Tag Archives: Encryption

The Audits are Coming! The Audits are Coming!

Ever since Woodrow Wilson and the 16th Amendment gave us a Federal income tax back in 1913, Americans have had to worry about being audited by the government. The modern IRS was born in the 1950s, and it gets very busy every year after April 16th, poring through millions of income tax filings, looking for mistakes and potential revenue.

This year, starting March 21st, another government agency started its second round of audits. These audits, however, have nothing to do with taxes. The Department of Health and Human Services' Office of Civil Rights (OCR) is conducting audits of healthcare providers and facilities that focus on HIPAA violations.

This second round of audits identifies 180 areas of focus for HIPAA compliance by healthcare providers. If you want to review all 180 of them (and you probably should), there is a not-so-easy-to-navigate webpage that explains them all at HHS.gov here.

Of course, we all benefit from the security of our private medical information. Medical identity fraud is on the rise, so much so that there is even a Medical Identity Fraud Alliance dedicated to addressing it. Healthcare facilities and providers are already concerned and are taking precautions to avoid private patient information falling into the wrong hands, but the added pressure of an audit and potential fines and sanctions raises the stakes even more.

With that in mind, I'd like to offer 3 areas you may want to evaluate in your facility or practice to make sure you are compliant.

Confidential Communications - There is a delicate balance in play when it comes to patient communications. HIPAA has guidelines that require providers to facilitate a patient's access to their Protected Health Information (PHI) whenever they need it. This means Electronic Health Records (EHR) and other PHI cannot simply be locked down in a vault. That makes things trickier, as providers need to figure out how to provide secure access without compromising privacy. This confidentiality extends beyond verbal and written communications to electronic forms of communication as well. Healthcare providers should be evaluating not only their client-server and storage area networks, but also their phone and video patient interactions. Providers should be choosing telemedicine platforms and hardware that make the "best effort" to secure patient information. Consumer-grade, cloud-based teleconferencing may not be seen to fit this definition by the auditor looking into your procedures. Make sure you are confident in the encryption method and in the secure transmission and storage of any remote healthcare services you are providing via telemedicine.

Business Associate Contracts - As a healthcare provider, you most likely work with several other businesses to provide the best care for your patients. These associates could include pharmaceutical manufacturers, staffing companies, or even outsourced IT and data centers. They may also include technology providers that install and manage technology within your facility. HIPAA requires not only that you make the best effort to protect your patients' PHI, but also that you choose partners who do the same. Make sure to enter business associate contracts with companies that understand the healthcare space and HIPAA requirements. This is your best bet for mitigating liability and avoiding sanctions and fines for failures that may not even be your fault.

Facility Access Controls - One area of HIPAA compliance that may or may not be on your radar is physical access to your facility. Healthcare providers have a responsibility to limit access to information in the form of EHR and physical specimens (blood, DNA, urine, etc.) that may compromise a patient's privacy. There is also a HIPAA guideline stating that a provider has a responsibility to verify the identity of anyone requesting access to a patient's PHI. This covers not only electronic access, but physical access as well. The best way to control physical access and verify identity is to implement an access control system similar to the ones used in data centers. Access control systems can use a combination of verification methods such as key cards, PINs, and even biometric devices like fingerprint scanners, hand geometry readers or retinal scanners to assure that the right people are accessing the appropriate patient information.

At the end of the day, you still may find an HHS auditor from the OCR contacting you. However, a proactive review of the technology within your facility may just help you avoid fines and sanctions by eliminating issues before the real audit begins.


Avidex AV is revolutionizing the way healthcare facilities and doctors are delivering care. Their 20 years of experience is being leveraged to drive down the cost of care while promoting positive healthcare outcomes. Is your organization looking for a new kind of technology partner? Connect with one of our Account Executives today to learn more.

