Websites – is your data secure?


By Aris Medical Solutions


Many healthcare providers have websites: in today’s digital age nearly everyone, patients included, searches for goods and services online before making a decision. However, healthcare providers must ensure their websites are HIPAA compliant if any patient data is transmitted or accepted through them.

Many vendors are targeting healthcare with promises of ease of use, added patient interactions, and the ability to gain more patients. Before you agree to accept patient information through your website, you must ensure the vendor or service you are going to use actually understands HIPAA and the requirements.

Here are some issues to consider:

  1. Do patients complete forms on your website? If yes, your website must be secured by encrypting the data during transmission. This also applies if you offer appointment scheduling through your website. If your site’s address starts with “https”, the data is encrypted in transit. However, your site may require updates to keep that encryption up to date. If you have a “contact us” feature that lets visitors send you an email and your site is not encrypted, post a message advising them not to send any personal information.
  2. Who has access to your website? If you work with a third party, they too must be HIPAA compliant and understand how to protect your website. If possible, add two-step authentication to prevent unauthorized access. Make sure you have administrative access to your site as well.
  3. Do you know how and where your data is stored? You must use a company that understands HIPAA and security if your website accepts or stores any patient data. If your site is not set up properly, Google can actually index your intake forms. If your web hosting company shares your web server with other clients, this too must be reviewed. Keep in mind that if your data (including your backups) is encrypted, a loss would not be a reportable breach, but you still must have a HIPAA compliant business associate agreement in place.
  4. Do you have a recent backup of your website? This may sound crazy because it’s “in the cloud”. Keep in mind, “cloud” is just a term meaning the data is NOT at your physical location. It is located on a server at someone else’s physical site.
  5. Do you know how to properly destroy old data? Whether the data is stored on a web server, an old external hard drive, or a computer, all data must be removed in a HIPAA compliant manner. This could be physical destruction or sanitization so that the data cannot be retrieved. Don’t forget to document this process!
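As an added example (not code from the original article or from Aris Medical Solutions), the following Python script checks a saved copy of an intake-form page for two of the problems listed above: a form that submits over plain http, and an intake page that search engines are free to index. The sample pages and the example-practice.test host name are constructed.

```python
"""Static check of an intake-form page for two issues raised above: a form that
posts over plain http, and an intake page left indexable by search engines."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormAudit(HTMLParser):
    """Collects every <form> action and whether a robots meta tag says noindex."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.form_actions = []
        self.noindex = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action attribute posts back to the page itself.
            self.form_actions.append(urljoin(self.page_url, a.get("action") or ""))
        elif tag == "meta" and (a.get("name") or "").lower() == "robots":
            if "noindex" in (a.get("content") or "").lower():
                self.noindex = True


def audit_intake_page(page_url, html, headers=None):
    """Return a list of findings; an empty list means nothing was flagged."""
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    p = _FormAudit(page_url)
    p.feed(html)
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("page not served over https")
    for action in p.form_actions:
        if urlsplit(action).scheme != "https":
            findings.append(f"form posts over plain http: {action}")
    # Either a robots meta tag or an X-Robots-Tag response header keeps the page out of search indexes.
    header_noindex = "noindex" in headers.get("x-robots-tag", "").lower()
    if p.form_actions and not (p.noindex or header_noindex):
        findings.append("intake form page is indexable (no noindex)")
    return findings


# Constructed sample pages for a hypothetical practice site (not a real domain).
BAD_PAGE = ('<html><head><title>New patient intake</title></head><body>'
            '<form action="http://forms.example-practice.test/submit" method="post">'
            '<input name="dob"></form></body></html>')
GOOD_PAGE = ('<html><head><meta name="robots" content="noindex, nofollow"></head>'
             '<body><form action="/intake/submit" method="post"></form></body></html>')
```

Run `audit_intake_page("https://example-practice.test/intake", BAD_PAGE)` to see both findings reported; the same call with `GOOD_PAGE` returns an empty list.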


Websites are a necessity today. If you decide to add features like online forms and/or patient scheduling, only do so if they are properly set up and secured.

For more information on how Aris Medical Solutions can help your organization with HIPAA Compliance and Protecting your Practice call 877.659.2467 or click here to contact us.

“Protecting Organizations through Partnership, Education, and Support”

File sharing and cloud computing, is it permitted under HIPAA?


By Aris Medical Solutions


With all of the new technology that we have access to, many vendors are targeting healthcare with promises of ease of use and the ability to communicate with other healthcare providers. Before you agree to “share” or open your “portal” you must ensure the vendor or service you are going to use actually understands HIPAA and the requirements.

File sharing and cloud computing are here to stay. As we move forward with sharing patient data amongst our peers, you will need to be vigilant with your security.

Here are a few things to review:

  1. Network misconfigurations are very common. Review your data flow, including how data is transmitted and stored.
  2. Backup your data!
  3. When access is given to an employee, contractor, or vendor, once the need for access is no longer required, terminate their access credentials immediately.
  4. Although most providers do not think hackers are a problem for them, they are! Your network security is vital and you must use a trained professional to set up your network and your file sharing configuration. If your IT professional does not specialize in network security, then hire a network security auditor to conduct a vulnerability scan after you have implemented your systems. A good vendor will mitigate your risks as they scan your network.
  5. Make sure you have a HIPAA compliant business associate agreement in place.
  6. Review the service agreement. Make sure it includes specific business expectations.
  7. Invest in cyber liability insurance.

File sharing and cloud computing are wonderful tools that can be used in healthcare if set up properly and securely.


HIPAA investigations to include breaches of fewer than 500 patient records

By Aris Medical Solutions

The Office for Civil Rights announced in August that it would be working with its Regional Offices to more widely investigate the causes of breaches that affect fewer than 500 patient records. The Regional Offices will use their own discretion to prioritize which breaches to investigate.

Some of the factors they will be considering include:

  1. The number of records affected
  2. Intrusions into IT systems
  3. The sensitivity of the data
  4. Whether the data was unencrypted or disposed of improperly
  5. Number of breaches from the same entity including business associates
  6. A lack of reported breaches from a specific covered entity or business associate compared with similar situations elsewhere

Here are some helpful tips to avoid data breaches:

  • Confirm fax numbers and email addresses BEFORE sending.
  • Do not permit ANYONE access to your systems without confirming their identity and verifying they are still employed with that particular company.
  • Do not click on links in emails; instead, open your browser and go to the website yourself.
  • Make sure all access to ePHI uses strong passwords, preferably passphrases.
  • Change your passwords/passphrases at least every 90 days. This includes your EHR, PM software, workstation operating system, and email access.
  • If two-step authentication is available, make sure it is enabled.
  • Use encryption whenever possible; depending on the operating system you use, it may be FREE!
  • Request a network security audit that includes remediation.
  • Do not retain records longer than necessary. Why carry that exposure if it is not required?
  • Make sure everyone involved with Patient Data is HIPAA Compliant.

As we mentioned last month, enforcement of HIPAA is here and you must ensure that if you are audited or investigated you have all of the appropriate documentation in place. Remember… if it is not documented, it doesn’t exist!

If you are one of the many organizations that simply do not have the time to do this, you are not alone. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package. Call Aris at 877.659.2467 or click here to schedule a demo.

HIPAA Enforcement is HERE!


By Aris Medical Solutions

I am sure you have seen the recent HIPAA fines from the Office for Civil Rights (OCR). HIPAA enforcement is like never before and the fines are fierce. We knew this day would come and it has.

We are encouraging all medical practices and business associates to make sure you have all of your HIPAA compliance policies, procedures, and documentation implemented. When you are audited is not the time to discover you forgot something. The OCR is not being very kind.

When you are reviewing your HIPAA policies and procedures and deciding whether or not to implement the “Addressable” standards, be careful. Addressable is NOT optional; you must have reasonable and appropriate safeguards in place. Since there is not enough case law on record, this is a gray area. Just be careful you do not fall into the big black hole! Also, do not skip over any “Required” standards. These are required no matter what size your organization is.

We are seeing fines like $750K for neglecting to have a Business Associate Agreement (BAA) in place before data was released and a $650K fine for a lost iPhone that was not encrypted. Make sure you not only have BAAs in place but that the business associate is in fact HIPAA compliant. This is the responsibility of each practice. HIPAA enforcement is here and it is not going away anytime soon.


Storing Patient Records


By Aris Medical Solutions


Since most medical practices are going electronic, it may be time to free up some of that precious space in your office. Make sure that when, how, and where you decide to store your data is secure.

Some practices move excess patient charts to a self storage unit. It’s cheap, and if you have a patient chart inventory list you should be safe… right?
What happens if the facility burns down?
What if someone breaks in and it is not discovered for months?
What if you don’t have an inventory list of which records are in there?

  • Did you know that PHI is considered PHI until a person has been deceased for 50 years? That means even if the person isn’t alive, it is still a reportable breach!
  • Did you know that if you can’t determine whether ANY records or WHICH records were stolen, you would have to report all of them?

Self storage units may sound like a good deal. That good deal could cost you more in the end. If the unit burns or is vandalized, you could be charged with willful neglect for NOT securing the records. Not to mention, you may be required to report this as a data breach, and that could cost you nearly $350.00 per record! Are you willing to accept that risk? After all, the OCR doesn’t specifically state what is or is not HIPAA compliant. If you suffer a data breach, THEN they will determine whether you had reasonable and appropriate safeguards in place.

Now I will ask you: wouldn’t it make sense to spend about the same amount of money and have a professional company store your records? That’s right; for about $50.00 per month you can store approximately 100 boxes of records! Of course, pricing will depend on your location and how many boxes you need to store. When organizing the records, we suggest sorting them by year and alphabetizing them. This makes it much easier when the time comes to destroy them!

If you need assistance with a Risk Analysis, Risk Management Plan, or implementing a full set of HIPAA Policies and Procedures, call Aris at 877.659.2467 or click here to schedule a demo. We offer a full range of services from a Do-It-Yourself HIPAA program to a Full HIPAA Implementation package.


©2024 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved