) enforce the code set and security standards.

The American Recovery and Reinvestment Act of 2009 created a tiered penalty configuration for HIPAA violations. But it is the OCR that determines the amount of each penalty, and it is dependent upon the nature and extent of harm that results from the breach. For example:

  • The fine for a first time infringement by someone who did not know they violated HIPAA could be as low as $100 or as high as $50,000.
  • The fine for a violation due to willful neglect, but corrected within the required time period, is a minimum of $10,000 per violation with a maximum of $50,000.
  • The fine when the willful neglect violation is not corrected increases from $10,000 to $50,000.

However, whenever there is a violation that is not considered willful neglect and it is corrected within 30 days of notice, the OCR cannot impose the civil penalty.

A Privacy Rule infraction can be considered criminal and may lead to prosecution by the Department of Justice if someone deliberately acquires or discloses a person’s health information; the fine is $50,000 and up to one year in jail. Whenever an offense is committed through deception, the fine is $100,000 and the jail time is 5 years. And, if person’s health information was sold, transferred or used for profit-making, or any type of personal gain or intent to harm, the fines can go as high as $250,000 with imprisonment for up to 10 years.

Knowing that enforcement of HIPAA is real and that the penalties can be financially and professionally devastating, healthcare offices need to prioritize their training efforts for all of their staff. There truly is no excuse for any healthcare office not to be thoroughly trained in HIPAA law, because if they are found to be out of compliance HHS will not accept ignorance of the law as a defense.

The post The Reality of HIPAA Violations and Enforcement appeared first on HIPAA.com.

Five Steps to HIPAA Security Compliance

Posted by HIPAA.com Staff
The health insurance portability and accountability act has set various guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing and sharing any electronic medical data to keep patient data secure . Lack of compliance to the HIPAA security standards could lead to large fines and in extreme cases even loss of medical licenses. Several steps can be followed by medical practices to ensure compliance to HIPAA standards. These steps include:
Run a complete risk assessment of the medical practice
Some medical practices adopted electronic health recording systems before there were clear guidelines on what these systems should contain. This means that a medical practice could be using electronic systems which are not compliant with HIPAA standards. To ensure HIPAA compliance a risk assessment should be done on the current systems using HIPAA standards and guidelines to highlight areas in which compliance is not enforced. A risk assessment against HIPAA guidelines exposes areas in which changes are needed.
Prepare for disaster before it occurs
All the data handled by a medical practice should be safe both from loss and corruption. One of the main ways of ensuring that data is not lost in case of any mishaps is backing up of medical data regularly. Data should be backed up in an offsite location such that in case of incidents such as fires in the medical premises the data backup is not destroyed, as well. Antivirus programs should also be installed in all computers to ensure that data is not corrupted or destroyed by computer viruses.
Have an ongoing employee training program
Any system is only as strong as its weakest link and in most cases untrained employees are the weakest links in medical practices. A medical practice could have a very secure encryption system, but if the employees don’t use their passwords to securely access records and files the encryption system is rendered useless, and anyone can gain access to these records. Medical practices should continually train their staff on how to follow the right security protocols to ensure data integrity and security.
Buy medical products with security compliance and compatibility in mind
New equipment bought for a medical institution should be compatible with existing systems and should offer enough security features. Some medical equipment may offer enough security features but may be incompatible with existing systems or vice versa. Thus before making any major purchases enough review of the product should be done to ensure both security and compatibility.
Collaborate with affected parties
Changes which need to be made to bring about HIPAA compliance affect many people in the medical practice. Affected departments should be consulted when making changes to ensure all parties affected by the changes are happy with the changes.

The Health Insurance Portability and Accountability Act has set various guidelines, which should be adhered to by anyone who handles any electronic medical data. These guidelines stipulate that all medical practices must ensure that all necessary measures are in place while saving, accessing and sharing any electronic medical data to keep patient data secure . Lack of compliance to the HIPAA security standards could lead to large fines and in extreme cases even loss of medical licenses. Several steps can be followed by medical practices to ensure compliance to HIPAA standards. These steps include:

Run a complete risk assessment of the medical practice
Some medical practices adopted electronic health recording systems before there were clear guidelines on what these systems should contain. This means that a medical practice could be using electronic systems which are not compliant with HIPAA standards. To ensure HIPAA compliance a risk assessment should be done on the current systems using HIPAA standards and guidelines to highlight areas in which compliance is not enforced. A risk assessment against HIPAA guidelines exposes areas in which changes are needed.

