HIPAA Security

What Do Healthcare Third-Party Vendors Do

Healthcare providers and dentists, referred to by the Department of Health and Human Services as Covered Entities (CEs), and their third-party vendors, referred to as Business Associates (BAs), are required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. A third-party vendor may be an individual or an organization, other than an employee of a provider, that performs certain functions on behalf of, or provides certain services to, a CE that involve access to Protected Health Information (PHI). A third-party vendor could also be a subcontractor responsible for creating, receiving, maintaining, or transmitting PHI on behalf of the provider (45 CFR 160.103).

Some of the activities of healthcare third-party vendors may include:
• Consultants
• Managed Service Providers
• Management Administration
• Revenue Cycle Management (RCM)
• Billing, Coding, Transcription
• Marketing Companies
• Accreditation
• Utilization Review
• Information technology contractors
• Data Analysis
• Data storage or document destruction companies
• Data transmission companies or vendors who routinely access PHI
• Third Party Administrators (TPA)
• Lawyers
• Accountants
• Malpractice insurers

Note: A provider could be a third-party vendor of another provider.

Third-Party Vendor Decision Tree

Are you still unsure whether you are a healthcare third-party vendor? If so, the good folks at Holland & Hart have put together the following handy Business Associate decision tree to help you determine if an entity is a third-party vendor (Business Associate) under HIPAA, as defined in 45 CFR § 160.103.

(Included screenshot of page 1 of 2: Business Associate Decision Tree, link provided above.)

Why Does It Matter?

Providers, it is your responsibility to identify your third-party vendors and confirm there is a Business Associate Agreement (BAA) in place that holds them to the same standards of Privacy and Confidentiality as yourself. The BAA must be current and signed, and it must limit the third-party vendor’s access to only the PHI necessary to carry out its activities for the provider. Healthcare organizations of all sizes and third-party vendors should understand that patients are entrusting them with their most private and intimate details. They do expect it to remain secure!

HIPAAKTR

Healthcare Third-Party Vendors – HIPAA Security Rule Applies To YOU Too!

Did You Know?

The HIPAA Security Rule requires Covered Entities (CEs) and Business Associates (BAs) to “implement a security awareness and training program for ALL members of its workforce (including management)” (45 C.F.R. § 164.308(a)(5)(i)). Note the emphasis on ALL members of the workforce: ALL workforce members can either be guardians of the entity’s Protected Health Information (PHI) or can, knowingly or unknowingly, be the cause of HIPAA violations or data breaches.

In order to implement this standard, the Security Rule requires CEs and BAs to implement periodic security updates, or reasonable equivalents (45 C.F.R. § 164.308(a)(5)(ii)(A)). An organization’s training program should be an ongoing, evolving process, flexible enough to educate workforce members on new cybersecurity threats and how to respond to them.

As such, CEs and BAs should consider:
• How often to train ALL their workforce members on security issues, given the risks and threats to their organization, and how often to send security updates to their workforce members. Many entities have determined that bi-annual training and monthly security updates are necessary, given their risk analyses.
• Using security updates and reminders to quickly communicate new and emerging cybersecurity threats to workforce members, such as new social engineering ploys (e.g., fake tech support requests and new phishing scams) and malicious software attacks, including new ransomware variants.
• What type of training to provide to workforce members on security issues, given the risks and threats to their enterprises. Computer-based training, classroom training, monthly newsletters, posters, email alerts, and team discussions are all tools that different organizations use to fulfill their training requirements.
• How to document that training to workforce members was provided, including dates and types of training, training materials, and evidence of workforce participation.

Any investigator or auditor will ask for this documentation, as required by the HIPAA Rules, to ensure compliance with the requirements of the Rules. See 45 C.F.R. §§ 164.316(b) and 164.530(j).

Covered Entities and Business Associates, your patients are entrusting YOU with their most private and intimate details; they expect it to remain secure! Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat – schedule a call with HIPAA alli today!

Mobile Health Application

So you want to download the next latest, greatest mobile health application, but before you do there are a few things you should know. Here are some safety tips to practice when you download your first or next mobile health application:

1. Research mobile health applications (software programs that perform one or more specific functions) BEFORE you download and install any of them. Recommendation: use known app websites or trusted sources.
2. Actually READ the End User License Agreement (EULA) before acknowledging it during installation. Review the privacy and security notice of the mobile health application to verify the application will perform ONLY the functions you approve.
3. Consider installing or using encryption software for your device.
4. Install and activate remote wiping and/or remote disabling on your mobile devices. The remote wipe feature allows you to permanently delete data stored on a lost or stolen mobile device. Remote disabling allows the user to lock stored data on the lost or stolen mobile device, and unlock the data if the device is recovered.

Mobile Health Application & HIPAA

There is something you should know about hand-held data trackers, similar to Fitbit. They are not considered medical devices and are not regulated by the FDA. Why, you ask? Because these devices are purchased, and the data is requested, by the wearer, the data is not protected by HIPAA. However, if a healthcare covered entity requests a patient to wear one and collects its data, then the data is protected by HIPAA.

FINDINGS

Pew Research Center’s Internet and American Life Project
· 85% of U.S. adults own a cell phone, and more than half are smartphone users.
· One-fifth of all smartphone users have downloaded a health app, and half of smartphone users seek health information from their mobile devices.

Does Your Doctor Keep Your Protected Health Information Secure?

Notice of Privacy Practices

Today, I visited my local dentist office for a new patient consultation and to interview them before selecting them as my Covered Entity (CE). After examining the waiting room and completing the necessary paperwork, I was called into the treatment room. During my appointment I met several different staff members, including their office manager responsible for HIPAA, followed by the provider. After asking the office manager different questions about their Notice of Privacy Practices (NPP), I decided the practice DID NOT understand their HIPAA Privacy and Security responsibilities.

I’d like to tell you I only had to do this once before I found a CE I trusted with my care and my HIPAA Privacy and Security information, but I must say NO. I interviewed four (4) different practices, and only one (1) of them would I trust and recommend with my information and care. I share this with you to help you learn what to look for when you visit your next provider of care.

CEs are required to provide their patients with a Notice of Privacy Practices in plain language that describes the following:
▶️ Did your CE provide you with their Notice of Privacy Practices?
▶️ Does the Notice of Privacy Practices include a description of how the practice uses or discloses (shares) your PHI?
▶️ The CE’s legal duties with respect to the information, including a statement that the CE is required by law to maintain the privacy and security of PHI.
▶️ A CE must let you know promptly if a breach occurs that may have compromised the privacy or security of your information.
▶️ A CE must follow the duties and privacy practices described in the Notice of Privacy Practices and give you a copy of it.
▶️ A CE must not use or share your information other than as described in the Notice of Privacy Practices unless you instruct them in writing that they can. If you allow it, you may change your mind at any time, in writing.
▶️ The individual’s rights with respect to the information and how the individual may exercise these rights, including how the individual may complain to the CE.
▶️ Whom individuals can contact for further information about the CE’s privacy policies.
▶️ A CE must make its notice available to anyone who asks for it. You can ask for a paper copy of this notice at any time, even if you have agreed to receive the notice electronically.
▶️ A CE must prominently post and make available its notice on any website it maintains that provides information about its customer services or benefits.
▶️ The Notice of Privacy Practices must include an effective date.

For more information, see 45 CFR 164.520(b) for all the Notice of Privacy Practices requirements: https://www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/pdf/CFR-2011-title45-vol1-sec164-520.pdf

Also see: Frequently Asked Questions about the Privacy Rule