HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

Transcription

1 How to Ensure your and Other ephi are HIPAA Compliant

2 How to Ensure Your and Other ephi Are HIPAA Compliant Do you know if the patient appointments your staff makes by are compliant with HIPAA s Privacy and Security Rules? Do you have processes to ensure digital copies of your patient records are fully secure both in transit and while in storage? Are you certain your employees are not unknowingly violating any of HIPAA s many required provisions, such as sharing login information to access patient information? With HIPAA s vast and complex set of rules, complying with the act can be difficult, even for organizations genuinely trying to do so. Fortunately, with the right cloud-based encryption and security solution, protecting your patients health data and bringing your practices into full HIPAA compliance can be easier and less expensive than you might think. 2

3 First, the bottom line: Not all systems including many of those designed for professional-level, enterprise use are HIPAA compliant. Assuming that within your practice you are sending between employees using a secure server, on a secure network, those messages do not need to be encrypted as your workforce is a part of your Covered Entity status and authorized under HIPAA to send, receive and view your organization s confidential Electronic Patient Health Information (ephi). But what about all of the other messages your practice sends to and receives from third parties every day, messages that would qualify as ephi? These types of s would include: Payment claims submitted to insurance providers for patient services Authorizations for procedures and treatments Patient referrals to specialists or other third-party providers Patient appointment scheduling Answers to patients questions via Any containing ephi stored in your staff s inboxes and on your servers Such messages, and any other containing ephi sent out of your network to a doctor, insurance company, any other third party, or even sent remotely to a member of your own staff must be encrypted, according to HIPAA s Omnibus Rule. In this paper we ll discuss HIPAA s -security requirements as they relate to your practice, the steps you must take to comply, and why simply encrypting your messages isn t sufficient. Then we ll offer a solution that can make the entire compliance process easy and costeffective. Not all systems including many of those designed for professional-level, enterprise use are HIPAA compliant. But before getting into the details of HIPAA s specific rules, here is a brief overview of the act and how it regulates Covered Entities protection of their patients electronic data. 3

4 A Brief Overview of HIPAA Passed by Congress in 1996, The Health Insurance Portability and Accountability Act (HIPAA) is a set of rulings that set national standards to protect the privacy of patients health information. The act secures patients rights regarding their health-related data, including when and with whom it can be shared. HIPAA also requires doctors, pharmacists, health insurers and other providers to explain to patients their rights under the act regarding use of their health information. The Privacy Rule, a regulation implemented to help enforce HIPAA, establishes rules for the use and disclosure of patient data called Protected Health Information (PHI) for Covered Entities. The Privacy Rule applies to all forms of PHI, whether electronic, written, or verbal. A related provision, called the Security Rule, sets security standards for managing health information in electronic form. More recently, the Health Information Technology for Economic and Clinical Health, or HITECH Act, and the HIPAA Omnibus Rule, have been enacted which strengthen HIPAA s Privacy and Security Rules and increase the severity of penalties for violating patients rights under HIPAA. These rules are administered and enforced by The Department of Health and Human Services Office for Civil Rights (OCR). 4

5 HIPAA and Security Scattered among HIPAA s hundreds of pages of rules and regulations are provisions specifically relating to a Covered Entity s use of to transmit (and store) ephi. Among the various aspects of security covered throughout the act are references to the following: Access Control: (a)(1) Person or Entity Authentication (d) Integrity (c)(1) Transmission Security (e)(1) Audit Controls: (b) So, Are You Fully Compliant With HIPAA s Privacy, Security and HITECH Rules? Taking into account the umbrella of HIPAA-related rulings (including the Privacy Rule, Security Rule, HITECH and the Omnibus Rule), Covered Entities like yours face a difficult task determining how to ensure they are fully compliant. In fact, according to a report by the Healthcare Billing & Management Association (HMBA), the majority of Covered Entities and their Business Associates remain noncompliant with HIPAA. Let us examine what HIPAA has to say about each of the provisions above. Then we will offer you a comprehensive -security and encryption service that can address them all, and bring your practice into full compliance with HIPAA. 5

