
Medicus Solutions HIPAA Security Series – Volume 1

August 1st, 2013

Over the past few months, Medicus Solutions has received a number of questions from our practices about the release of the new security rules. Because of this, we are releasing our HIPAA Security Article Series over the next eight (8) weeks. The intent of these articles is to educate practices on what they should be doing and to explain how Medicus Solutions is addressing HIPAA security for our clients. For your convenience, the Omnibus Rule compliance date to keep in mind is September 23, 2013.



Medicus Solutions HIPAA Security Article Series (1 of 8)

HIPAA Security:  What you should know!

Over the years there has not really been an enforcement body, or at least not one with a visible presence. The HIPAA Privacy and Security final rule, also known as the HIPAA Omnibus Rule, was issued by the Department of Health and Human Services (HHS), and its Office for Civil Rights (OCR) is the body enforcing HIPAA security. The Omnibus Rule went into effect on March 26, 2013, and compliance is required no later than September 23, 2013. Below is part of an article on HealthcareITNews.com about the HIPAA Omnibus Rule.


"According to Jorge Rey, an associate principal and the director of information security and compliance for Kaufman, Rossin, the biggest difference in the new rule is a change in breach notification. Under the old rule, providers were presumed innocent of harming patients when a breach occurred, until they proved otherwise. Under the new rule, providers are presumed guilty of harming patients when data is breached. They will have to prove their innocence. According to Rey, OCR has already prosecuted five covered entities, with the settlements ranging from $50,000 to $1.7 million. The smallest OCR enforcement action involved the breach of fewer than 500 records. 'I think they are putting out the message that they are serious about enforcement. They are going after small and large cases,' Rey says. ... He said he had received emails from OCR indicating the agency is starting to hire enforcement officials. 'There's going to be a lot of enforcement going forward,' he says. ... 'The main reason covered entities ran into big problems with OCR last year was they didn't conduct risk assessments,' he says. 'Providers should identify all of their vendors with access to personal health records and ensure they are protecting it according to the new HIPAA rule.'"1

There is a lot of information to process. Below we bullet out each item to make the topics easy to follow and to help you build whatever action lists you need. These are actions you should start on immediately.

What do you need to know?

    • Are your vendors compliant? – Any vendor that has access to ePHI is a business associate, falls under the new rules, and should be compliant by September 23, 2013. As many practices know, meeting HIPAA requirements is time consuming and costly for a business that must put appropriate policies and procedures in place.
      • Many IT companies, big and small, are not even aware that they fall under the new law and its requirements. Our goal is to make practices aware that your IT partner is one of the largest risks to the practice, because they hold the keys to the kingdom, so to speak. Talk to your business associates about their responsibilities. Let them know that:
        • HIPAA requires them to appoint someone who is responsible for their compliance
        • They must implement policies, procedures, and end-user training
        • They must protect your data from loss or unauthorized access
        • They must create evidence of compliance as they work with you, for example:
          1) Computer / server security patching reports
          2) Antivirus update reports
          3) Backup logs
          4) Firewall logs
          5) Hardware reports
          6) Equipment destruction certificates
          7) Etc.
        • None of your patient data may be moved or disposed of without your prior authorization
        • They MUST make sure all of their subcontractors are compliant with the protection of your data
        • They MUST report any loss or unauthorized access of your protected data, no matter how small, as soon as they are aware of it. (The Breach Notification Rule sets an outer limit of 60 calendar days from discovery for a business associate to notify the covered entity; your BAA can, and should, require faster notice.)
      • It is the responsibility of the Covered Entity, the practice, to ask the right questions to ensure that the business associate is meeting these requirements, to protect the practice and the patients' ePHI.
      • Below is the relevant language from the HITECH Act (section 13401(a)), which the Omnibus Rule implements:

(a) Application of Security Provisions – Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement.

