
Author: Jason Gaya Page 1 6/9/2010

emPower e-Learning Solutions

At emPower e-Learning Solutions we make learning a pleasure. Our aim is to help individuals and
organizations learn in the most efficient and effective way by using the latest e-learning
strategies and state-of-the-art media, internet and information technologies.

About the Company

emPower e-Learning Solutions is one of the leading providers of online health compliance
courses. Keeping in mind the need of companies to train their employees to prevailing
industry standards, emPower provides a variety of e-courses, including those mandated by
government and regulatory bodies such as HIPAA, OSHA, the Joint Commission and the Red
Flags Rule. The company has its own Learning Management System (LMS), which hosts customized
e-learning courses, and the real-time compliance tracking feature of the LMS supports our aim
of giving customers a world-class e-learning environment. Our courses are SCORM compliant, so
students and employees can run them on other Learning Management Systems without any hiccup.

emPower's goal is to provide customized e-learning solutions so that employees can hone their
workplace skills. This creates a safer, better and more productive atmosphere at the facility.
As a result overall productivity increases and propels the company ahead of its competitors.

emPower is a leading provider of comprehensive regulatory compliance solutions delivered
through a learning management system. Our mission is to provide innovative solutions that
enable compliance with applicable laws and regulations and maximize business performance. We
provide a range of courses to manage the compliance required by regulatory bodies such as
OSHA, HIPAA and JCAHO. Apart from this, emPower also offers custom demos and tutorials for
your website, business process management and software implementation.

As part of our policy of spreading awareness of the various healthcare regulations, we
present below a selection of articles that provide useful information on how computer
networks, social media and communication technology can be made HIPAA compliant.

Media Contact (emPower)


Jason Gaya
pr@empowerbpo.com

emPower
12806 Townepark Way
Louisville, KY 40243-2311
Ph: 812 -332-5590
http://www.empowerbpo.com

Copyright © 2010. emPower.


emPower is a registered trademark. All Rights Reserved.

INTRODUCTION TO HIPAA ..... 3
UNDERSTANDING HIPAA ..... 5
HIPAA: ENFORCING STRICTER REGULATION TO ENSURE GREATER PROTECTION FOR PATIENT HEALTH INFORMATION ..... 6
HIPAA SECURITY STANDARD: SELECTING THE RIGHT E-MAIL SERVICE ..... 8
HIPAA COMPLIANCE: USING ENCRYPTION FOR SAFE AND SECURE MANAGEMENT OF PATIENT HEALTH INFORMATION ..... 10
HIPAA SECURITY COMPLIANCE: PROTECTS CONFIDENTIAL PATIENT HEALTH INFORMATION ..... 11
ENHANCING COMPUTER NETWORK SECURITY TO ACHIEVE HIPAA COMPLIANCE ..... 14
HIPAA LAW: ENSURING SECURE TRANSMISSION OF PATIENT HEALTH INFORMATION THROUGH FAX ..... 16
BALANCING SOCIAL MEDIA WITH HIPAA ..... 18
TWITTER - TWEETING THE HIPAA WAY ..... 20
HIPAA COMPLIANCE IN FTP HOSTING ..... 22
HIPAA COMPLIANCE IN WIRELESS LOCAL AREA NETWORK ..... 23
HIPAA COMPLIANCE - SIGNING A BUSINESS CONTRACT WITH VENDOR TO ENSURE SAFE DISPOSAL OF MEDICAL RECORDS ..... 25
HIPAA COMPLIANCE: ENSURING SAFE DISPOSAL OF PATIENT HEALTH INFORMATION DOCUMENTS ..... 26
HIPAA COMPLIANCE: SELECTING THE RIGHT SOFTWARE ..... 27
TELEMEDICINE: EMPLOYING SECURITY FEATURES TO ACHIEVE HIPAA COMPLIANCE ..... 29
HIPAA 5010 - GRADUATING FROM HIPAA 4010 TO PROVIDE BETTER HEALTH INSURANCE SERVICE ..... 30
HIPAA LAW - SELECTING THE RIGHT USER AUTHENTICATION SYSTEM ..... 32

Introduction to HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by
Congress on August 21, 1996. Its regulations protect the privacy and security of patients'
personal health information. The Act directs the Department of Health and Human Services
(HHS) to adopt national standards for electronic healthcare transactions and national
identifiers for providers, health plans and employers. The stated purposes of the Act are
to improve the portability and continuity of health insurance coverage in the group and
individual markets, and to combat fraud, waste and abuse in health insurance and health
care delivery. The privacy and security rules belong to the Administrative Simplification
provisions, which are designed to streamline the administration of health insurance through
the efficiencies and cost savings of electronic technology. A healthcare entity that fails
to comply with these regulations can face penalties running into millions of dollars, so
anyone handling such sensitive data must follow a strict security policy.

HIPAA consists of five titles:

• Health care access, portability and renewability
• Preventing health care fraud and abuse, administrative simplification, and medical liability reform
• Tax-related health provisions
• Application and enforcement of group health plan requirements
• Revenue offsets

Who is covered by HIPAA? The Privacy Rule applies only to covered entities.

Covered entities include:

• Health care clearinghouses: public or private entities that process nonstandard health
information data elements into standard data elements, or the reverse.
• Health care providers: providers of medical or other health services, and any other person
furnishing health care services or supplies, who transmit health information electronically
in connection with a standard transaction.
• Health plans: individual or group plans that provide or pay the cost of medical care, with
the exception of liability and workers' compensation plans.

HIPAA has made a considerable contribution to securing and protecting sensitive healthcare
information, and has driven greater use of electronic medical record systems and of secure,
industry-wide messaging standards. For healthcare, the future under HIPAA promises a single
set of transaction formats for all payers, standard coding practices, and remittance, posting
and billing that need no manual intervention. Privacy rules may add some hurdles for
physicians and other employees who need to access medical information, but they give
patients the confidence to share it.

Understanding HIPAA
The Health Insurance Portability and Accountability Act, popularly known as HIPAA, was
enacted in 1996 by Congress, and its insurance portability provisions took effect on 1 July
1997. The main purpose of the Act is to manage the health care delivery system and regulate
the health insurance industry so that people are protected from fraud, malpractice and
discrimination.

The Act protects health insurance coverage for individuals and their families who lose or
change their jobs. It promotes the use of medical savings accounts, frames health insurance
procedures and provides access to long-term care services. The law prohibits discrimination
between individuals based on their health condition and issues guidelines that govern
insurance plans and their providers, so that customers are not cheated and their rights are
protected.

The ongoing conversion of health records into electronic data is part of the strategy to
create a health care system that can be managed in a safe and sound manner. For this, HIPAA's
Security Rule sets standards for protecting patient health information while it is stored or
transmitted electronically. The thrust is on protecting patients' health information so that
it is not misused.

The Privacy Rule limits the use and disclosure of patients' medical data to treatment,
payment and health care operations; other uses, marketing included, need the patient's
written authorization. Covered entities must document their privacy practices and give
patients a notice of them, so that patients know how their privacy will be protected. Health
insurers are bound to keep all details confidential, and individuals who feel that their
information has been compromised can lodge a complaint with the HHS Office for Civil Rights.

In the end it can rightly be said that the Health Insurance Portability and Accountability
Act acts as a guardian of the health care system, managing the health insurance system and
placing safeguards in it against tampering. This translates into a credible health delivery
system that meets patients' health care needs in a safe and secure manner.

HIPAA: Enforcing Stricter Regulation to Ensure Greater Protection for Patient Health
Information
HIPAA, the United States Health Insurance Portability and Accountability Act, has two main
titles. Title I governs health insurance coverage for people who lose or change jobs. Title
II covers the standardization of healthcare transactions that health providers are required
to follow, and its Administrative Simplification provisions also carry the privacy and
security rules that protect patient health records. Title II is the part talked about most,
because it is what protects patients and health insurers from fraud committed with stolen
identities.

HIPAA is enforcing stricter laws and norms to deal firmly with health insurance fraud cases
like the one reported in the Sun newspaper about the sale of patients' health records to
attorneys so that they could make money. A few steps have been taken in recent months with
the sole purpose of making the electronic exchange of health data more robust:

• In November 2009 eight federal agencies approved a model privacy notice form. It requires
institutions to tell customers how their information is gathered and shared, which makes it
easy for customers to decide whether to stay in or opt out.
• The new regulations allow state attorneys general to sue for HIPAA violations, expand
criminal prosecution and impose heavier fines.
• Under the HITECH Act, part of the American Recovery and Reinvestment Act of 2009, covered
entities must notify affected individuals of a breach of unsecured protected health
information; a breach affecting 500 or more residents of a state must also be reported to
prominent media outlets. A parallel Federal Trade Commission rule applies the same duty to
vendors of personal health records that fall outside HIPAA. The rules also spell out the
timing, content and method of the notifications.
• The Recovery Act requires the Department of Health and Human Services (HHS) to study the
entities that handle health information but are not covered by HIPAA, with the aim of framing
rules on how such entities can deliver their services while safeguarding patient data.

In the end, the new and stricter regulations show the effort of the regulatory authorities to
clamp down on the fraudulent practices that still exist in the system in spite of the
safeguards placed in it. The sole purpose is to make the electronic sharing of patient health
data secure and tamper resistant. This will save the state and the public from losing
millions of dollars every year to fraudulent insurance claims.

Because of rising fraud involving patient health information, the regulatory authorities have
enforced stricter HIPAA norms to keep patient identities safe and secure.
Author: Jason Gaya Page 8 6/9/2010

HIPAA Security Standard: Selecting the Right E-mail Service.
The internet has taken center stage in meeting people's communication needs. Its speed, ease
and wide reach make it the favored medium for communication. E-mail is one of the internet's
great communication tools and is widely used by people to communicate with their doctors or
medical insurers. To make this exchange of information safe and secure, it is necessary to
apply the HIPAA security standard when selecting an e-mail service.

The prime objective is to select an e-mail service that carries the patient's health
information safely across the net. Safe transit and storage is a basic requirement of the
HIPAA security standard. The essential features an e-mail service should have are:

• The e-mail service should meet or exceed the HIPAA standards.
• It should be able to encrypt and decrypt the health data transmitted. This protects
confidential health information from unauthorized access as it passes through the public
network. In transit the messages are stored on intermediate servers, where the chance of
interception rises considerably, so the message must be encrypted before it is transmitted.
• The service should provide a secure backup plan so that data can be recovered after a
natural or man-made disaster.
• It should allow unlimited document or e-mail transfer while protecting data integrity.
• It should have a built-in security feature that automatically logs the user off after a
period of inactivity.
• Person or entity authentication is required, as it confirms the identity of the person or
entity accessing the protected health information, an important requirement of the HIPAA
security standard.
• The software should be user friendly, and no third party should be involved in any form.
The e-mail service should have security provisions that prevent unauthorized exchange of
information with third parties.
• The service should keep an audit trail that tells auditors the time, place and IP address
from which protected health information was accessed. This lets the auditor track the
information and confirm that it was accessed only by authorized people and that its safety
was not compromised at any stage of storage or transmission.
• Each user should be assigned a unique tracking number or username, protected by a strong
password, to control access to patient health information in a safe and secure manner.

The main objective of adopting HIPAA security standard while selecting an email
service is to protect the patient health information. This prevents patient identity
theft and saves the State and people from financial losses incurred due to
insurance frauds.
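The audit-trail requirement above says what a compliant service should record; what an auditor then does with those records is review each access against policy. The Go program below is an added example, not code from emPower or from any e-mail service. It parses constructed audit records and flags accesses that fall outside the role's permitted actions, come from an untrusted address, or happen outside business hours. The key=value record format, the field names, the role table, the trusted network and the business hours are all assumptions of the example; unparseable records are reported rather than skipped, because a gap in the audit trail is itself a finding.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

// AccessEvent is one PHI access record as the service's audit log might
// emit it (field names are assumptions for this example).
type AccessEvent struct {
	When    time.Time
	User    string
	Role    string
	IP      net.IP
	Patient string
	Action  string
}

// parseEvent reads one "key=value ..." log line. A line it cannot parse is
// returned as an error rather than silently dropped.
func parseEvent(line string) (AccessEvent, error) {
	var ev AccessEvent
	for _, f := range strings.Fields(line) {
		k, v, ok := strings.Cut(f, "=")
		if !ok {
			return ev, fmt.Errorf("malformed field %q", f)
		}
		switch k {
		case "ts":
			t, err := time.Parse(time.RFC3339, v)
			if err != nil {
				return ev, err
			}
			ev.When = t
		case "user":
			ev.User = v
		case "role":
			ev.Role = v
		case "ip":
			if ev.IP = net.ParseIP(v); ev.IP == nil {
				return ev, fmt.Errorf("bad ip %q", v)
			}
		case "patient":
			ev.Patient = v
		case "action":
			ev.Action = v
		}
	}
	if ev.When.IsZero() || ev.User == "" || ev.IP == nil {
		return ev, fmt.Errorf("incomplete record: %q", line)
	}
	return ev, nil
}

// Review policy (assumed for the example): which roles may do what, which
// networks are trusted, and the UTC hours outside which access is unusual.
var (
	allowedActions = map[string]map[string]bool{
		"physician": {"view": true, "edit": true},
		"nurse":     {"view": true},
		"billing":   {"view_billing": true},
	}
	trustedNets        = []string{"10.0.0.0/8"}
	hourStart, hourEnd = 7, 19
)

// ReviewLog runs the policy over raw log lines and returns one finding per
// rule an event breaks. An empty slice means the log reviewed clean.
func ReviewLog(lines []string) []string {
	findings := []string{}
	var nets []*net.IPNet
	for _, c := range trustedNets {
		if _, n, err := net.ParseCIDR(c); err == nil {
			nets = append(nets, n)
		}
	}
	for _, line := range lines {
		ev, err := parseEvent(line)
		if err != nil {
			findings = append(findings, "unparseable audit record: "+err.Error())
			continue
		}
		if !allowedActions[ev.Role][ev.Action] {
			findings = append(findings, fmt.Sprintf("%s (%s) performed %s on %s: not permitted for role",
				ev.User, ev.Role, ev.Action, ev.Patient))
		}
		trusted := false
		for _, n := range nets {
			if n.Contains(ev.IP) {
				trusted = true
			}
		}
		if !trusted {
			findings = append(findings, fmt.Sprintf("%s accessed %s from untrusted address %s",
				ev.User, ev.Patient, ev.IP))
		}
		if h := ev.When.UTC().Hour(); h < hourStart || h >= hourEnd {
			findings = append(findings, fmt.Sprintf("%s accessed %s outside business hours (%s)",
				ev.User, ev.Patient, ev.When.Format(time.RFC3339)))
		}
	}
	return findings
}

// sampleLog is a constructed audit log, not real data.
var sampleLog = []string{
	"ts=2010-06-09T14:32:10Z user=jdoe role=nurse ip=10.0.1.25 patient=MRN-1001 action=view",
	"ts=2010-06-09T23:05:41Z user=bsmith role=billing ip=10.0.2.7 patient=MRN-1001 action=view",
	"ts=2010-06-10T09:12:03Z user=kwu role=physician ip=203.0.113.9 patient=MRN-2002 action=edit",
	"ts=2010-06-10 user=kwu",
}

func main() {
	for _, f := range ReviewLog(sampleLog) {
		fmt.Println(f)
	}
}
```

Run as-is the program prints four findings for the constructed log: the billing user viewing a clinical record (and doing so late at night), the physician editing from an address outside the trusted network, and the truncated fourth record. The first line, a nurse viewing a record from inside the network during the day, produces nothing.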

HIPAA Compliance: Using Encryption for Safe and Secure Management of Patient Health
Information.
The rapid rise in the use of computer networks to process, store and exchange patient health
information has made it easy for health providers to speed up and improve the quality of
their services. The seamless connectivity the internet provides makes it easy for patients to
access their medical information and act on it at their own convenience, without wasting
their time.

But there are risks associated with this form of electronic exchange of protected health
information. Once the information is transmitted out of a private domain such as a
laboratory, hospital, clinic, insurance provider, billing service or patient network into the
public network, it becomes vulnerable to theft and unauthorized interception.

To prevent the loss of crucial patient health data it is necessary to adopt the right
encryption procedure before sensitive data is sent to the receiver through the public
network. Encryption cannot stop a message from being intercepted on the way; its purpose is to
assure the sender that whatever is intercepted is useless to the interceptor and that only the
intended receiver can read the information.

To achieve HIPAA compliance it is necessary to keep the information confidential whether it
is stored, processed or exchanged between two or more different health entities. Any lapse
can invite strict regulatory fines and convictions. Hence it is necessary to protect the
information as it travels over the internet between sender and receiver by adopting the right
encryption procedure. This can be done with the Secure Sockets Layer (SSL) protocol, now
standardized as TLS, which uses both symmetric and asymmetric forms of encryption.

The patient health information is enciphered into meaningless text that is of no use to
anybody who steals it in transit. The receiver converts it back into its original form with
a secret key. That key is never sent in the clear: in SSL/TLS the bulk data is encrypted with
a fast symmetric cipher under a session key, and the session key is agreed or transported
under the receiver's public key with asymmetric encryption, so only the holder of the matching
private key can recover it. In this way the information in transit is protected and the risk
of identity theft is greatly reduced, which is in line with HIPAA compliance.

HIPAA Security Compliance: Protects Confidential Patient Health Information
The stringent HIPAA security compliance norms make it mandatory for all entities such as
hospitals, insurance providers, payers, billing services, insurance plans and medical
personnel to strictly adhere to the laws relating to the safe transfer and storage of
confidential patient health information. To achieve HIPAA security compliance it is necessary
to implement the steps categorized below:

Establish Physical Safeguards:

Computer networks play a crucial role in the processing, storage and exchange of patients'
health records between different health care entities. Physical access to crucial information
can be safely managed by following these steps:

• Create and implement a policy that authorizes only a limited number of trusted people to
access confidential patient health data.
• Install workstations and computers in secure areas of the facility that only authorized
personnel can enter. Devices such as computers, fax machines, printers and copiers should be
placed so that unauthorized people cannot view the data on them.
• All computer programs should be protected by user IDs and passwords to prevent unauthorized
access. Passwords should be securely managed so that unauthorized people cannot obtain them.
• A process should be in place that manages passwords and accounts efficiently and guarantees
the safety of patient health information when staff members change positions or leave the
organization.
• All storage devices, backup tapes and computer equipment should be accounted for in a log
that tracks them.
• Paper documents that contain critical information but are no longer needed in the office
should be shredded so that nobody else can lay hands on them.

Enhance Computer Network Security

It is necessary to keep a proper inventory of the hardware and software used in the facility
and to understand their role in processing patient health information safely. A risk
analysis should be done by drawing a flow diagram of the work process so that weaknesses in
the system can be identified and removed. The computer network should be protected from
malware and hacking by adopting the security measures below:

• An appropriate security gateway, able to inspect web content in depth and filter out
unwanted elements such as malware and viruses, should be in place.
• Anti-virus software, digital signatures and firewalls should be in place to counter online
threats.
• A proper encryption procedure should be followed when sending crucial health data from the
organization's network to the public network. The information should be strongly encrypted
to protect it from unauthorized access or interception.
• The network security system should continuously monitor the network for any suspicious
activity that indicates an unexplained deviation from standard procedure, and raise an alarm.

Educate Staff on HIPAA Security Compliance

A well trained staff forms the backbone of a successful organization. It is of the utmost
importance for an organization to raise awareness of the importance of handling patient
health information safely. This protects the healthcare facility from lawsuits arising from
an employee's non-compliance with HIPAA norms. The organization should:

• Give staff access to HIPAA compliance training courses and seminars to increase awareness
of the importance of the compliance norms.
• Provide training in password management and virus protection.
• Train staff on how to maintain logs and audits efficiently.
• Carry out periodic reviews of employees' HIPAA security compliance and refresh their
training to hone their skills in managing patient health information safely.
• Provide training on operating the backup system according to the contingency plan, so that
in a natural or man-made disaster the health data is protected and crucial operations keep
running.

Hence, for an organization to achieve the requisite HIPAA security compliance, it is
necessary to integrate software, hardware and personnel smoothly so that all of them work in
a cohesive manner, guided by an administration that continuously monitors, provides feedback
and places safeguards to ensure safe handling of patients' crucial health information.

Enhancing Computer Network Security to Achieve HIPAA Compliance
Secure computer networks are an intrinsic part of the HIPAA strategy to convert the nation's
patient health records into an electronic format that can be easily exchanged between
different parties such as health care providers, insurance providers and administrators. As a
result health care organizations can manage documentation efficiently in minimal time and
provide better service to patients. But present-day computer systems are prone to hacking and
virus attacks, which steal or destroy crucial data. To protect patient health information
there are network security rules that need to be followed so that the organization can
achieve HIPAA compliance.
There are two main sections of HIPAA's Security Rule that relate to computer network
security:

Administrative Safeguards

To achieve HIPAA compliance, the provider must guard against, detect and report malicious
software in its systems. Infected e-mail carries worms, viruses and Trojans, and there should
be a security system in place that checks for such unwanted entry. To manage the computer
networks smoothly, it is necessary to keep vigil by installing the safeguards below:

• Gateway and desktop anti-virus products should be used.
• The security gateway should be able to carry out deep packet inspection and provide
appropriate web filtering for the network.
• Signature files that update every 30 minutes should be used, as they are the best defense
against fast-moving worms.
• All security services and subsystems should be proactive, using an IPS (Intrusion
Prevention System) rather than only an IDS (Intrusion Detection System), so that an attack is
blocked rather than merely logged. This is necessary to keep the network from being infected.
• The installed firewall should protect against the top 50 well-known DoS and DDoS attacks
and at the same time keep a proper record of them.

Technical Safeguards:

For a computer network to attain HIPAA compliance the organization must frame a security
policy that makes it mandatory that only authorized personnel or software programs have
access rights to protected health information.

• The security device should support a native form of authentication. For web applications,
transparent (single sign-on) authentication should be used so that a user who moves between
different secure applications does not have to enter a username and password at every jump.
• The security system should support e-mail content filtering with keyword and regular
expression matching.
• To prevent unauthorized access to or interception of patient health information while it
is on its way between sender and receiver, proper encryption techniques should be used. PHI
sent over the public network should be strongly encrypted and received only by authenticated
users who hold the key needed to decipher it.
• The security system should continuously monitor for any unwanted or suspicious deviation
from standard procedure and report anomalous activity immediately to the IT manager.
• Special features such as e-mail content filtering and digital signatures should be added to
the system to prevent the dispatch of protected data to unverified recipients.
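The bullets on keyword and regular-expression content filtering and on blocking dispatch to unverified recipients describe one mechanism at the outbound mail gateway. The Go program below is an added example, not code from emPower or from any gateway product: it scans constructed outbound messages with keyword and regular-expression rules for PHI markers and combines the result with a recipient-domain allowlist, so that a message containing PHI is allowed only in encrypted form to a verified domain and blocked otherwise. The patterns, keywords, verified domains and sample messages are all assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Decision is the gateway's verdict on one outbound message.
type Decision string

const (
	Allow          Decision = "allow"           // no PHI detected
	RequireEncrypt Decision = "require-encrypt" // PHI, recipient verified: send only encrypted
	Block          Decision = "block"           // PHI bound for an unverified recipient
)

// Message is the subset of an outbound e-mail the filter inspects.
type Message struct {
	To      string
	Subject string
	Body    string
}

// Detection rules. The regexes, keywords and verified domains are
// assumptions for the example; a real deployment tunes them to its own
// record formats and business associate agreements.
var (
	phiRegexes = []*regexp.Regexp{
		regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`), // US Social Security number
		regexp.MustCompile(`\bMRN[- ]?\d{4,}\b`),    // medical record number
		regexp.MustCompile(`(?i)\bdate of birth\b.*\d{1,2}/\d{1,2}/\d{2,4}`),
	}
	phiKeywords = []string{"diagnosis", "lab result", "prescription"}
	// Recipient domains with a signed agreement and a verified encryption
	// endpoint (assumed for the example).
	verifiedDomains = map[string]bool{"lab.example.org": true, "payer.example.com": true}
)

// FindPHI returns a label for every rule that matches the message, so the
// audit trail records why a message was held and not just that it was.
func FindPHI(m Message) []string {
	text := m.Subject + "\n" + m.Body
	hits := []string{}
	for _, re := range phiRegexes {
		if re.MatchString(text) {
			hits = append(hits, "regex:"+re.String())
		}
	}
	lower := strings.ToLower(text)
	for _, kw := range phiKeywords {
		if strings.Contains(lower, kw) {
			hits = append(hits, "keyword:"+kw)
		}
	}
	return hits
}

// Classify applies the policy: PHI may leave only encrypted and only to a
// recipient whose domain has been verified; PHI bound anywhere else is
// blocked; messages without PHI pass.
func Classify(m Message) (Decision, []string) {
	hits := FindPHI(m)
	if len(hits) == 0 {
		return Allow, hits
	}
	_, domain, ok := strings.Cut(strings.ToLower(m.To), "@")
	if ok && verifiedDomains[domain] {
		return RequireEncrypt, hits
	}
	return Block, hits
}

// samples are constructed messages, not real mail.
var samples = []Message{
	{To: "scheduler@clinic.example", Subject: "Staff meeting", Body: "Moved to 3pm Thursday."},
	{To: "intake@lab.example.org", Subject: "Order", Body: "Patient MRN-10442, lab result requested for panel A."},
	{To: "friend@webmail.example", Subject: "fyi", Body: "Her SSN is 123-45-6789, diagnosis pending."},
}

func main() {
	for _, m := range samples {
		d, why := Classify(m)
		fmt.Printf("%-28s %-16s %v\n", m.To, d, why)
	}
}
```

The first sample passes, the lab order is held for encrypted delivery because its domain is verified, and the webmail message is blocked. Pattern filters of this kind catch careless disclosures, not determined ones; a user who writes the SSN with spaces instead of hyphens slips past the first regex, which is why the policy pairs the filter with recipient verification rather than relying on either alone.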

In the end it is necessary for all the entities involved in the health care system, such as
health service providers, insurance companies, transcription service providers, payers, labs,
internet service providers, hospitals and billing services, to build a chain of trust so that
any patient health information routed between them is kept highly confidential. This can be
done through a network of computer systems that strictly adhere to HIPAA compliance norms and
so allow safe and secure transmission of confidential health information over public
networks.

HIPAA Law: Ensuring Secure Transmission of Patient Health Information through Fax
The fax machine is an asset that organizations count on to send and receive information
quickly, and it plays a significant role in meeting the communication needs of the office.
But with the arrival of HIPAA it is mandatory for covered entities and their business
associates to use HIPAA-compliant faxing practices so that patients' protected health
information is not leaked or exposed to unauthorized people during transmission.
As non-compliance with HIPAA can invite penalties and criminal prosecution, it is necessary
to put in place a few safeguards that make daily use of the fax machine safe and secure.

• Fax systems that support encryption should be installed. Protected health information
should be encrypted before it is faxed, which protects it from unauthorized access because
only the receiver has the key to decrypt the message back into its original form.
• The fax machine should be configured so that no copy of a received fax is kept in its
memory.
• The fax machine should have a built-in copying function that can print as many copies as
needed. This eliminates the need for an external photocopier and prevents exposure of
confidential patient health information to unauthorized persons.
• The fax machine should be placed in a secure location and accessed only by authorized
personnel. On receipt of a fax, the message should be delivered straight to the intended
recipient.
• Regularly used fax numbers should be stored, and the speed-dial option used, to prevent
misdialing.
• There should be a sound policy in place that manages the storage, duplication and disposal
of faxed protected health information as HIPAA requires. The policy should also address
effectively what to do when PHI is delivered to the wrong number.
• Before faxing to a new recipient, the number should be checked by sending a test message.
This ensures that crucial PHI is dispatched to the intended receiver only.

The fax machine is an integral part of the office communication system. Covered entities such
as clinics, hospitals, clearinghouses, insurance companies and other health providers depend
on it for their daily communication needs. With the advent of HIPAA, the fax machine should
be installed and used in a very secure manner.

A HIPAA-compliant fax system should have encryption features that allow the sender to encrypt
the protected health information and send it as an e-mail over the net. The PHI is encrypted
and transmitted to the receiver's fax machine, which is also connected to the internet. The
receiver holds a key that decrypts the message and prints the information back in its
original form. Thus the message is faxed in a safe and secure manner over the net. These
precautions help health organizations store and exchange patients' protected health
information as HIPAA requires.

Balancing Social Media with HIPAA
Social media is completely changing the way people communicate with each other. The online
networking platforms that social media provides have made it quite easy for people to
converse, exchange ideas, share opinions and distribute information, shaping mass opinion
about an individual, product, policy, healthcare, education and much more.

An organized and credible healthcare system is crucial for the well-being of society. Health
insurance also falls within the healthcare system, and patient health information is of
great significance. An insecure or compromised patient health information system can have
severe implications for the health and finances of patients. HIPAA plays a pivotal role by
enforcing strict regulations that protect confidential patient health information. Covered
entities such as hospitals, clinics, billing
and insurance companies, and their workforce, are governed by HIPAA compliance laws. Any
lapse on their part can invite strict penalties and convictions.

Doctors, nurses, medics, paramedics, surgeons and others nowadays use social media tools such
as Facebook, Twitter and Flickr to communicate with each other. Patients also use social
media to search for physicians or surgeons who can address their specific healthcare needs.
This is the positive side of social media in healthcare settings. Increased accessibility
also gives patients the opportunity to share and improve their knowledge about a disease and
its treatment, and word-of-mouth testimonials on social media give patients information they
can count on when resolving their pending health issues.

But social media also poses threats to patient privacy. The lack of proper social media usage
policies for healthcare workers, together with human lapses, can seriously put the integrity
and confidentiality of patient health information at risk. Intentional or unintentional
disclosure of patient health information will invite strict penalties and convictions under
HIPAA regulations.

Instead of creating friction or conflict between HIPAA and social media through irresponsible use, healthcare organizations should administer a sound social media management policy, which ensures that no leakages occur and whatever goes on the net is not detrimental to the healthcare rights of the patient. If somehow the information does manage to slip through, strict vigilance should ensure timely removal of the content from the net. The medical staff should be trained to handle social media in such a manner that both the organization and the patients benefit from its constructive use.

Instead of opposing each other, social media and HIPAA must be harmonized in such a manner that the vast reach which social media provides is used effectively to address healthcare issues, without compromising individual or collective healthcare privacy rights.

Twitter - Tweeting the HIPAA Way

The increased use of social media, especially Twitter, is a cause for concern for many people, keeping in mind the strict HIPAA compliance norms pertaining to patient health information. Twitter is turning out to be the most favored communication tool for healthcare professionals who want to maintain quick and easy connectivity with their patients. The increased use of social media in healthcare settings points towards the strategy of healthcare organizations to advertise their services, especially through Twitter, because of the vast reach which it provides. To cut down advertisement costs in the face of increased competition and economic downturn, healthcare professionals and organizations find Twitter a cheap and effective advertising medium.

Some surgeons tweet from operating rooms to the relatives of the patient and keep them updated on the condition of the patient. From a marketing perspective, this might be a good way to woo more patients to the hospital by advertising a service which reflects the customer-centric policy of the organization.

But Twitter in healthcare settings is fraught with dangers. The HIPAA norms make it mandatory for all the covered entities like hospitals, health insurance providers, billing services and other health providers, along with their business associates, to ensure complete protection of the patient health information which they store, process and exchange between themselves. Irresponsible use of Twitter might result in leakage of sensitive health information of the patient and invite heavy fines and criminal convictions, which can ruin careers of the medical personnel and tarnish the image and business prospects of the healthcare organization.

Use of Twitter from the operating room should be discouraged as it might affect the electronic signals of the machines installed in the room. Further, wrong or premature information tweeted from the room can damage the reputation of the organization. Any tweet which leaks the identity of the patient or their information will surely invite legal trouble for the personnel and the organization.

It is necessary to regulate the use of Twitter through a well-managed healthcare social media policy. Vigilance should be maintained on what is being tweeted into social media from the organization, and all the medical personnel should be made aware of the regulations pertaining to the right use of Twitter. Tweeting rights should be given to authorized and reliable personnel. They should be made aware of the legal and financial implications of any lapse which results in unauthorized display of confidential patient health information, knowingly or unknowingly.

Increased awareness, collective and individual accountability, a sound social media management policy and sharp vigilance can make it easy for healthcare organizations to use Twitter safely, without leaking patient health information, in line with HIPAA laws.

HIPAA Compliance in FTP Hosting

The HIPAA compliance laws make it mandatory for the covered health entities, like hospitals, clinics, billing and insurance companies, and their business associates to use completely HIPAA compliant computer network systems. FTP, or File Transfer Protocol, also falls under this purview.

HIPAA covered health entities exchange large amounts of confidential patient health information. The business associates of the covered entities, like transcription companies, also come under the purview of the HIPAA compliance laws. For safe and secure transfer of large volumes of electronic patient health information through the public network it is necessary to employ HIPAA compliant FTP. The file transfer protocol has two components, namely server and client. The FTP user gets a unique username and password through which he or she can easily upload or download electronic files from the FTP server.

HIPAA compliance rules make it necessary for the FTP servers of health organizations and insurance companies to adopt security measures, so that the electronic health information of the patient is safely transferred from the sender to the intended receiver. HIPAA compliant servers have the following security features:

 The FTP servers are protected by 128-bit SSL encryption technology. The file is loaded on the server in an encrypted form and can be downloaded in its original form only by an authorized person or entity, through a unique key which the sender and the receiver share between them.
 A HIPAA compliant server offers very secure and fast transfer of large volumes of digital data through a multi-threaded file transfer system. This is much faster than normal FTP transfer.
 HIPAA compliance in an FTP server enables users to continue using their existing firewall service. The unique username and password protect the system from unauthorized intrusion.
 HIPAA compliant servers are user friendly and make it easy to download/upload large files without any complications.
 A special intrusion detection system provides foolproof security and thwarts any rogue entry into the system.

The encryption feature of the FTP server makes it impossible for an intruder to access the sensitive information, and this is completely in line with the requirements of HIPAA compliance norms.
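As an added example (not code from the original article or from any vendor's FTP product), here is what an encrypted, credential-protected transfer of a patient record looks like from the client side using only Python's standard library: the control channel is upgraded to TLS before the username and password are sent, the data channel is encrypted as well, the server certificate is verified, and a SHA-256 fingerprint is recorded so the receiver can confirm the file arrived intact. The hostname, username, password and file contents are constructed placeholders.

```python
"""Added example: uploading a patient record over FTPS (FTP with TLS) with
certificate verification and an encrypted data channel.  Illustrative code,
not any vendor's FTP product; host, credentials and data are constructed."""
import hashlib
import io
import ssl
from ftplib import FTP_TLS


def secure_tls_context() -> ssl.SSLContext:
    """TLS settings a client must insist on: modern protocol only, and a
    server certificate that chains to a trusted CA and matches the hostname.
    Without verification, credentials go to whoever answers on port 21."""
    ctx = ssl.create_default_context()          # trusts the system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def sha256_hex(data: bytes) -> str:
    """Integrity fingerprint, sent out of band and re-checked after download."""
    return hashlib.sha256(data).hexdigest()


def upload_phi(host: str, user: str, password: str, remote_name: str, data: bytes) -> str:
    """Upload `data` with both the command and the data channel encrypted.
    Returns the SHA-256 of what was sent so the receiver can verify it."""
    digest = sha256_hex(data)
    with FTP_TLS(context=secure_tls_context()) as ftp:
        ftp.connect(host, 21, timeout=30)
        ftp.auth()             # AUTH TLS: encrypt the control channel BEFORE credentials are sent
        ftp.login(user, password)
        ftp.prot_p()           # PROT P: encrypt the data channel too, not only the commands
        ftp.storbinary(f"STOR {remote_name}", io.BytesIO(data))
    return digest


if __name__ == "__main__":
    record = b"constructed visit note for patient P-100"
    print("fingerprint to send out of band:", sha256_hex(record))
    # With a reachable FTPS server (placeholder host below), the upload itself is:
    # upload_phi("ftps.example.invalid", "user", "password", "p100-visit.txt", record)
```

The two details most often missed are calling `prot_p()` (without it the login is encrypted but the file itself travels in clear) and leaving certificate verification switched on; the "unique key shared between sender and receiver" in the list above is, in practice, the server's certificate chain plus the per-session TLS keys it negotiates.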

HIPAA Compliance in Wireless Local Area Network

The rapid growth of communication technology and the need for connectivity during mobility has resulted in the inclusion of Wireless Local Area Networks (WLAN) in the modern communication network. WLAN provides the freedom to access, exchange, store and process information from any point in the network.

Because of wireless LAN, an increasing number of doctors, nurses, paramedics and caregivers can process patient data conveniently across large healthcare settings. The increased mobility which it provides makes it easy for medical personnel to exchange information while on the move. This saves time, increases productivity and raises the quality of patient care.

But with this benefit of WLAN comes an underlying security threat which can seriously compromise the ability of the healthcare facility to follow the HIPAA compliance laws pertaining to electronic exchange of confidential patient health information. A wired network, as it requires physical access, is safer compared to a wireless network. The open network architecture of the WLAN makes it easy for any unauthorized person to get behind the firewall and access the network. This poses a serious threat to the safety of the confidential patient health information which is stored, exchanged or processed by the network.

To achieve HIPAA compliance the WLAN should have the security features mentioned below:

 Unique user identification.
 Emergency access procedure.
 Automatic logoff.
 An encryption and decryption system that creates a tamper-proof communication channel between the sender and the authenticated receiver.
 Ability to authenticate electronic health information and maintain the integrity of the information.
 The network should maintain its integrity through continuous monitoring and shut out any unauthorized access from any rogue entry point.
 Clients associating with rogue entry points should be shut off from the network unless they approach from an authorized access point.
 Any change in the configuration of the access points which points to unauthorized access should be immediately brought to the notice of the IT manager through a proper communication channel.
 Ability to maintain an audit log of the time, nature and resolution of the intrusion and the steps taken to avert it.

In the end, the WLAN in any healthcare setting should be securely configured in such a manner that it becomes safe for the organization to store and exchange confidential patient health information in line with HIPAA compliance laws.

HIPAA Compliance - Signing a Business Contract with Vendor to Ensure Safe Disposal of Medical Records

HIPAA compliance makes it mandatory for covered entities like healthcare clinics, doctors, clearinghouses, health plan providers, hospitals and billing companies to take complete responsibility for the protection of patient health information. The HIPAA law makes them accountable for any lapse which results in unauthorized display of the protected information. The covered entities have business associates who provide a variety of services to them. The waste paper recycler is one such business associate, who takes care of waste paper disposal.

HIPAA compliance regulations put emphasis on conversion of patient health records from paper to electronic format. For medical records which are still in paper format, the covered entities need to develop an effective disposal strategy so that unneeded patient health information can be safely shredded or disposed of without exposing it. As the covered entity is accountable for the protected health information, it is important that it sign a business contract with a professional and certified paper recycler or shredder. As per the contract, the vendor should perform the following tasks:

 Provide complete details on how the waste paper will be disposed of safely.
 Indicate the time taken towards disposal. It should clearly point out the time elapsed between collection and destruction.
 Ensure availability of a specific sum of liability insurance, which provides risk coverage to the covered entity. This is because the covered entity is ultimately responsible for the privacy of patient health records.
 Provide complete information on all the safeguards placed in the waste paper management plan, so that the covered entity can rest assured of no safety breaches from collection to disposal of the paper records.
 Provide proof of record destruction, whether it is by shredding, paper recycling or burning.

The vendor is also responsible for patient health privacy. To develop long-term business relations with a covered entity it is essential that the vendor practice safe disposal of medical records. The covered entity should get a written commitment in the form of a signed contract to ensure HIPAA compliance during waste paper disposal.

HIPAA Compliance: Ensuring Safe Disposal of Patient Health Information Documents

The HIPAA compliance norms lay stress on the safe transaction and storage of patient health information, whether on paper or in electronic format. Patient health information stored as an electronic file on a computer and protected by a system of usernames and passwords is much safer than paper documents. As medical documents are being converted into electronic health records, it has become necessary to dispose of the paper records in a safe and secure manner.

The safe disposal of unneeded patient health documents is crucial because the health service provider is accountable for any breach during information processing, exchange, storage or disposal. Any paper disposal vendor or recycler who seeks to enter into a business alliance with a health service provider should employ the right waste paper management techniques, in line with HIPAA compliance norms.

The covered entity and the vendor should work together in tandem to chalk out a good strategy which ensures safe disposal of the paper documents. The following points should form the backbone of this joint strategy:

 The health providers should train their staff to generate less paper waste. The organization should switch from paper documents to electronic information processing. This will greatly reduce waste paper generation at source. The facility should maintain a list of the staff members who are responsible for generation, storage and safe handing over of the waste paper documents to the vendor. This brings accountability into the system.
 Paper should be trashed in locked bins and stored in safe areas of the facility, away from busy areas. If the health providers want, they can shred the documents in their own facility, but it requires additional labor and capital.
 If a vendor is given the task of shredding or recycling the documents, then the covered entity should enter into a binding agreement that ensures there is no lapse on the part of the vendor, right from collection of the waste to its disposal in a shredding machine or a recycling plant, because ultimately the health provider is accountable for any safety lapse.
 The vendor can shred the documents on site or transport them to a bulk shredding center. It should provide a certificate of disposal so that the time, place and proof of safe disposal are available to the covered entity.

Thus a well thought out waste disposal scheme protects the covered entity from liability due to any breach in the confidentiality of patient health information during its disposal.

HIPAA Compliance: Selecting the Right Software

The covered entities like hospitals, clearing houses, billing and coding companies,
physicians, health insurance providers and multi-location clinics are bound by
HIPAA compliance norms. It is essential that their business associates like
medical transcription service providers also follow HIPAA regulations while they
process, exchange or store the confidential patient health information.

The majority of health information is processed electronically. It is necessary for covered entities and their business associates to use the right kind of software, which processes the health information of the patient as per HIPAA compliance norms. The software should have security features which protect the privacy of the patient health information. It should have the following security features:

 Able to track the user, whether a service provider or client, and maintain a complete record of the date, time and nature of access through a system of usernames and passwords. It should provide information on who accessed the data and what was viewed, updated or deleted.
 Restrict user access to the required information only. It should allow the authorized user to view or process the patient information which falls under his or her scope of work. The user cannot access any other information which does not pertain to his or her work or department.
 Provide an override function which grants special access or emergency rights to a staff member in case of emergency, so that patient healthcare is not compromised in any way. At the same time, the built-in messaging system should inform other users about such access, including the identity of the person and the information accessed. This is a part of the security review associated with the override function and ensures accountability in the system through continued vigilance.
 Anti-virus and firewall defense and a system of usernames and passwords to protect the health information system from viruses and hackers.
 Support e-mail encryption, so that patient health information sent through mail is tamper-proof.
 The software should support an internal messaging system which updates the user about the entry or exit of messages or other information, without having to leave the security of the organizational network.
 The software should have an online patient authorization system which grants the health service providers the right to use the patient health information for the good of the patient. The online authorization form should have an expiration date and clearly indicate for what purpose the patient health information will be used. The software should keep track of the expiration of the authorizations, so that they can be revalidated as and when required by the patient and the health service provider.
 The software should support coding and billing procedures so that patient health transactions can be easily conducted electronically between different health service providers as per HIPAA compliance norms.
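The access-tracking, scope-restriction, override and authorization-expiry items above (and the unique user identification, automatic logoff and audit log items from the WLAN list earlier) describe one access-control layer. The following is an added illustration of that layer in Python, not code from the article or from any HIPAA software product; the users, departments, patient ids and timestamps are constructed for the demonstration, and the 15-minute idle limit is an assumed value.

```python
"""Added example: a small access-control layer with the controls listed
above -- per-access audit trail, department-scoped (least-privilege)
access, a logged break-glass override that notifies other users, expiring
patient authorizations, and automatic logoff of idle sessions.
Constructed users and records; illustrative code, not any product's."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Record:
    patient_id: str
    department: str            # department that owns the record


@dataclass
class Authorization:
    patient_id: str
    purpose: str
    expires: datetime


@dataclass
class Session:
    user: str                  # unique user identification
    department: str
    last_activity: datetime


@dataclass
class AccessControl:
    idle_limit: timedelta = timedelta(minutes=15)      # assumed automatic-logoff threshold
    audit: list = field(default_factory=list)          # (time, user, patient, action, outcome)
    notices: list = field(default_factory=list)        # broadcast to other users on override
    authorizations: dict = field(default_factory=dict)

    def grant_authorization(self, auth: Authorization) -> None:
        self.authorizations[auth.patient_id] = auth

    def authorization_valid(self, patient_id: str, now: datetime) -> bool:
        auth = self.authorizations.get(patient_id)
        return auth is not None and now < auth.expires

    def expiring_within(self, now: datetime, window: timedelta) -> list:
        """Authorizations due for revalidation inside `window`."""
        return sorted(p for p, a in self.authorizations.items() if now <= a.expires <= now + window)

    def _log(self, now, user, patient, action, outcome) -> None:
        self.audit.append((now.isoformat(), user, patient, action, outcome))

    def access(self, session: Session, record: Record, action: str, now: datetime,
               emergency: bool = False) -> bool:
        # Automatic logoff: an idle session is refused before anything else is checked.
        if now - session.last_activity > self.idle_limit:
            self._log(now, session.user, record.patient_id, action, "denied: session expired")
            return False
        session.last_activity = now
        # Break-glass override: permitted, but always logged and broadcast for review.
        if emergency:
            self._log(now, session.user, record.patient_id, action, "override")
            self.notices.append(f"EMERGENCY ACCESS by {session.user} to {record.patient_id} ({action})")
            return True
        # Least privilege: only the owning department may use the record.
        if session.department != record.department:
            self._log(now, session.user, record.patient_id, action, "denied: out of scope")
            return False
        # A current patient authorization must exist.
        if not self.authorization_valid(record.patient_id, now):
            self._log(now, session.user, record.patient_id, action, "denied: authorization missing or expired")
            return False
        self._log(now, session.user, record.patient_id, action, "allowed")
        return True


def access_demo() -> dict:
    """Constructed scenario; returns each outcome so it can be checked."""
    t0 = datetime(2010, 6, 9, 9, 0)
    ac = AccessControl()
    ac.grant_authorization(Authorization("P-100", "treatment", t0 + timedelta(days=30)))
    ac.grant_authorization(Authorization("P-200", "billing", t0 - timedelta(days=1)))  # already expired
    cardio, billing = Record("P-100", "cardiology"), Record("P-200", "billing")
    nurse, clerk = Session("nurse.a", "cardiology", t0), Session("clerk.b", "billing", t0)
    m = timedelta(minutes=1)
    return {
        "in_scope": ac.access(nurse, cardio, "view", t0 + m),
        "out_of_scope": ac.access(clerk, cardio, "view", t0 + m),
        "expired_auth": ac.access(clerk, billing, "view", t0 + 2 * m),
        "break_glass": ac.access(clerk, cardio, "view", t0 + 3 * m, emergency=True),
        "idle_logoff": ac.access(nurse, cardio, "view", t0 + 40 * m),
        "notices": len(ac.notices),
        "audit_entries": len(ac.audit),
        "expiring_soon": ac.expiring_within(t0, timedelta(days=60)),
    }
```

Every decision, including denials and the override, lands in `audit`, which is what makes the "who accessed what, when" review possible later; the override is deliberately the only path that bypasses the scope and authorization checks, and it pays for that with a broadcast notice.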

The main objective of HIPAA compliance software is to protect the health information of the patient processed, exchanged or stored at various health entities. The software should facilitate smooth flow of patient information through different networks in a secure way. The security features should thwart hostile access and at the same time not hinder authorized users like providers or patients, so that the health of the patient is not compromised in any way.

Telemedicine: Employing Security Features to Achieve HIPAA Compliance

Telemedicine is a branch of modern medicine in which patient health
information is exchanged over a great distance, through a series of local and
wireless networks. The remote settings of the patients make the exchange of
health information with health providers, highly vulnerable to hostile intrusion.

The HIPAA compliance norms make it mandatory for all the covered entities like hospitals, clinics, clearinghouses, physicians, medical insurance companies and other health service providers to employ secure computer network systems which follow stringent security codes. Any failure in HIPAA compliance on the part of a health provider will surely invite strict regulatory action, in the form of heavy fines or criminal prosecution.

The nomadic or remote settings of the patients make it a challenging task for the health providers to maintain the privacy of patient health information. A series of wireless and local area networks makes the system vulnerable to hackers. Further, lack of proper vigilance at remote settings attracts hostile intrusion from both hackers and viruses. To fortify the telemedicine network against unauthorized access, the health service providers should incorporate the following stringent security features in the network:

 All email communications should be in encrypted form. The email content is encrypted into strings of codes and transmitted over the network. At the receiving end, the coded message is assembled back into its original form with the help of a key. Even if someone manages to access it illegally during the course of transmission, the coded message will make no sense to the hacker.
 A facial recognition system helps the service providers to clearly identify the patients on the network, especially in the case of video conferencing.
 A digital identity card is provided to the remote patients after identity verification by the authorities. The encryption features and digital signature of the patient in the card authenticate the user and allow access to online health services.
 Access to all point-of-service computers should be user-authenticated, to ensure that only authorized personnel access the system.
 The computer network should be protected by a firewall and should be constantly monitored to detect any intrusion. There should be an audit system which maintains a record of the time, frequency and nature of hostile attacks made on the network.
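The first item describes encryption with a shared key in prose. As an added example that is not part of the article, the block below makes it concrete with nothing but Python's standard library: the message is turned into bytes that are meaningless without the key, and a tag lets the receiver detect any alteration in transit before decrypting. The construction (HMAC-SHA256 used as a counter-mode keystream, with a separate HMAC tag over the ciphertext) is an illustrative one chosen so the block runs without third-party packages; the shared secret and the glucose reading are constructed values.

```python
"""Added example: what 'encrypted into strings of codes and assembled back
with a key' looks like concretely.  Illustrative encrypt-then-MAC
construction from standard-library primitives (HMAC-SHA256 as a keystream
generator plus an HMAC tag); the key and message are constructed."""
import hashlib
import hmac
import os
from typing import Optional


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and authentication keys from one shared secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(enc_key, nonce || i).  A nonce must never repeat under one key.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Returns nonce || ciphertext || tag; the tag covers both nonce and ciphertext."""
    nonce = os.urandom(16) if nonce is None else nonce
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Checks the tag in constant time before touching the ciphertext; raises on tampering."""
    if len(blob) < 48:
        raise ValueError("message too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or wrong key")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


def roundtrip_demo() -> dict:
    """Constructed exchange between a remote patient and a provider sharing `key`."""
    key = hashlib.sha256(b"constructed shared secret").digest()
    message = b"Patient P-100: glucose 142 mg/dL at 08:00"
    blob = encrypt(key, message)
    tampered = blob[:20] + bytes([blob[20] ^ 0x01]) + blob[21:]   # flip one ciphertext bit
    try:
        decrypt(key, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    try:
        decrypt(hashlib.sha256(b"wrong key").digest(), blob)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "plaintext_visible_in_blob": message in blob,
        "recovered": decrypt(key, blob) == message,
        "tamper_detected": tamper_detected,
        "wrong_key_rejected": wrong_key_rejected,
    }
```

The point the article's wording skips is the tag: encryption alone keeps the reading secret, but without authentication an intercepted message could be altered bit by bit and still decrypt to something plausible. In a deployed system this whole block is replaced by a vetted authenticated cipher such as AES-GCM, which provides the same two properties in one primitive.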

The security features in the network enable the health service providers to
provide quality healthcare services to remote patients in a safe and secure way.
The patient health privacy is protected and this is in line with HIPAA compliance
norms. Telemedicine and EMR can safely deliver customized health solutions to
remote communities.

HIPAA 5010 - Graduating From HIPAA 4010 to Provide Better Health Insurance Service

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 addresses healthcare issues like patient health information protection, insurance portability and simplification of health insurance administration. The voluminous health insurance data involved makes the insurance administration process cumbersome. The covered entities like physicians, hospitals, clinics, clearinghouses, plan providers and their business associates need seamless connectivity to synchronize their transactions in a smooth manner. This will reduce processing time, cut operating cost and increase the overall productivity of the system. As a result the patients can enjoy better, safer and cheaper health insurance service.

The complete conversion of paper records into electronic format is a time-consuming task. The real challenge lies in creating seamless connectivity between different health services so that patient health information is used safely to settle insurance claims, remittances and eligibility issues in a time-bound manner and to the complete satisfaction of the customers.

This is where HIPAA 5010 will take over from HIPAA 4010. HIPAA 5010 overcomes the shortcomings of HIPAA 4010 by adopting a well-defined policy which supports structural and technical changes to provide consistent and uniform content that creates a common platform for different health service providers. As a result, covered entities like physicians, hospitals, payers, clearinghouses, dentists and pharmacies can easily share and process patient health information in minimal time and at minimal cost.

HIPAA 5010 addresses drawbacks in HIPAA 4010 by providing solutions to critical healthcare issues like claims attachment, quality and cost of treatment, patient health records and safety, pay for performance and pay consumerism. The ICD-10 diagnostic and procedural codes, which are missing in HIPAA 4010, make HIPAA 5010 highly accurate and flexible for the payers to capture more and better information about patients. This will enhance functional areas like:

 Administration of Claims
 Management of contract with Health service provider
 Medical Management that includes referral and pre-authorization, disease
and case management.
 Assessment of Eligibility and Enrolment
 Customer service in handling the appeals and providing claim related
support.

In the end, HIPAA 5010, with 1000-plus changes from its predecessor, will greatly help increase interoperability and portability between the different health providers and their business associates. This will translate into huge savings in the operational costs of the national healthcare system and enable the patients to receive better health insurance services at reduced prices, compared to what is available to them today.

HIPAA Law - Selecting the Right User Authentication System

The main objective of the HIPAA law is to streamline the health insurance system and provide continuous coverage to people who change or lose their jobs. To do this effectively, special emphasis is laid on complete conversion of patient health records from paper to electronic format. This will make it convenient for the covered health providers and their business associates to safely manage the voluminous patient health information in a cost-effective manner.

The HIPAA law advocates a very strong security policy, which guarantees the protection of confidential health information from unauthorized access on the net. Password-enabled access is the most common type of security system. But such a system is not reliable, as passwords can be easily hacked. Also, when there are many passwords to remember, it becomes very cumbersome for the user to remember all of them. The patient or user writes them down on paper, and this is an unsafe practice because if it falls into the wrong hands it can result in financial losses for the patient and the health service provider.

The smart card system provides a better option as it works on a combination of the security card and a PIN. But there is a loophole in it. In case of loss of the smart card, or if the PIN is cracked by a hacker, the secrecy of patient health information can be severely compromised. Further, smart card based authentication systems are costly and hence expensive for small health providers to install.

Strong user authentication, which provides exceptionally strong defense against unauthorized access or intrusion, should be incorporated into the computer networks. Biometric authentication offers the best available solution to health service providers, as it integrates unique characteristics of the patient or the user, like fingerprints, iris scans, voice prints, signatures and keystroke dynamics, with a user password to create a highly secure access system. As this technology uses costly equipment, the health providers need to spend more compared to other available options.

Under HIPAA law, all the covered entities like hospitals, clinics, clearinghouses and other health service providers are responsible and accountable for the safety of patient health information. Hence it is necessary to put in place an impenetrable security wall, in the form of reliable user authentication, which successfully neutralizes any intrusion. This protects the health organization from non-compliance with HIPAA law due to poor network security.
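Whatever second factor a provider settles on (smart card, biometrics), the password component the article describes as "easily hacked" still has to be handled properly, and the two ways it is usually broken are guessing online and cracking a stolen credential store offline. As an added illustration (not code from the article or any authentication product), the block below shows the minimum a password check should do against both: salted scrypt hashing so no recoverable password sits on disk, a constant-time comparison, an equal-cost path for unknown usernames, and lockout after repeated failures. The usernames, passwords and lockout threshold are constructed values.

```python
"""Added example: password verification hardened against online guessing
and offline cracking -- salted scrypt, constant-time compare, lockout.
Constructed users; illustrative code, not any vendor's product."""
import hashlib
import hmac
import os

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # memory-hard cost: slows offline cracking
MAX_FAILURES = 5                                # assumed lockout threshold


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Returns (salt, digest).  A fresh random salt per user defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


class UserStore:
    def __init__(self):
        self._users = {}        # username -> [salt, digest, consecutive failures]

    def add_user(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self._users[username] = [salt, digest, 0]     # the password itself is never stored

    def is_locked(self, username: str) -> bool:
        entry = self._users.get(username)
        return entry is not None and entry[2] >= MAX_FAILURES

    def verify(self, username: str, password: str) -> bool:
        entry = self._users.get(username)
        if entry is None:
            # Same cost for unknown users, so response time does not reveal valid usernames.
            hash_password(password, b"\x00" * 16)
            return False
        if entry[2] >= MAX_FAILURES:
            return False                                # locked: no guesses accepted
        salt, digest, _ = entry
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):      # constant-time comparison
            entry[2] = 0
            return True
        entry[2] += 1
        return False


def login_demo() -> dict:
    """Constructed scenario: correct, wrong and unknown logins, then lockout."""
    store = UserStore()
    store.add_user("nurse.a", "correct horse battery staple")
    results = {
        "right": store.verify("nurse.a", "correct horse battery staple"),
        "wrong": store.verify("nurse.a", "password1"),
        "unknown": store.verify("ghost", "anything"),
    }
    for _ in range(MAX_FAILURES):
        store.verify("nurse.a", "guess")
    results["locked"] = store.is_locked("nurse.a")
    results["right_while_locked"] = store.verify("nurse.a", "correct horse battery staple")
    return results
```

Lockout does what the article's "easily hacked" concern really calls for at the network edge, and the memory-hard hash covers the case where the credential store itself is copied; adding a smart card or biometric factor on top of this leaves both protections in place rather than replacing them.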