HIPAA IT Pitfalls to Avoid in 2015 - eFax Corporate

Download HIPAA IT Pitfalls to Avoid in 2015 - eFax Corporate

Post on 18-Jul-2015




2 download

Embed Size (px)


<p>Slide 1</p> <p>HIPAA IT Pitfalls to Avoid in 2015Understanding Compliance &amp; ExceptionsBrad SpannbauerDirector, Product DevelopmenteFax Corporatebrad.spannbauer@j2.com</p> <p>WelcomeHow to ask questions</p> <p>1The information provided in this presentation does not constitute, and is no substitute for, legal or other professional advice. We strongly encourage you to consult your own legal or other professional advisors for individualized guidance regarding the application of the law to your particular situations, and in connection with any compliance-related concerns.</p> <p>With the adoption of the Omnibus Final Ruling in September, 2013, many healthcare IT directors were faced with a seemingly simple question by their organizations senior management: Are we or aren't we HIPAA Compliant?</p> <p>It seems like a simple question, but ever since the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, hospitals, group practices and other covered entities have struggled with their response. Even with seventeen years to prepare, many providers were still scrambling to meet all the requirements defined in the Omnibus Rule. </p> <p>2Are you HIPAA compliant or not?</p> <p>With the adoption of the Omnibus Final Ruling in September, 2013, many healthcare IT directors were faced with a seemingly simple question by their organizations senior management: Are we or aren't we HIPAA Compliant?</p> <p>It seems like a simple question, but ever since the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, hospitals, group practices and other covered entities have struggled with their response. Even with seventeen years to prepare, many providers were still scrambling to meet all the requirements defined in the Omnibus Rule. </p> <p>3Todays Agenda7 common incorrect HIPAA assumptionsPutting it all together:The Conduit ExceptionThe BAA: Does it transfer your responsibility?The Encryption requirementSo, are you compliant or not?Q &amp; A </p> <p>This webinar will cover the most common incorrect HIPAA assumptions, and provide a detailed examination of the Conduit Exception, one of the most misunderstood provisions of HIPAA and the Final Rule.4Document Concerns</p> <p>Earlier this year we conducted a survey of our customers in the healthcare industry and the results, while not exactly surprising, were enlightening. Our Healthcare IT Pulse survey revealed top concerns related to transferring sensitive healthcare information, technology usage patterns, and top security and compliance issues.</p> <p>As it relates to documents, Changes brought on by legislation such as the Affordable Care Act, including the new healthcare exchanges, often means a sudden influx of added paperwork for healthcare organizations. We found that 54 percent of organizations surveyed cited HIPAA compliance as their top concern, even more important than document management, organization and record keeping.</p> <p>5More Questions Than Answers?</p> <p>Even after publication of the Omnibus Rule, HIPAA contains few absolute measures that must be implemented to achieve compliance. And once you have deployed the technology solutions, implemented the policies and trained your personnel, there is still no federal certification or stamp of approval to reassure you.</p> <p>IT departments efforts are often undertaken with little understanding of what's actually required in order to achieve HIPAA compliance and frequently result in processes that are lacking in small but important ways. From my conversations with customers regarding their compliance needs and solutions, I hear several recurring incorrect assumptions that can spell trouble. Here are seven of the most common incorrect HIPAA assumptions I've encountered.6HIPAA Misconception #1:</p> <p>Our vendors service is HIPAA compliant so were HIPAA compliant. Right?</p> <p>I frequently encounter IT managers who firmly believe that deploying a software package touted as HIPAA compliant is all thats required to achieve compliance. Theyre wrong.</p> <p>Compliance with HIPAA requirements is not transferable; while your vendors status is important, your organization should implement its own comprehensive HIPAA compliance program. Youll want to make sure that your processes are HIPAA compliant, then select vendors that fit your organizations security framework.7HIPAA Misconception #2:</p> <p>Our vendor signed a BAA so were covered. Right?</p> <p>Vendor selection should be guided by established protocols in your overall HIPAA compliance program. When entering into a relationship with a vendor, its like the old adage says: trust, but verify.</p> <p>Even if a vendor willingly offers to sign a Business Associate Agreement (BAA), you should always perform due diligence to ensure their product or service is a match for your organization. Consider the BAA be the starting point of your discussion, not the end point.8</p> <p>HIPAA Misconception #3:</p> <p>We dont use cloud services because theyre not secure. Right?