HIPAA IT Pitfalls to Avoid in 2015 - eFax Corporate

Post on 18-Jul-2015

TRANSCRIPT

Slide 1

HIPAA IT Pitfalls to Avoid in 2015
Understanding Compliance & Exceptions
Brad Spannbauer
Director, Product Development
eFax Corporate
brad.spannbauer@j2.com

Welcome
How to ask questions

The information provided in this presentation does not constitute, and is no substitute for, legal or other professional advice. We strongly encourage you to consult your own legal or other professional advisors for individualized guidance regarding the application of the law to your particular situations, and in connection with any compliance-related concerns.

Slide 2

Are you HIPAA compliant or not?

With the adoption of the Omnibus Final Ruling in September, 2013, many healthcare IT directors were faced with a seemingly simple question by their organization's senior management: Are we or aren't we HIPAA Compliant?

It seems like a simple question, but ever since the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, hospitals, group practices and other covered entities have struggled with their response. Even with seventeen years to prepare, many providers were still scrambling to meet all the requirements defined in the Omnibus Rule.

Slide 3

Today's Agenda

7 common incorrect HIPAA assumptions
Putting it all together:
    The Conduit Exception
    The BAA: Does it transfer your responsibility?
    The Encryption requirement
So, are you compliant or not?
Q & A

This webinar will cover the most common incorrect HIPAA assumptions, and provide a detailed examination of the Conduit Exception, one of the most misunderstood provisions of HIPAA and the Final Rule.

Slide 4

Document Concerns

Earlier this year we conducted a survey of our customers in the healthcare industry and the results, while not exactly surprising, were enlightening. Our Healthcare IT Pulse survey revealed top concerns related to transferring sensitive healthcare information, technology usage patterns, and top security and compliance issues.

As it relates to documents, changes brought on by legislation such as the Affordable Care Act, including the new healthcare exchanges, often mean a sudden influx of added paperwork for healthcare organizations. We found that 54 percent of organizations surveyed cited HIPAA compliance as their top concern, even more important than document management, organization and record keeping.

Slide 5

More Questions Than Answers?

Even after publication of the Omnibus Rule, HIPAA contains few absolute measures that must be implemented to achieve compliance. And once you have deployed the technology solutions, implemented the policies and trained your personnel, there is still no federal certification or stamp of approval to reassure you.

IT departments' efforts are often undertaken with little understanding of what's actually required in order to achieve HIPAA compliance, and frequently result in processes that are lacking in small but important ways. From my conversations with customers regarding their compliance needs and solutions, I hear several recurring incorrect assumptions that can spell trouble. Here are seven of the most common incorrect HIPAA assumptions I've encountered.

Slide 6

HIPAA Misconception #1:

Our vendor's service is HIPAA compliant so we're HIPAA compliant. Right?

I frequently encounter IT managers who firmly believe that deploying a software package touted as HIPAA compliant is all that's required to achieve compliance. They're wrong.

Compliance with HIPAA requirements is not transferable; while your vendor's status is important, your organization should implement its own comprehensive HIPAA compliance program. You'll want to make sure that your processes are HIPAA compliant, then select vendors that fit your organization's security framework.

Slide 7

HIPAA Misconception #2:

Our vendor signed a BAA so we're covered. Right?

Vendor selection should be guided by established protocols in your overall HIPAA compliance program. When entering into a relationship with a vendor, it's like the old adage says: trust, but verify.

Even if a vendor willingly offers to sign a Business Associate Agreement (BAA), you should always perform due diligence to ensure their product or service is a match for your organization. Consider the BAA to be the starting point of your discussion, not the end point.

Slide 8

HIPAA Misconception #3:

We don't use cloud services because they're not secure. Right?

This assumption is no more true than concluding that on-site solutions are always secure.

Cloud services offer a number of advantages over their traditional counterparts (cost savings, increased efficiency, lower infrastructure overhead), and many offer HIPAA compliant services tailored to the needs of healthcare customers.

Slide 9

HIPAA Misconception #4:

Our corporate policies restrict access to PHI so we're in compliance. Right?

While policies and procedures are key to any HIPAA compliance program, these elements are nothing without rigorous ongoing monitoring, enforcement, and adjustments.

Your organization should always be on the lookout for security breaches, both technological and procedural, to ensure Protected Health Information (PHI) is secure. HIPAA requires that your compliance policies and procedures be living documents: your organization should be regularly re-evaluating and updating your compliance program, and conducting training sessions with employees to reinforce policies and procedures.

Slide 10

HIPAA Misconception #5:

We use an in-house fax server, so our transmissions are secure behind our firewall. Right?

Fax servers can help ensure the security of PHI during transmission, but often fall short in protecting the same data while stored on your network.

Fax servers often hand off PHI data to email or file servers that may be vulnerable to unauthorized access from within your network.

Encryption of stored PHI is an addressable implementation specification, so you'll want to seek solutions that offer at-rest encryption of PHI stored within your systems.

Slide 11

HIPAA Misconception #6:

Our EHR system has a well-documented audit trail so a document-sharing policy would be redundant. Right?

An audit trail is great, but it only covers data while it lives within your EHR system. What happens once a record is printed?

Consider implementing a clear, comprehensive document sharing policy that addresses handling of PHI both within and outside of your EHR system.

Think of the document sharing policy as a complement to your EHR audit trail, not a redundancy.

Slide 12

HIPAA Misconception #7:

Our email provider offers TLS encryption so we're secure sending email attachments. Right?

TLS encryption is a great tool to help secure emails in transit, but it works only if both sides of the email transaction are configured properly.

Many consumer email providers aren't equipped to support TLS encryption for their subscribers. If your email provider is only using opportunistic TLS and the recipient doesn't support TLS, emails with PHI could be transmitted with no encryption at all.
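The fallback described above leaves a trace: every receiving mail server records in its Received: header whether the session used TLS (the RFC 3848 "ESMTPS" keyword, and Postfix additionally writes a "(using TLSv1.2 with cipher ...)" clause), so a delivered message can be audited hop by hop. The following Python script is an added example for this page, not part of the presentation and not eFax Corporate's code; the message it parses, the host names and the message ID are all constructed, and in it the final hop to the recipient's provider fell back to plaintext.

```python
"""Audit the Received: headers of a delivered e-mail and flag hops that were
not protected by TLS.  Added example, not eFax Corporate's code; the message
below is constructed and every host name in it is a placeholder."""
import email
import re
from typing import List, NamedTuple, Optional

# Constructed sample: three hops.  The two hops inside the (fictional) hospital
# used STARTTLS; the last hop to the recipient's provider did not, because that
# server never offered STARTTLS and the sender's opportunistic TLS gave up.
SAMPLE_MESSAGE = """\
Received: from mx.example-hospital.test (mx.example-hospital.test [192.0.2.10])
    by mail.consumer-isp.test (Postfix) with ESMTP id 5F3A1C0
    for <patient@consumer-isp.test>; Mon, 20 Jul 2015 09:03:11 +0000
Received: from relay.example-hospital.test (relay.example-hospital.test [192.0.2.5])
    (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
    (No client certificate requested)
    by mx.example-hospital.test (Postfix) with ESMTPS id 41B2D9A
    for <patient@consumer-isp.test>; Mon, 20 Jul 2015 09:03:09 +0000
Received: from workstation.example-hospital.test (workstation.example-hospital.test [10.0.0.25])
    (using TLSv1.2 with cipher AES256-GCM-SHA384 (256/256 bits))
    by relay.example-hospital.test (Postfix) with ESMTPSA id 3C0F11E
    for <patient@consumer-isp.test>; Mon, 20 Jul 2015 09:03:08 +0000
From: records@example-hospital.test
To: patient@consumer-isp.test
Subject: Your lab results
Message-ID: <constructed-example@example-hospital.test>

(body omitted)
"""


class Hop(NamedTuple):
    from_host: str
    by_host: str
    protocol: str                 # RFC 3848 WITH keyword: ESMTP, ESMTPS, ESMTPSA ...
    tls: bool                     # True when the keyword carries the "S" (TLS) flag
    tls_version: Optional[str]    # from Postfix's "(using TLSv1.2 ...)" clause, if present
    cipher: Optional[str]


# RFC 3848: ESMTPS / ESMTPSA (also SMTPS, LMTPS, UTF8SMTPS) mean the session used
# STARTTLS.  A trailing "A" only says SMTP AUTH was used, not that TLS was.
_TLS_KEYWORD = re.compile(r"^(?:E?SMTP|UTF8SMTP|LMTP)SA?$", re.IGNORECASE)
# The from / by / with clauses of a Received: header, in that order.
_HOP_RE = re.compile(
    r"^from (?P<from>\S+).*?\bby (?P<by>\S+).*?\bwith (?P<with>\S+)",
    re.IGNORECASE,
)
# Postfix-specific detail clause naming the negotiated protocol and cipher.
_POSTFIX_TLS_RE = re.compile(
    r"\(using (?P<ver>(?:TLS|SSL)v[\d.]+) with cipher (?P<cipher>\S+)"
)


def parse_hops(raw_message: str) -> List[Hop]:
    """Return the delivery hops in chronological order (oldest first)."""
    msg = email.message_from_string(raw_message)
    hops: List[Hop] = []
    # Each MTA prepends its own Received: header, so the stored order is newest first.
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())          # unfold continuation lines
        m = _HOP_RE.match(text)
        if not m:
            continue                            # non-standard header, skip it
        proto = m.group("with")
        detail = _POSTFIX_TLS_RE.search(text)
        hops.append(Hop(
            from_host=m.group("from"),
            by_host=m.group("by"),
            protocol=proto,
            tls=bool(_TLS_KEYWORD.match(proto)),
            tls_version=detail.group("ver") if detail else None,
            cipher=detail.group("cipher") if detail else None,
        ))
    return hops


def plaintext_hops(raw_message: str) -> List[Hop]:
    """Hops on which the message travelled without TLS (empty list = all hops encrypted)."""
    return [h for h in parse_hops(raw_message) if not h.tls]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        status = f"TLS ({hop.tls_version}, {hop.cipher})" if hop.tls else "PLAINTEXT"
        print(f"{hop.from_host} -> {hop.by_host}: {hop.protocol:8s} {status}")
    exposed = plaintext_hops(SAMPLE_MESSAGE)
    print(f"{len(exposed)} unencrypted hop(s)")
```

Only the headers written by servers you operate are trustworthy, since any upstream hop can forge the earlier ones; treat the report as evidence for your own hops and as a prompt to ask the other party about theirs. The check is also after the fact: to prevent the plaintext fallback in the first place, the sending server needs a mandatory TLS policy for destinations that carry PHI (in Postfix, a per-domain entry in smtp_tls_policy_maps set to encrypt or secure) rather than the opportunistic default.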

You may want to think twice about sending PHI over email, particularly when other, more secure methods are available.

Slide 13

Putting the Pieces Together

So now that we've discussed some of the common misconceptions, let's put this information into practice.

Slide 14

Fax for PHI

One of the key findings from the survey that we cited earlier is that fax continues to be a favored approach for communication: 61 percent of healthcare organizations surveyed cited fax as one of the top approaches to exchanging critical information with non-employees, with 26 percent citing fax as the No. 1 approach to exchanging critical information.

Meanwhile, other methods trailed: digital file transfer, for example, was ranked No. 1 by only six percent of respondents, and email was cited by 12 percent of healthcare organizations as one of their two least used methods of communication for exchanging critical information with non-employees.

Yet there are still some misunderstandings about how faxing is treated for HIPAA compliance.

Slide 15

Putting It All Together: The Conduit Exception

Consider the often misunderstood HIPAA Conduit Exception and related comments in the Omnibus Final Ruling. The conduit exception applies to vendors (either off-line or on-line) that provide a service that acts as a transport for ePHI but does not necessarily access or store the information.

To illustrate, let's consider two usages of the same basic hosted fax service, with one key difference: document archival.

Slide 16

Conduit Exception Scenario #1: Hosted Fax Without Archiving

The Conduit Exception

HOSTED FAX

One version of the hosted fax service does not store sent or received faxes; it simply transports them from sender to receiver (certainly with Transport Layer Security (TLS) encryption while in transit).

There is no electronic archival or storage involved with this service. Users can't go back a day, week or month later and retrieve or search by keyword for faxes they sent and received. This service would fall under the conduit exception.

Slide 17

Conduit Exception Scenario #2: Hosted Fax With Archiving