Prepare for disaster before it occurs
All the data handled by a medical practice should be safe both from loss and corruption. One of the main ways of ensuring that data is not lost in case of any mishaps is backing up of medical data regularly. Data should be backed up in an offsite location such that in case of incidents such as fires in the medical premises the data backup is not destroyed, as well. Antivirus programs should also be installed in all computers to ensure that data is not corrupted or destroyed by computer viruses.

Have an ongoing employee training program
Any system is only as strong as its weakest link and in most cases untrained employees are the weakest links in medical practices. A medical practice could have a very secure encryption system, but if the employees don’t use their passwords to securely access records and files the encryption system is rendered useless, and anyone can gain access to these records. Medical practices should continually train their staff on how to follow the right security protocols to ensure data integrity and security.

Buy medical products with security compliance and compatibility in mind
New equipment bought for a medical institution should be compatible with existing systems and should offer enough security features. Some medical equipment may offer enough security features but may be incompatible with existing systems or vice-versa. Thus before making any major purchases enough review of the product should be done to ensure both security and compatibility.

Collaborate with affected parties
Changes which need to be made to bring about HIPAA compliance affect many people in the medical practice. Affected departments should be consulted when making changes to ensure all parties affected by the changes are happy with the changes.

The post Five Steps to HIPAA Security Compliance appeared first on HIPAA.com.

Don’t Overthink HIPAA Privacy Rules

Posted by user

Ever since HIPAA Privacy Rules became finalized law in 2003, many healthcare practices have been anxious and fearful of penalties should they interpret the law incorrectly and be out of compliance. Non-compliance fines can be hefty, so it is understandable why many providers practice with apprehension.

HIPAA rules have brought a needed awareness for patient privacy, but at the same time much of the law is hazy with areas often needing legal interpretation.  According to Ronald B. Sterling, MBA, a health technology consultant, “A lot of people overthink HIPAA and take it to extremes.” (1)  When the law is unclear and healthcare professionals are worried about self-protection, staff members tend to go overboard when interpreting the rules.  And the office philosophy becomes if we want to be safe and stay compliant, we can’t tell anyone anything!  Hospitals also have this mindset created by overzealous risk managers and lawyers. The doctors with privileges at these institutions take this viewpoint back to their practice as the safe hospital-endorsed thing to do.

Interpretation errors, even when on side of caution, aren’t necessarily good for the patients and can actually infringe upon their rights.  And, the “don’t tell anyone anything” concept is keeping information from people who need and deserve to be informed.

Medcape reported that at a congressional subcommittee hearing on HIPAA last April, Carol Levine from the United Hospital Fund testified that when she took her sister to the emergency room with severe abdominal pain, even though her sister asked her to stay with her in the room, a triage nurse said, “You can’t come with her.  It’s a HIPAA rule.”  When her sister replied, “But I want her with me,” the nurse responded, “no way.” (1) Congressman Tim Murphy also testified at that hearing and spoke of provider anxiety by saying, “Fearful of new penalties for violating HIPAA, doctors and nurses were refusing to even talk about a patient’s illness with caretakers, all of whom were [professional] caretakers, spouses, siblings, or those managing the affairs of their elderly parent.” (1)

These are examples of how incorrect versions of this law can actually work against the people it was designed to protect, the patients.  Withholding information does not protect anyone and is a violation of the patient’s rights.  There are numerous resources available to help healthcare professionals understand this law.  While some questions can be answered quickly by accessing the U.S. Department of Health and Human Service’s website, the best protection comes from thorough HIPAA training. (2)

Sources:
1. www.medscape.com/viewarticle/810648 (requires registration)
2. www.hhs.gov/ocr/privacy/hipaa/