Resources:

#1: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html

#2: http://medidfraud.org/

#3: http://blog.avidex.com/theres-more-to-hippa-than-encryption-choosing-the-right-vtc-platform/

#4: http://blog.avidex.com/choosing-the-right-av-partner-for-healthcare-facility-design/

Anthony Paoletti

About Anthony Paoletti

Anthony brings over 23 years of audiovisual experience and has worn nearly every "hat" in the industry; from Consultant to End User; Account Representative to Install Technician; Project Manager to Systems Engineer. Contact Anthony at apaoletti@avidexav.com

There’s more to HIPAA than encryption: Choosing the right VTC platform

If you are a regular reader of this blog, you already understand the amazing opportunities telemedicine presents to the modern day medical facility. You also know that the environment for implementing telemedicine is better than ever given changes in the way that telemedicine services are now being categorized. Given all this, you may be primed to implement a telemedicine system in your facility to start to take advantage of these trends.

On the surface, implementation looks fairly intuitive. You invest in some PC hardware, monitors, HD cameras, and quality microphone equipment. You dedicate space in your facility for practitioners to sit and converse with patients. Finally, you go about the task of determining which hardware and software platform to use for video teleconferencing.

Here is where things get very confusing.

How do you determine which platforms are actually compliant, and assure that the combination of hardware and software you have put in place does not create liability for your organization?

There is a temptation to standardize on a platform already familiar to the patient base as a whole. Given that temptation, solutions like GoToMeeting, Skype, and even FaceTime may initially look attractive. In fact, all of these platforms claim to meet HIPAA compliance in one way or another. They all cite 128-bit AES encryption to protect data in support of their cases. However, HIPAA requires more than just encryption of the data as it flows across the web.

Anything that is stored on a server is also subject to HIPAA encryption requirements, and although video is not saved and stored in most cases by these types of providers, things like chat sessions are, and these services do not store them in a HIPAA-compliant manner.

There are also requirements for HIPAA Business Associate Agreements between companies, for auditing tools to assure compliance, for emergency notifications, and for encryption of stored data, and support for these is suspect at best in these platforms.

Skype has gone so far as to claim that they "do not need to be a vehicle that enables compliance, just like your cell phone provider and the postal mail service are not."

So if they are not the compliance vehicle, who is? Where does the liability lie if a breach happens? Some believe it then lies with the healthcare provider.

“Since it is relatively easy to choose a Safeguard that allows you to be more fully compliant with HIPAA when video conferencing, it would be neglectful to instead use Skype for this purpose…you must be able to justify your decision in your internal HIPAA compliance reviews and be prepared to answer pointed questions from auditors, should the need arise.”

The bottom line is that better options exist that are fully compliant and that mitigate the liability of non-compliance with HIPAA. These solutions may utilize more reliable encryption methods through dedicated hardware that also enables audits and emergency notifications. These companies also offer the required Business Associate Agreements.

Of course, as with any innovative hardware technology solution, working with a trusted partner who is well versed in both the hardware and the specifics of HIPAA compliance is invaluable.


Resources:

#1: http://www.telehealthtechnology.org/sites/default/files/documents/HIPAA%20for%20TRCs%202014.pdf

#2: http://www.zdnet.com/article/facetime-calls-are-encrypted-and-hipaa-compliant-when-using-proper-encryption/

#3: http://l1.osdimg.com/online/dam/pdf/en/resources/wp/GoToMeeting-HIPAA-Compliance-Guide-brief.pdf

#4: http://onlinetherapyinstitute.com/2011/03/01/videoconferencing-secure-encrypted-hipaa-compliant/

#5: https://luxsci.com/blog/is-skype-hipaa-compliant-if-not-what-is.html

#6: http://telehealth.org/video/

Bob Higginbotham

About Bob Higginbotham

Bob Higginbotham, CTS-I, CTS-D, is the Avidex National Manager of Healthcare AV. Bob has spent his 30 year career in leadership positions in the AV industry including extensive design and build work in healthcare facilities. He owned and operated a successful AV business in Texas with multiple offices in several cities where he managed a staff of over 100 employees. Bob has served as a technical consultant for a major AV manufacturer, led the technical sales team for a national video conferencing provider and provided technology auditing services for several private education facilities. He has a unique working knowledge of audiovisual technology as well as multiple certifications in audio engineering, acoustics, AV design, CQT system commissioning and video transmission systems. Bob holds a BA in communications and has recently served as board chair for a large private school. He brings his years of technical knowledge and leadership experience to Avidex where he leads the national healthcare AV team. Contact Bob at bobh@avidexav.com