All Data Fast News is © Data Fast Solutions, unless where otherwise indicated • All Rights Reserved

Data Fast News


HIPAA Phase 2 Audits and ePHI

In our previous article, "The Importance of Utilizing A Good HIPAA Knowledgeable I.T. Company", we mentioned that the Office for Civil Rights (OCR) was expected to perform more frequent audits and to assess larger fines as HIPAA complaints and breaches are investigated.

In addition to audits arising from complaints and breaches, routine phase 2 HIPAA audits are now well underway. The audit protocol, updated last month (April 2016), is available at: 

A portion of the phase 2 audits pertains to electronic protected health information (ePHI).

The U.S. Department of Health and Human Services specifically outlines the following technical safeguards that must be adhered to regarding ePHI:

  • Access Control. A covered entity must implement technical policies and procedures that allow only authorized persons to access electronic protected health information (e-PHI). 

  • Audit Controls. A covered entity must implement hardware, software, and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use e-PHI. 

  • Integrity Controls. A covered entity must implement policies and procedures to ensure that e-PHI is not improperly altered or destroyed. Electronic measures must be put in place to confirm that e-PHI has not been improperly altered or destroyed. 

  • Transmission Security. A covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.  

If you are a health care organization, or a covered entity (CE) working with the health care industry, it's important to follow the tips below to make sure your ePHI is secure.

  • Encrypt Personal Health Information (PHI) 

  • Always use SSL (Secure Sockets Layer), or its successor TLS, for web-based access to any sensitive data. SSL/TLS is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private. 

  • Encryption techniques and mechanisms should be known only to a select few authorized employees. 

  • In addition to text, images and scans should also be encrypted and must not contain any personal identifying information. 

  • Never use public File Transfer Protocol (FTP). 

  • Only use Virtual Private Network (VPN) access for remote access. 

  • Use login retry protection in your application. 
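As an added illustration of the last tip together with the Audit Controls safeguard above (example code, not from the Data Fast Solutions article): a small login guard that locks an account after repeated failures and records every decision in an audit trail. The thresholds, usernames and in-memory stores are assumptions chosen for illustration.

```python
"""Added example, not code from the Data Fast Solutions article: a minimal
login retry limiter with an audit trail. Names and thresholds are assumed."""
import hashlib
import hmac
import time
from collections import defaultdict

MAX_ATTEMPTS = 5        # assumed: failures allowed inside one window
LOCKOUT_SECONDS = 900   # assumed: 15-minute lockout window


def make_credential(password: str, salt: bytes) -> tuple:
    """Derive a stored credential (salt, PBKDF2 hash); never store plaintext."""
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    def __init__(self, credentials: dict, clock=time.time):
        self._creds = credentials             # username -> (salt, derived key)
        self._clock = clock                   # injectable for testing
        self._failures = defaultdict(list)    # username -> failure timestamps
        self.audit_log = []                   # audit record of every decision

    def _audit(self, user: str, event: str) -> None:
        self.audit_log.append({"ts": self._clock(), "user": user, "event": event})

    def is_locked(self, user: str) -> bool:
        # Locked when MAX_ATTEMPTS failures fall inside the lockout window.
        now = self._clock()
        recent = [t for t in self._failures[user] if now - t < LOCKOUT_SECONDS]
        self._failures[user] = recent         # forget failures that aged out
        return len(recent) >= MAX_ATTEMPTS

    def attempt(self, user: str, password: str) -> bool:
        """Check a password, enforce the lockout, and record the outcome."""
        if self.is_locked(user):
            self._audit(user, "rejected_locked")   # right password still rejected
            return False
        # Unknown users still pay for a key derivation, so response time
        # does not reveal whether the username exists.
        salt, expected = self._creds.get(user, (b"", b""))
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if user in self._creds and hmac.compare_digest(derived, expected):
            self._failures[user].clear()
            self._audit(user, "login_success")
            return True
        self._failures[user].append(self._clock())
        self._audit(user, "login_failure")
        return False
```

In production the failure counts and audit records would live in a shared, tamper-evident store rather than process memory, so that the audit trail survives restarts and can be examined during an audit.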

ePHI is a top priority, especially as it relates to phase 2 audits, but it is certainly not the only concern. Outside of audits, there are many aspects to maintaining good, overall cyber security standards in relation to HIPAA rules and regulations. These standards will be addressed in upcoming articles.                    

This article is ©2016 Data Fast Solutions • All Rights Reserved


The Importance of Utilizing A Good HIPAA Knowledgeable I.T. Company

It's been twenty years since the Health Insurance Portability and Accountability Act (HIPAA) was implemented to improve health care efficiency and protect an individual's private health information. Unfortunately, over the years there have been numerous examples of breaches resulting in civil and criminal penalties. In an article by Healthcare IT News from May of 2014, the top six HIPAA breach fines ranged from $1.7 million to $4.8 million.

The $4.8 million fine was assessed against New York Presbyterian Hospital and Columbia University for a breach that affected 6,800 individuals. Healthcare IT News reported that the breach occurred "when a CU physician, who developed applications for NYP and CU, attempted to deactivate a personally owned computer server on the network containing ePHI. Due to lack of technical safeguards, server deactivation resulted in ePHI being accessible on Google."

Other cases included unencrypted laptops and USB hard drives. Yet another was due to poorly performed software upgrades that resulted in social security numbers of patients being accessible by unauthorized persons over the internet for nearly five months.  

These types of incidents continue to occur, yet every violation is completely preventable when utilizing the services of a knowledgeable I.T. company. The best I.T. professionals are those who are not only well-versed in I.T. security, but who fully understand HIPAA rules and regulations.

The most sought after are those like Data Fast Solutions who are continually educated about new HIPAA privacy and security regulations. This ensures a health care organization can be confident and completely prepared for a possible HIPAA security audit.

According to the U.S. Department of Health and Human Services HIPAA Breach Notification Rule, at www.hhs.gov/hipaa/for-professionals/breach-notification/index.html, audits can include:

  • notice of privacy practices; 

  • patients’ rights to request privacy for protected health information (PHI); 

  • access of individuals to PHI; 

  • administrative, physical, and technical safeguards; 

  • uses and disclosures of PHI; 

  • amendment to PHI; and 

  • requirements of the HIPAA Breach Notification Rule. 

HIPAA audits can make any health care organization experience stress if the right safeguards for their technology are not firmly in place. A HIPAA knowledgeable I.T. professional can easily recognize any vulnerabilities and do what is necessary to address them quickly and effectively.  

In December 2015 alone, the second largest HIPAA fine in history was assessed. There is no doubt that HIPAA breaches resulting in fines in the millions can be detrimental to any health care company. However, for smaller companies dealing with protected health information (PHI), even the lowest fine can adversely affect a business. Monetary fines are not the only concern. It can take two to three years for a HIPAA investigation to occur.

The Office for Civil Rights (OCR) is expected to perform more frequent audits and to assess larger fines as HIPAA complaints and breaches are investigated. The I.T. related fines levied by the OCR for violations occurring due to unencrypted hardware and poorly performed software upgrades simply would not occur with a good I.T. company in place. HIPAA I.T. experts can easily and seamlessly handle all aspects of sensitive technology to ensure the stress and time involved in a potential audit is minimal.