</p> <p>This assumption is no more true than concluding that on-site solutions are always secure.</p> <p>Cloud services offer a number of advantages cost savings, increased efficiency, lower infrastructure overhead over their traditional counterparts, and many offer HIPAA compliant services tailored to the needs of healthcare customers. </p> <p>9</p> <p>HIPAA Misconception #4:</p> <p>Our corporate policies restrict access to PHI so were in compliance. Right?</p> <p>While policies and procedures are key to any HIPAA compliance program, these elements are nothing without rigorous ongoing monitoring, enforcement, and adjustments.</p> <p>Your organization should always be on the lookout for security breaches, both technological and procedural, to ensure Protected Health Information (PHI) is secure. HIPAA requires that your compliance policies and procedures be living documents your organization should be regularly re-evaluating and updating your compliance program, and conducting training sessions with employees to reinforce policies and procedures. </p> <p>10HIPAA Misconception #5:</p> <p>We use an in-house fax server, so our transmissions are secure behind our firewall. Right?</p> <p>Fax servers can help ensure the security of PHI during transmission, but often fall short in protecting the same data while stored on your network.</p> <p>Fax servers often hand-off PHI data to email or file servers that may be vulnerable to unauthorized access from within your network.</p> <p>Encryption of stored PHI is an addressable implementation specification, so youll want to seek solutions that offer at rest encryption of PHI stored within your systems.</p> <p>11HIPAA Misconception #6:</p> <p>Our EHR system has a well-documented audit trail so a document-sharing policy would be redundant. Right?</p> <p>An audit trail is great, but it only covers data while it lives within your EHR system. What happens once a record is printed?</p> <p>Consider implementing a clear, comprehensive document sharing policy that addresses handling of PHI both within and outside of your EHR system.</p> <p>Think of the document sharing policy as a complement to your EHR audit trail, not a redundancy.12HIPAA Misconception #7:</p> <p>Our email provider offers TLS encryption so were secure sending email attachments. Right?</p> <p>TLS encryption is a great tool to help secure emails in transit, but it works only if both sides of the email transaction are configured properly.</p> <p>Many consumer email providers arent equipped to support TLS encryption for their subscribers. If your email provider is only using opportunistic TLS and the recipient doesnt support TLS, emails with PHI could be transmitted with no encryption at all.</p> <p>You may want to think twice about sending PHI over email, particularly when other, more secure methods are available.13</p> <p>Putting the Pieces Together</p> <p>So now that weve discussed some of the common misconceptions, lets put this information into practice. 14Fax for PHI</p> <p>One of the key findings from the survey that we cited earlier is that fax continues to be a favored approach for communication, as61 percent of healthcare organizations surveyed cited fax as one of the top approaches to exchanging critical information with nonemployees, with 26 percent citing fax as the No. 1 approach to exchanging critical information. </p> <p>Meanwhile,other methods, for example digital file transfer was ranked No. 1 by only six percent of respondents, and email was cited by12 percent of healthcare organizations as one of their two least used methods of communication for exchanging critical information with nonemployees.</p> <p>Yet there are still some misunderstandings about how faxing is treated for HIPAA compliance.</p> <p>15</p> <p>Putting It All TogetherThe Conduit Exception</p> <p>Consider the often misunderstood HIPAA Conduit Exception and related comments in the Omnibus Final Ruling. The conduit exception applies to vendorseither off-line or on-linethat provide a service that acts as a transport to ePHI but does not necessarily access or store the information.</p> <p>To illustrate, Lets consider two usages of the same basic hosted fax service, with one key difference: document archival.16Conduit Exception Scenario #1: Hosted Fax Without ArchivingThe Conduit Exception</p> <p>HOSTED FAX</p> <p>One version of the hosted fax service does not store sent or received faxes, it simply transports them from sender to receiver (certainly with Transport Layer Security (TLS) encryption while in-transit)</p> <p>There is no electronic archival or storage involved with this service. Users cant go back a day, week or month later and retrieve or search by keyword for faxes they sent and received. This service would fall under the conduit exception .