Healthcare compliances training and discussion blog

Posts tagged ‘HIPAA Training’

Does the cloud provide an easier route to HIPAA compliance?


There is a lot of confusion about whether the cloud can be HIPAA compliant. The healthcare community itself is not sure and sees the cloud as a double-edged sword. On one side, the cloud presents a shimmering picture of a cost-effective option: it makes storing and analyzing massive amounts of data affordable. The other side looks bleaker, because many have yet to come to terms with the new HIPAA rule-set, especially the requirements that are part of the recently published HIPAA omnibus rule. Rather than speculating from the fringes about whether or not to migrate to the cloud, it is better to dig deeper and understand the question.

The omnibus rule put forth last month has further tightened HIPAA's grip on those entrusted with the responsibility of protecting health information. The rule has also increased the penalties for business associates and covered entities that fail to comply with HIPAA. At present there are many misconceptions, as well as fear, about using the cloud, and as a result many healthcare organizations and health service providers are shying away from switching over to it. For organizations that wish to play safe, not taking shelter under the latest cloud technology umbrella might mean losing a good deal in terms of both compliance and finances.

Can Cloud Computing Really Rescue Health Care And Make It HIPAA Compliant?

Recent times have revealed to the healthcare sector the many weird and surprising ways in which data breaches can occur, and do occur. Often they result from infrastructure loss, physical theft, or sheer negligence (someone forgets a laptop or forgets to shut down their PC).

The above scenarios of data exploitation and data theft are easier to manage with cloud technology. Cloud computing can help because you can stop such breaches by relying on the physical security policies of a provider such as Amazon, which publishes everything that can be done with the data. Cloud technology is most certainly far more efficient than what a single group running its own infrastructure can accomplish after a lot of its own investment. A reduction in the number of health data breaches is therefore the first benefit of cloud computing.

Deft monitoring of the security and privacy of the infrastructure through automation is the second benefit of the cloud. When the infrastructure is written as code, thousands of tests are run against it at various levels. Such thoroughly tested code provides a secure base: everything is automated to produce the expected results, and the infrastructure works the way you want it to. So when the infrastructure code starts to show changes, you immediately smell smoke and try to find out the reason. Searching for the reason behind changes in your infrastructure ultimately makes you provide more security for your data.

The HIPAA omnibus rule places great emphasis on the factors that put health data at risk and on breach notification. Cloud service providers supply highly detailed documentation of their processing systems, so remaining HIPAA compliant as well as cost-efficient does not seem such an uphill task. The instructions that come with the cloud computing program are written in plain, simple English that anybody in the health business can understand. This gives HIPAA operators full knowledge of compliance and non-compliance and the related decisions. It also helps even non-technical staff gain insight into the overall work of HIPAA compliance, which is certain to raise the overall efficiency of an organization.

Only six months are left for covered entities and their partners to become HIPAA compliant, so it is important that they take steps now to understand these benefits of cloud computing.

Data breaches in the health sector have damaged the credibility of many health institutions, and many times the culprits were never tracked down because they were smarter than the institutions' security systems. Shifting to the cloud is a major decision that entities can take only when they thoroughly understand how it lessens the financial burden while maintaining the strict rules of HIPAA compliance.

One wonders what is keeping these people on the fence when, one way or the other, they are left with no alternative but to migrate to the cloud!

About emPower
emPower is a leading provider of comprehensive Healthcare Compliance Solutions through a Learning Management System (LMS). Its mission is to provide innovative security solutions that enable compliance with applicable laws and regulations and maximize business performance. emPower provides a range of courses to manage compliance required by regulatory bodies such as OSHA, HIPAA, the Joint Commission and the Red Flag Rule. Apart from this, emPower also offers custom demos and tutorials for your website, business process management and software implementation.

Its Learning Management System (LMS) allows students to access all courses 24/7/365 through the portal. The emPower e-learning training program is an interactive mode of learning that lets students progress at their own pace.

For additional information, please visit http://www.empowerbpo.com.

Media Contact (emPower)
Jason Gaya
marketing@empowerbpo.com


Safeguard your confidential data by implementing HIPAA Privacy Rule’s De-Identification Standard


HIPAA, the Health Insurance Portability and Accountability Act, is a legislative act passed in 1996 that changed healthcare administration. For years we have researched its Security Rule along with its three types of security safeguards: administrative, physical and technical.

Among those three safeguards, we have already delved into the administrative safeguards and their required and addressable implementation specifications. In this article, we examine the key factors of the technical and physical safeguards of the Security Rule. The motive of this article is to simplify and state the main concepts of the HIPAA Privacy Rule's De-Identification Standard.

Physical Safeguards

The physical safeguard rule laid down under the HIPAA Privacy Rule's De-Identification Standard deals with the strategies and procedures that must be implemented to control physical access to systems or devices containing health information, and to the facilities housing electronic records.

It is therefore mandatory to take maximum care when adding hardware and software that handles Protected Health Information (PHI) to the network, and when removing it. Utmost care must be taken when disposing of any equipment that is nearing retirement, so that PHI contained in such systems is not compromised.

  • Health data stored on the equipment must be carefully controlled and monitored.
  • Access to the hardware and software must be handled by properly trained and authenticated individuals.
  • Workstations must be situated away from high-traffic areas so that monitor screens are not in direct view of the public.
  • Whoever engages the services of contractors and agents must ensure that they are professionally trained and aware of their duties and responsibilities.

Technical Safeguards

Technical safeguards deal with the measures that must be implemented when transmitting health information electronically over open networks, so that the information does not fall into the wrong hands.

  • The responsible entity must follow strict procedures to ensure information integrity, including digital signatures, checksums and message authentication.
  • Implement proper methods to confirm that the entity seeking access to electronic records is the one it claims to be; mechanisms for this include card systems, password systems, call-back procedures and hand signs.
  • Draft and maintain all policies and practices implemented for the HIPAA Privacy Rule's De-Identification Standard, so that they can be presented whenever compliance auditors require them.
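The first bullet lists checksums and message authentication together, but they are not equivalent protections. The following added example (not code from the original article or from emPower) shows the difference on a constructed PHI record: an unkeyed checksum only catches accidental corruption, because anyone who alters the payload can recompute it, whereas an HMAC tag computed with a key shared between sender and receiver fails verification when either the payload or the tag is changed. The record, the key and the function names are all constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Any


def canonical_bytes(record: dict[str, Any]) -> bytes:
    """Serialise a record deterministically so sender and receiver hash identical bytes
    even if their dictionaries list the fields in a different order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


# --- Unkeyed checksum: integrity against accidental corruption only -------------

def plain_checksum(record: dict[str, Any]) -> str:
    """SHA-256 over the canonical bytes; no secret is involved."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def attach_checksum(record: dict[str, Any]) -> dict[str, Any]:
    return {"payload": record, "checksum": plain_checksum(record)}


def verify_checksum(message: dict[str, Any]) -> bool:
    """Passes whenever checksum matches payload, including after a tamperer
    rewrote the payload and recomputed the checksum themselves."""
    return hmac.compare_digest(plain_checksum(message["payload"]), message["checksum"])


# --- Keyed message authentication: integrity against deliberate tampering ------

def sign_record(record: dict[str, Any], key: bytes) -> dict[str, Any]:
    """Attach an HMAC-SHA256 tag computed with the key shared by both parties."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"payload": record, "tag": tag}


def verify_record(message: dict[str, Any], key: bytes) -> bool:
    """Recompute the tag with the shared key and compare in constant time.
    Missing fields, a modified payload, a modified tag or the wrong key all fail."""
    tag = message.get("tag")
    payload = message.get("payload")
    if not isinstance(tag, str) or not isinstance(payload, dict):
        return False
    expected = hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


# Constructed sample data (hypothetical key and record, not real PHI).
SHARED_KEY = b"hypothetical-shared-key-replace-in-production"
PHI_RECORD = {"patient_id": "P-0001", "lab": "HbA1c", "result": "6.1%", "date": "2013-02-14"}


def demo() -> dict[str, bool]:
    """Run both schemes against the same tampering and report what each detects."""
    tampered = dict(PHI_RECORD, result="9.9%")

    # Checksum scheme: the tamperer simply recomputes the checksum, so it still verifies.
    forged_checksum_msg = attach_checksum(tampered)

    # HMAC scheme: without SHARED_KEY the tamperer can only keep the old tag or guess a key.
    genuine = sign_record(PHI_RECORD, SHARED_KEY)
    old_tag_reused = {"payload": tampered, "tag": genuine["tag"]}
    guessed_key = sign_record(tampered, b"attacker-guess")

    return {
        "checksum_accepts_forgery": verify_checksum(forged_checksum_msg),  # True
        "hmac_accepts_genuine": verify_record(genuine, SHARED_KEY),        # True
        "hmac_accepts_old_tag": verify_record(old_tag_reused, SHARED_KEY),  # False
        "hmac_accepts_guessed_key": verify_record(guessed_key, SHARED_KEY),  # False
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

In practice the shared key must be provisioned out of band and rotated; a digital signature (a private key on the sender, a public key on the receiver) gives the same tamper detection without a shared secret and additionally lets the receiver prove who sent the record.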

Implementation Specifications

We cannot ignore healthcare compliance, as it is essential to safeguarding Protected Health Information.

A system is required that takes utmost care of health information; for this, healthcare providers such as doctors, hospitals and health plans must be given a unique identifier. At present most of them use either a tax ID number or an employer identification number.

The Security and Privacy Rules lay down provisions to ensure that people's personal records are secured, kept confidential and not misused. Anyone failing to follow the rules can be fined up to $250,000 under HIPAA, with possible jail time for severe enough violations. The HIPAA rule was indeed designed and created to ease the massive process of healthcare administration.


Day-Long HIPAA Boot Camp Targets HIM Professionals


The 2011 annual convention of the American Health Information Management Association, Oct. 1-6 in Salt Lake City, features a series of in-depth post-conference educational sessions on the 6th, including an eight-hour HIPAA Privacy and Security Boot Camp.

The camp is designed for health information management directors, other professionals with little or no privacy experience who are taking on a new role as a privacy officer or would like to, and existing privacy officers who want a better understanding of regulations and issues.

“I’m not going to assume they know too much,” says Kelly McLendon, the presenter and founder of HIXperts, a Titusville, Fla.-based consultancy. “I’m not going to leave anyone behind, but at the same time will go beyond the basics.”

McLendon will cover the tools of HIPAA privacy compliance, such as policy templates, spreadsheets and other forms for specific functions, such as cataloging records systems that contain protected health information. He will cover the expected requirements of the final omnibus HIPAA rule, expected this year, covering the privacy, security, breach notification and enforcement rules, and will also cover privacy regulations from the HHS Substance Abuse and Mental Health Services Administration.

“This is a very deep view of HIPAA for HIM and privacy professionals, but we will start from the basics and make sure everyone understands from the ground up,” McLendon says. More information on educational session 7004, “HIPAA Privacy and Security Boot Camp,” which starts at 9:00 a.m., is available at ahima.org.

This article was originally posted at http://www.healthdatamanagement.com/news/hipaa-ahima-privacy-security-breach-43164-1.html

Tips on PCI DSS Compliance


Too many healthcare organizations have overlooked their obligation to comply with the Payment Card Industry Data Security Standard, says security expert Tom Walsh. Compliance with PCI DSS, designed to help prevent credit card fraud and theft, can help healthcare organizations comply with the HIPAA security rule as well, Walsh stresses. That’s because PCI DSS offers far more security specifics than HIPAA, including, for example, specific password requirements, he notes.

“If an organization can meet all of the requirements of PCI, it’s going to be in great shape when it comes to HIPAA security compliance,” Walsh contends. “The problem is that most organizations just can’t afford right now to invest in their infrastructure as well as all of the controls required to meet all the standards required in PCI. If they could, it would be a great help with HIPAA.”

Large payment card transaction volume merchants, including many hospitals, must have independent audits and frequent vulnerability tests, Walsh explains. Those with smaller payment card transaction levels are required to conduct a self-assessment and complete a “self-assessment questionnaire.” All merchants are required to complete an “attestation of compliance.”

In an interview (transcript below) with Howard Anderson, executive editor of HealthcareInfoSecurity.com, Walsh offers an overview of PCI DSS and suggests key compliance steps, including:

  • Creating a diagram that shows how credit transactions are handled;
  • Identifying all applications and systems involved and creating an inventory of all card reading devices;
  • Conducting an initial self-assessment and creating a plan to remediate any problems identified;
  • Creating a credit card handling policy and training staff annually on how to carry it out.

On May 18, Walsh will conduct an in-depth webinar on PCI DSS compliance in partnership with Information Security Media Group.

Walsh, CISSP, is president of Tom Walsh Consulting, an Overland Park, Kan.-based firm that advises healthcare organizations on information security. He has conducted numerous presentations on PCI and has helped dozens of healthcare organizations conduct PCI self-assessments. Walsh also serves as information security officer at San Antonio Community Hospital on an outsourced basis.

HOWARD ANDERSON: For starters, please briefly describe the Payment Card Industry Data Security Standard and who must comply.

TOM WALSH: … To counter the threat of fraud, and unintentional security breaches, the major credit card companies worked collaboratively to create a common industry standard. … In September of 2006, the five major credit card companies formed the organization called the PCI Security Standards Council, and what the council tried to do was come up with a set of standard data security criteria that they wanted all the organizations that handle or process credit cards to follow.

The standard itself covers both technical and operational system components associated with the card holder data environment. It includes things like the access to credit card data, transferring the information, storage of the information, retention and disposal. They’ve been updating the standard over the years, and the current version of the PCI Data Security Standard is Version 2.0.

…Mainly the goals are to build and maintain a secure network, protect the card holder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test the networks, and then maintain an information security policy. These are all good things and generally considered common practices.

One thing I want to point out is that many people get confused, and they wonder whether this applies to the entire network and to the entire organization. But it really pertains only to those systems or applications that are used for the storage, processing or transmission of cardholder data. That is why a lot of organizations try to segregate out credit card data transactions from their other operations.

Security Controls

ANDERSON: Many healthcare organizations have been focused heavily on complying with HIPAA’s privacy and security rules, while sometimes overlooking other industry standards, such as PCI. So tell us about security controls that PCI requires.

WALSH: Many organizations are worried about complying with HIPAA, and they’ve forgotten that PCI applies globally to any organization that stores or processes or transmits card holder data. So most healthcare organizations accept credit cards for payment for co-pays or for paying for their services outright. As part of this, they have to go in and look at these security requirements and they have to do what’s called a self-assessment, and that is a questionnaire form they have to fill out and it has certain criteria. The criteria are based on the environment in which your credit card processing takes place.

While the council is really responsible for managing the data security standards, each of the credit card brands maintains its own separate compliance and enforcement program, which makes it a little bit of a challenge. Each card brand has their own determination for validation of compliance, and most of it is based on reporting, and the reporting is usually a requirement for the acquiring financial institutions or banks, or the merchant service processors that work with the organization when they process credit cards.

Generally they’ll ask for … some kind of a letter to provide evidence or proof that the healthcare organization that is processing the credit cards is, indeed, in compliance with the PCI data security standard.

Now sometimes a breach may occur, and that is when these organizations will get involved, and then they’ll want to see proof that you’ve been compliant over the years. …

One of the things I’ve seen, which is a trend, is that the banks or merchant service processors are now sending letters to [certain] organizations and they are asking them to prove that they’re compliant by going online to a website and completing their self-assessment questionnaire. …

The other part about this that can be difficult is that when you go on the website to complete the self-assessment questionnaire, many times what is included in that registration process is a vulnerability scan that will be conducted by the organization that the bank or merchant service processor has contracted to go out and conduct the scan. …

The other thing is, who gets these letters? Generally it’s not going to end up with IT or information security; it usually will end up with whoever in the organization has the relationship with the bank or the credit card company. So the bad news is, somebody could be getting this letter and not know what to do with it, and either hold on to it or ignore it. And meanwhile, the folks who really know what they should be doing about it aren’t getting the word.

So as far as a compliance audit … you should be doing it on an annual basis. … In most cases, my clients, when they go through this, they’ll hold on to the result of it and won’t turn it over unless they are asked to produce it.

PCI Compliance

ANDERSON: So what are a few of the steps that an organization can take to assess whether they are PCI compliant now?

WALSH: Well some of the things that they need to look at is to figure out who in their organization is handling or processing credit cards. So you’ve got to look at the various departments. Now in a hospital, it will typically be the departments such as admitting, registration or patient access … where the patient first checks in and pays for a co-pay. It could be the cashier at the hospital. Patient financial services, which does the patient billing, handles credit cards [as do the] gift shops, cafeteria, any of the outpatient services, such as the pharmacy … or clinics or urgent care centers or if the organization sells or rents medical equipment and supplies. So those would be areas where credit cards are being handled. So the first step is really getting a handle on the environment itself.

The next step would be to determine who really owns the PCI project. … They need a high-level executive to take ownership of it. You need to determine what merchant level and type you are, based on the number of transactions you process and the environment that you process it in: are you using just point-of-sale terminals or are you using some secure website for processing transactions. Then create a transaction work flow map or a diagram that shows how credit card transactions take place in the organization, and where all the data may reside, so you have an idea then of what you need to assess. Then identify the applications and systems associated with the processing, storage and transmission of the credit card data. You might want to do an inventory of any of your point-of-sale terminals or cash register systems, or card readers that attach to a workstation.

Then you would conduct your initial self-assessment, filling out the self-assessment questionnaire. Sometimes [those doing this for the] first time … may want to call upon a vendor for some help with that. Once they have done the assessment, they will probably find some shortcomings, and that would be something you would put in a report of findings to your executive management to make a determination of the next steps through some type of an action plan, and what it is going to cost to remediate these. What kinds of resources do we need?

Some simple things … that need to be done include creating a credit card handling policy and then conducting awareness training for all your employees. Now the requirement is to train everyone who is handling credit cards when they are newly hired and then annually. And part of that annual training is that the employee has to acknowledge that they received a copy of the credit card handling policy and understand what their responsibilities are. So those are some of the key steps that need to be taken right away.

HIPAA, PCI Overlap

ANDERSON: And is there any overlap between what HIPAA requires and what PCI requires?

WALSH: Well there is some overlap. The HIPAA security rule is kind of vague. It was written that way so it could be scalable. So it doesn’t give you a lot of detail, whereas the PCI Data Security Standard is very specific and detailed in its requirements. So for example … within the HIPAA security rule there is really no specification for passwords other than under the standard of security awareness training that we have to conduct password management training and we have to teach people how to manage their passwords. But when you look under the technical safeguard section, it talks about authentication but it doesn’t specify passwords, which is probably the most commonly used method today in healthcare of authenticating a user. When you look at PCI, they have eight specific requirements on passwords. So they specify things like minimum password length and complexity, history and password expirations; it’s very detailed.

So, if an organization can meet all of the requirements of PCI, you’re going to be in great shape when it comes to HIPAA security compliance. The problem is that most organizations just can’t afford right now to invest in their infrastructure as well as all the controls that are required to meet all the standards in PCI. If they could, it would be a great help with HIPAA.

ANDERSON: Finally, you’ll be offering a webinar on PCI compliance strategies May 18, so tell us what information you are planning to provide in that event.

WALSH: In that webinar, I’m going to go into more detail about the PCI Data Security Standard. I’ll also be talking about some of the common mistakes that I’ve seen in healthcare organizations as far as addressing the standard. We’ll provide a more detailed action plan. …

This article was originally posted at http://www.healthcareinfosecurity.com/articles.php?art_id=3581&pg=3

Cost Effective HIPAA Compliance Training Programs


emPower eLearning Solutions is excited to offer a training solution that helps organizations train their entire workforce in a timely and cost-effective manner. emPower eLearning Solutions Compliance Training is devoted to helping organizations meet the Administrative Simplification Act section 164.530(b)(1). This section requires employers to provide HIPAA awareness training and job-role policy training. Our course is designed to reach all levels of employees, from providers to billing clerks to housekeeping.

HIPAA’s intent is to reform the healthcare industry by reducing costs, simplifying administrative processes and burdens, and improving the privacy and security of patients’ information.

For more information, visit http://www.empowerbpo.com/HIPAA_Compliance_Training.html
