Tag: ePHI

Keeping ePHI Data Secure On Mobile Devices

By Ken Lynch, founder and CEO, Reciprocity Labs.


Healthcare providers are among the long list of service providers that have embraced the mobile technology revolution. Some healthcare providers are supplying mobile healthcare devices to their staff, and others have introduced the Bring Your Own Device (BYOD) program that allows their staff to bring their devices and use them at work. Whichever the case, mobile technology enables staff to work remotely, which presents several benefits to healthcare providers.

Risks Associated with Use of Mobile Devices for PHI

While there’s no denying that mobile technology has revolutionized how people work, healthcare providers cannot turn a blind eye to the risks that come with the use of mobile devices. Owing to their small size and portability, mobile devices are at a far greater risk of being lost or stolen than their fixed counterparts.

In the unfortunate event that a mobile device containing unsecured electronic protected health information (ePHI) is lost or stolen, there is an increased risk of a data breach that can trigger HIPAA breach notification obligations for a HIPAA-covered entity and/or its business associates.

HIPAA Standards for Keeping ePHI Data Secure on Mobile Devices

In 1996, HIPAA mandated the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations that would protect the security and privacy of certain health information. In compliance with this requirement, HHS published the HIPAA Security Rule and the HIPAA Privacy Rule.

The HIPAA Privacy Rule establishes national standards for the protection of individually identifiable health information that can be linked to a particular person. The HIPAA Security Rule, on the other hand, establishes national standards for protecting ePHI, particularly how it’s transmitted, maintained, or stored.

For your healthcare facility to be HIPAA-compliant, you must fulfill specific requirements. For the most part, you must ensure that physical, administrative, and technical safeguards are put in place and adhered to, as follows:

Technical Safeguards

Require User Authentication

User authentication is the process of verifying the identity of a user before granting access to a mobile device and the information stored on it. One way to secure ePHI is to ensure that mobile devices are configured to require a user password, passcode, or personal identification number (PIN) to gain access. Doing so helps prevent unauthorized users from gaining access to the device, which in turn restricts access to the ePHI on it.

Enable Encryption

It’s vital that you buy and install an encryption tool for mobile devices that are used to access ePHI. In the event that any of the devices is stolen or lost, encryption renders the information stored on the device unreadable to anyone who does not hold the key. With some devices, it is recommended to enable encryption on device backups as well.

Update Your Security Software Regularly

Attackers usually take advantage of vulnerabilities in common software such as browsers and operating systems. To keep your network safe, it’s vital that you keep your security software and operating systems up to date. By doing so, you’ll also help prevent unauthorized access to ePHI on or through your mobile devices.

Physical Safeguards

Here are some of the physical safeguards to adhere to:

Administrative Safeguards

Besides adhering to the above HIPAA requirements for compliance, there are various other best practices for keeping ePHI data secure on mobile devices. They include:

The adoption of mobile devices will undoubtedly add a lot of value to your organization, provided the proper balance between usability and security is achieved. Taking the right measures to keep ePHI data secure shouldn’t be a matter of meeting compliance only. It should also be a matter of safeguarding the integrity of your patients and your organization at large.

HIPAA Audit Provides Lessons On Risk and Implementation

By Carol Amick, manager of healthcare services, CompliancePoint.


According to the United States Department of Health and Human Services, approximately 70 percent of organizations are not HIPAA compliant. The Health Insurance Portability and Accountability Act, known as HIPAA, mandates industry-wide standards for healthcare information and electronic billing, and requires the protection and confidential handling of protected health information.

According to HIPAA rules, any company that deals with protected information must have physical, network, and process security measures in place and must follow them to ensure compliance. It may be safe to say that many organizations are still perplexed about HIPAA audits, enforcement, and compliance. As a result, the organizations that fail to meet compliance each year remain the majority. To begin understanding compliance, healthcare organizations would be wise to consider three key recommendations.

Analyze the past to avoid making the same mistake twice

It is important for hospitals and healthcare facilities to look at some of the common mistakes that are repeatedly noted in HIPAA security reviews. HIPAA reporting shows that, out of all the reviews completed, a number of compliance violations and issues recur each year. These include impermissible uses and disclosures of protected health information, lack of safeguards to protect health information, lack of patient access to their personal health information, lack of administrative safeguards on electronic protected health information, and use or disclosure of more than the minimum necessary protected health information. Protecting valuable data by analyzing past mistakes is an important step in the compliance process.

Perform a risk assessment and gap analysis

Two preventative measures for assessing an organization’s compliance with HIPAA are a risk analysis and a gap analysis. Confusion and lack of understanding about the two examinations has been common among healthcare professionals for some time. Not understanding the differences can be detrimental to an organization and puts it at significantly higher risk. According to HHS and OCR guidelines, all healthcare organizations must specifically conduct a risk analysis to be deemed HIPAA compliant.

A HIPAA gap analysis can be used to measure the organization’s information security standing against HIPAA, which is part of the HHS audit protocol. Comparing the organization’s current practices to the HHS OCR audit protocol will identify the strengths and weaknesses of the security program. From there, the organization can determine whether it has reasonable and appropriate administrative, physical, and technical safeguards in place to protect patient health information. Performing the gap analysis also allows the organization to develop an audit response toolkit, which includes the data and documentation that would support compliance with the HIPAA regulations to regulatory agencies.


HIPAA: A Primer And A Reminder For Those In Healthcare

By Vikash Kumar, manager, Tatvasoft.

A relentless parade of advances on every front, from communication to banking to shopping, has unfolded thanks to emerging technology. Yet healthcare long lagged behind because many believed it was too complicated to fix. Well, that’s just not true! Now, more than ever, technology has not only improved the consumer experience but also removed unnecessary cost from the entire healthcare system.

To maintain standards of care and improve outcomes for patients, hospitals, and medical centers, technology is providing ever-smarter ways of working. Enacted by the U.S. Congress in 1996, HIPAA was introduced to address the growing technological changes and the problems that came with them. The HIPAA Privacy Rule prohibits the improper saving, accessing, and sharing of medical and personal information. Moreover, it specifically outlines national security standards to protect health data created, received, maintained, or transmitted electronically (ePHI, electronic protected health information).

Apart from this, there are a few primary components one needs to be concerned with:

The Privacy Rule spells out what qualifies as PHI (protected health information) and who is responsible for ensuring that none of it is disclosed improperly. It applies to covered entities ranging from health plans to health care clearinghouses and health care providers that transmit health information electronically, as defined by the Department of Health and Human Services (HHS). Beyond covered entities, the Privacy Rule also covers business associates (anyone who stores, collects, maintains, or transmits protected information on behalf of a covered entity).

The Security Rule, on the other hand, relates specifically to electronic information and sets guidelines for how to secure ePHI. It is broken down into three main categories: administrative, physical, and technical. As the names imply, administrative safeguards revolve around access control and training, physical safeguards cover the actual devices, and technical safeguards relate to the data itself.

The HIPAA Breach Notification Rule is a set of standards that covered entities and business associates must follow in the event of a data breach involving PHI or ePHI. This rule distinguishes two kinds of breaches: minor breaches and meaningful breaches. Organizations are required to report all types of breaches to HHS OCR regardless of size, but the specific reporting protocols change depending on the type of breach.

Omnibus Rule: This rule was enacted to apply HIPAA to business associates in addition to covered entities. Under the rule, business associates must themselves be HIPAA compliant.
