Tag Archives: HIPAA Compliance

HIPAA Risk Assessment Consultant Compliance Brandon, Tampa, Plant City, Lakeland, Winter Haven, Apollo Beach, New Tampa, Temple Terrace, Protected Health Information

5 Things Everyone gets Wrong About HIPAA

The following article covering HIPAA is advisory in nature and should not be construed as or substituted for proper legal advice.  

HIPAA does not have to be confusing. Whether you are a doctor, manage a practice, or are a patient, you should know about HIPAA. Surprisingly, even many medical professionals struggle with the intricacies of the law. In the meantime, the Office of Civil Rights Health and Human Services division continues to dole out exorbitant fines to medical offices that fail to comply. Here are 5 misconceptions to help you better understand the HIPAA law.

1. HIPAA is about data privacy.

In actuality, HIPAA is about data as property. Your data has a tangible value. It is stored, transferred, bought and sold both legally and illegally every day. HIPAA takes a specific subset of data, called Protected Health Information (PHI), assigns ownership of it to doctors and other medical offices (referred to as covered entities), and outlines the proper way they can use that data. In addition, HIPAA provides guidelines on how to best protect that data, and penalties for failing to do so. So, in short, your doctor owns your medical data.

In order to best understand this concept, we need to compare it to another law. The EU’s General Data Protection Regulation (GDPR) assigns the ownership of a citizen’s data to the individual citizen. It then gives the authority of that citizen to share their data as needed, and to revoke access to that data at any time and for any reason. Some states have begun to push for GDPR-like legislation in recent months. Data protection legislation seems to slowly be moving in that direction.

2. My doctor or practice is HIPAA compliant.

HIPAA Compliance is a cultural shift. Risk assessments provide a snapshot of how the covered entity is doing at that moment. Striving for compliance is a full-time, never-ending process that requires teamwork. Compliance can disappear at the snap of a finger. There is no magic pill to achieve compliance.

Achieving compliance shouldn’t be like cramming for a test, making changes to how a practice operates, and then going back to “normal” operations after the assessment. It should be practiced every hour of every day. When completed properly, a Risk Assessment will identify the difference between the offices making a conscientious effort and the “crammers.”

It is rare to find a doctor’s office that can achieve and maintain HIPAA Compliance. Far too many have failed to even make an attempt.

3. My PHI isn’t worth worrying about.

When you go to the doctor, you fill out a patient history form. Often, that form has information on it that you wouldn’t want shared with the public. A few examples might include:

  • Questions about sexual contacts and sexually transmitted illnesses
  • Current or prior drug/alcohol abuse
  • Prior psychiatric treatment
  • Prior surgeries or diseases
  • Last colonoscopy/Pap Test/Mammogram and their results
  • Medication you are taking
  • DNA profile

PHI is valuable to pharmaceutical reps, cyber-criminals, government actors, marketing firms, other doctors, and in some cases, media outlets (for example, a celebrity going into rehab.)

4. HIPAA is a new law and more time should be given for compliance.

HIPAA first became law in 1996. Covered entities have had more than 20 years to adjust. The Office of Civil Rights began enforcement of the privacy rule in 2003 and the security rule in 2009. Enforcement increased sharply in 2013. Many covered entities approached it with an attitude of “it won’t happen to me.” OCR has stepped up random audits and investigated complaints. There have been marketing campaigns designed to warn doctors that enforcement was coming. The federal government is no longer giving credit to covered entities that claim ignorance.

5. HIPAA Compliance is too expensive and time consuming.

Securing your data is becoming more and more critical every day. Cyber-crime happens because it has a much lower risk than street crime, with a very high reward. This remains true for all data, but especially true of PHI because the market for it on the Dark Web is a seller’s dream. An oft-cited statistic that appears to be attributed to the National Cyber Security Alliance states that 60% of small and medium businesses close permanently after a data breach. They attribute it to recovery costs, embarrassment, and a loss of trust from their customers. Covered entities suffer these as well, and then face government scrutiny and exorbitant fines. By following the federal guidelines, practices often find that they function more efficiently, have less downtime due to network problems, and spend less time worrying about government regulators.

At A Better Choice Network Solutions, we strive to help keep your money and data out of the hands of cyber-criminals. We will work within your budget to help you secure your critical data against attack. We are a full-service IT organization in the Tampa Bay area, and are available for sales, repair, consulting, compliance assessments and educating end users. Feel free to reach us at info@abcnetfl.com.

Follow us on Facebook at www.facebook.com/abcnetfl or check out our secure website at www.abcnetfl.com.

HIPAA Compliance tips

HIPAA Compliance Tips to Remember

Confusion often occurs regarding how to best secure patients protected health information (PHI). In addition, striving for HIPAA Compliance is important to protect your reputation and your income. Due to this confusion, we have partnered with KnowBe4 to provide training and testing of our end users in cybersecurity topics, including HIPAA Compliance.

HIPAA, or the Health Insurance Portability & Accountability Act (HIPAA) is a civil rights law which gives patients control over the use and disclosure of their health information. Due to HIPAA, covered entities and business associates must ensure the privacy and security of all patients’ protected health information (PHI).  Covered entities include any entity that provides care.  Business associates include any company that provides services to covered entities that gives them access to protected health information.

Communications (whether electronic, written, or oral) about your patients can contain sensitive information which is protected by HIPAA. As a result, a patient’s protected health information should only be used or released if necessary for treatment, payment, or healthcare operations, to provide adequate care and fulfill your responsibilities as a health care provider.

Tips to increase HIPAA Compliance

  • Always cross shred documents that contain protected health information.
  • Discard CD-ROMs, USBs and other digital storage carefully in order to prevent data from being stolen.  Ask your supervisor or manager how you can properly dispose of these.
  • Report suspicious activity to your Help Desk or IT team immediately.
  • Do not leave messages concerning a patient’s health information on answering machines or voicemails.
  • Access only electronic information that you “need to know” to perform your job. If you don’t need the information for your job responsibilities, you probably should not access it.
  • Lock all unattended computers.
  • Secure laptop computers and other mobile devices.
  • Encrypt files and folders on mobile devices.
  • Store passwords in secured areas only – not accessible by others. Therefore, don’t hide your password on a post-it note at your workstation.

Employees who do not take care of sensitive information often result in fines, increased operating costs, loss of customer confidence, and even more governmental regulation for their practice. Do your part to keep sensitive information safe at all times in order to benefit your patients.

Finally, you should always strive to keep your PHI secure. Create and follow sound policies that govern the use and access of PHI.  Restrict access to the internet and PHI to appropriate use only.

Single doctor practices must do annual assessments.  At A Better Choice Network Solutions, we help our clients protect their patients and themselves from cybersecurity threats. We believe that you should never pay a cyber-criminal for the use or return of your data. A fully comprehensive HIPAA Compliance Assessment can help you identify threats to the PHI of your patients.  

 

Be sure to follow us on Facebook, Twitter, and LinkedIn for updates and news on cyber-security and technology.