The below infographic provides good insight into common myths of HIPAA compliance for medical practices.
Thanks goes out to HIPPOmsg for putting the infographic together!
Microsoft has announced that they have updated their Business Associate Agreement (BAA) for Microsoft Office 365. The new BAA addresses the requirements in the HIPAA Omnibus Rule that went into effect on March 26, 2013.
Addressing HIPAA is embedded in the DNA of Microsoft’s cloud solutions, and Microsoft updated its BAA to help healthcare organizations address compliance for the final omnibus HIPAA rule, which went into effect March 26. Microsoft’s updated BAA covers Office 365, Microsoft Dynamics CRM Online and Windows Azure Core Services.
The new BAA focuses in on the changes to Business Associates.
The refreshed BAA aligns with new regulatory language included in the final omnibus HIPAA rule, such as the new definition of a Business Associate, which includes any entity that maintains protected health information on behalf of a HIPAA-covered entity and has access to such data, even if it does not view the data. It also covers important data protections, such as Microsoft’s reporting requirements in accordance with the HIPAA Breach Notification Rule, and Microsoft’s obligation to require its subcontractors who create, receive, maintain or transmit protected health information to agree to the same restrictions and conditions imposed on Microsoft pursuant to the applicable requirements of the HIPAA Security Rule.
Microsoft Office 365 is one of the products in our HIPAA Technology Suite. Click here to find out more about our cost effective HIPAA compliant suite of products to help you comply with HIPAA and protect patient information.
There is a very good article over at HealthData Management called “Want to Impress OCR During a HIPAA Audit? Write a Book.”
The author discusses the benefits of creating a “Book of Evidence” that your organization is in HIPAA compliance if you were to get audited by the HHS Office of Civil Rights (OCR).
Creating a Book of Evidence on an organization’s compliance with HIPAA privacy, security and breach rules is not difficult, only takes a couple of weeks, and helps an organization not be overwhelmed if it’s selected by the HHS Office for Civil Rights for a random HIPAA audit, says Mark Dill, director of information security at Cleveland Clinic.
Mark Dill goes on to make a very good point:
“If you look disorganized, HHS will think you are.” An organization may be able to avoid an on-site visit just by the quality of data it sends to OCR, or at least can minimize the time spent on site, which avoids auditors finding more issues.
Dill gives some good examples of what should be in a Book of Evidence (BOE):
A BOE will show proof of updating the risk analysis with introduction of business changes or new information systems; an incident response system that is quick, effective and a repeatable process; that all employees have received timely HIPAA training with their scores available; that appropriate authentication controls are in place; and can even show the receipts for security technology buys such as encrypted hard drives, Dill says.
At HIPAA Secure Now! we have been thinking about a Book of Evidence for years. Our HIPAA Compliance Portal can be your Book of Evidence. If you were to get audited by OCR, you can give them a userid to access your HIPAA Compliance Portal. All of your “evidence” of HIPAA compliance is in one place. Let’s take a look.
HIPAA Compliance Portal
HIPAA Security Policies and Procedures
All your HIPAA privacy and security policies are stored in our Compliance Portal. All employees have access to the Compliance Portal and to your policies and procedures. You can even upload OSHA policies, your employee handbook and HR policies and procedures so that employees can access them online.
HIPAA Risk Assessment, Business Associate Agreements, Disaster Recovery Procedures
The Compliance Portal contains your Risk Assessment reports, tracks Business Associates and allows you to upload Business Associate Agreements, Disaster Recovery Plans and also allows you to upload other contracts or documents. Only administrators have access to this section. Employees do not have access to this sensitive information.
HIPAA Security Training
All training is done online via our Compliance Portal. The administrator training report is accessible only to the administrator(s). The report shows each of your employees, when they took the HIPAA security training and what grade they received on their HIPAA compliance quiz. There is no better way to prove you have provided HIPAA security training to your employees! Employees also have access to our HIPAA Security Tips and Reminders, which helps show that you are in compliance with the requirement to provide periodic security reminders to employees.
HIPAA Security Incidents, Server Room Access, Track ePHI Removed and Received
The Compliance Portal allows you to track HIPAA security incidents and what your response was to each of those incidents. You can also track who has accessed the server room, ePHI that has left your organization (e.g. on USB drives) and any ePHI that has been received by your organization (e.g. DVDs with x-rays or ultrasound images given to you by patients).
