Faster, Smarter, More Secure: IT Services Geared for the Health Care Industry
A White Paper by CMIT Solutions


Table of Contents

Introduction
1. Data Backup: The Most Critical Part of any IT Strategy
2. Hosted Email and Automatic Encryption
3. File Sync and Share: Balancing Accessibility and Security
4. Proactive Maintenance and Monitoring: Keeping Systems Running
5. HIPAA Compliance: A Health Care Must
Conclusion

Introduction

The health care industry is presented with a unique set of IT challenges. Central to these are several areas in which CMIT Solutions specializes: data backup; hosted email with automatic encryption; file sync and share that balances employee accessibility with data security; and proactive monitoring and maintenance that keeps your business from being affected by system downtime. Built into all of these options are compliance procedures that meet the rigorous standards set forth by the HIPAA Omnibus Rule.

HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996 to protect health insurance coverage for workers and their families and to establish national standards for electronic health care transactions pertaining to providers, employers, employees, and plans. HIPAA has several facets, including the Privacy Rule, Security Rule, Enforcement Rule, Transactions and Code Sets Rule, and Unique Identifiers Rule. As health care technology changed rapidly, several amendments, enhancements, and changes were made to HIPAA; the most important of these, the Omnibus Rule, took effect on September 23, 2013.

While all of CMIT Solutions' health care-specific offerings satisfy HIPAA requirements, our clients require more than just checking a box. They require a trusted IT partner that can handle all aspects of technology infrastructure, leaving them free to focus on what is important to them: acquiring and retaining clients, managing costs in today's competitive environment, hiring quality employees, and, above all, delivering a superior level of patient care. Read on for more on the custom-tailored services CMIT Solutions employs for those in the health care industry.

1. Data Backup: The Most Critical Part of any IT Strategy

In the health care industry, strong backups are a necessity. Losing your data means losing protected health information, which not only breaks the professional and ethical duty doctors and other practitioners have to their patients but could also expose you to civil and criminal penalties. That is why, at CMIT Solutions, we specialize in regular, remote, and redundant storage of your data with elite levels of security automatically built in.

We recommend automated backups with an offsite host. This approach requires little to no human involvement, which reduces human error and overhead. It also avoids situations where data backups are kept in the same physical location as the primary data, where a fire, flood, or other disaster can destroy both at once.

CMIT Guardian, our backup solution, fulfills the following needs:

Image-based backups that can support multiple versions of older software. Legacy applications still carry significant weight in the health care industry, and our backups can ensure that stored data is compatible with the many different programs you are required to run.

Extra encryption to satisfy stringent industry regulations and potential audits. In general, our clients' data is encrypted for secure online transmission (ensuring its safety during transfer from your office to the data center) and encrypted again in storage. Because health care professionals handle protected health information and deal with sensitive medical data, they are held to extremely high standards under HIPAA.

Disaster recovery plans that can eliminate downtime and keep you working. Working at such a fast pace means health care businesses have to be ready for anything. A good disaster recovery plan is critical to long-term success; most of the time, it is not a matter of if but when something will go wrong.

2. Hosted Email and Automatic Encryption

CMIT Solutions' hosted email goes above and beyond the competition, offering a cloud-based service that is HIPAA compliant and operated out of US-based data centers certified against National Institute of Standards and Technology (NIST) standards. Our email service provider abides by a Business Associate Agreement, completes required HIPAA training, and submits to annual security and privacy reviews.

Our optional email archiving service differs from most other vendors' in that it complies with HIPAA requirements that data cannot be tampered with. It also employs a user-friendly, policy-based encryption service that automatically scans every email to detect whether protected health information is included. When that kind of information is present, our hosted email service automatically encrypts the email before transmitting it, instead of tasking busy staff members or unwieldy third-party tools with manually encrypting emails.

According to a Kaiser Permanente survey cited by USA Today in July, one third of US patients contact their doctors via email, and doctors get the majority of their emails between 10:00 and 11:00 AM. Every one of those emails carries with it a potential HIPAA violation and litigation threat. If you are not encrypting and archiving your emails, you are making yourself vulnerable. Our hosted email service provides:

Necessary encryption to protect information from disclosure. This does more than just satisfy your and your clients' need for privacy; it also keeps you in line with federal and state regulations and, if followed properly, shields you from potential legal action.

Automated administrative processes to pre-screen communications. Basic content filters cannot catch everything, and even if they could, they are not well versed in the language of the health care industry.

Evolving functionality to meet mobility needs. Employees of small to medium-sized businesses now average three devices per person. It takes a fresh approach to satisfy those needs.

Robust archiving and search functionality to satisfy compliance audits. HIPAA can require health care operations to produce every email sent in a certain period upon demand. That means your email of choice must be protected, encrypted, archived, and searchable.

3. File Sync and Share: Balancing Accessibility and Security

One of the biggest challenges in the health care industry is balancing the availability of data with its security. To do their jobs properly and efficiently, employees need to be able to access patient records, scheduling software, and other protected information all day, every day. But under HIPAA regulations, that data must also be protected at levels higher than usual. That is where good file sync and share comes in. CMIT's unique hybrid approach leverages both on-premises and cloud storage, allowing seamless access to files from any location, on any device.

Secure file access. We can help you maintain security and compliance over the access and sharing of files, with updated protocols, protected networks, and stringent controls.

File sharing that gets the job done. Health care practices often require several different levels of data access for doctors, nurses, assistants, and administrative employees. Our services allow for 100% visibility into all storage devices, allowing co-workers to view, access, edit, and share files to complete all required tasks.

Centralized permission controls. Access permissions are uniformly enforced across all folders, devices, and systems. We can also provide robust audit reporting to monitor usage and access changes across the entire user base.

Single sign-on and password management. Say your office takes 15 different types of insurance; that is 15 different sets of sign-on credentials your employees have to memorize in order to share documents and data efficiently. We offer single sign-on and password management to make access easier and to prevent inadvertent data breaches caused by lost or compromised passwords.

4. Proactive Maintenance and Monitoring: Keeping Systems Running

When conducting a HIPAA risk assessment, CMIT Solutions finds that health care practices already employing proactive monitoring and maintenance have up to 25% of their compliance requirements already satisfied. That is a major edge in a crowded, competitive field. What does proactive mean? Everything you need to keep your systems running:

Monitoring Software. Installed on each device on your network, monitoring agents alert qualified domain engineers whenever an out-of-tolerance condition is observed and needs to be handled.

Network Operations Center (NOC). Staffed by over 300 engineers looking to outsmart tech problems, the NOC is available 24/7 to remotely remediate issues and respond to alerts. NOC engineers also perform a comprehensive preventative maintenance schedule and apply all appropriate white-listed software updates. A detailed log is maintained so problems can be diagnosed and corrected in the context of a company's complete IT history.

Help Desk. A fully staffed US-based help desk responds to a wide range of end-user issues and questions. From helping to get a new printer set up to helping a novice spreadsheet user solve a problem, this phone resource is responsive and service-oriented.

On-Site Support. The above three elements of CMIT Marathon dramatically reduce the need for on-site support. But when the problem demands an on-site technician, a local tech is dispatched to save the day. Once on site, the local tech is backed up by both the NOC and Help Desk staff.

5. HIPAA Compliance: A Health Care Must

The most significant change associated with the HIPAA Omnibus Rule, which went into effect in 2013, concerns who must now comply with the Privacy and Security Rules that govern Protected Health Information (PHI).

The Privacy Rule establishes national standards to protect individuals' medical records and other information held by health plans, health care clearinghouses, and health care providers that conduct transactions electronically. The Rule also requires appropriate safeguards to protect the privacy of PHI, sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization, and gives patients rights to access and request corrections of their health records.

The Security Rule establishes national standards to protect individuals' electronic PHI that is created, received, used, or maintained by a Covered Entity (CE). The Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI.

In the past, only Covered Entities (any organization that accepts payments from insurance companies, Medicare, or Medicaid) were required by law to follow rules pertaining to PHI. Now, Business Associates (BAs) of those CEs (IT service providers, lawyers, accountants, data processors, and others who may be privy to PHI) are held to the same standard. Additionally, third-party subcontractors of those BAs are now defined as BAs as well. These regulations even apply to organizations that simply maintain PHI data and may never access it.

The Omnibus Rule also implements revised policies and procedures pertaining to data breaches. Gone is the old harm standard that defined how breaches of PHI were handled, replaced by a new standard under which any impermissible use or disclosure of PHI, generally defined as a breach, is presumed to require notification. There are three exceptions to this rule:

1) The PHI is unintentionally acquired, accessed, or used by an employee acting under the authority of a Covered Entity or Business Associate.
2) The PHI is inadvertently disclosed by one person authorized to access it by his or her CE or BA to another person authorized to access it.
3) The CE or BA has a good-faith belief that the unauthorized individual to whom the impermissible disclosure was made could not have retained the information.

Otherwise, breaches must be announced as follows. Covered Entities responsible for breaches affecting fewer than 500 people must notify the affected individuals and the CE's Business Associates within 60 days of the discovery of the breach. Breaches of this size must be reported to HHS on an annual basis, no later than 60 days after the end of the calendar year in which the breaches occurred. In addition to the above, breaches affecting more than 500 people must also be reported to prominent media outlets serving the state or jurisdiction where the breach happened. All such notifications must be made within 60 days of the discovery of the breach.

Penalties for PHI breaches have been significantly enhanced as well. The American Recovery and Reinvestment Act of 2009 established a tiered civil penalty structure that remains subject to the discretion of the Secretary of HHS. Civil penalties can range from $100 per violation up to annual maximums of $1.5 million, with differing levels of assessment depending on the willful neglect exhibited by the HIPAA violation. In addition, criminal penalties are now a possibility for Covered Entities and specified individuals who knowingly obtain or disclose Protected Health Information. Prison terms can reach ten years for particularly egregious examples, including using individually identifiable health information for commercial advantage, personal gain, or malicious harm. Remember that not all incidents involving PHI are breaches.
But all breaches begin as innocuous incidents, making diligence in HIPAA compliance a must. Other HIPAA compliance requirements include the following:

Updated Business Associate Agreements between covered entities, business associates, suppliers, vendors, and subcontractors that specifically protect the privacy and security of health information.

Updated risk and security assessments that ensure your company and all business associates are HIPAA compliant. Conducting an analysis like this is the first step in identifying and implementing policies and procedures that comply with and carry out the standards set out by the Omnibus Rule. A HIPAA risk assessment will also determine whether your company could pass an independent audit of the hundreds of HIPAA citations and components up for examination.

Policies and procedures that maintain the integrity of login credentials and access; encrypt any and all data accessed on behalf of a covered entity; outline the proper storage and transmission of encryption keys; and dictate physical security for any systems that access personal health information.

Ongoing training and education that satisfies HIPAA requirements for keeping employees up to speed on the changing compliance landscape. CMIT Solutions offers module-based training that employees can complete at their leisure, as their schedule permits. This checks required boxes while also helping business owners, employees, and patients.
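The breach-notification procedure summarized in section 5 (the three exceptions, the 500-person threshold, and the 60-day clocks) is the kind of decision an incident-response playbook can encode so that deadlines are computed, not remembered. The Python below is an added example written for this page, not CMIT Solutions' code; the incident field names, the function names, the HHS deadline for larger breaches, and the treatment of exactly 500 affected people are assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Thresholds and clocks as the white paper states them.
SMALL_BREACH_LIMIT = 500        # paper: "fewer than 500 people"
NOTIFY_WINDOW_DAYS = 60         # notify within 60 days of discovery
ANNUAL_REPORT_GRACE_DAYS = 60   # annual HHS report due 60 days after year end

@dataclass
class PhiIncident:
    """Facts the IR team records about a PHI exposure (constructed field names)."""
    discovered: date
    affected_count: int
    # The three Omnibus Rule exceptions, in the order the paper lists them.
    unintentional_by_workforce: bool = False   # 1) unintentional, under CE/BA authority
    between_authorized_persons: bool = False   # 2) inadvertent, authorized to authorized
    recipient_could_not_retain: bool = False   # 3) good-faith belief PHI was not retained

@dataclass
class NotificationPlan:
    is_breach: bool
    exception: Optional[str] = None
    notify: Dict[str, date] = field(default_factory=dict)   # recipient -> deadline

def plan_notifications(inc: PhiIncident) -> NotificationPlan:
    """Decide whether the incident is a notifiable breach and who must hear by when.

    Assumption: the paper says "fewer than 500" and "more than 500" and is
    silent on exactly 500; this example puts 500 in the larger tier.
    """
    if inc.unintentional_by_workforce:
        return NotificationPlan(False, "unintentional acquisition by workforce member")
    if inc.between_authorized_persons:
        return NotificationPlan(False, "inadvertent disclosure between authorized persons")
    if inc.recipient_could_not_retain:
        return NotificationPlan(False, "good-faith belief the recipient could not retain PHI")

    # No exception applies: the breach is presumed notifiable; the clock runs from discovery.
    deadline = inc.discovered + timedelta(days=NOTIFY_WINDOW_DAYS)
    plan = NotificationPlan(True)
    plan.notify["affected individuals"] = deadline
    plan.notify["business associates"] = deadline

    if inc.affected_count < SMALL_BREACH_LIMIT:
        # Smaller breaches go into the annual HHS log, due 60 days after the calendar year ends.
        year_end = date(inc.discovered.year, 12, 31)
        plan.notify["HHS (annual log)"] = year_end + timedelta(days=ANNUAL_REPORT_GRACE_DAYS)
    else:
        # Larger breaches add prominent media in the state or jurisdiction. The paper says all
        # notifications are due within 60 days; scheduling HHS on that clock is an assumption.
        plan.notify["prominent media in the state/jurisdiction"] = deadline
        plan.notify["HHS"] = deadline
    return plan

def overdue(plan: NotificationPlan, today: date) -> list:
    """Recipients whose deadline has already passed, for a daily tracker check."""
    return sorted(name for name, due in plan.notify.items() if today > due)
```

Call plan_notifications() on a PhiIncident built from the incident record and track the returned deadlines; overdue() flags any that have lapsed.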

Conclusion

Technology is difficult enough for any small to medium-sized business owner, but in the health care realm it presents extra challenges. Our goal at CMIT Solutions is to make things easier for you by making technology simpler and easier to use. We aim to take the IT burden off your shoulders while helping you save time and money, and we work to prioritize any major changes required under HIPAA compliance requirements so that you can budget your resources accordingly. Contact us today if you are ready to make your practice operate faster, smarter, and more securely.