HIPAA, PHI and Email: How to Ensure Your Email and Other ePHI Are HIPAA Compliant. www.fusemail.com




How to Ensure Your Email and Other ePHI Are HIPAA Compliant

Do you know whether the patient appointments your staff makes by email comply with HIPAA's Privacy and Security Rules? Do you have processes to ensure that digital copies of your patient records are secure both in transit and in storage? Are you certain your employees are not unknowingly violating one of HIPAA's many provisions, for example by sharing login credentials to access patient information? With HIPAA's vast and complex set of rules, complying with the act can be difficult even for organizations genuinely trying to do so. Fortunately, with the right cloud-based email encryption and security solution, protecting your patients' health data and bringing your email practices into full HIPAA compliance can be easier and less expensive than you might think.

First, the bottom line: not all email systems, including many designed for professional, enterprise use, are HIPAA compliant. If within your practice you send email between employees over a secure server on a secure network, those messages need not be encrypted in transit, because your workforce is part of your Covered Entity and is authorized under HIPAA to send, receive and view your organization's electronic Protected Health Information (ePHI). Two caveats apply. Encryption under the Security Rule is an "addressable" implementation specification: where you decide it is not reasonable and appropriate for a given path, you must document that decision and the equivalent measure you apply instead. And "secure network" has to hold end to end; a staff member reading the same mailbox from a phone or a home connection is no longer on it.

But what about all of the other messages your practice sends to and receives from third parties every day that contain ePHI? These include:

- Payment claims submitted to insurance providers for patient services
- Authorizations for procedures and treatments
- Patient referrals to specialists or other third-party providers
- Patient appointment scheduling
- Answers to patients' questions via email
- Any email containing ePHI stored in your staff's inboxes and on your email servers

Such messages, and any other email containing ePHI sent out of your network to a doctor, an insurance company, any other third party, or even to a member of your own staff working remotely, must be encrypted under the Security Rule's Transmission Security standard, whose enforcement the HITECH Act and the Omnibus Rule have strengthened. In this paper we'll discuss HIPAA's email-security requirements as they relate to your practice, the steps you must take to comply, and why simply encrypting your messages isn't sufficient. Then we'll offer a solution that can make the entire compliance process easy and cost-effective. But before getting into the details of HIPAA's specific email rules, here is a brief overview of the act and how it regulates Covered Entities' protection of their patients' electronic data.

A Brief Overview of HIPAA

Passed by Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is a federal law that, among other things, sets national standards to protect the privacy of patients' health information. The act secures patients' rights regarding their health-related data, including when and with whom it can be shared. HIPAA also requires doctors, pharmacists, health insurers and other providers to explain to patients their rights under the act regarding use of their health information. The Privacy Rule, a regulation issued under HIPAA, establishes rules for Covered Entities' use and disclosure of patient data, called Protected Health Information (PHI). The Privacy Rule applies to all forms of PHI, whether electronic, written or verbal. A related regulation, the Security Rule, sets administrative, physical and technical safeguards for PHI held or transmitted in electronic form (ePHI). More recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 and the HIPAA Omnibus Rule of 2013 have strengthened the Privacy and Security Rules, made Business Associates directly liable for compliance, and increased the penalties for violating patients' rights under HIPAA. These rules are administered and enforced by the Department of Health and Human Services' Office for Civil Rights (OCR).

HIPAA and Email Security

Within the Security Rule's Technical Safeguards (45 CFR 164.312) are the provisions that govern a Covered Entity's use of email to transmit (and store) ePHI. The standards that bear on email security are:

- Access Control: 164.312(a)(1)
- Person or Entity Authentication: 164.312(d)
- Integrity: 164.312(c)(1)
- Transmission Security: 164.312(e)(1)
- Audit Controls: 164.312(b)

So, Are You Fully Compliant With HIPAA's Privacy, Security and HITECH Rules?

Taking into account the umbrella of HIPAA-related rules (the Privacy Rule, the Security Rule, HITECH and the Omnibus Rule), Covered Entities like yours face a difficult task determining how to ensure they are fully compliant. In fact, according to a report by the Healthcare Billing & Management Association (HBMA), the majority of Covered Entities and their Business Associates remain noncompliant with HIPAA. Let us examine what HIPAA has to say about each of the provisions above. Then we will offer you a comprehensive email-security and encryption service that can address them all and bring your practice into full email compliance with HIPAA.

Five HIPAA Email-Security Provisions

1. Access Control. The Access Control standard, section 164.312(a)(1), requires technical policies and procedures that allow access to ePHI only to the persons or software programs that have been granted access rights. Its first implementation specification, Unique User Identification at 164.312(a)(2)(i), states that the Covered Entity must "Assign a unique name and/or number for identifying and tracking user identity." What this means: every member of your workforce must use a unique account for access to ePHI, so that every action can be traced to one person. Shared logins are not allowed.

2. Person or Entity Authentication. Section 164.312(d) states that a Covered Entity must "Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed." What this means: your organization must decide which users within your practice are granted access to ePHI, and then verify identity at each access, at minimum with a password tied to that unique account. Encrypting ePHI in transit and in storage backs this up: a message that can only be decrypted with the intended recipient's key is of no use to anyone who gets past the login.

3. Integrity. The Integrity provision, section 164.312(c)(1), demands that the Covered Entity "Implement policies and procedures to protect electronic protected health information from improper alteration or destruction." What this means: your practice must have a process in place to protect ePHI in transit and in storage, so that unauthorized third parties cannot access, alter or destroy it, and so that any alteration is detected (a digitally signed message, for instance, fails signature verification if its content is changed).

4. Transmission Security. Section 164.312(e)(1) calls for Covered Entities to "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network." Its implementation specifications add Integrity Controls, 164.312(e)(2)(i), to "ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of," and Encryption, 164.312(e)(2)(ii). What this means: ePHI transmitted out of your network to patients, insurance providers, other healthcare providers, or any third party authorized to receive your patients' data needs encryption in transit. In practice that is an enforced TLS connection (what is still loosely called "SSL", although the SSL protocol versions themselves are obsolete and should be disabled), and message-level encryption such as S/MIME wherever you cannot guarantee that the receiving server supports TLS, because opportunistic STARTTLS silently falls back to plaintext when the other side does not offer it.

5. Audit Controls. Section 164.312(b) states that a Covered Entity must "Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information." What this means: you need a system that produces detailed audit trails, including the date, time and source IP address of each login, together with a record of every message sent and received. Note the word "examine": the logs must actually be reviewed, not merely kept.
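The Access Control and Audit Controls provisions work together: unique user IDs are only useful if the login records are examined for misuse. The following script, an added example that is not FuseMail's or the paper's own code, runs that check over a constructed mail-server login log. It flags any account that authenticates successfully from two or more distinct source IP addresses within a short window, the most common symptom of a shared login. The log line format, the account names, the IP addresses and the ten-minute window are all assumptions made for this example; adapt the regular expression to whatever your gateway actually emits.

```python
"""Detect shared logins from a constructed mail-server login audit trail.

Added example (not FuseMail code). A user ID that authenticates from two or
more distinct source IPs inside a short window is flagged as a probable
shared credential. Failed logins are ignored: they are worth alerting on
separately but say nothing about who is sharing an account.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on an IMAP/webmail login log.
SAMPLE_LOG = """\
2016-05-02T08:01:13Z login ok user=drlee ip=203.0.113.10
2016-05-02T08:02:40Z login ok user=frontdesk ip=203.0.113.22
2016-05-02T08:03:05Z login ok user=frontdesk ip=198.51.100.7
2016-05-02T08:04:51Z login fail user=drlee ip=198.51.100.99
2016-05-02T08:20:00Z login ok user=drlee ip=203.0.113.10
2016-05-02T09:30:00Z login ok user=frontdesk ip=203.0.113.22
2016-05-02T11:45:12Z login ok user=billing ip=192.0.2.5
2016-05-02T15:10:00Z login ok user=billing ip=192.0.2.77
"""

# Assumed log format: "<ISO timestamp> login ok|fail user=<id> ip=<addr>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, user, ip) for each successful login; skip failures
    and any line that does not match the expected format."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("result") != "ok":
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group("user"), m.group("ip")


def find_shared_logins(text, window=timedelta(minutes=10)):
    """Return {user: sorted list of IPs} for every user seen from more than
    one source IP within `window`. Events are sorted per user and compared
    pairwise inside the window, so an account used from two places at the
    same time is caught even if each place alone looks normal."""
    by_user = defaultdict(list)
    for ts, user, ip in parse_log(text):
        by_user[user].append((ts, ip))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (ts_i, ip_i) in enumerate(events):
            for ts_j, ip_j in events[i + 1:]:
                if ts_j - ts_i > window:
                    break  # events are sorted, nothing later can be closer
                if ip_j != ip_i:
                    flagged.setdefault(user, set()).update({ip_i, ip_j})
    return {u: sorted(ips) for u, ips in flagged.items()}


if __name__ == "__main__":
    for user, ips in find_shared_logins(SAMPLE_LOG).items():
        print(f"possible shared login: {user} from {', '.join(ips)}")
```

With the default ten-minute window only the front-desk account is reported; the billing account's two addresses are hours apart and could be one person moving between sites, which is why the window is a parameter rather than a constant. A real deployment would feed this from the gateway's audit export on a schedule and keep the output as evidence that the logs were, in the Rule's words, examined.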

How to Bring Your Practice into Full Compliance With HIPAA's Email-Security Rules

Given all of the HIPAA-related email provisions noted above, you can see that merely encrypting your email is not sufficient to bring your practice into compliance. A Covered Entity must also deploy a solution that can restrict access and authenticate users, protect electronic messages both in storage and in transit, and produce ongoing records of all transmissions of ePHI. One solution that a Covered Entity can quickly and cost-effectively deploy to address all of these issues, and become fully compliant with HIPAA's email-security rules, is FuseMail, the managed email solutions provider of cloud services pioneer j2 Global. FuseMail's two related services, CypherSMART and SecureSMART, can deliver your practice a comprehensive program for email encryption and security that is fully HIPAA compliant. Let's review each of the major areas in which HIPAA regulates email security of ePHI, and how FuseMail's solutions address them.

What HIPAA Requires and What FuseMail Delivers

Access Control
  HIPAA requires: unique IDs for accessing ePHI, so that user actions can be identified and tracked.
  FuseMail delivers: SecureSMART lets Covered Entities' administrators implement and enforce granular email policies, including settings that allow or deny senders, domains and IPs for any email.

Person or Entity Authentication
  HIPAA requires: procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  FuseMail delivers: SecureSMART gives administrators username and password controls that restrict access to ePHI stored in FuseMail's systems to authorized users, and that track and verify access at each attempt. Data held at FuseMail's facilities is also under strict physical security.

Integrity Control
  HIPAA requires: policies to protect electronic protected health information from improper alteration or destruction.
  FuseMail delivers: CypherSMART provides end-to-end encryption using industry-standard S/MIME with 2048-bit public/private key pairs; an S/MIME signature also lets the recipient detect any alteration of the message.

Transmission Security
  HIPAA requires: technical security measures to guard against unauthorized access to electronic protected health information transmitted over an electronic communications network.
  FuseMail delivers: CypherSMART provides strong encryption for any message transmitted, which can be triggered manually or automatically based on message content, so that all ePHI is emailed securely.

Audit Controls
  HIPAA requires: mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  FuseMail delivers: SecureSMART provides full reporting on user access to and transmission of ePHI stored in FuseMail's systems, producing a detailed audit trail that administrators can access at any time via the FuseMail web dashboard.
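The Transmission Security provision and the "triggered manually or automatically based on message content" behaviour described above are easiest to understand as a policy decision made per message before it leaves the relay. The following is an added example written for this page, not FuseMail's or the paper's code, of what such a decision looks like: a message must be encrypted if a staff member tagged its subject, or if its text carries ePHI indicators and any recipient is outside the practice's domain. It also builds the TLS settings an enforced (as opposed to opportunistic) outbound session should use, which is what "SSL-based encryption" ought to mean today. The subject tag, the indicator patterns, the internal domain and the two sample messages are assumptions constructed for the example.

```python
"""Decide whether an outbound message must be encrypted, and build the TLS
settings a relay should enforce when it sends it.

Added example (not FuseMail code). Everything below that names a domain,
tag or pattern is an assumption for illustration.
"""
import re
import ssl
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

INTERNAL_DOMAIN = "example-clinic.test"   # assumed: the covered entity's domain
MANUAL_TAG = "[encrypt]"                  # assumed: subject tag staff can add

# Patterns that suggest ePHI in free text. Deliberately broad: a false
# negative here means ePHI leaves in the clear, a false positive only means
# an extra encrypted message.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]\s*\d{5,}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}",
                      re.IGNORECASE),
    "diagnosis": re.compile(r"\b(?:diagnos(?:is|ed)|ICD-?10)\b", re.IGNORECASE),
}


def recipients(msg):
    """All recipient addresses across To/Cc/Bcc, lower-cased."""
    fields = msg.get_all("to", []) + msg.get_all("cc", []) + msg.get_all("bcc", [])
    return [addr.lower() for _, addr in getaddresses(fields) if addr]


def phi_indicators(text):
    """Names of the indicator patterns that matched; empty means none found."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))


def encryption_decision(raw_bytes):
    """Return (must_encrypt, reasons) for a raw RFC 5322 message.

    Internal-only mail with ePHI is allowed through unencrypted, matching the
    paper's position on mail that never leaves the secure network."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []
    subject = msg.get("subject", "")
    if MANUAL_TAG in subject.lower():
        reasons.append("manual tag in subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    hits = phi_indicators(subject + "\n" + body)
    external = [r for r in recipients(msg) if not r.endswith("@" + INTERNAL_DOMAIN)]
    if hits and external:
        reasons.append(f"ePHI indicators {hits} to external recipients {external}")
    return (bool(reasons), reasons)


def strict_tls_context():
    """TLS settings for an enforced, not opportunistic, SMTP session: peer
    certificate verified against the system trust store, hostname checked,
    TLS 1.2 or newer only. Pass as smtplib.SMTP.starttls(context=...)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


# Constructed sample messages (no real patients, addresses or identifiers).
REFERRAL = b"""\
From: drlee@example-clinic.test
To: referrals@orthopedics.example
Subject: Referral for consult

Patient Jane Roe, DOB: 04/12/1961, MRN 0048213, referred for evaluation.
"""

INTERNAL_NOTE = b"""\
From: frontdesk@example-clinic.test
To: drlee@example-clinic.test
Subject: Tomorrow's schedule

Room 2 is double-booked at 9am; can you take the 9:30 instead?
"""

if __name__ == "__main__":
    for name, raw in (("referral", REFERRAL), ("internal note", INTERNAL_NOTE)):
        must, why = encryption_decision(raw)
        print(f"{name}: encrypt={must} {why}")
```

The referral is flagged (date of birth and MRN, going to an external domain) and the scheduling note is not. When the decision is "encrypt", the relay should either apply message-level S/MIME before handing the message to SMTP or refuse to deliver unless `strict_tls_context()` negotiates successfully; with a plain `smtplib` session and no context, STARTTLS failure simply results in cleartext delivery, which is exactly the gap the Transmission Security standard is about.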

Conclusion: The Right Solution for Email Encryption and Security Can Quickly Bring Your Practice into Full HIPAA Email Compliance

One of the simplest, most cost-effective ways to bring your practice into compliance with HIPAA's provisions regarding ePHI in email is to implement an email security and encryption solution. The CypherSMART and SecureSMART solutions from managed email solutions provider FuseMail operate entirely in the cloud, require no hardware or software installation at your site, and can be deployed in minutes with virtually any standard email program. By implementing these easy-to-use, low-cost additions to your existing email system, you can quickly ensure your practice is compliant with HIPAA's complex email rules. That's why we at FuseMail call our CypherSMART and SecureSMART solutions Worry-Free Compliance.

COMPANY OVERVIEW

FuseMail provides a comprehensive suite of cloud-based hosted email security solutions for businesses, including CypherSMART and SecureSMART, to help Covered Entities comply with HIPAA. FuseMail is the managed email solutions division of j2 Global, Inc. (NASDAQ: JCOM), a leading provider of cloud-based, business-critical communications and storage services. j2's global network spans more than 49 countries on six continents. Serving more than 12 million subscribers worldwide, j2 has offices in nine cities around the world, accepts payment in twelve currencies, and provides customer support in more than seven languages. To learn more about FuseMail and our Worry-Free Compliance solutions for HIPAA, visit us at www.fusemail.com or contact us at 877-563-4078. To learn more about j2 Global, please visit www.j2global.com.