As you can see, the HIPAA Secure Now! Compliance Portal can be your “Book of Evidence” in the event OCR audits your organization. If you would like a live demo of our HIPAA Secure Now! Compliance Portal, fill out the form below and we will be happy to schedule a demo with you.
The Harvard Business Review has an excellent article on how some Boston companies handled the Boston metro lockdown situation. The article points out that proper planning for emergencies is the best way to prepare in the event of a real emergency.
The Cambridge-based company, HubSpot, had an emergency operations plan in place and executed the plan.
Making sure employees know what to do in a fast-breaking emergency isn’t as easy as just sending a text or an email. It takes preparation as well as rapid execution. One Cambridge-based company, HubSpot, talked to me about how they coordinated their response, with people in IT, security, and HR all working together to first identify employees in the Watertown area who might be in harm’s way, and then reaching out to those people “to make sure they had heard the news and didn’t plan to go outside,” said Katie Burke, from the company. They phoned, texted, and as a last resort, emailed them individually. Then, says Burke, “Our Chief Security Officer notified all employees early [Friday] morning that the office would be closed so people wouldn’t drive or try to train into work and get stranded.” Finally, they made sure everyone knew there’d be no penalty for staying home, and encouraged them to reach out if they needed help.
EHR vendor athenahealth highlighted that their emergency operations plans were critical given that they are a HIPAA-regulated company.
“As a HIPAA-regulated organization, we have a heightened sense of responsibility for business continuity and crisis management,” she told me. Their crisis plan was enviable.
The HIPAA Security Rule states:
EMERGENCY ACCESS PROCEDURE (R) – § 164.312(a)(2)(ii)
This implementation specification requires a covered entity to:
“Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.”
Let’s look at athenahealth’s emergency operations plan:
Every employee, when they first join the company, is handed a wallet card with Reckman’s phone number and other emergency contact numbers. At 4:30 in the morning on Friday, Reckman was awoken by a Watertown-based employee who’d called the number on that card to tell her that he had heard gunshots outside his home, and was now following the unfolding events on the news and listening to a police scanner. It sounded, he said, like this might go on for a while. Reckman jumped out of bed and activated their emergency notification system. The first alert went out to the firm’s crisis-management team, a group of about 15 or 20 people from around the company. Closing for the day “was a no-brainer,” Reckman said. So within another few minutes, they’d activated the automated emergency contact system that goes out to all employees — reaching their home phones, cell phones, work phones, work email accounts, and personal email accounts. They got the message out by 5:30 am.
“I was asleep until 6 a.m.,” said Amanda Guisbond, who works in the communications department. “I woke up and had a voicemail on my cell phone telling me the offices were closed, and I also had an email in my gmail account, which was good because I wouldn’t have been checking work email right away.”
What worked and what didn’t work?
What is your organization’s emergency operations plan? Take a step back and run the scenario of a Boston metro lockdown. How would you notify your employees? What steps would you take? Start by ensuring that you have multiple pieces of contact information for each of your employees. Make sure that employees can contact management and other employees.
Emergency operations plans do not have to be complicated or technologically sophisticated, but they do need to be properly planned.
We know you know about HIPAA security. HIPAA breaches are in the news on a weekly basis. The new HIPAA Omnibus Rule has been finalized and there is a lot of buzz about it. So the question is why haven’t you gotten serious about HIPAA security? We think we know some of the reasons.
These are valid reasons for not addressing HIPAA security. But times are changing and it is more and more important to take HIPAA security seriously. HIPAA breaches and government regulatory fines can put you out of business.
Take the first step and find out 5 simple and inexpensive tips to protecting patient information. Our guide gives easy to understand and inexpensive tips for addressing HIPAA security. Learning what you need to do to protect patient information is the best first step. Download your guide now!
It was a very good interview and I urge everyone to read it.
He concluded the interview by looking at protecting patient information.
One last thing I want to talk about is, we talked about safety issues, I think we should also always have on top of mind is around security of patient information. I think healthcare really needs to wake up to the need for them to meet their patients’ expectations that healthcare providers really do everything they need to do to keep that patient information private and secure. So many of the breaches we see, the failure to encrypt laptops and give data to business associates without having the assurances in terms of how they’re going to treat it … it just shows a lack of attention.
I think that’s changing. I think there’s a lot of education that can be done. I think there’s more we can do with the vendors to make them default settings and strengthen and harden our systems. More than anything, we have to always keep the security of patient information at top of mind and not relegate it to an also-ran, or after all the other issues are taken care of then we’ll see if we can do something about security. We really can’t. We’ve got to build it in.