  • NEW Updated HIPAA Business Associate Agreements – Ensure that you have new, updated BAAs in place with all vendors who may have access to patient ePHI by 9/23/2013. (The Omnibus Rule's transition provision lets a BAA that was already compliant with the prior rule and in force before January 25, 2013 stand until it is renewed or modified, or until September 22, 2014 at the latest; any new or renewed agreement needs the new terms now.) Create a list of every organization and individual you work with that comes in contact with patient data. Think hard so that you include equipment providers, utilization review consultants, revenue cycle management consultants, regulatory agencies, records storage warehouses, IT companies, EMR providers, transcriptionists, collection agencies, etc. Below is a list of items to consider:
    • IT Partner / Company
    • Shredding Companies
    • Consultants
    • Accountants
    • Independent Transcriptionists
    • Attorneys
    • Collection Companies
    • Healthcare Equipment Companies
    • (new in the 2013 Final Rule) Companies that store paper or electronic records, even if they never access the data
    • PM / EMR Company
    • Lab Company
    • RHIEs
    • Radiology Facilities
    • Data Backup Companies
    • Regulatory Agencies (like JCAHO)
    • Cleaning Company (recommend a confidentiality agreement because of their physical access to patient PHI throughout the office)
    • Etc.
  • Update your Notice of Privacy Practices and distribute it according to the new rule's requirements
  • Update Privacy & Security Manuals – Update all policy and security manuals affected by the new rule prior to 9/23/2013; specifically forms, breach notification policies and processes, patient authorization forms, deceased patient release of information forms and processes, friends and caregiver communication forms and policies, etc.

How is Medicus Solutions Helping Our Customers?

For years Medicus Solutions has been helping ambulatory practices with IT support and more! We keep up with the industry requirements so that you don't have to. What separates us from other vendors is our understanding of the healthcare arena and the compliance requirements associated with HIPAA Security. Medicus Solutions is happy to announce the release of our HIPAA Security Packs, HIPAA Pack 1 and HIPAA Pack 2. For all Medicus Practice++ Support customers, HIPAA Pack 1 is included in your standard monthly support agreement at no extra charge; below is a summary of what it includes:

Medi-HIPAA Pack 1

  • Security Patch Reports
  • Global Security Policy Review / Recommendations
  • Network Security Policies
  • Computer Screensavers / Lockout Policies
  • Backup Reports (Medi-Vault Backup Customers)
  • Backup Testing  (Medi-Vault Backup Customers)
  • Hard Drive Shredding Services + Certificates of Destruction*
  • Antivirus Reports
  • User Security Audits / Reports
  • Terminal Server Sessions Security Restrictions
  • Removable Storage Policies
  • Password Policies
  • Security Audit Policies
  • Wireless Network Security Policies

*$25 cost per hard drive for drive shredding services

Medi-HIPAA Pack 2

  • Vulnerability Scanning Annually
  • Network Mapping
  • Firewall Logging & Reporting (requires a SonicWall firewall with a current security subscription)

You ask: what do I need to do to get going with Medi-HIPAA Pack 2? Additional information on how to sign up for Medi-HIPAA Pack 2 will be sent directly to all Medicus Practice++ customers by the end of the week.

To ensure our customers' security and success, Medicus Solutions is happy to communicate that we have:

  • Completed our own HIPAA Security Policies and Procedures,
  • Completed full background checks on all members of our team,
  • Completed HIPAA security training for all members of our team,
  • Completed our security risk assessment,
  • Completed our vulnerability scanning,
  • Created full network mapping,
  • Encrypted all laptops in our fleet,
  • Implemented two-factor authentication for access to computers and critical systems,
  • Maintained full security operational logs and forms for all HIPAA-required items,
  • Logged all antivirus, security patching, firewall security, and backup activity,
  • Enforced all security policies internally,
  • Logged connections to customers' systems, linked to support tickets in our system, per member of our team,
  • And executed HIPAA business associate subcontractor agreements with our secure email provider, our backup and disaster recovery provider, and all other partners with potential access to our systems or customer data.

Medicus Solutions is committed to our clients' success and will continue to stay ahead of changes related to HIPAA security. Please keep an eye out for HIPAA Security Article 2, which will be released next week, the week of August 5th. We will also begin an FAQ section on our website to post commonly asked questions, in our effort to streamline communication to all of our clients.

– Medicus Solutions Team

1. HealthcareITNews.com, http://www.healthcareitnews.com/news/get-set-new-hipaa-has-teeth