Author: Jason Gaya

Page 1

6/9/2010

emPower e-Learning Solutions
At emPower e-Learning Solutions we make learning a pleasure. Our aim is to help individuals and organizations learn in the most efficient and effective way by using the latest e-Learning strategies and state-of-the-art media, Internet and information technologies.

About the Company

emPower e-Learning Solutions is one of the leading providers of online health compliance courses in the market. Keeping in mind the need of companies to train their employees to prevailing industry standards, emPower provides a variety of e-courses, including those mandated by government and regulatory bodies such as HIPAA, OSHA, the Joint Commission and the Red Flag Rule. The company has its own Learning Management System (LMS), which efficiently hosts customized e-learning courses. The real-time compliance tracking feature of our LMS supports our policy of providing our invaluable customers with a world-class e-learning environment. Our courses are SCORM compliant, so students and employees can easily access and run them on other Learning Management Systems without any hiccup. emPower's goal is to provide customized e-learning solutions so that employees can hone their workplace skills. This creates a safer, better and more productive atmosphere at the facility; as a result, overall productivity increases and propels the company ahead of its competitors. emPower is a leading provider of comprehensive regulatory compliance solutions through its Learning Management System. Our mission is to provide innovative solutions that enable compliance with applicable laws and regulations and maximize business performance. We provide a range of courses to manage the compliance required by regulatory bodies such as OSHA, HIPAA, JCAHO, etc. Apart from this, emPower also offers custom demos and tutorials for your website, business process management and software implementation.

As part of our policy of spreading awareness of the various healthcare regulations, we present below a selection of articles that provide useful information on how computer networks, social media and communication technology can be made HIPAA compliant.

Media Contact (emPower)
Jason Gaya
pr@empowerbpo.com
emPower
12806 Townepark Way
Louisville, KY 40243-2311
Ph: 812-332-5590
http://www.empowerbpo.com

Copyright © 2010. emPower. emPower is a registered trademark. All Rights Reserved.

Introduction to HIPAA ... 3
Understanding HIPAA ... 5
HIPAA: Enforcing Stricter Regulation to Ensure Greater Protection for Patient Health Information ... 6
HIPAA Security Standard: Selecting the Right E-mail Service ... 8
HIPAA Compliance: Using Encryption for Safe and Secure Management of Patient Health Information ... 10
HIPAA Security Compliance: Protects Confidential Patient Health Information ... 11
Enhancing Computer Network Security to Achieve HIPAA Compliance ... 14
HIPAA Law: Ensuring Secure Transmission of Patient Health Information through Fax ... 16
Balancing Social Media with HIPAA ... 18
Twitter: Tweeting the HIPAA Way ... 20
HIPAA Compliance in FTP Hosting ... 22
HIPAA Compliance in Wireless Local Area Network ... 23
HIPAA Compliance: Signing a Business Contract with Vendor to Ensure Safe Disposal of Medical Records ... 25
HIPAA Compliance: Ensuring Safe Disposal of Patient Health Information Documents ... 26
HIPAA Compliance: Selecting the Right Software ... 27
Telemedicine: Employing Security Features to Achieve HIPAA Compliance ... 29
HIPAA 5010: Graduating from HIPAA 4010 to Provide Better Health Insurance Service ... 30
HIPAA Law: Selecting the Right User Authentication System ... 32

Introduction to HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its regulations were enacted by Congress on August 21, 1996 to protect the privacy and security of patients' personal health information. The regulation obligates healthcare providers to establish national standards for electronic healthcare transactions and national identifiers for providers, health plans and employers. The purpose of this security rule is to improve the portability and continuity of health insurance in the group and individual markets and to combat fraud, waste and abuse in health insurance and health care delivery. The privacy and security procedures in the administrative simplification section are designed to streamline the administration of health insurance by realizing the efficiencies and cost savings that technology offers. A healthcare entity that fails to comply with these regulations may have to pay millions of dollars. Anyone dealing with sensitive data must follow the strictest security policy available. HIPAA consists of:

- Healthcare access, portability and renewability
- Preventing health-care fraud and abuse
- Tax-related health plan provisions
- Application and enforcement of group health plan requirements
- Revenue offsets

Who is covered by HIPAA? The Privacy Rule applies only to covered entities. Covered entities include:

- Health care clearinghouses: public or private entities that facilitate the processing of nonstandard health information data elements into standard data elements.
- Health care providers: a provider of medical or other health services and any other person furnishing healthcare services or supplies.
- Health plans: an individual or group plan that provides or pays the cost of medical care, with the exception of liability and workers' compensation plans.

HIPAA has achieved great success in securing and protecting sensitive healthcare information. It has made considerable contributions that have resulted in increased use of electronic medical record systems and the implementation of secure, industry-wide messaging standards. The future of HIPAA for healthcare will provide a single set of information for all payers, standard coding practices, and no need for human intervention in remittance, posting and billing. The privacy policy may add obstacles for physicians and other employees who need to access medical information, but it gives patients the trust to be willing to share their information.

Understanding HIPAA
The Health Insurance Portability and Accountability Act, or HIPAA as it is popularly known, was enacted in 1996 by Congress. It came into force on 1 July, 1997. The main purpose of this act is to manage the health care delivery system and regulate the health insurance industry so that people are protected from fraud, malpractice and discrimination. The Act provides health insurance coverage to individuals and their families who lose or change their jobs. It promotes the use of medical savings accounts, frames health insurance procedures and provides access to long-term services. The law prohibits discrimination between individuals based on their health conditions and issues guidelines that monitor insurance plans and their providers, so that customers are not cheated and their rights are completely protected.

The ongoing conversion of health records into electronic data is part of the strategy to create a health care system that can be managed in a safe and sound manner. For this, HIPAA has issued guidelines that advise on how to protect crucial patient health information while it is stored or transferred electronically. The thrust is on protecting the health information of patients so that it is not misused. The Act prohibits the use of patients' medical data for any purpose other than treatment. The data cannot be used for marketing purposes; patients have the complete right to protect their privacy, and their written consent is needed prior to any disclosure of their information to a third party. HIPAA makes it mandatory for all insurers to document their privacy procedures so that patients know very well how their privacy will be protected. Health insurers are bound to keep all details confidential, and if individuals or groups feel that their information has been compromised, they can lodge a civil rights complaint with the Department of Health and Human Services (HHS).

In the end, it can rightly be said that the Health Insurance Portability and Accountability Act acts as a guardian of the health care system by efficiently managing the health insurance system and placing safeguards in it to make it tamper proof. All this translates into a credible health delivery system that fulfills the health care requirements of patients in a safe and secure manner.

HIPAA- Enforcing Stricter Regulation to Ensure Greater Protection for Patient Health Information.
HIPAA is the United States Health Insurance Portability and Accountability Act and consists of HIPAA I and HIPAA II. HIPAA I administers health insurance norms, which are meant for people who lose or change jobs. HIPAA II is about standardization of the healthcare procedures that health providers are required to follow. The latter is what is talked about the most, and it also governs the norms that are necessary for the protection of patient health records. This is necessary to protect patients and health insurance agencies from fraud due to stolen identity. HIPAA is enforcing stricter laws and norms to deal firmly with health insurance fraud cases, like the one reported in the SUN newspaper about the sale of vital patient health records to attorneys so that they could mint money. A few steps have been taken in recent months with the sole purpose of making the electronic exchange of human health data foolproof:

- In November 2009 eight federal agencies approved a notice approval form. It makes it mandatory for health providers to share with customers how their information is gathered and distributed. This makes it easy for customers to decide whether they want to stay in or opt out of the service.
- The new regulations allow the state to sue the defaulter for HIPAA violations, expand criminal prosecution and impose heavy fines.
- The final rule of the Federal Trade Commission (FTC), issued under the American Recovery and Reinvestment Act, makes it necessary for health providers to report a breach of patient health information to the consumer. If the health information of 500 or more people is leaked, it must be brought to notice in the media. The rule also clarifies the timing, content and method of reporting the leak.
- The Recovery Act makes it necessary for the Department of Health and Human Services (HHS) to conduct a survey of the entities that provide health services but are not covered by HIPAA. The aim is to frame rules on how such entities can discharge their medical services and at the same time safeguard vital patient statistics.

In the end, the new and stricter regulations point to the effort of the regulatory authorities to clamp down on the fraudulent practices that still exist in the system in spite of the safeguards placed in it. The sole purpose is to make the electronic sharing of patient health data secure and tamper proof. This will save the State and the people from losing millions of dollars every year due to fraudulent insurance claims. Due to rising fraud involving patient health information, the regulatory authorities have enforced stricter HIPAA norms to make patient identity safe and secure.

HIPAA Security Standard: Selecting the Right Email Service.
The Internet has taken center stage in fulfilling the communication needs of the people. The speed, ease and wide reach it provides make it the most favored medium for communication. Email is a great communication tool of the Internet and is widely used by people to communicate with their doctors or medical insurers. To make this exchange of information on the net safe and secure, it is necessary to follow the HIPAA security standard while selecting the right email service. The prime objective is to select an email service that safely carries the patient's health information through the net. Safe transit and storage are basic requirements of the HIPAA security standard. The essential features that an email service should have are:

- The email service should meet or exceed the HIPAA standards.
- It should have the ability to encrypt and decrypt the health data transmitted. This feature protects confidential health information from unauthorized access as it passes through the public network. During transit through the net the emails are stored on servers, and the chances of unwanted interception increase considerably. To counter this threat it is necessary to encrypt the message before transmitting it.
- The service should provide a secure backup plan to safely recover the data in case of a natural or man-made calamity.
- It should provide unlimited document or email transfer and at the same time protect data integrity.
- It should have an inbuilt security feature that automatically logs off the system after some period of inactivity.
- Person or entity authentication is required, as it confirms the identity of the person or entity that accesses the personal health information, an important requirement of the HIPAA security standard.
- The software used should be user friendly and there should be no third party involved in any form. The email service should have security provisions that inhibit unauthorized exchange of information with third parties.
- The service should have a security feature that provides feedback to auditors about the time, place and IP numbers through which the protected health information has been accessed. This helps the auditor keep track of the health information and ensure that it is accessed only by authorized people and that the safety of the information has not been compromised at any stage of storage or transmission.
- Assign a unique tracking number or username, protected by a strong password, to control access to the patient health information in a safe and secure manner.

The main objective of adopting HIPAA security standard while selecting an email service is to protect the patient health information. This prevents patient identity theft and saves the State and people from financial losses incurred due to insurance frauds.
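To show how two of the features listed above, automatic logoff after inactivity and audit feedback on the time, IP address and record accessed, fit together in practice, here is an added Python example; it is not code from the article or from emPower, and the 15-minute limit, user names, record numbers and addresses are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy value (not from the article): idle sessions are logged off after 15 minutes.
INACTIVITY_LIMIT = timedelta(minutes=15)


@dataclass
class AccessEvent:
    """One line of the audit trail: when, who, from where, which record, and the outcome."""
    when: datetime
    user: str
    ip: str
    record_id: str
    outcome: str  # "granted", "denied-expired" or "denied-unknown-session"


class PhiMailbox:
    """Session tracking plus an access audit trail for a mailbox that holds PHI."""

    def __init__(self, inactivity_limit=INACTIVITY_LIMIT):
        self.inactivity_limit = inactivity_limit
        self.sessions = {}      # session token -> (user, login ip, last activity)
        self.audit_log = []     # every access attempt, successful or not

    def login(self, token, user, ip, now):
        self.sessions[token] = (user, ip, now)

    def read_record(self, token, record_id, ip, now):
        """Return True if the record may be shown; the attempt is always recorded."""
        session = self.sessions.get(token)
        if session is None:
            self.audit_log.append(AccessEvent(now, "(unknown)", ip, record_id, "denied-unknown-session"))
            return False
        user, login_ip, last_seen = session
        if now - last_seen > self.inactivity_limit:
            # Automatic logoff: the idle session is discarded and the attempt is still logged.
            del self.sessions[token]
            self.audit_log.append(AccessEvent(now, user, ip, record_id, "denied-expired"))
            return False
        self.sessions[token] = (user, login_ip, now)   # activity refreshes the session
        self.audit_log.append(AccessEvent(now, user, ip, record_id, "granted"))
        return True

    def accesses_to(self, record_id):
        """The auditor's question: who accessed this record, when, from which IP, with what result."""
        return [(e.when, e.user, e.ip, e.outcome) for e in self.audit_log if e.record_id == record_id]


def demo():
    """Constructed scenario: one nurse session, one idle timeout, one attempt with an unknown token."""
    mailbox = PhiMailbox()
    t0 = datetime(2010, 6, 9, 9, 0)
    mailbox.login("tok-1", "nurse.a", "10.0.0.5", t0)
    results = [
        mailbox.read_record("tok-1", "MRN-000001", "10.0.0.5", t0 + timedelta(minutes=5)),     # granted
        mailbox.read_record("tok-1", "MRN-000001", "10.0.0.5", t0 + timedelta(minutes=25)),    # idle 20 min: logged off
        mailbox.read_record("tok-9", "MRN-000001", "203.0.113.7", t0 + timedelta(minutes=26)),  # no such session
    ]
    outcomes = [outcome for (_, _, _, outcome) in mailbox.accesses_to("MRN-000001")]
    return {"results": results, "outcomes": outcomes, "active_sessions": len(mailbox.sessions)}


if __name__ == "__main__":
    for event in demo()["outcomes"]:
        print(event)
```

Denied attempts are written to the same trail as granted ones, so an auditor can see not only who read a record but also who tried after a timeout or without a valid session.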

HIPAA Compliance: Using Encryption for Safe and Secure Management of Patient Health information.
The rapid rise in the use of computer networks to process, store and exchange patient health information has made it easy for health providers to speed up and improve the quality of their services. The seamless connectivity that the Internet provides makes it easy for patients to access their medical information and process it at their own convenience, without wasting their precious time. But there are risks associated with this form of electronic exchange of protected health information. Once the information is transmitted out of a private domain, such as a laboratory, hospital, clinic, insurance provider, billing service or patient network, into the public network, it becomes vulnerable to theft and unauthorized interception. To prevent the loss of crucial patient health data it is necessary to adopt the right encryption procedure before the sensitive data is sent out to the receiver through the public network. The purpose of encryption is to assure the sender that the information is being sent to the receiver in a foolproof manner and that it safely reaches the receiver without being intercepted during its journey. To achieve HIPAA compliance it is necessary to maintain complete secrecy of the information, whether it is stored, processed or exchanged between two or more different health entities. Any lapse can invite strict regulatory fines and convictions. Hence it is necessary to protect the information as it travels through the Internet between the sender and the receiver by adopting the right encryption procedure. This can be done by adopting Secure Sockets Layer (SSL) technology, which uses both symmetric and asymmetric forms of encryption. The patient health information is enciphered into a meaningless statement, which is of no use to anybody who steals it. It is converted back into its original form by the receiver with the help of a secret key that has been provided by the sender. Note that SSL protects the information only while it is in transit; data held on servers or workstations must be protected separately.

In this way the information routed is safe and secure, and there is no possibility of identity theft, which is in line with HIPAA compliance.

HIPAA Security Compliance: Protects Confidential Patient Health Information
The stringent HIPAA security compliance norms make it mandatory for all entities such as hospitals, insurance providers, payers, billing services, insurance plans and medical personnel to strictly adhere to the laws relating to the safe transfer and storage of confidential patient health information. To achieve HIPAA security compliance it is necessary to implement the steps categorized below.

Establish Physical Safeguards

Computer networks play a crucial role in the processing, storage and exchange of patient health records between different health care entities. Physical access to crucial information can be safely managed by following these steps:

- Create and implement a policy that authorizes only a limited number of trusted people to access confidential patient health data.
- Install workstations and computers in safe areas of the facility that are accessed only by authorized personnel. Devices like computers, fax machines, printers and copiers should be placed in such a manner that unwanted people cannot view the data on them.
- All computer programs should be protected by passwords and user IDs to prevent unauthorized access. Passwords should be securely managed so that unwanted people cannot obtain them.
- A security system should be in place that manages passwords efficiently and guarantees the safety of patient health information when staff members change positions or somebody leaves the organization.
- All storage devices, backup tapes and computer equipment should be accounted for by maintaining a proper log book that keeps track of them.
- All paper documents that contain critical information but are not needed in the office should be shredded so that nobody else can lay hands on them.

Enhance Computer Network Security

It is necessary to maintain a proper record of the hardware and software employed in the facility and to understand their role in safely processing patient health information. Risk analysis should be done by creating a flow diagram of the work process so that loopholes in the system can be identified and removed. The computer network should be protected from virus attacks and hacking by adopting the security measures mentioned below:

- Appropriate gateway security, with the capacity to deeply inspect web content and filter out unwanted elements like debilitating software and viruses, should be in place.
- Anti-virus solutions, digital signatures and firewalls should be in place to negate any debilitating online threat.
- A proper encryption procedure should be followed while sending crucial health data out from the organization's network to the public network. The information should be strongly encrypted to protect it from unauthorized access or interception.
- The network security system should continuously monitor the network for any suspicious activity that indicates an unexplained deviation from standard procedure, and raise an alarm.

Educate Staff on HIPAA Security Compliance

A well-trained staff forms the backbone of a successful organization. It is of utmost importance for an organization to increase awareness of the importance of safely handling patient health information. This protects the healthcare facility from lawsuits due to non-compliance with HIPAA norms by one or more employees. The organization should:

- Provide staff access to HIPAA compliance training courses and seminars to increase awareness of the importance of the compliance norms.
- Provide training in password management and virus protection.
- Train staff on how to efficiently maintain logs and audits.
- Carry out periodic reviews of employees' HIPAA security compliance and update their training to hone their skills in safely managing patient health information.
- Provide training on operating the backup system as per the contingency plan in case of a natural or man-made disaster, with the aim of protecting the health data and keeping crucial operations running.

Hence, for an organization to achieve the requisite HIPAA security compliance, it is necessary to smoothly integrate software, hardware and personnel so that all of them work in a cohesive manner, ably guided by an administration that continuously monitors, provides feedback and places safeguards to ensure safe handling of the patient's crucial health information.

Enhancing Computer Network Security to Achieve HIPAA Compliance
Secure computer networks are an intrinsic part of the HIPAA strategy to completely convert national patient health records into an electronic format that can be easily exchanged between different agencies like health care providers, insurance providers and administrators. As a result, health care organizations can manage the documentation process efficiently in minimal time and provide better service to patients. But present-day computer systems are prone to hacking and virus attacks, which steal or destroy crucial data. To protect patient health information there are network security rules that need to be followed so that the organization is able to achieve HIPAA compliance. There are two main sections of HIPAA that relate to computer network security, and they are:

Administrative Safeguards

To achieve HIPAA compliance, it is necessary for the provider to identify, guard against and report malicious software programs in the system. Infected emails carry worms, viruses and Trojans, and there should be a security system in place that checks for such unwanted entry. To manage computer networks smoothly, it is necessary to maintain a vigil by installing the special safeguards mentioned below:

- Gateway and desktop anti-virus products should be used. The security gateway should be able to carry out deep packet inspection and provide appropriate web filtering capabilities to the network.
- Signature files that update every 30 minutes should be used, as they are the best form of defense against fast-moving worms.
- All security services and subsystems should be proactive, with an IPS (Intrusion Protection System) instead of an IDS (Intrusion Detection System). This is necessary to protect the network from being infected with viruses.
- The installed firewall should provide protection from the top 50 well-known DoS and DDoS attacks and at the same time maintain a proper record of them.
Security Safeguards

For a computer network to attain HIPAA compliance it is necessary for the organization to frame a security policy that makes it mandatory for only authorized personnel or software programs to have access rights to protected health information. The security device should support a native form of authentication. For web-related applications, transparent authentication should be used so that a user who moves between different secure applications does not have to sign in with his or her username and password every time he or she makes a jump.

- The security system should support an email content filtering process with keyword and regular-expression string features.
- To prevent unauthorized access to or interception of patient health information while it is on its journey between sender and receiver, proper encryption techniques should be used. The transport of PHI to the public network should be done in strong encryption mode and received by authenticated users, who should have the requisite deciphering codes.
- The security system should continuously monitor for any unwanted or suspicious deviation from standard procedure and report anomalous activity immediately to the IT manager.
- Special security features like an email content filtering application and digital signatures should be added to the system to prohibit dispatch of protected data to unverified receivers.

In the end it is necessary for all the entities involved in the health care system, such as health service providers, insurance companies, transcription service providers, payers, labs, Internet service providers, hospitals and billing services, to build a chain of trust so that any patient health information routed between them is kept highly confidential. This can be done through a network of computer systems that strictly adhere to HIPAA compliance norms to facilitate safe and secure transmission of confidential health information on the public network.
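As an added illustration of the keyword and regular-expression content filter described above, and of refusing to dispatch protected data to unverified receivers, the following Python example shows the decision logic an outbound email gateway could apply; it is not code from the article or from emPower. The verified domain list, keywords, identifier patterns and sample messages are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Assumed policy values, constructed for this example (not from the article):
# domains of receivers the organisation has verified through a business-associate agreement.
VERIFIED_DOMAINS = {"clinic.example", "billing-partner.example"}

# Keyword rules (case-insensitive substring match).
PHI_KEYWORDS = ("patient", "diagnosis", "medical record", "prescription")

# Regular-expression rules for identifiers that commonly appear in PHI.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),                         # US Social Security Number
    "mrn": re.compile(r"\bMRN-\d{6}\b"),                                 # hypothetical medical record number format
    "dob": re.compile(r"\bDOB:?\s*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),  # date of birth written as MM/DD/YYYY
}


@dataclass
class Verdict:
    action: str                                  # "allow", "encrypt" or "block"
    reasons: list = field(default_factory=list)  # which rules fired and which receivers failed


def recipient_domain(address):
    return address.rsplit("@", 1)[-1].strip().lower()


def find_phi(text):
    """Return the names of the keyword and regex rules that match the message text."""
    hits = []
    lowered = text.lower()
    for keyword in PHI_KEYWORDS:
        if keyword in lowered:
            hits.append("keyword:" + keyword)
    for name, pattern in PHI_PATTERNS.items():
        if pattern.search(text):
            hits.append("pattern:" + name)
    return hits


def check_outbound(recipients, subject, body):
    """Gateway decision for one outbound message.

    No PHI detected             -> allow as-is.
    PHI to verified domains     -> allow only in encrypted form.
    PHI to any other receiver   -> block and record why.
    """
    hits = find_phi(subject + "\n" + body)
    if not hits:
        return Verdict("allow")
    unverified = [r for r in recipients if recipient_domain(r) not in VERIFIED_DOMAINS]
    if unverified:
        return Verdict("block", hits + ["unverified:" + r for r in unverified])
    return Verdict("encrypt", hits)


# Constructed sample messages used when the module is run directly.
SAMPLE_MESSAGES = [
    (["records@clinic.example"], "Lab results", "Patient MRN-123456, diagnosis attached."),
    (["friend@mail.example"], "Fwd: claim", "SSN 123-45-6789, DOB 01/02/1970"),
    (["friend@mail.example"], "Lunch", "Meeting at noon?"),
]

if __name__ == "__main__":
    for recipients, subject, body in SAMPLE_MESSAGES:
        verdict = check_outbound(recipients, subject, body)
        print(subject, "->", verdict.action, verdict.reasons)
```

The reasons list is what the IT manager needs when the gateway reports a blocked message: which rule fired and which receiver was not on the verified list.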

HIPAA Law: Ensuring Secure Transmission of Patient Health Information through Fax
A fax machine is a great asset that organizations count on to quickly send and receive information. It plays a significant role in managing the communication needs of the office well. But with the arrival of the HIPAA law, it is mandatory for covered entities and their business associates to install HIPAA compliant faxing systems so that protected health information of patients is not leaked or exposed to unauthorized people during the transmission process.

As non-compliance with the HIPAA law can invite penalties and criminal prosecution, it is necessary to put in place a few safeguards that make daily use of the fax machine safe and secure.

- Fax systems that support email encryption should be installed. The protected health information should be encrypted before it is faxed. This will protect the information from unauthorized access, because only the receiver has the key to decrypt the message back into its original form.
- The fax machine should be configured in such a way that no copy of a received fax is saved.
- The fax machine should have an inbuilt copying system that can print as many copies as needed. This eliminates the need for an external document copier, like a Photostat machine, and prevents exposure of confidential patient health information to unauthorized persons.
- The fax machine should be placed in a secure place and accessed only by authorized personnel. On receipt of a fax, the message should be delivered straight away to the intended recipient.
- Fax numbers that are used regularly should be properly saved, and the speed-dialing option should be used to prevent misdialing of numbers.
- There should be a sound policy in place that efficiently manages the storage, duplication and disposal of faxed protected health information, as per the HIPAA law. The policy should also be able to effectively address wrong delivery of PHI.
- Before faxing to a new recipient, the number should be checked by sending a test message. This will ensure dispatch of crucial PHI to the intended receiver only.

The fax machine is an integral part of the office communication system. Covered entities like clinics, hospitals, clearinghouses, insurance companies and other health providers depend on it for their daily communication needs. With the advent of the HIPAA law, the fax machine should be installed and used in a very secure manner. A HIPAA compliant fax machine should be used, one that has special encryption features which allow the sender to encrypt the protected health information and send it as an email over the net. The PHI is encrypted into a sequence of codes and transmitted to the receiver's fax machine, which is also connected to the Internet. The receiver has a key that decodes the encrypted email and prints the information back in its original form. Thus the message is faxed in a safe and secure manner over the net. These precautions help health organizations to store and exchange patients' protected health information as per the HIPAA law.

Balancing Social Media with HIPAA
Social media is completely changing the way people communicate with each other. The online networking platform that social media provides has made it quite easy for people to converse, exchange ideas, share opinions and distribute information, shaping mass opinion about an individual, product, policy, healthcare, education, etc. The list runs long. An organized and credible healthcare system is crucial for the well-being of human society. Health insurance also falls under the purview of the healthcare system, and patient health information is of great significance. An insecure or compromised patient health information system can have severe implications for the health and financial condition of patients. HIPAA plays a pivotal role by enforcing strict regulations that provide complete protection to confidential patient health information. Covered entities like hospitals, clinics, billing and insurance companies and their workforces are governed by HIPAA compliance laws. Any lapse on their part can invite strict penalties and convictions.

Doctors, nurses, medics, paramedics, surgeons, etc. are nowadays using social media tools like Facebook, Twitter, Flickr, etc. to communicate with each other. Patients also use social media to search for the right physicians or surgeons who can address their specific healthcare needs. This is the positive aspect of social media in healthcare settings. Increased accessibility also gives patients the opportunity to share and improve their knowledge about a disease and its treatment. The use of social media word-of-mouth testimonials benefits patients by providing them reliable information, which they can count on to successfully conclude their pending health issues. But there are also threats that social media poses to the privacy of patients. The lack of proper social media usage policies for healthcare workers, and human lapses, can seriously put the integrity and confidentiality of patient health information at risk. Intentional or unintentional display of patient health information will surely invite strict penalties and convictions under the HIPAA regulations. Instead of creating friction or conflict between HIPAA and social media through irresponsible use, health care organizations should administer a sound social media management policy that ensures no leakages occur and that whatever goes on the net is not detrimental to the healthcare rights of the patient. If somehow the information does manage to slip through, strict vigilance should ensure timely removal of the content from the net. Medical staff should be trained to handle social media in such a manner that both the organization and patients benefit from its constructive use.

Instead of opposing each other, social media and HIPAA must be harmonized in such a manner that the vast reach which social media provides is used effectively to address healthcare issues without compromising individual or collective healthcare privacy rights.

Twitter - Tweeting the HIPAA Way
The increased use of social media, especially Twitter, is a cause for concern for many people given the strict HIPAA compliance norms for patient health information. Twitter has become a favored communication tool for healthcare professionals who want quick and easy connectivity with their patients. The growing use of social media in healthcare settings also reflects a strategy of advertising services through Twitter because of the vast reach it provides: in the face of increased competition and an economic downturn, healthcare professionals and organizations find Twitter a cheap and effective advertising medium. Some surgeons tweet from operating rooms to keep relatives updated on the condition of the patient. From a marketing perspective this may be a good way to attract more patients by advertising a customer-centric service. But Twitter in healthcare settings is fraught with danger. HIPAA makes it mandatory for all covered entities, such as hospitals, health insurance providers, billing services and other health providers, along with their business associates, to protect the patient health information they store, process and exchange. Irresponsible use of Twitter can leak sensitive patient health information and invite heavy fines and criminal convictions that ruin the careers of medical personnel and tarnish the image and business prospects of the healthcare organization. Tweeting from the operating room should be discouraged: a wireless device may interfere with equipment in the room, and a wrong or premature tweet from the room can damage the reputation of the organization. Any tweet that discloses the identity of a patient, or information from which the patient can be identified, will invite legal trouble for the personnel and the organization. Removing the name is not enough; a date, a rare condition, a photograph or the name of the ward can identify a patient just as well.

The use of Twitter must be regulated through a well-managed healthcare social media policy. What is tweeted from the organization should be monitored, and all medical personnel should be made aware of the regulations on the proper use of Twitter. Tweeting rights should be given only to authorized and reliable personnel, who should understand the legal and financial implications of any lapse, knowing or unknowing, that results in unauthorized disclosure of confidential patient health information. Increased awareness, collective and individual accountability, a sound social media management policy and sharp vigilance make it possible for healthcare organizations to use Twitter without leaking patient health information, in line with HIPAA.

HIPAA Compliance in FTP Hosting
HIPAA makes it mandatory for covered entities, such as hospitals, clinics, billing and insurance companies, and their business associates to run computer network systems that meet its security requirements, and FTP (File Transfer Protocol) hosting falls under this purview. Covered entities exchange large amounts of confidential patient health information, and business associates such as transcription companies come under HIPAA as well. For safe and secure transfer of large volumes of electronic patient health information across the public network it is necessary to use a HIPAA-compliant file transfer service. FTP has two components, a server and a client, and each user is issued a unique username and password with which to upload files to and download files from the server. Plain FTP, however, sends the username, the password and the file contents in cleartext, so anyone on the network path can read them. A HIPAA-compliant service therefore runs FTP over TLS (FTPS, with both the control connection and the data connection encrypted) or uses SFTP, which runs over SSH, so that electronic patient health information travels safely from the sender to the intended receiver. HIPAA-compliant servers have the following security features:

• Transport encryption: sessions are protected by TLS (the "128-bit SSL encryption" of older product literature), so credentials and file contents cannot be read in transit. Where a file must also be protected while it rests on the server, the sender encrypts it before upload with a key shared with the receiver over a separate channel, and only the holder of that key can recover the original.
• Multi-threaded transfer of large volumes of data, considerably faster than a single FTP stream. This is a throughput feature, not a security control.
• Compatibility with the existing firewall: FTPS works through the firewall as long as the passive-mode data port range is defined on the server and opened on the firewall.
• A unique username and password for each user, so that every access can be attributed to a person and revoked individually.
• Ease of use for uploading and downloading large files without complications.
• An intrusion detection system that logs and alerts on repeated failed logins and other attempts at unauthorized entry.

The encryption of the transfer denies an intruder on the network access to the sensitive information, in line with HIPAA's requirements. It does not by itself protect against a stolen or guessed account, which is why the per-user credentials, intrusion detection and logging listed above matter as much as the cipher.
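To make the transport-encryption feature concrete, here is an added example (not code from the page or from any hosting vendor) of a client that refuses plain FTP: it connects with explicit FTPS, encrypts the control channel before the password is sent, encrypts the data channel, and compares a SHA-256 digest of what the server stored against the original. The host, user, password and file name in the final call are placeholders, and the server is assumed to speak AUTH TLS and to present a certificate that chains to the client's trust store.

```python
"""FTP over TLS (explicit FTPS) with an end-to-end integrity check.

Added example, not the page's own code. Host, user and password are
placeholders; the server is assumed to speak AUTH TLS and to present a
certificate trusted by this client.
"""
import hashlib
import hmac
import io
import ssl
from ftplib import FTP_TLS


def build_tls_context() -> ssl.SSLContext:
    """TLS policy used for both the control and the data connection.

    create_default_context() already requires a valid certificate and a
    matching hostname; on top of that, refuse anything below TLS 1.2, since
    SSLv3 and TLS 1.0 (the '128-bit SSL' era) are no longer acceptable.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_policy(ctx: ssl.SSLContext) -> dict:
    """Plain-value summary of a context, for a pre-deployment check."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_version": ctx.minimum_version.name,
    }


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison so a mismatch leaks nothing about the digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


def transfer_phi(host, user, password, remote_name, payload: bytes, ctx=None) -> bool:
    """Upload payload, read it back and confirm the stored copy is intact.

    Returns True when the round trip reproduced the original bytes.
    """
    expected = sha256_hex(payload)
    ftps = FTP_TLS(context=ctx or build_tls_context())
    ftps.connect(host, 21, timeout=30)
    ftps.auth()       # AUTH TLS: protect the control channel BEFORE USER/PASS go out
    ftps.login(user, password)
    ftps.prot_p()     # PROT P: encrypt the data channel, or the file goes in clear
    try:
        ftps.storbinary(f"STOR {remote_name}", io.BytesIO(payload))
        readback = io.BytesIO()
        ftps.retrbinary(f"RETR {remote_name}", readback.write)
    finally:
        ftps.quit()
    return digest_matches(readback.getvalue(), expected)


if __name__ == "__main__":
    print(describe_policy(build_tls_context()))
    # Placeholder call; replace with a real FTPS host to exercise the transfer:
    # transfer_phi("ftps.example.invalid", "alice", "s3cret", "notes.pdf", b"...")
```

The order of calls matters: `auth()` before `login()` keeps the password off the wire in cleartext, and `prot_p()` is what makes the data connection private; a server that "supports SSL" but is used without `PROT P` still transfers file contents unencrypted.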

HIPAA Compliance in Wireless Local Area Network

The rapid growth of communication technology and the need for connectivity while on the move have brought wireless local area networks (WLANs) into the modern communication network. A WLAN gives users the freedom to access, exchange, store and process information from any point within its coverage. Because of wireless LAN, an increasing number of doctors, nurses, paramedics and caregivers can process patient data conveniently across a large healthcare facility and exchange information while on the move; this saves time, increases productivity and raises the quality of patient care. But with this benefit comes a security threat that can seriously compromise the ability of the facility to follow HIPAA's rules on electronic exchange of confidential patient health information. A wired network is safer in this respect because it requires physical access. Wireless signals carry beyond walls and into parking lots, so a WLAN that is open or weakly protected lets an unauthorized person join the internal network, behind the perimeter firewall, without ever entering the building. This poses a serious threat to the confidential patient health information that is stored, exchanged or processed on the network. To achieve HIPAA compliance the WLAN should have the security features listed below:

• Unique user identification.
• An emergency access procedure.
• Automatic logoff.
• Encryption and decryption that create a tamper-proof channel between the sender and the authenticated receiver. Today that means WPA2 or later with AES; WEP and WPA with TKIP are broken and do not qualify.
• The ability to authenticate electronic health information and maintain its integrity.
• Continuous monitoring that preserves the network's integrity and shuts out unauthorized access through any rogue entry point. Clients associating with rogue access points should be cut off from the network until they reconnect through an authorized access point.
• Any change in the configuration of the access points that points to unauthorized access should be brought immediately to the notice of the IT manager through the proper communication channel.
• An audit log of the time, nature and resolution of each intrusion and of the steps taken to avert it.
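The monitoring, rogue-entry-point and audit-log items above reduce to a small check. The following is an added example (not code from the page) that compares a wireless scan against the IT manager's inventory of authorized access points, flags unknown radios, evil twins broadcasting the facility's SSID, and configuration drift on known radios, notes which managed clients were exposed, and produces the audit records the last item asks for. The inventory, the managed-client list and the scan results are constructed for illustration; in practice they would come from the wireless controller or a wireless IDS sensor.

```python
"""Rogue access point, evil-twin and configuration-drift detection from a
WLAN scan, with audit records.

Added example, not code from the page. Inventory, managed-client list and
scan results below are constructed; in practice they come from the wireless
controller or a wireless IDS sensor.
"""
from datetime import datetime, timezone

# Authorized access points keyed by BSSID, as recorded by the IT manager.
AUTHORIZED_APS = {
    "00:11:22:aa:bb:01": {"ssid": "clinic-staff", "channel": 36, "security": "WPA2-Enterprise"},
    "00:11:22:aa:bb:02": {"ssid": "clinic-staff", "channel": 44, "security": "WPA2-Enterprise"},
}
AUTHORIZED_SSIDS = {ap["ssid"] for ap in AUTHORIZED_APS.values()}

# Managed client devices whose traffic must never cross an unauthorized radio.
MANAGED_CLIENTS = {"a4:5e:60:00:00:10", "a4:5e:60:00:00:11"}

# Constructed scan: a healthy AP, one whose security was silently downgraded,
# an evil twin of the staff SSID, and an unrelated rogue hotspot.
SAMPLE_SCAN = [
    {"bssid": "00:11:22:aa:bb:01", "ssid": "clinic-staff", "channel": 36,
     "security": "WPA2-Enterprise", "clients": ["a4:5e:60:00:00:10"]},
    {"bssid": "00:11:22:aa:bb:02", "ssid": "clinic-staff", "channel": 44,
     "security": "OPEN", "clients": []},
    {"bssid": "de:ad:be:ef:00:01", "ssid": "clinic-staff", "channel": 1,
     "security": "OPEN", "clients": ["a4:5e:60:00:00:11"]},
    {"bssid": "de:ad:be:ef:00:02", "ssid": "Free WiFi", "channel": 6,
     "security": "OPEN", "clients": ["f0:f0:f0:00:00:99"]},
]


def classify(obs, inventory=AUTHORIZED_APS, ssids=AUTHORIZED_SSIDS):
    """Return (verdict, drift) for one observed radio.

    verdict is 'authorized', 'config_drift', 'evil_twin' or 'rogue'; drift
    maps each changed field of a known radio to (expected, observed).
    """
    known = inventory.get(obs["bssid"].lower())
    if known is None:
        # Unknown radio: impersonating our SSID is worse than a stray hotspot.
        return ("evil_twin" if obs["ssid"] in ssids else "rogue"), {}
    drift = {k: (known[k], obs[k]) for k in ("ssid", "channel", "security")
             if known[k] != obs[k]}
    return ("config_drift" if drift else "authorized"), drift


def audit_scan(observations, now=None, clients=MANAGED_CLIENTS):
    """One audit record per anomaly: time, nature, exposed clients, action."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for obs in observations:
        verdict, drift = classify(obs)
        if verdict == "authorized":
            continue
        exposed = sorted(set(obs.get("clients", ())) & clients)
        if verdict == "config_drift":
            # A known radio that no longer matches its record: escalate to the
            # IT manager rather than trusting it, in case the change was hostile.
            action = "notify IT manager; verify against change record before trusting AP"
        else:
            action = "locate and remove radio"
            if exposed:
                action += "; deauthenticate exposed clients until they rejoin via an authorized AP"
        records.append({"time": stamp, "bssid": obs["bssid"], "ssid": obs["ssid"],
                        "nature": verdict, "drift": drift,
                        "exposed_clients": exposed, "action": action})
    return records


if __name__ == "__main__":
    for rec in audit_scan(SAMPLE_SCAN):
        print(rec)
```

Keying the inventory on BSSID rather than SSID is the point: an attacker can copy the SSID freely, but a radio whose BSSID is not in the inventory is never trusted, and a known BSSID that suddenly advertises a different security mode is treated as an incident until the change is confirmed.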

In the end, the WLAN in any healthcare setting should be configured securely so that the organization can store and exchange confidential patient health information over it in line with HIPAA.

HIPAA Compliance - Signing a Business Contract with Vendor to Ensure Safe Disposal of Medical Records
HIPAA makes covered entities such as healthcare clinics, doctors, clearinghouses, health plans, hospitals and billing companies fully responsible for the protection of patient health information, and holds them accountable for any lapse that results in unauthorized disclosure of protected information. Covered entities rely on business associates who provide a variety of services to them.

The waste paper recycler who takes care of paper disposal is one such business associate. HIPAA-driven programs emphasize conversion of patient health records from paper to electronic format, but for medical records still on paper the covered entity needs an effective disposal strategy so that unneeded patient health information can be shredded or otherwise destroyed without being exposed. Because the covered entity remains accountable for the protected health information, it is important that it signs a business contract (a business associate agreement) with a professional, certified paper recycler or shredder. Under the contract the vendor should:

• Provide complete details of how the waste paper will be disposed of safely.
• Indicate the time taken for disposal, clearly stating the time that elapses between collection and destruction.
• Carry a specified sum of liability insurance that covers the covered entity's risk, since the covered entity is ultimately responsible for the privacy of patient health records.
• Provide complete information on all the safeguards in its waste paper management plan, so that the covered entity can be assured of no breach from collection to disposal.
• Provide proof of record destruction, whether by shredding, recycling or burning.

The vendor also shares responsibility for patient health privacy, and to build a long-term relationship with a covered entity it must practice safe disposal of medical records. The covered entity should obtain a written commitment in the form of a signed contract to ensure HIPAA compliance during waste paper disposal.

HIPAA Compliance: Ensuring Safe Disposal of Patient Health Information Documents
HIPAA lays stress on the safe handling and storage of patient health information, whether on paper or in electronic form. Patient health information stored as electronic records, protected by user authentication and access logging, can be controlled and audited in ways that paper documents cannot. As medical documents are converted to electronic health records, it becomes necessary to dispose of the paper records safely and securely. Safe disposal of unneeded patient health documents is crucial because the health service provider is accountable for any breach during processing, exchange, storage or disposal of the information. Any paper disposal vendor or recycler that seeks a business alliance with a health service provider should employ waste paper management techniques that are in line with HIPAA. The covered entity and the vendor should work in tandem to chalk out a strategy that ensures safe disposal of the paper documents. The following points should form the backbone of this joint strategy:

• Health providers should train their staff to generate less paper waste.
• The organization should switch from paper documents to electronic processing, which greatly reduces waste paper at source.
• The facility should maintain a list of the staff members responsible for generating, storing and handing over waste paper documents to the vendor. This brings accountability into the system.
• Paper should be discarded into locked bins kept in secure areas of the facility, away from busy areas.
• Health providers may shred documents in their own facility, but this requires additional labor and capital.
• If a vendor is given the task of shredding or recycling the documents, the covered entity should enter into a binding agreement that there is no lapse on the vendor's part from collection of the waste to its destruction in a shredder or recycling plant, because the health provider is ultimately accountable for any lapse.
• The vendor can shred the documents on site or transport them to a bulk shredding center. It should provide a certificate of destruction so that the time, place and proof of safe disposal are available to the covered entity.

Thus a well thought out waste disposal scheme protects the covered entity from liability for any breach of confidentiality of patient health information during its disposal.

HIPAA Compliance: Selecting the Right Software
Covered entities such as hospitals, clearinghouses, billing and coding companies, physicians, health insurance providers and multi-location clinics are bound by HIPAA, and their business associates, such as medical transcription service providers, must also follow HIPAA when they process, exchange or store confidential patient health information. The majority of health information is now processed electronically, so covered entities and their business associates must use software that handles patient health information in accordance with HIPAA. Such software must have security features that protect the privacy of patient health information, including the following:

• Track each user, whether a service provider or a client, and keep a complete record of the date, time and nature of each access, tied to the user's credentials. It should show who accessed the data and what was viewed, updated or deleted.
• Restrict each user to the information they need. An authorized user may view or process only the patient information that falls within the scope of his or her job; information belonging to another department or outside his or her work is not accessible.
• Provide an override ("break-glass") function that grants special or emergency access to a staff member so that patient care is never compromised. At the same time the built-in messaging system must inform other users of such access, including the identity of the person and the information accessed. This is part of the security review associated with the override function and ensures accountability through continued vigilance.
• Anti-virus and firewall defenses, together with user authentication, to protect the health information system from malware and intruders.
• Support for e-mail encryption, so that patient health information sent by mail cannot be read or altered in transit.
• An internal messaging system that notifies users of incoming and outgoing messages without their having to leave the security of the organizational network.
• An online patient authorization system that records the patient's permission for the provider to use their health information for their benefit. Each authorization should carry an expiration date and state clearly the purpose for which the information will be used, and the software should track expirations so that authorizations can be renewed when the patient and the provider need them.
• Support for coding and billing procedures so that patient health transactions can be conducted electronically between health service providers as HIPAA requires.
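The first three items and the patient authorization item describe mechanisms that fit in a few dozen lines. The following is an added example (not code from the page or from any product) of a gateway in front of patient records that scopes access by role and department, logs every attempt with its outcome, lets a user break the glass in an emergency while recording the reason, notifying other users and queuing the event for review, and tracks patient authorizations with an expiry date. The users, the record and the role/department scope table are constructed for illustration, and the fixed clock exists only to make the demo deterministic.

```python
"""Least-privilege access to patient records with an audit trail, a
break-glass override and expiring patient authorizations.

Added example, not code from the page or any vendor. Users, records and the
role/department scope table are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Record sections each role may touch within its own department (assumption).
ROLE_SCOPE = {
    "physician": {"clinical", "demographics"},
    "nurse": {"clinical", "demographics"},
    "billing": {"demographics", "billing"},
}
FIXED_NOW = datetime(2010, 6, 9, tzinfo=timezone.utc)  # deterministic clock for the demo


def days_after(n):
    return FIXED_NOW + timedelta(days=n)


@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: str


@dataclass
class Record:
    patient_id: str
    department: str
    sections: dict  # section name -> content


@dataclass
class AccessGateway:
    records: dict                                        # patient_id -> Record
    authorizations: dict = field(default_factory=dict)   # (patient_id, purpose) -> expiry
    audit_log: list = field(default_factory=list)
    review_queue: list = field(default_factory=list)     # override events awaiting review
    notifications: list = field(default_factory=list)    # internal messages to other users

    def _log(self, user, patient_id, section, action, outcome, now, **extra):
        entry = {"time": now.isoformat(), "user": user.name, "patient": patient_id,
                 "section": section, "action": action, "outcome": outcome, **extra}
        self.audit_log.append(entry)
        return entry

    def access(self, user, patient_id, section, action="view", new_value=None,
               emergency_reason=None, now=FIXED_NOW):
        """Return the section after the action, or log the refusal and raise.

        Normal rule: same department and a section within the role's scope.
        Override: 'view' only, any section, with the reason recorded, other
        users notified and the event queued for review.
        """
        rec = self.records.get(patient_id)
        in_scope = (rec is not None and rec.department == user.department
                    and section in ROLE_SCOPE.get(user.role, set()))
        if in_scope:
            self._log(user, patient_id, section, action, "allowed", now)
            if action == "update":
                rec.sections[section] = new_value
            elif action == "delete":
                rec.sections.pop(section, None)
            return rec.sections.get(section)
        if rec is not None and emergency_reason and action == "view":
            entry = self._log(user, patient_id, section, action, "allowed-override",
                              now, reason=emergency_reason)
            self.review_queue.append(entry)
            self.notifications.append(f"OVERRIDE: {user.name} viewed {section} of "
                                      f"{patient_id} ({emergency_reason}); review required")
            return rec.sections.get(section)
        self._log(user, patient_id, section, action, "denied", now)
        raise PermissionError(f"{user.name} ({user.role}/{user.department}) "
                              f"may not {action} {section} of {patient_id}")

    def grant_authorization(self, patient_id, purpose, days, now=FIXED_NOW):
        self.authorizations[(patient_id, purpose)] = now + timedelta(days=days)

    def authorization_status(self, patient_id, purpose, now=FIXED_NOW):
        expiry = self.authorizations.get((patient_id, purpose))
        if expiry is None:
            return "missing"
        return "valid" if now < expiry else "expired"

    def expiring_within(self, days, now=FIXED_NOW):
        """Authorizations to flag for renewal before they lapse."""
        horizon = now + timedelta(days=days)
        return sorted(k for k, exp in self.authorizations.items() if now < exp <= horizon)


def demo_gateway():
    """Constructed data: one cardiology record, a physician and a billing clerk."""
    gw = AccessGateway(records={"P001": Record("P001", "cardiology", {
        "demographics": "Jane Roe, 1970-01-01",
        "clinical": "ECG 2010-06-08: normal sinus rhythm",
        "billing": "visit 99213, insurer ABC"})})
    return gw, User("dr.lee", "physician", "cardiology"), User("clerk.kim", "billing", "cardiology")


if __name__ == "__main__":
    gw, doctor, clerk = demo_gateway()
    print(gw.access(doctor, "P001", "clinical"))
    try:
        gw.access(clerk, "P001", "clinical")
    except PermissionError as exc:
        print("denied:", exc)
    print(gw.access(clerk, "P001", "clinical", emergency_reason="ER callback, attending unreachable"))
    print(gw.notifications, gw.audit_log[-1]["outcome"])
```

Two design points a practitioner would check: the denied path writes an audit entry before raising, so the log shows attempts as well as successes, and the override is limited to viewing. An emergency is a reason to read a chart, not to delete one, so destructive actions stay behind the normal scope rule.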

The main objective of HIPAA compliance software is to protect the patient health information that is processed, exchanged or stored at the various health entities. The software should allow the patient's information to flow smoothly and securely between networks. Its security features should thwart hostile access while not hindering authorized users such as providers or patients, so that the health of the patient is never compromised.

Telemedicine: Employing Security Features to Achieve HIPAA compliance
Telemedicine is a branch of modern medicine in which patient health information is exchanged over great distances through a series of local and wireless networks. The remote settings of the patients make the exchange of health information with providers highly exposed to hostile intrusion. HIPAA makes it mandatory for all covered entities, such as hospitals, clinics, clearinghouses, physicians, medical insurers and other health service providers, to employ secure computer network systems that follow stringent security standards. Any failure of HIPAA compliance on the part of a health provider invites strict regulatory action in the form of heavy fines or criminal prosecution.

The nomadic or remote settings of patients make it a challenging task for health providers to maintain the privacy of patient health information. A chain of wireless and local area networks makes the system vulnerable to attackers, and the lack of proper vigilance at remote sites attracts hostile intrusion from both attackers and malware. To fortify the telemedicine network against unauthorized access, health service providers should incorporate the following security features:

• All e-mail communication should be encrypted. The content is transformed into ciphertext before transmission and restored to its original form at the receiving end with the appropriate key, so that even someone who intercepts it in transit learns nothing from it.
• Facial recognition helps providers positively identify patients on the network, especially in video conferencing.
• A digital identity card is issued to remote patients after their identity has been verified by the authorities. The encryption features and digital signature on the card authenticate the user and allow access to online health services.
• Access to every point-of-service computer should require user authentication, so that only authorized personnel use the system.
• The network should be protected by a firewall and monitored continuously to detect intrusion.
• An audit system should record the time, frequency and nature of hostile attacks on the network.

These security features enable health service providers to deliver quality healthcare to remote patients in a safe and secure way. Patient privacy is protected, in line with HIPAA, and telemedicine and EMR can safely deliver customized health solutions to remote communities.

HIPAA 5010- Graduating From HIPAA 4010 to Provide Better Health Insurance Service
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 addresses patient health information protection, insurance portability and the simplification of health insurance administration. The volume of health insurance data involved makes insurance administration cumbersome. Covered entities such as physicians, hospitals, clinics, clearinghouses, health plans and their business associates need seamless connectivity to synchronize their transactions smoothly. That reduces processing time, cuts operating cost and increases the overall productivity of the system, so that patients enjoy better, safer and cheaper health insurance service.

Complete conversion of paper records into electronic format is a time-consuming task. The real challenge lies in creating seamless connectivity between the different health services so that patient health information is used safely to settle claims, remittances and eligibility questions in a time-bound manner and to the complete satisfaction of customers. This is where version 5010 takes over from version 4010. ("HIPAA 5010" and "HIPAA 4010" are the ASC X12 versions of the electronic transaction standards that HIPAA mandates, not versions of the law itself.) Version 5010 overcomes the shortcomings of 4010 with a well-defined set of structural and technical changes that provide consistent, uniform content and a common platform for different health service providers. As a result covered entities such as physicians, hospitals, payers, clearinghouses, dentists and pharmacies can share and process patient health information in minimal time and at minimal cost. Version 5010 addresses critical issues such as claims attachments, quality and cost of treatment, patient health records and safety, pay for performance and consumerism. It also carries the ICD-10 diagnosis and procedure codes, which 4010 cannot, making it far more accurate and flexible for payers who want to capture more and better information about patients. This will enhance functional areas such as:

• Claims administration.
• Management of contracts with health service providers.
• Medical management, including referral and pre-authorization, disease and case management.
• Assessment of eligibility and enrolment.
• Customer service in handling appeals and providing claim-related support.

In the end, version 5010, with its thousand-plus changes from its predecessor, will greatly increase interoperability and portability between health providers and their business associates. This will translate into large savings in the operating costs of the national healthcare system and enable patients to receive better health insurance service at lower prices than is available to them today.

HIPAA Law-Selecting the Right User Authentication System
The main objective of HIPAA is to streamline the health insurance system and provide continuous coverage to people who change or lose their jobs. To do this effectively, special emphasis is laid on converting patient health records from paper to electronic format, which makes it convenient for covered health providers and their business associates to manage the voluminous patient health information safely and cost-effectively.

HIPAA demands a strong security policy that protects confidential health information from unauthorized access over the network. Password-enabled access is the most common type of security system, but a password on its own is not reliable: passwords are guessed, phished, reused across systems and, when stored as a bare hash, cracked offline. When users have many passwords to remember they write them down, and a written password that falls into the wrong hands can cause financial loss to the patient and the health service provider. A smart card system is a better option because it combines possession of the card with knowledge of a PIN. It has its own weaknesses: a lost card must be revoked promptly, and if the PIN is observed or guessed as well, the secrecy of patient health information can be severely compromised. Smart-card authentication is also costly, which makes it expensive for small health providers to install. A strong user authentication system, one that provides an exceptionally strong defense against unauthorized access, should be built into the computer network. Biometric authentication offers health service providers the strongest available option, as it combines unique characteristics of the patient or user, such as fingerprints, iris scan, voice print, signature or keystroke dynamics, with a user password to create a highly secure access system. Two caveats apply: a biometric cannot be changed if its stored template leaks, so templates must be protected at least as carefully as passwords, and the technology requires costly equipment, so providers must spend more than on the other options. Under HIPAA, all covered entities, including hospitals, clinics, clearinghouses and other health service providers, are responsible and accountable for the safety of patient health information. Hence it is necessary to put in place reliable user authentication that stops intrusion at the front door.

This protects the health organization from non-compliance with HIPAA due to poor network security.
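Whichever second factor is chosen, the password leg of the system still has to be built so that a stolen credential database or a guessing attack does not hand out access. This added example (not code from the page) shows a verifier that stores passwords as salted PBKDF2 hashes, compares them in constant time, takes the same code path for unknown users, locks an account after repeated failures and, where a card has been enrolled, requires a challenge-response from the card as the "something you have" leg. The iteration count, lockout threshold, user names and card key are assumptions, and the smart card is modeled as a device holding a secret key that answers HMAC challenges.

```python
"""Password verification done properly, with lockout and an optional
possession factor modeled as an HMAC challenge-response token.

Added example, not the page's own code. Iteration count, lockout threshold
and all users and secrets below are assumptions for illustration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

ITERATIONS = 210_000            # PBKDF2 work factor (assumption; tune to your hardware)
MAX_FAILURES = 5                # consecutive failures before lockout (assumption)
LOCKOUT = timedelta(minutes=15)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: a stolen table cannot be cracked with precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def card_respond(card_key: bytes, nonce: bytes) -> bytes:
    """What the 'smart card' computes: proof of possession without revealing its key."""
    return hmac.new(card_key, nonce, hashlib.sha256).digest()


class Authenticator:
    def __init__(self):
        self._users = {}     # username -> record
        self._pending = {}   # username -> outstanding nonce
        # Decoy record so an unknown username costs the same as a real one:
        # no timing oracle revealing which accounts exist.
        salt = os.urandom(16)
        self._decoy = {"salt": salt, "hash": hash_password(os.urandom(16).hex(), salt),
                       "card_key": None, "failures": 0, "locked_until": None}

    def enroll(self, username, password, card_key=None):
        salt = os.urandom(16)
        self._users[username] = {"salt": salt, "hash": hash_password(password, salt),
                                 "card_key": card_key, "failures": 0, "locked_until": None}

    def challenge(self, username) -> bytes:
        """Issue a fresh nonce for the card to sign; consumed on use."""
        nonce = os.urandom(16)
        self._pending[username] = nonce
        return nonce

    def login(self, username, password, card_response=None, now=None):
        """Return (ok, reason). Failures are counted per account; lockout is time-limited."""
        now = now or datetime.now(timezone.utc)
        rec = self._users.get(username, self._decoy)
        if rec["locked_until"] and now < rec["locked_until"]:
            return False, "locked"
        ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"])
        if ok and rec["card_key"] is not None:
            nonce = self._pending.get(username)
            if card_response is None or nonce is None:
                return False, "second factor required"
            del self._pending[username]          # a nonce is never reusable
            ok = hmac.compare_digest(card_respond(rec["card_key"], nonce), card_response)
        if not ok or username not in self._users:
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILURES:
                rec["locked_until"] = now + LOCKOUT
            return False, "bad credentials"
        rec["failures"] = 0
        return True, "ok"


if __name__ == "__main__":
    auth = Authenticator()
    auth.enroll("nurse1", "correct horse battery staple")
    print(auth.login("nurse1", "correct horse battery staple"))
    print(auth.login("nurse1", "wrong"))
    key = os.urandom(32)
    auth.enroll("dr2", "pw-for-demo", card_key=key)
    nonce = auth.challenge("dr2")
    print(auth.login("dr2", "pw-for-demo", card_response=card_respond(key, nonce)))
```

The same response value is never accepted twice because the nonce is discarded as soon as it is checked, which is what makes the card a possession factor rather than a second password that could be replayed. A lost card is revoked by clearing its `card_key` and forcing a re-enrollment, which is the "loophole" in the article that a process, not the cryptography, has to close.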
