HIPAA Privacy and Security Changes in the HITECH Act

HIPAA and HITECH Act: What You Need to Know

I was talking to Jonathan Krasner from Business Engineering, Inc (BEI) this past week about HIPAA and the need to make sure that we are doing everything possible to safeguard our clients’ information, especially through data encryption. The following is an article from BEI that Jonathan sent me. I would like to pass it along to all of you because it has a lot of great information.

HITECH Act: Suggested IT Policies & Procedures

Congress passed and President Barack Obama signed the American Recovery & Reinvestment Act (ARRA) in February, 2009. The healthcare IT component of the ARRA is commonly referred to as the HITECH (Health Information Technology for Economic and Clinical Health) Act. The HITECH Act covers a broad range of healthcare IT initiatives including providing over $20 billion in funding towards implementation of healthcare IT. The HITECH Act also includes “Subtitle D” which focuses on privacy and modifies and broadens portions of the HIPAA Privacy and Security laws and regulations.
What you need to do
All of our privacy rules and laws (not just in the medical field) need to be updated to reflect the increasingly connected electronic world we live in. The electronic security measures mandated in HITECH are not that much different than what would be recommended for any business that needs to protect proprietary or confidential information. Technologies that render Electronic Protected Health Information (EPHI) unusable and unreadable to unauthorized individuals are necessary for EPHI to be considered secured. Secured EPHI is not subject to fines under the new HIPAA regulations. All of the recommendations below can be implemented with no or low additional cost, and with standard IT systems and services.
Encrypt your data:
The new HIPAA regulations frown on unsecured EPHI. EPHI can be unsecured when it is considered “data at rest” (i.e. stored on a hard drive) or “data in motion” (i.e. data moving from one device to another). To solve the “data at rest” issue, all workstations, laptops, servers, flash drives, or any other device that stores data, should utilize data encryption technology. It is easier to encrypt everything (e.g. entire hard drive) as opposed to encrypting selectively (e.g. just certain files/folders).
There is no real harm in encrypting data that is not EPHI. Encryption is a capability built into most new operating systems (Windows 10, Windows 8, Windows 7, Windows Server 2013), so turning on encryption is just a matter of re-configuring some settings. You should not use devices running older operating systems (e.g. Windows XP, Windows Server 2003, etc.) because they are no longer supported by Microsoft and will have security vulnerabilities.
In the event that an encrypted device is compromised (e.g. a laptop is lost), the data will be inaccessible and therefore no breach of any HIPAA regulations would have occurred.
The National Institute of Standards and Technology (NIST) provides guidance on storage encryption through its Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
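The "encrypt everything" advice above, as an added example that is not from the BEI article: a PowerShell script that audits every fixed drive on a Windows 10 / Server 2012 R2 (or later) machine for BitLocker and turns it on where it is off. It assumes an elevated session, a TPM in the machine, and that the operating-system drive is handled before any data drive (auto-unlock depends on it).

```powershell
# Added example (not the article's code): audit fixed drives for BitLocker and
# enable full-drive encryption where it is missing. Run from an elevated
# PowerShell on Windows 10 / Server 2012 R2 or later; the BitLocker module
# ships with Windows. Assumes a TPM is present for the OS-volume step.

Import-Module BitLocker

function Get-UnprotectedVolumes {
    # A drive only holds "secured" EPHI when it is fully encrypted AND
    # protection is on; a decrypted or suspended drive is unsecured.
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' } |
        Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.ProtectionStatus -ne 'On' }
}

function Enable-DriveEncryption {
    param([Parameter(Mandatory)] $Volume)
    $mp = $Volume.MountPoint
    if ($Volume.VolumeType -eq 'OperatingSystem') {
        # The TPM unlocks the boot drive transparently; the recovery password
        # is the fallback if the TPM or firmware changes.
        Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
        Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    } else {
        # Data drives get a recovery password and auto-unlock from the OS drive
        # (which must already be protected).
        Enable-BitLocker -MountPoint $mp -EncryptionMethod XtsAes256 -RecoveryPasswordProtector | Out-Null
        Enable-BitLockerAutoUnlock -MountPoint $mp
    }
    # Escrow this OUTSIDE the device (AD, a key vault, a printed copy in a safe):
    # a lost laptop is only "secured" if the key was never stored with it.
    $recovery = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Write-Output "$mp recovery password: $($recovery.RecoveryPassword)"
}

$unprotected = @(Get-UnprotectedVolumes)
if ($unprotected.Count -eq 0) {
    Write-Output 'All fixed volumes are encrypted and protected.'
} else {
    $unprotected | Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus |
        Format-Table -AutoSize
    foreach ($v in $unprotected) {
        if ($v.VolumeStatus -eq 'FullyDecrypted') { Enable-DriveEncryption -Volume $v }
        elseif ($v.ProtectionStatus -eq 'Off') { Resume-BitLocker -MountPoint $v.MountPoint }
    }
}
```

Record the recovery password in the practice's key-escrow location before the laptop leaves the office; without it a failed TPM makes the drive as unreadable to you as to a thief.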

Encrypt your network transmissions:
Any time you transmit EPHI between locations (examples: from your PM to a clearinghouse, or from a workstation in an office to a server in another office or data center), the transmission should be encrypted. Several technologies are available today and they are commonly used to transmit other secure information such as banking transactions and credit card authorizations over the Internet.
The most common technologies used are Secure Sockets Layer (SSL), IP Security (IPsec) and Transport Layer Security (TLS). Most people are familiar with SSL since any website session that is accessed with the prefix “https://” is being managed by a security protocol, which is typically SSL, and the transmission is encrypted to and from the Web server. To implement HTTPS you have to purchase a digital certificate from a trusted authority (such as Verisign) and install it on your secure server(s).
Your IT vendor should be able to configure any of these secure connections that you may require. NIST also provides guidance in three documents:
  1. Special Publication 800-113, Guide to SSL VPNs
  2. Special Publication 800-77, Guide to IPsec VPNs
  3. Special Publication 800-52, Guidelines for the Selection and Use of Transport Layer Security (TLS)
Utilize encryption on wireless access points:
Transmission on a private local area network within the organizational confines of the covered entity (i.e. which does not traverse the public Internet) and that occurs over standard cabling is generally considered protected and these links do not have to be encrypted.
However, many medical offices use laptops and tablets that communicate through wireless access points (WAPs). Make sure that all your WAPs use encryption, and that a security key is required to access your network. Do not leave your network open – that will allow anyone to log on and potentially access or intercept your data.
Encrypt your copiers:
It may come as a surprise to some people, but digital copiers have hard drives (just like the ones used on PCs) built-in. If you dispose of a copier, by returning it to a leasing company or selling it, the data on the hard drive (i.e. all the copies that were made on the machine) may be unencrypted and therefore, unprotected. Make sure to contact your copier vendor and ask how you can get the hard drive encrypted. This is a feature that is available for free on newer machines from major manufacturers.
Use secure email or patient portals:
Many providers use email to discuss patient cases between themselves or to converse with patients. Email transmissions are generally unencrypted, especially when dealing with a third party who is not a member of your organization. Secure email is an available alternative, as it encrypts all the information in each message.
Using secure email is not as straightforward as regular email. It may require additional action on the part of the sender or receiver. An alternative to secure email is the use of a patient portal. When using a patient portal, standard email is used between parties to communicate that a message is available for viewing on the portal. The receiving party logs into the portal to receive (and possibly reply) to the message.
Since the EPHI is totally contained within the portal website, and since that information is encrypted, the problem of securing the email is eliminated.
Ensure terminals used for teleworking/remote access are secure:
Many covered entities now allow their employees and contractors to conduct work from locations other than the organization’s facilities. This is commonly referred to as teleworking. Most teleworkers use remote access, which is the ability of an organization’s users to access its nonpublic computing resources from locations other than the organization’s facilities.
Organizations have many options for providing teleworkers remote access, including virtual private networks, remote system control, and individual application access (e.g., Web-based email). In addition, teleworkers use various devices, such as desktop and laptop computers, cell phones, and personal digital assistants (PDAs), to read and send email, access Web sites, review and edit documents, and perform many other tasks.
Teleworkers should ensure that all the devices on their wired and wireless home networks are properly secured and protected, as well as the home networks themselves. This includes properly configuring the account control of the PC, utilizing business-class antivirus/antimalware software and using a broadband router or separate firewall device or software. NIST provides guidance for this in Special Publication 800-114, User’s Guide to Securing External Devices for Telework and Remote Access.
Check your firewalls:
Any local network that is connected to the Internet should use a device called a firewall to provide external access to the network only to authorized users and processes. Conversely, it should also be configured to guard against and reject unauthorized incoming external traffic (i.e. hackers).
It is best practice to make sure that your firewall is properly configured to allow access and transmission for applications and users that you have approved. Improperly configured firewalls will have open ports that could possibly allow unauthorized access to your network.
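The firewall check described above, as an added example that is not from the BEI article: a PowerShell script (Windows 8 / Server 2012 or later, where the NetSecurity module is built in) that confirms the firewall is on for every profile and lists each enabled inbound "allow" rule with its ports, so every open port can be matched to an application the practice has approved.

```powershell
# Added example (not the article's code): report the Windows firewall's
# profile state and every open inbound port. Requires the built-in
# NetSecurity module (Windows 8 / Server 2012 or later).

Import-Module NetSecurity

function Get-FirewallProfileState {
    # A profile with Enabled=False or DefaultInboundAction=Allow is the
    # "improperly configured" case: nothing unsolicited is being rejected.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Get-OpenInboundRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name          = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
            # A rule that accepts 'Any' remote address is reachable from
            # outside the office network; each one needs an approved owner.
            ExposedToAny  = ($addr.RemoteAddress -contains 'Any')
        }
    }
}

Get-FirewallProfileState | Format-Table -AutoSize
Get-OpenInboundRules | Where-Object ExposedToAny |
    Sort-Object Protocol, LocalPort | Format-Table -AutoSize
```

Compare the printed rules against your approved application list; any rule without an owner is a port to close.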
Develop and implement a backup/disaster recovery plan:
Although not new to HIPAA under HITECH, the HIPAA security rule does require all EPHI to be subject to a backup/disaster recovery plan.
Think of all the EPHI that was lost when Katrina struck; what would be the effect on your practice if a disaster occurred? How would you recover? In the past, tape backup was often used. However, newer technologies and techniques are now available that are more cost effective and provide better outcomes.
At first glance, all of this would appear to be a tall order to implement for any private practice. In reality, these types of security and privacy measures are commonly implemented for small businesses. Consult your IT support vendor on how to proceed. Also remember that these measures do not ensure HIPAA compliance for your practice; rather they are a component of your overall HIPAA plan.

is a 20 year veteran of healthcare having managed medical practices. He advises medical practices, physicians and practice administrators on how to run their practice and manage their medical billing and revenue cycle management. Manny speaks, blogs and makes videos at www.CaptureBilling.com, a blog that is tops in the medical billing and coding field.

6 Responses to HIPAA Privacy and Security Changes in the HITECH Act

  1. Your article, though enlightening, was incomplete. NO computer system/web site is safe from skilled hackers… just ask Bank of America, the VA, Target. As a patient, I do not like my PHI being broadcast throughout a computer system or put on a thumb drive and placed in my MD’s pocket as he leaves the room. And as a nurse with 32 years experience, I have seen our healthcare system go down the toilet since EMRs were mandated by the government and electronic billing has become the norm.

  2. Great article…

    I’m a small practice of one person. Just me. I’m an acupuncturist.

    I just started using Quickbooks for accounting (I was using excel before that) and transferring to some form of EHR soon (most likely Office Ally)

    As I was setting up my Quickbooks I started entering in CPT codes to print out receipts for my patients so they can submit for reimbursement and my biller. And at that same time I started to think about if what I’m doing is ok under PHI/HIPAA.

    I did some searching online regarding Quickbooks and the advice I read was it’s not HIPAA compliant. Not sure exactly what that means? I’m not accessing the internet via Quickbooks I’m printing things out at my office…I’m encrypted.

    I read your article above. And since it’s just me I encrypt my laptop (Mac) I have it locked via passcode…I print direct to a USB connected printer. I’m password protected via my router/firewall up/virus protection on. My Quickbooks does not transmit patient data over the internet.

    What else is needed for me to run a small practice and be in compliance with HIPAA/PHI regs?

    Also, does the picture change if I email the receipts from Quickbooks to my biller? I would think that is not secure? And then would have to fax them to her…if that is secure? Would I then need to move my email to a HIPAA certified provider to be able to email from Quickbooks to my biller…or would I need to pay an EHR company to do that?

    Thanks in advance,
    Brian

  3. Hi Manny,

    This article is awesome.

    By the way, can you tell us is it really necessary to encrypt servers? If we have other proper security measures for the servers then encryption on the file server is not a must, right? I agree that desktops and laptops need encryption.

    If we need encryption on the servers, how can we get it working? Scenario:

    I have Windows 2008 Server. I have shared folders on this (shared drives). Drives are mapped to the users' PCs, and they access PHI using mapped drives. How can we implement encryption in this environment, any ideas?

    • I have clients who use your services and are extremely happy, just wanted to let you know it makes my job as a HIPAA consultant that much easier.

      I also wanted to just add that Covered Entities and Business Associates should be focusing on the true merits of HIPAA compliance, and that’s putting in place documented HIPAA information security and operational policies, procedures, and processes.

      I’ve worked with so many healthcare providers that lack the basic and fundamental documentation for HIPAA compliance, therefore it’s easy to see why non-compliance issues are still a major factor with HIPAA. I also hear healthcare companies express cost concerns about developing such documents, along with implementing risk assessment and security training initiatives, but with all the free and cost-effective tools available (some of them straight from hhs.gov!), there’s really no excuse for not being HIPAA compliant.

      Everyone needs to be ensuring the safety and security of PHI, it’s really that simple.
