Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Welcome to the nexus of ethics, psychology, morality, technology, health care, and philosophy
Showing posts with label HIPAA Security Rule.

Friday, May 1, 2015

The experts' step-by-step guide to cyber security

By Kitty Dann
The Guardian
Originally published April 2 2015

Where does cyber security fall on your to-do list? If it’s not a priority, it should be, because 60% of small businesses suffered a breach in the year leading up to October 2014. The worst of these breaches disrupted operations for an average of seven to 10 days.

We recently held a live Q&A on the topic, with a panel of experts on hand to answer your questions. From risk assessment to keeping your business safe on a budget, here are some of their suggestions:

The entire article is here.

Saturday, April 26, 2014

Practitioner Pointer: Does the use of Skype raise HIPAA compliance issues?

Practitioners should be aware of the risk involved.

By Legal and Regulatory Affairs staff
American Psychological Association - Practice Central
Originally published April 24, 2014

Given the growing use of technology for communication, many practitioners are interested in knowing whether popular options are compatible with Health Insurance Portability and Accountability Act (HIPAA) requirements. Skype, whose basic features are free and easy to use, is one such option of interest to practicing psychologists.

HIPAA does not specify the kinds of technologies that covered entities should use for creating, receiving, storing or transmitting electronic patient health information (ePHI). Under the HIPAA Security Rule, covered entities must conduct individual risk assessments about the technologies (hardware, software, etc.) they use that store or transmit ePHI.

The entire story is here.

Thursday, August 22, 2013

Health, fitness apps pose HIPAA risks for doctors

Physicians should check apps’ privacy protections before suggesting them to patients. A new report says most apps — especially free ones — don’t offer much privacy.

By SUE TER MAAT
amednews.com
Posted Aug. 5, 2013

Physicians might think twice about advising patients to use some mobile health and fitness apps. A July report indicates that many of those apps compromise patients’ privacy. Just recommending apps may put doctors at risk for violations of the Health Insurance Portability and Accountability Act.

“Even suggesting an app to patients — that’s a gray area,” said Marion Neal, owner of HIPAASimple.com, a HIPAA consulting firm for physicians in private practice. “Doctors should avoid recommending apps unless they are well-established to be secure.”

The entire story is here.

Thursday, July 11, 2013

WellPoint to pay $1.7 million HIPAA penalty

By Rachel Landen and Joseph Conn
ModernHealthcare.com
Published July 11, 2013

WellPoint, which serves nearly 36 million people through its affiliated health plans, has agreed to pay a $1.7 million penalty to HHS for potential violations of the privacy and security rules under the Health Insurance Portability and Accountability Act of 1996.

Between Oct. 23, 2009, and March 7, 2010, access to personal data for 612,402 people—their names, dates of birth, addresses, Social Security numbers, telephone numbers and health information—was made available to unauthorized users as the result of online security weaknesses, HHS said Thursday.

During an investigation of WellPoint's information systems, HHS' Office for Civil Rights found that the Indianapolis-based insurer had not enacted appropriate administrative, technical and physical safeguards for data as required by HIPAA.

The entire story is here.

Saturday, February 2, 2013

HHS Releases Final HIPAA Privacy and Security Update Final Rule

U.S. Department of Health & Human Services
FOR IMMEDIATE RELEASE
Thursday, January 17, 2013

The U.S. Department of Health and Human Services (HHS) moved forward today to strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The final omnibus rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law.

“Much has changed in health care since HIPAA was enacted over fifteen years ago,” said HHS Secretary Kathleen Sebelius. “The new rule will help protect patient privacy and safeguard patients’ health information in an ever expanding digital age.”

The changes in the final rulemaking provide the public with increased protection and control of personal health information. The HIPAA Privacy and Security Rules have focused on health care providers, health plans and other entities that process health insurance claims. The changes announced today expand many of the requirements to business associates of these entities that receive protected health information, such as contractors and subcontractors. Some of the largest breaches reported to HHS have involved business associates. Penalties are increased for noncompliance based on the level of negligence with a maximum penalty of $1.5 million per violation. The changes also strengthen the Health Information Technology for Economic and Clinical Health (HITECH) Breach Notification requirements by clarifying when breaches of unsecured health information must be reported to HHS.

Individual rights are expanded in important ways. Patients can ask for a copy of their electronic medical record in an electronic form. When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan. The final omnibus rule sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual’s health information without their permission.

“This final omnibus rule marks the most sweeping changes to the HIPAA Privacy and Security Rules since they were first implemented,” said HHS Office of Civil Rights Director Leon Rodriguez. “These changes not only greatly enhance a patient’s privacy rights and protections, but also strengthen the ability of my office to vigorously enforce the HIPAA privacy and security protections, regardless of whether the information is being held by a health plan, a health care provider, or one of their business associates.”

The final rule also reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes. The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school and gives covered entities and business associates up to one year after the 180-day compliance date to modify contracts to comply with the rule.

The final omnibus rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA), which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.

The Rulemaking announced today may be viewed in the Federal Register at https://www.federalregister.gov/public-inspection.

The final document is here.

Friday, October 19, 2012

To Encrypt Email or Not to Encrypt Email? Practical Answers to a Question That Is Surprisingly Complex

by Elizabeth H. Johnson
Poyner Spruill LLP
Originally posted on October 5, 2012

Health care providers frequently ask us whether they have to encrypt emails, particularly those sent to patients who have asked for an emailed copy of their health records. Since patients have a right to receive electronic copies of their health records, emailing them a copy when they ask for it seems like the right thing to do.

Unfortunately, the decision actually is more complicated. HIPAA requires that all electronic transmissions of protected health information (PHI) be encrypted. That means ALL of them … fax, email, web-based and otherwise. The requirement applies regardless of the identity of the recipient or patient, and the recipient cannot “undo” or waive the requirement by consenting to the receipt of unencrypted emails.

(cut)

One more time in English? Health care providers are allowed to send PHI in unencrypted emails but only after they engage in the analysis described above and document their determination. It is a violation of the HIPAA Security Rule to send unencrypted emails containing PHI without first having performed and documented that analysis. A single violation can carry a penalty as high as $50,000, a useful figure to contemplate if you think encryption is too expensive to implement. Encryption also carries the benefit of qualifying for a “safe harbor” under HIPAA’s breach notification requirements. A security incident that would otherwise require notification is not considered a breach if the PHI affected were encrypted and the encryption key has not been compromised.

The entire article is here.

Thanks to Marlene Maheu for this article via LinkedIn.