Healthcare compliance training and discussion blog

Posts tagged ‘HIPAA security compliance’

Does the cloud provide an easier route to HIPAA compliance?


There is a lot of confusion about whether the cloud can be HIPAA compliant. The healthcare community itself is not sure and tends to see the cloud as a double-edged sword. On one side, the cloud presents a shimmering picture of a cost-effective option: it makes storing and analyzing massive amounts of data affordable. The other side looks bleaker, because many have yet to come to terms with the new HIPAA rule-set, especially the provisions of the recently published HIPAA omnibus rule. It is better to dig deeper and understand the issue than to speculate on the fringes about whether or not to migrate to the cloud.

The omnibus rule put forth last month has further tightened HIPAA's grip on those entrusted with the responsibility of protecting health information. The rule has also increased the penalties for business associates and covered entities that fail to comply with HIPAA. At present there are many misconceptions, as well as fear, about using the cloud, and as a result many healthcare organizations and health service providers are shying away from switching to it. For organizations that wish to play safe, not taking shelter under the latest cloud technology umbrella might result in a considerable loss in terms of both compliance and finances.

Can Cloud Computing Really Rescue Health Care And Make It HIPAA Compliant?

Recent times have revealed to the health care sector the various weird and amazing ways in which data breaches can and do occur. Many times they are caused by infrastructure loss, physical theft, or sheer negligence (someone forgets a laptop or forgets to shut down their PC).

The above scenarios of data exploitation and data theft are easier to manage with cloud technology. Cloud computing helps here because a provider such as Amazon publishes its physical security policies, spelling out everything that can be done with the data, and those controls stop many breaches. Cloud technology is certainly far more efficient than what a single group running its own infrastructure can accomplish after a great deal of its own investment. Reducing the number of health data breaches is thus the first benefit of cloud computing.

Deft, automated monitoring of the security and privacy of the infrastructure is the second benefit of the cloud. When the infrastructure is written as code, thousands of tests are run against it at various levels. Such thoroughly tested code provides a secure baseline: the expected results are automated, and the infrastructure behaves the way you want it to. Hence, when the infrastructure code starts to show changes, you immediately smell smoke and look for the cause, and investigating the reason for changes in your infrastructure ultimately makes your data more secure.

The HIPAA omnibus rule places great emphasis on the factors that put health data at risk and on breach notifications. Cloud service providers supply documentation that describes their processing systems in great detail, so remaining HIPAA compliant as well as cost-efficient no longer seems an uphill task. All the instructions that form part of the cloud computing program are written in plain, readable English that anybody in the health business can understand. This gives HIPAA officers full knowledge of compliance and non-compliance and of the decisions related to them. It also helps even non-technical staff gain an insight into the overall work of HIPAA compliance, which is certain to raise the overall efficiency of an organization.

Only six months are left for covered entities and their partners to become HIPAA compliant, so it is important that they take steps to understand these benefits of the new cloud computing.

Data breaches in the health sector have been damaging the credibility of many health institutions, and many times the culprits went untracked because they were smarter than the institutions' security systems. Shifting to the cloud is a major decision, which entities can take only when they thoroughly understand its contribution to lessening the financial burden as well as maintaining the strict rules of HIPAA compliance.

One wonders what is keeping these people on the fence when, one way or the other, they are left with no alternative but to migrate to the cloud!

About emPower
emPower is a leading provider of comprehensive Healthcare Compliance Solutions through a Learning Management System (LMS). Its mission is to provide innovative security solutions that enable compliance with applicable laws and regulations and maximize business performance. emPower provides a range of courses to manage compliance required by regulatory bodies such as OSHA, HIPAA, the Joint Commission and the Red Flag Rule. Apart from this, emPower also offers custom demos and tutorials for your website, business process management and software implementation.

Its Learning Management System (LMS) allows students to access all the courses 24/7/365 through the portal. The emPower e-learning training program is an interactive mode of learning that lets students progress at their own pace.

For additional information, please visit http://www.empowerbpo.com.

Media Contact (emPower)
Jason Gaya
marketing@empowerbpo.com

HIPAA Activity on the Rise


HIPAA Audit Program

The HIPAA audit program mandated by the HITECH Act is underway. HHS recently awarded KPMG $9.2 million to commence the program. To date, HHS review of covered entities has been complaint driven. Audit protocols will be developed for covered entities and business associates. The audits will begin late this year or early 2012, and consist of as many as 150 on-site audits of entities varying in type, size, and location. These audits can result in enforcement action if violations are discovered.

To prepare for a HIPAA audit, providers should perform an updated risk assessment and review their policies and procedures. HHS issued an audit checklist that identifies personnel who may be interviewed and documents that may be requested during an audit.

Accounting of Disclosures and Access Report

The long-anticipated rules regarding accounting of disclosures were proposed this May. There are two major changes covered entities and business associates will need to address: 1) accounting for treatment, payment, and health care operations disclosures, and 2) providing an access report.

Accounting for Disclosures

While the proposed rules broaden the accounting requirement to treatment, payment, and health care operations, HHS proposes to limit the accounting to information maintained in a designated record set for three years prior to the date of the request. There are also proposed exemptions, including disclosures for which breach notice was provided; abuse or neglect reports; patient safety work product; and disclosures for research, health oversight activities, decedents, and others required by law. Keep in mind these exemptions may still be subject to the Access Report. Other proposed changes include decreasing the response time to 30 days and specifically including business associates.

Access Report

This rule proposes that an individual may request a report describing who has accessed their PHI maintained in an electronic designated record set, including the date and time of access, the person or entity accessing the information, a description of the information, and what was done with the information.

Covered Entities must revise their Notice of Privacy Practices to notify individuals of their right to an accounting and an access report.
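The access report described above can only be produced if the system's audit trail already records every element the rule names. The following Python sketch is an added illustration (not part of the original article): it parses a constructed JSON Lines audit trail, refuses entries that lack a required element, and assembles the chronological report for one patient. The log format and field names are assumptions made for this example, not any real EHR vendor's schema.

```python
import json
from datetime import datetime, timezone

# Constructed sample audit trail (JSON Lines). Field names are assumptions.
SAMPLE_AUDIT_LOG = """\
{"ts": "2011-06-01T08:15:00Z", "actor": "jdoe (RN)", "patient_id": "MRN-1001", "record": "Medication list", "action": "view"}
{"ts": "2011-06-01T09:02:30Z", "actor": "billing-svc", "patient_id": "MRN-1001", "record": "Encounter 4471 billing form", "action": "print"}
{"ts": "2011-06-02T14:40:12Z", "actor": "asmith (MD)", "patient_id": "MRN-2002", "record": "Lab results", "action": "view"}
{"ts": "2011-05-30T17:55:00Z", "actor": "asmith (MD)", "patient_id": "MRN-1001", "record": "Progress note", "action": "edit"}
{"ts": "2011-06-03T11:20:45Z", "actor": "hl7-export", "patient_id": "MRN-1001", "record": "Demographics", "action": "export to health plan"}
"""

# Elements the proposed rule says the report must show, mapped onto the audit
# fields that must therefore be captured at the moment of access.
REQUIRED_FIELDS = {
    "ts": "date and time of access",
    "actor": "person or entity accessing the information",
    "record": "description of the information",
    "action": "what was done with the information",
    "patient_id": "whose record was accessed (selects the report)",
}


def parse_audit_log(text):
    """Parse JSON Lines audit entries, rejecting any that cannot support the report."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: malformed audit entry") from exc
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            # A trail that drops any element cannot produce a complete report.
            raise ValueError(f"line {lineno}: missing {missing}")
        # Accept a trailing 'Z' (UTC) as well as explicit offsets.
        entry["ts"] = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
        entries.append(entry)
    return entries


def access_report(entries, patient_id):
    """Return the chronological access report rows for one patient's records."""
    rows = sorted((e for e in entries if e["patient_id"] == patient_id),
                  key=lambda e: e["ts"])
    return [
        {
            "date_time": e["ts"].astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "accessed_by": e["actor"],
            "information": e["record"],
            "action": e["action"],
        }
        for e in rows
    ]


def format_report(patient_id, rows):
    """Render the report as plain text suitable for handing to the individual."""
    lines = [f"Access report for {patient_id} ({len(rows)} accesses)"]
    for r in rows:
        lines.append(f"{r['date_time']}  {r['accessed_by']:<14} "
                     f"{r['action']:<22} {r['information']}")
    return "\n".join(lines)


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    print(format_report("MRN-1001", access_report(entries, "MRN-1001")))
```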

Monetary Penalties

For the first time this year, there were three major monetary penalties issued for HIPAA violations. These include a $4.3 million penalty involving failure to provide access, a $1 million penalty involving loss of PHI, and most recently an $865,500 penalty involving unauthorized employee access to electronic PHI. Another reason to update your HIPAA program!

Joy Kosiewicz is an attorney in the Health Care Group at Brouse McDowell in Akron.

HIPAA vs The Cloud


HIPAA Compliance: The objective behind

The sensitivity of every person's individual health record is highly significant, and protecting it is what HIPAA security compliance ensures: it aims to protect an individual's information that is obtained, created, used and maintained electronically at a particular healthcare unit or hospital. Under this rule, the healthcare unit is responsible for taking every measure to keep this information confidential, secure and reliable, and free from any electronic interference. But healthcare units usually find it tough to meet the expectations of the security rule, and abiding by its directives requires a more technical approach.

Healthcare unit’s responsibility in ensuring HIPAA security compliance

Under HIPAA security compliance, each of the three aspects, namely administrative, technical and physical safeguards, has to be met through implementation specifications, which set out how each aspect is to be satisfied. A healthcare unit or hospital has to either implement the given implementation specification, implement an alternative security measure that achieves the same objective, or put neither into practice. Whichever choice it makes, as part of HIPAA compliance the body has to document that choice, and the documentation must also record the basis of the evaluation on which the decision was reached. The visible outcome of all this is a challenge for IT professionals working in the health sector.

Shouldering HIPAA compliance responsibility with cloud computing vendor

Unsurprisingly, the emergence of cloud computing looked like it would ease the situation, though it calls for caution, since an outside agency, the cloud provider acting as a business associate, is now involved alongside the healthcare unit. Because of this vendor-client partnership, the ultimate responsibility for HIPAA compliance, which rests with the healthcare unit, becomes shared with the vendor, since implementation is carried out at the vendor's end. There is thus much room for sensitive information to leak at the remote location where the cloud model has been set up. In this situation the healthcare unit still has to adhere to all the security aspects and implementation specifications discussed above in order to satisfy the HIPAA security rule. In the process, it will have to extend its oversight and control to the cloud computing associate's location in matters such as integrity, encryption, and data transfer and management, which it earlier left to the business associate because of contractual limitations or budget constraints.

Documentation of roles

In this way the healthcare unit has an opportunity to assign equal responsibility to its cloud computing business associate and keep it under scrutiny, treating HIPAA compliance not just as the healthcare unit's liability but equally as the vendor's accountability. The unit's documented procedures can include the extent to which it has involved the vendor, and the unit can in turn ask the vendor to document its own procedures and practices for following the technical requirements and HIPAA compliance as a whole.

While cloud computing can be the technical answer for healthcare IT professionals seeking to satisfy HIPAA security compliance, healthcare organisations can ensure strict adherence to the HIPAA rules by sharing responsibility equally with their cloud computing business associates.

About emPower eLearning

For additional information, please visit http://www.empowerbpo.com/HIPAA_Compliance_Training.html.

Day-Long HIPAA Boot Camp Targets HIM Professionals


The 2011 annual convention of the American Health Information Management Association, Oct. 1-6 in Salt Lake City, features a series of in-depth post conference educational sessions on the 6th, including an eight-hour HIPAA Privacy and Security Boot Camp.

The camp is designed for health information management directors, other professionals with little or no privacy experience who are taking on a new role as a privacy officer or would like to, and existing privacy officers who want a better understanding of regulations and issues.

“I’m not going to assume they know too much,” says Kelly McLendon, the presenter and founder of HIXperts, a Titusville, Fla.-based consultancy. “I’m not going to leave anyone behind, but at the same time will go beyond the basics.”

McLendon will cover the tools of HIPAA privacy compliance, such as policy templates, spreadsheets and other forms for specific functions, such as cataloging records systems with protected health information. He’ll cover expected requirements in a final omnibus HIPAA rule expected this year covering the privacy, security, breach notification and enforcement rules, and also cover privacy regulations from the HHS Substance Abuse and Mental Health Services Administration.

“This is a very deep view of HIPAA for HIM and privacy professionals, but we will start from the basics and make sure everyone understands from the ground up,” McLendon says. More information on educational session 7004, “HIPAA Privacy and Security Boot Camp,” which starts at 9:00 a.m., is available at ahima.org.

This article was originally posted at http://www.healthdatamanagement.com/news/hipaa-ahima-privacy-security-breach-43164-1.html

Tips on PCI DSS Compliance


Too many healthcare organizations have overlooked their obligation to comply with the Payment Card Industry Data Security Standard, says security expert Tom Walsh. Compliance with PCI DSS, designed to help prevent credit card fraud and theft, can help healthcare organizations comply with the HIPAA security rule as well, Walsh stresses. That’s because PCI DSS offers far more security specifics than HIPAA, including, for example, specific password requirements, he notes.

“If an organization can meet all of the requirements of PCI, it’s going to be in great shape when it comes to HIPAA security compliance,” Walsh contends. “The problem is that most organizations just can’t afford right now to invest in their infrastructure as well as all of the controls required to meet all the standards required in PCI. If they could, it would be a great help with HIPAA.”

Large payment card transaction volume merchants, including many hospitals, must have independent audits and frequent vulnerability tests, Walsh explains. Those with smaller payment card transaction levels are required to conduct a self-assessment and complete a “self-assessment questionnaire.” All merchants are required to complete an “attestation of compliance.”

In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity.com, Walsh offers an overview of PCI DSS and suggests key compliance steps, including:

  • Creating a diagram that shows how credit transactions are handled;
  • Identifying all applications and systems involved and creating an inventory of all card reading devices;
  • Conducting an initial self-assessment and creating a plan to remediate any problems identified;
  • Creating a credit card handling policy and training staff annually on how to carry it out.

On May 18, Walsh will conduct an in-depth webinar on PCI DSS compliance in partnership with Information Security Media Group.

Walsh, CISSP, is president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on information security. He has conducted numerous presentations on PCI and has helped dozens of healthcare organizations conduct PCI self-assessments. Walsh also serves as information security officer at San Antonio Community Hospital on an outsourced basis.

HOWARD ANDERSON: For starters, please briefly describe the Payment Card Industry Data Security Standard and who must comply.

TOM WALSH: … To counter the threat of fraud, and unintentional security breaches, the major credit card companies worked collaboratively to create a common industry standard. … In September of 2006, the five major credit card companies formed the organization called the PCI Security Standards Council, and what the council tried to do was come up with a set of standard data security criteria that they wanted all the organizations that handle or process credit cards to follow.

The standard itself covers both technical and operational system components associated with the card holder data environment. It includes things like the access to credit card data, transferring the information, storage of the information, retention and disposal. They’ve been updating the standard over the years, and the current version of the PCI Data Security Standard is Version 2.0.

…Mainly the goals are to build and maintain a secure network, protect the card holder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test the networks, and then maintain an information security policy. These are all good things and generally considered common practices.

One thing I want to point out is that many people get confused, and they wonder whether this applies to the entire network and to the entire organization. But it really pertains only to those systems or applications that are used for the storage, processing or transmission of cardholder data. That is why a lot of organizations try to segregate out credit card data transactions from their other operations.

Security Controls

ANDERSON: Many healthcare organizations have been focused heavily on complying with HIPAA’s privacy and security rules, while sometimes overlooking other industry standards, such as PCI. So tell us about security controls that PCI requires.

WALSH: Many organizations are worried about complying with HIPAA, and they’ve forgotten that PCI applies globally to any organization that stores or processes or transmits card holder data. So most healthcare organizations accept credit cards for payment for co-pays or for paying for their services outright. As part of this, they have to go in and look at these security requirements and they have to do what’s called a self-assessment, and that is a questionnaire form they have to fill out and it has certain criteria. The criteria are based on the environment in which your credit card processing takes place.

While the council is really responsible for managing the data security standards, each of the credit card brands maintains its own separate compliance and enforcement program, which makes it a little bit of a challenge. Each card brand has their own determination for validation of compliance, and most of it is based on reporting, and the reporting is usually a requirement for the acquiring financial institutions or banks, or the merchant service processors that work with the organization when they process credit cards.

Generally they’ll ask for … some kind of a letter to provide evidence or proof that the healthcare organization that is processing the credit cards is, indeed, in compliance with the PCI data security standard.

Now sometimes a breach may occur, and that is when these organizations will get involved, and then they’ll want to see proof that you’ve been compliant over the years. …

One of the things I’ve seen, which is a trend, is that the banks or merchant service processors are now sending letters to [certain] organizations and they are asking them to prove that they’re compliant by going online to a website and completing their self-assessment questionnaire. …

The other part about this that can be difficult is that when you go on the website to complete the self-assessment questionnaire, many times what is included in that registration process is a vulnerability scan that will be conducted by the organization that the bank or merchant service processor has contracted to go out and conduct the scan. …

The other thing is, who gets these letters? Generally it’s not going to end up with IT or information security; it usually will end up with whoever in the organization has the relationship with the bank or the credit card company. So the bad news is, somebody could be getting this letter and not know what to do with it, and either hold on to it or ignore it. And meanwhile, the folks who really know what they should be doing about it aren’t getting the word.

So as far as a compliance audit … you should be doing it on an annual basis. … In most cases, my clients, when they go through this, they’ll hold on to the result of it and won’t turn it over unless they are asked to produce it.

PCI Compliance

ANDERSON: So what are a few of the steps that an organization can take to assess whether they are PCI compliant now?

WALSH: Well some of the things that they need to look at is to figure out who in their organization is handling or processing credit cards. So you’ve got to look at the various departments. Now in a hospital, it will typically be the departments such as admitting, registration or patient access … where the patient first checks in and pays for a co-pay. It could be the cashier at the hospital. Patient financial services, which does the patient billing, handles credit cards [as do the] gift shops, cafeteria, any of the outpatient services, such as the pharmacy … or clinics or urgent care centers or if the organization sells or rents medical equipment and supplies. So those would be areas where credit cards are being handled. So the first step is really getting a handle on the environment itself.

The next step would be to determine who really owns the PCI project. … They need a high-level executive to take ownership of it. You need to determine what merchant level and type you are, based on the number of transactions you process and the environment that you process it in: are you using just point-of-sale terminals or are you using some secure website for processing transactions? Then create a transaction work flow map or a diagram that shows how credit card transactions take place in the organization, and where all the data may reside so you have an idea then of what you need to assess. Then identify the applications and systems associated with the processing, storage and transmission of the credit card data. You might want to do an inventory of any of your point-of-sale terminals or cash register systems, or card readers that attach to a workstation.

Then you would conduct your initial self assessment, filling out the self assessment questionnaire. Sometimes [those doing this for the] first time … may want to call upon a vendor for some help with that. Once they have done the assessment, they will probably find some shortcomings, and that would be something you would put in a report of findings to your executive management to make a determination of the next steps through some type of an action plan, and what is it going to cost to remediate these. What kinds of resources do we need?

Some simple things … that need to be done include creating a credit card handling policy and then conducting awareness training for all your employees. Now the requirement is to train everyone who is handling credit cards when they are newly hired and then annually. And part of that annual training is that the employee has to acknowledge that they received a copy of the credit card handling policy and understand what their responsibilities are. So those are some of the key steps that need to be taken right away.

HIPAA, PCI Overlap

ANDERSON: And is there any overlap between what HIPAA requires and what PCI requires?

WALSH: Well there is some overlap. The HIPAA security rule is kind of vague. It was written that way so it could be scalable. So it doesn’t give you a lot of detail, whereas the PCI Data Security Standard is very specific and detailed in its requirements. So for example … within the HIPAA security rule there is really no specification for passwords other than under the standard of security awareness training that we have to conduct password management training and we have to teach people how to manage their passwords. But when you look under the technical safeguard section, it talks about authentication but it doesn’t specify passwords, which is probably the most commonly used method today in healthcare of authenticating a user. When you look at PCI, they have eight specific requirements on passwords. So they specify things like minimum password length and complexity, history and password expirations; it’s very detailed.

So, if an organization can meet all of the requirements of PCI, you’re going to be in great shape when it comes to HIPAA security compliance. The problem is that most organizations just can’t afford right now to invest in their infrastructure as well as all the controls that are required to meet all the standards in PCI. If they could, it would be a great help with HIPAA.

ANDERSON: Finally, you’ll be offering a webinar on PCI compliance strategies May 18, so tell us what information you are planning to provide in that event.

WALSH: In that webinar, I’m going to go into more detail about the PCI Data Security Standard. I’ll also be talking about some of the common mistakes that I’ve seen in healthcare organizations as far as addressing the standard. We’ll provide a more detailed action plan. …

This article was originally posted at http://www.healthcareinfosecurity.com/articles.php?art_id=3581&pg=3

Cost Effective HIPAA Compliance Training Programs


emPower eLearning Solutions is excited to offer a training solution that will help organizations train their entire workforce in a timely and cost-effective manner. emPower eLearning Solutions Compliance Training is devoted to helping organizations meet the Administrative Simplification Act section 164.530(b)(1). This section requires employers to provide HIPAA awareness training and job-role policy training. Our course is designed to reach all levels of employees, from providers to billing clerks to housekeeping.

HIPAA’s intent is to reform the healthcare industry by reducing costs, simplifying administrative processes and burdens, and improving the privacy and security of patients’ information.

For more information: http://www.empowerbpo.com/HIPAA_Compliance_Training.html

Patient info lost on subway earns MGH $1 million HIPAA fine


Massachusetts General Hospital will pay the U.S. government $1 million to settle what the feds are calling “potential violations of the HIPAA Privacy Rule,” according to a statement issued by the U.S. Department of Health and Human Services. The case involves patient information that an employee left on the subway.

This marks the second fine related to HIPAA noncompliance in a week. The first fine, imposed on Cignet Health, was a $4.3 million civil penalty, mostly for failing to cooperate with an investigation.

The settlement follows a probe by HHS’ Office for Civil Rights, which enforces HIPAA rules that require healthcare providers to protect the privacy of patient information through administrative, physical and technical safeguards.

“We hope the healthcare industry will take a close look at this agreement and recognize that OCR is serious about HIPAA enforcement. It is a covered entity’s responsibility to protect its patients’ health information,” OCR Director Georgina Verdugo said in a statement.

The possible HIPAA violation occurred after a Mass General employee left the documents on a subway in March 2009. The documents consisted of protected health information for 192 patients of MGH’s Infectious Disease Associates outpatient practice, which includes HIV/AIDS patients. The investigation found that Mass General failed to implement “reasonable, appropriate safeguards to protect the privacy of PHI” removed from Mass General’s premises and disclosed, potentially violating the HIPAA rule.

A patient schedule containing names and medical records numbers, as well as billing forms that included names, dates of birth, diagnoses, insurer policy numbers and providers, were among documents lost.

As part of a corrective action plan, MGH has promised to develop comprehensive policies and procedures to ensure PHI is protected when removed from the MGH premises, train its workforce on the policies and send twice-yearly reports to HHS for three years.