Dentists: Don’t Forget HIPAA Compliance

Posted by HIPAA.com Staff
Since the inception of HIPAA in 1996, its broad implications have affected all areas of health care including dentistry. And, if asked, most dentists and their staff would say they know what the HIPAA regulations are, and yes, they have been trained, but are they really up to date with HIPAA’s ever expanding changes and compliance requirements?  Are they trained in the areas of HIPAA Security, Privacy, Enforcement and Breach Notification Rules and do they know that they must be in compliance with the 2013 HIPAA Omnibus Final Rule by September 23, 2013?
Compared to the ever-growing size of medical practices today, most dental offices are still rather small with just one to five dentists practicing together, and maintaining compliance is not easy for a small office. It requires a continual effort on the part of the dentist and the office staff. This commitment of time, people and resources is sometimes where the process hits a wall. Many dental offices did their initial training when the Privacy Rules were enacted but have not kept current with training, and often the HIPAA protocols that they put in place have fallen by the wayside. This is especially true in offices with a limited number of employees and frequent staff turnover.
Almost all dental practices submit their claims electronically to insurance companies, which subjects them to the HIPAA regulations in regards to electronic claims submission. But, are these offices following through with the certification requirements to safeguard and protect electronic patient information, and is there a written risk assessment?
Most offices are much more familiar with the HIPAA Privacy Rule. But, without the benefit of refresher training and instruction for new staff, these offices may not be fully adhering to the HIPAA privacy conditions.
The American Dental Association does offer resources and online webinars for dental offices to help them educate their staff and remain compliant with HIPAA laws. But, there are also many other online training programs, such as HIPAA School that are ideal for the small dental office…and besides providing a good solid base of instruction, they help offices stay on track with their HIPAA programs.
Dentists who realize the importance of training their staff regularly and making sure new hires are immediately well-informed and proficient in HIPAA law are much less likely to have any reported complaints or fail an audit. HIPAA training is crucial, not just because the office could be substantially fined if not in compliance, but because it is essential to protecting their patient’s private health information.

Since the inception of HIPAA in 1996, its broad implications have affected all areas of health care including dentistry. And, if asked, most dentists and their staff would say they know what the HIPAA regulations are, and yes, they have been trained, but are they really up to date with HIPAA’s ever expanding changes and compliance requirements?  Are they trained in the areas of HIPAA Security, Privacy, Enforcement and Breach Notification Rules and do they know that they must be in compliance with the 2013 HIPAA Omnibus Final Rule by September 23, 2013?

Compared to the ever-growing size of medical practices today, most dental offices are still rather small with just one to five dentists practicing together, and maintaining compliance is not easy for a small office. It requires a continual effort on the part of the dentist and the office staff. This commitment of time, people and resources is sometimes where the process hits a wall. Many dental offices did their initial training when the Privacy Rules were enacted but have not kept current with training, and often the HIPAA protocols that they put in place have fallen by the wayside. This is especially true in offices with a limited number of employees and frequent staff turnover.

Almost all dental practices submit their claims electronically to insurance companies, which subjects them to the HIPAA regulations in regards to electronic claims submission. But, are these offices following through with the certification requirements to safeguard and protect electronic patient information, and is there a written risk assessment?

Most offices are much more familiar with the HIPAA Privacy Rule. But, without the benefit of refresher training and instruction for new staff, these offices may not be fully adhering to the HIPAA privacy conditions.

The American Dental Association does offer resources and online webinars for dental offices to help them educate their staff and remain compliant with HIPAA laws. But, there are also many other online HIPAA training programs that are ideal for the small dental office…and besides providing a good solid base of instruction, they help offices stay on track with their HIPAA programs.

Dentists who realize the importance of training their staff regularly and making sure new hires are immediately well-informed and proficient in HIPAA law are much less likely to have any reported complaints or fail an audit. HIPAA training is crucial, not just because the office could be substantially fined if not in compliance, but because it is essential to protecting their patient’s private health information.

The post Dentists: Don’t Forget HIPAA Compliance appeared first on HIPAA.com.

HHS Publishes Technical Corrections to January 25, 2013, HIPAA Privacy, Security, and Enforcement Rules

Posted by Ed Jones

June 7, 2013.  Today, HHS published in the Federal RegisterTechnical Corrections to the HIPAA Privacy, Security, and Enforcement Rules” that were published on January 25, 2013, as the Final Rule:Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules.”

According to the Summary in today’s Corrections Final Rule:  “These technical corrections address certain inadvertent errors and omissions in the HIPAA Privacy, Security, and Enforcement Rules that are located at 45 CFR parts 160 and 164.

The effective date of the Corrections Final Rule is June 7, 2013.

The post HHS Publishes Technical Corrections to January 25, 2013, HIPAA Privacy, Security, and Enforcement Rules appeared first on HIPAA.com.

HIPAA Final Rule: Today is Effective Date–Covered Entities and Business Associates Have 180 Days to Comply

Posted by Ed Jones

March 26, 2013.  Today is the first big milestone since the January 25, 2013, publication in the Federal Register of the Final Rule:  Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act [HITECH Act] and the Genetic Information Nondiscrimination Act; Other Modifications of the HIPAA Rules. Today is the effective date of the Final Rule, and covered entities and business associates must comply by September 23, 2013.

Significant rules (defined by Executive Order 12866) and major rules (defined by the Small Business Regulatory Enforcement Fairness Act) are required to have a 60 day delayed effective date,” which was the case with the Final Rule discussed herein.

Here are comments from the preamble of the Final Rule pertaining to the effective and compliance dates:

“The final rule is effective on March 26, 2013.  Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule’s provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA.  We understand that some covered entities, business associates, and subcontractors remain concerned that a 180-day period does not provide sufficient time to come into compliance with the modifications. However, we believe not only that providing a 180-day compliance period best comports with section 1175(b)(2) of the Social Security Act, 42 U.S.C. 1320d–4, and our implementing provision at 45 CFR 160.104(c)(1), which require the Secretary to provide at least a 180-day period for covered entities to comply with modifications to standards and implementation specifications in the HIPAA Rules, but also that providing a 180-day compliance period best protects the privacy and security of patient information, in accordance with the goals of the HITECH Act.

“In addition, to make clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules, we adopt the provision we proposed at 45 CFR 160.105, which provides that with respect to new or modified standards or implementation specifications in the HIPAA Rules, except as otherwise provided, covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. In cases where a future modification necessitates a longer compliance period, the Department will expressly provide for one, as it has done in this rulemaking with respect to the time permitted for business associate agreements to be modified.

“For the reasons proposed, the final rule also retains the compliance date provisions at 45 CFR 164.534 and 164.318, which provide the compliance dates of April 14, 2003, and April 20, 2005, for initial implementation of the HIPAA Privacy and Security Rules, respectively. We note that 160.105 regarding the compliance date of new or modified standards or implementation specifications does not apply to modifications to the provisions of the HIPAA Enforcement Rule, because such provisions are not standards or implementation specifications (as the terms are defined at 160.103). Such provisions are in effect and apply at the time the final rule becomes effective or as otherwise specifically provided. In addition, as explained above, our general rule for a 180-day compliance period for new or modified standards would not apply where we expressly provide a different compliance period in the regulation for one or more provisions. For purposes of this rule, the 180-day compliance period would not govern the time period required to modify those business associate agreements that qualify for the longer transition period in 164.532….

“Finally, the provisions of section 13402(j) of the HITECH Act apply to breaches of unsecured protected health information discovered on or after September 23, 2009, the date of the publication of the interim final rule. Thus, during the 180 day period before compliance with this final rule is required, covered entities and business associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the interim final rule. We believe that this transition period provides covered entities and business associates with adequate time to come into compliance with the revisions in this final rule and at the same time to continue to fulfill their breach notification obligations under the HITECH Act.”

78 Federal Register 5569-5570

For provisions of the modifications of the Final Rule, you may access them through electronic Code of Federal Regulation links available at www.ecfr.gov.  On the opening screen, scroll down to “Title 45:  Public Welfare” and click “Go.”  Then, click on “1-199:  Subtitle A–Department of Health and Human Services.”  Scroll down to “Subchapter C: Administrative Date Standards and Related Requirements” for the “Parts” and “Subparts” of interest, click, and you can then access desired sections.  For example, Part 164 is “Security and Privacy,” and Subpart C is “Security Standards for the Protection of Electronic Protected Health Information,” Subpart D is “Notification in the Case of Breach of Unsecured Protected Health Information,” and Subpart E is” Privacy of Individually Identifiable Health Information.”

The post HIPAA Final Rule: Today is Effective Date–Covered Entities and Business Associates Have 180 Days to Comply appeared first on HIPAA.com.