6 Five HIPAA -Security Provisions: 1 Access Control HIPAA s section (a)(1) states the Covered Entity must Assign a unique name and/or number for identifying and tracking user identity. What this means: Your organization s workforce must use unique usernames and passwords for each staff member s account. That means shared logins are not allowed. 2 Person or Entity Authentication Section (d), Person or Entity Authentication, states that a Covered Entity must Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. What this means: Your organization must also strictly govern (and then control) which users within your practice are granted access to ephi. This also means that data must be both secured and encrypted both in transit and then in storage, to ensure only the intended recipients (e.g., your authorized staff members) are allowed to access the data. 3 Integrity The Integrity provision, section (c)(1), demands the Covered Entity Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. 4 Transmission Security HIPAA s section (e)(1), relating to Transmission Security, calls for Covered Entities to Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network, and to Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. What this means: You will need SSL-based encryption for any ephi transmitted out of your network to patients, insurance providers, other healthcare providers, or any third party authorized to receive your patients data. 5 Audit Controls Section (b), regarding Audit Controls, states a Covered Entity must Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. What this means: You will need a system that produces detailed login audit trails, including date, time and IP address of each login, as well as all trails of all sent and received messages. What this means: Your practice must have a process in place to protect ephi in transit and in storage, to keep unauthorized third parties from accessing, altering or destroying such data. 6

7 How to Bring Your Practice into Full Compliance With HIPAA s -Security Rules Given all of the HIPAA-related provisions noted above, you can see that merely encrypting your is not sufficient to bring your practice into compliance. A Covered Entity must also deploy a solution that can restrict access and authenticate users, protect electronic messages both in storage and while in transit, and produce ongoing records of all transmissions of protected ephi. One solution that a Covered Entity can quickly and cost-effectively deploy to address all of these issues, and become fully compliant with HIPAA s -security rules, is Fus , a leading managed solutions provider from cloud services pioneer j2 Global. Fus s two related services CypherSMART and SecureSMART can deliver your practice a comprehensive program for encryption and security that is fully HIPAA compliant. Let s review each of the major areas in which HIPAA regulates security of ephi, and how Fus s solutions address them all. Given all of the HIPAA-related provisions noted above, you can see that merely encrypting your is not sufficient to bring your practice into compliance. 7

8 HIPAA REQUIRES Access Control: The business must implement unique IDs for accessing ephi, for identifying and tracking user actions. Person or Entity Authentication: The business must implement procedures to verify a person or entity seeking access to electronic protected health information is the one claimed. Integrity Control: The business must implement policies to secure electronic protected health information from improper alteration or destruction. Transmission Security: The business must implement technical security to guard against unauthorized access to electronic protected health information transmitted electronically. Audit Controls: The business must implement procedures that record and examine activity in information systems that contain or use electronic protected health information. FUS DELIVERS Fus s SecureSMART allows Covered Entities administrators to implement and enforce granular policies, including defining settings that allow or deny senders, domains and IPs for any . Fus s SecureSMART gives administrators username and password controls, to restrict access to ephi stored in Fus s data security systems to authorized users, and to track and verify access at each attempt. The system also employs strict physical security of data protected at Fus s facilities. Fus s CypherSMART encryption service provides end-to-end encryption using industrystandard S/MIME and 2048-bit public key/private key encryption. Fus s CypherSMART service provides the highest levels of encryption for any message transmitted, which can be triggered manually or automatically based on message content, to ensure all ephi records are indeed ed securely. Fus s SecureSMART provides full reporting on user access and transmission of ephi stored in Fus s systems, producing a detailed audit trail and which administrators can access anytime via their Fus web dashboard. 8

9 Conclusion The Right Solution for Encryption and Security Can Quickly Bring Your Practice into Full HIPAA Compliance. One of the simplest, most cost-effective ways to bring your practice into compliance with HIPAA s various provisions regarding ephi is to implement an security and encryption solution. The CypherSMART and SecureSMART solutions from managed solutions provider Fus operate entirely in the cloud, require no hardware or software installations at your site, and can be deployed in minutes with virtually any standard program. By implementing these easy-to-use, low-cost additions to your existing system, you can quickly ensure your practice is compliant with HIPAA s complex rules. That s why we at Fus call our CypherSMART and SecureSMART solutions Worry-Free Compliance. 9

10 COMPANY OVERVIEW Fus provides a comprehensive suite of cloud based hosted security solutions for businesses, including CypherSMART and SecureSMART to help Covered Entities comply with HIPAA. Fus is the managed solutions division of j2 Global, Inc. (NASDAQ: JCOM), the world s leading provider of cloud based, business critical communications and storage services. j2 s Global network spans more than 49 countries on six continents. Serving more than 12 million subscribers worldwide, j2 has offices in nine cities around the world, accepts payment in twelve currencies, and provides customer support in more than seven languages. To learn more about Fus and our Worry-Free Compliance solutions for HIPAA, visit us at or contact us at To learn more about j2 Global, please visit 10