</p> <p>17</p> <p> Conduit Exception Scenario #2: Hosted Fax With Archiving</p> <p>The Conduit Exception</p> <p>HOSTED FAX</p> <p>Now, if the same service offers an on-line storage function for the faxes your users send or receive, it would most likely not be subject to the conduit exception, and as a covered entity you would need assurances from the vendor the Business Associatethat those documents are secure.</p> <p>This assurance would most likely come in the form of a Business Associate Agreement (BAA).</p> <p>Looking at these two examples, where problems can occur is if the vendor doesnt understand these differences. As a covered entity you may rely on the vendor to know these differences. But if a vendor simply says we always sign BAAs, for example, you might enable or disable a security feature, not realizing that it changes the nature of the HIPAA compliance requirements for that service.</p> <p>18</p> <p>A BAA Doesnt Transfer Responsibility to Your Vendor. It Means You Share Responsibility.</p> <p>It is important for Covered Entities to remember, a BAA does not transfer all responsibility from you to your vendor, it establishes a shared responsibility. So if you rely on a BAA from a vendor, you still have responsibility for the privacy and security of your PHI.</p> <p>19</p> <p>We Recommend Sending Encrypted Notifications, Not Documents</p> <p>HOSTED FAX</p> <p>Lets go back to the second scenario where you use an electronic faxing service and you want on-line archival access.</p> <p>You may have a BAA with the vendor. But we also recommend that instead of sending or receiving documents containing PHI to and from a personal productivity application like MS Outlook, that the service instead sends encrypted notifications to an email address. The user would then use a password to log in to the on-line service to access their electronic faxes. This could certainly be a HIPAA compliant service.</p> <p>Not subject to the conduit exception, but one wheresince the vendor is storing PHI as part of the overall servicemay offer both encrypted in transit and encrypted at rest security.20Consider Data Encryption to be a de facto Requirement</p> <p>Its definitely Best Practice</p> <p>While encryption is not mandated under HIPAA its considered addressable we encourage providers to consider it a requirement and adopt it as best practice. </p> <p>For document and data transmissions and storage, encryption in-transit and at-rest should always be considered best practice. This is in addition to the physical security measures the vendor employs at its locations for access to servers, data centers and the like.</p> <p>We believe its best to combine services that either meet the conduit exceptionor have the right levels of security, encryption and protectionwith a well-documented procedural audit of how your organization manages and interacts with data and documents. 21Data Security is Key for Patient RecordsBoth at Rest and in Transit</p> <p>With the Omnibus rule being adopted at the end of last year, a lot of covered entities have focused on the first A in HIPAA Accountability, as well they should. The emphasis has been put on the responsibility of all parties involved--covered entities, health care providers, payors, business associatesto ensure patient data is not compromised.</p> <p>But it is important to remember that the P Portability, was a driving force behind passage of the original HIPAA act in 1996, reaffirmed by language in HITECH and the Affordable Care Act. Not that long ago, patient records were stagnant, usually kept in manila folders at a doctors office. The ability of physicians and providers to share this information with specialists and other caregivers was an onerous task. Patients also had difficulty switching to another primary care physician when they moved or for personal preference.</p> <p>Balancing the Portability and Accountability has always been a challenge, even with Electronic Medical Records (EMRs). This is where the idea of secure (encrypted) at rest and secure in transit PHI comes into view. 22</p> <p>There are no absolute assurances when it comes to HIPAA compliance, but by making yourself aware of the common assumptions, you will be more prepared to provide greater consideration to the compliance of your data and document management processes.</p> <p>23Next StepsRead 7 HIPAA Compliant Assumptionshttp://www.hitechanswers.net/7-hipaa-compliant-assumptions-can-trip/Whitepaper: Is Cloud-based Faxing Right for You?30 day free trial offer.</p> <p>As a follow up to this webinar I encourage you to read an article recently published on HITECH answers that I wrote, about the 7 HIPAA Assumptions.We also have a whitepaper available to you, so in the follow up email well get you a link to this recorded webinar to share with your colleagues, and a pdf of Is cloud-based faxing right for you?Finally, youll have the opportunity to try cloud faxing for yourself with a free 30-day trial.</p> <p>With that we can open the call to questions.24Q&amp;A</p> <p>And with that, I thank you for your attendance and I hope to engage with you soon.25Thank you for your time.enterprise.efax.com</p> <p>And with that, I thank you for your attendance and I hope to engage with you soon.26</p>