Dr Mostashari hits on a very good point. A lot of the patient data breaches we are seeing are due to the lack of knowledge on properly protecting patient data. Download our 5 simple and inexpensive tips to protect patient information. It will help you understand what you should do to properly secure patient information and how surprisingly inexpensive it can be.
In a very interesting article titled “Why Gang Members Want Your Identity,” Fox Business News reporter Kate Rogers examines a disturbing trend of stealing electronic patient records and using them to commit crimes.
Gang members are stealing patient records and using them to file false tax returns.
Detective Craig Catlin of the North Miami Beach Police Department Gang Unit goes so far as to call it an “epidemic” among the city’s street gangs. “Every gang member is doing this,” Catlin says. “It’s a business to them—they’re doing burglaries and then having other members commit the fraud.”
The practice is very lucrative:
“Why sling dope on the corner of an apartment building, when you can rent a room at a hotel nearby and have a tax return party? You can make up to $40,000 or $50,000 in one night,” he says.
Another disturbing aspect of this crime is that gang members are getting their girlfriends to get jobs at healthcare organizations with the sole purpose of stealing electronic patient information.
“If you get a job as an administrator or data person, you have access to all of this information. And with medical it’s a double hit—it’s not only about the money, but also the health insurance. That is a valuable commodity in the marketplace—it’s big dollars.”
Levin says the girlfriends show up to work, steal a sizable amount of data and then never return. The larger the medical practice, the longer it will take for the company to realize.
“It’s not so much people hacking into files anymore–it’s an inside job,” he says. “Also, a lot of these medical facilities have their technology shipped offshore or stored with a third-party vendor. This means you have easier access to medical files in an emergency, but the downside is that more people have access to your files, and they may not have your best intentions at heart.”
Catlin adds that he has seen cases of this sort ranging from $30,000 to $30 million, depending on the depth of the fraud. Florida in particular had been a hotbed for this type of crime, but in recent years the District Attorney’s office has moved more quickly to prosecute tax fraud and more cases have reached the federal level.
What can healthcare organizations do?
I spoke with Kate Rogers before her on air interview with Fox Business News (see clip below). We discussed what individuals and healthcare organizations can do to prevent this type of crime. I told her that except for some of the advice that she provided in her article there is not a lot that patients can do to protect themselves. If they want treatment they need to provide personal information such as name, address, insurance information, etc. The real burden is on the healthcare organizations to ensure that this information is properly protected.
Here are 6 steps that organizations can take to protect electronic patient information:
Below is Kate Rogers’ on air interview for Fox Business News.
An article over at Healthcare IT News titled “Get set: New HIPAA has teeth” gives insight into the increased HIPAA enforcement that is looming.
Diana Manos interviewed Jorge Rey, an associate principal and the director of information security and compliance for Kaufman, Rossin, for the article. Rey provides some insight into the changes that the HIPAA Omnibus Rule presents and some recommendations to help with compliance.
The HIPAA Omnibus Rule went into effect on March 26, 2013, and covered entities and business associates have 180 days to comply. Rey warns not to be lulled by the 6 month delay in enforcement:
Providers and their vendors and subcontractors have “in theory,” 180 days to comply before the Office for Civil Rights begins enforcement of the Omnibus Rule, beginning Sept. 23, 2013, Rey warns. But this doesn’t mean providers shouldn’t beware. They still will be held accountable under the old HIPAA rules until then, he says.
Rey goes on to warn that OCR has given notice that they are serious about HIPAA enforcement:
According to Rey, OCR has already prosecuted five covered entities, with the settlements ranging from $50,000 to $1.7 million. The smallest OCR enforcement action involved the breach of fewer than 500 records. “I think they are putting out the message that they are serious about enforcement. They are going after small and large cases,” Rey says.
He also warns that OCR is stepping up its enforcement efforts:
He said he had received emails from OCR indicating the agency is starting to hire enforcement officials. “There’s going to be a lot of enforcement going forward,” he says.
Rey provides good advice for all covered entities and business associates, and especially for smaller provider groups:
“Don’t take this lightly. The main reason covered entities ran into big problems with OCR last year, was they didn’t conduct risk assessments,” he says. “Providers should identify all of their vendors with access to personal health records and ensure they are protecting it according to the new HIPAA rule.”
He also recommends implementing encryption and protecting servers:
Encrypt data in laptops and determine if data might best be kept safer in a centralized location. He points out that PCs and servers are also vulnerable to breaches.
Organizations need to perform a Risk Assessment to determine the likelihood of risks and what additional security measures should be put in place to protect patient information. Download our free guide to better understand the HIPAA Risk Assessment process.
We have put together some useful information on Microsoft’s HIPAA compliant, cloud based Office 365 service. The Office 365 suite of products enables communication and collaboration while providing the required HIPAA security to protect patient information. Microsoft is the only leading cloud provider that will sign a HIPAA Business Associate Agreement.
Our Microsoft Office 365 resource page provides insight into each of the products. There are product descriptions and videos that fully describe the benefits and how healthcare organizations can benefit by migrating to Office 365.
Click to access the Microsoft Office 365 for Healthcare Resources
Be sure to read why HIPAA Business Associate Entegration, Inc. migrated to Microsoft Office 365 and recommends that other organizations follow their lead.
This is a guest post from C. Patrick Felicetta. Patrick is the Chief Operating Officer (COO) of Entegration, Inc. He gives some good insight into the advantages of Microsoft’s cloud based Office 365 service.
For the past 13 years Entegration, Inc., a computer networking company, has specialized in meeting the IT needs of healthcare organizations. We have installed hundreds of servers and network devices to support our clients’ computing needs including electronic health records (EHRs), Practice Administration, Microsoft Exchange for email, and document storage. Installing and managing servers is a core part of the service we provide to our clients. So our recent move to Microsoft Office 365 represents quite a shift in direction.
Over the past 4 months we have migrated Entegration from onsite Microsoft Exchange and SharePoint servers to Microsoft’s cloud-based Office 365 service. You may ask yourself, “If your company installs and supports servers, why would you migrate to a cloud solution?” The answer is simple: Microsoft has built a service that provides the functionality, stability, security and redundancy that would be cost prohibitive to build ourselves.
It is very expensive to build geographically distributed redundant datacenters. Having a datacenter with servers on the East Coast and another datacenter running servers on the West Coast and having the servers constantly synchronize information would be very costly for Entegration. The other issue is that while we are very busy focusing on providing our clients with advanced networking solutions, EHR implementations and high quality support, we don’t have time to invest in continuously upgrading our own infrastructure. Finally, as a HIPAA Business Associate to our clients we require a secure HIPAA compliant infrastructure and that needs dedicated resources to ensure compliance. The resources needed to build, maintain and monitor that infrastructure are all resources that would not be working on supporting our clients.
Microsoft Office 365 provides a solution for all of these issues. Microsoft has built a cloud based platform that provides the geographically distributed and redundant network that we require. They manage the servers and provide the back-end infrastructure maintenance and product upgrades. And, perhaps most importantly they have built a scalable HIPAA compliant platform and are willing to sign a Business Associate agreement to ensure that our information is protected and secure.
The economics of Microsoft Office 365 are hard to argue with. With Exchange Online email starting at $4/month per user, it is affordable to all organizations. Office 365 small and midsize business packages range from $5/month to $15/month per user and include all the services needed to provide a feature rich communication and collaboration environment. The small business package is targeted at organizations with 25 or fewer employees and the midsize package at organizations with 300 or fewer employees. Even at $20/month per user, the price of the Office 365 Enterprise platform service is affordable when you consider that you get Microsoft Office, Exchange, SharePoint and Lync and never have to worry about purchasing product upgrades or replacing server infrastructure.
Our experience with Microsoft Office 365 has been so positive, we have now begun migrating our clients from on-site servers to Microsoft Office 365. Feedback from our clients regarding the service has been overwhelmingly positive. Moving some of their core messaging and communication services to Microsoft’s Office 365 provides us the opportunity to focus on our clients’ critical EHR, imaging, and patient care systems. We have even calculated considerable year-over-year cost savings for our clients by using Microsoft Office 365 versus onsite servers and Microsoft software licensing.
It is not often that organizations have the opportunity to move to a feature rich, redundant, scalable and HIPAA compliant platform and save money in the process. Microsoft has made their Office 365 cloud service very attractive and we are excited to not only continue utilizing the service ourselves, but also to move our clients to it whenever it can provide the same benefits to them.
We have put together resources that explain the benefits of Microsoft Office 365. Find out more about Microsoft Office 365 for Healthcare.