http://Enterprise.efax.com - On the heels of an expected increase in OCR audits starting this year, we still have more questions than answers as they relate to Business Associate Agreements (BAAs), encryption requirements and the Conduit Exception. Join eFax Corporate® for this informative webinar to learn the key HIPAA misconceptions to avoid in 2015, compliance and BAA requirements related to outside vendors, and ePHI compliance requirements related to documents shared over email and fax.
HIPAA IT Pitfalls to Avoid in 2015 - eFax Corporate
1. HIPAA IT Pitfalls to Avoid in 2015
Understanding Compliance & Exceptions
Brad Spannbauer
Director, Product Development
eFax Corporate®
brad.spannbauer@j2.com
2. The information provided in this presentation does not constitute, and is no substitute for, legal or other professional advice. We strongly encourage you to consult your own legal or other professional advisors for individualized guidance regarding the application of the law to your particular situations, and in connection with any compliance-related concerns.
4. Today’s Agenda
• 7 common incorrect HIPAA assumptions
• Putting it all together:
– The Conduit Exception
– The BAA: Does it transfer your responsibility?
– The Encryption requirement
• So, are you compliant or not?
• Q & A
With the adoption of the Omnibus Final Rule in September 2013, many healthcare IT directors were faced with a seemingly simple question from their organizations' senior management: "Are we or aren't we HIPAA compliant?"
It seems like a simple question, but ever since the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, hospitals, group practices and other covered entities have struggled with their response. Even with seventeen years to prepare, many providers were still scrambling to meet all the requirements defined in the Omnibus Rule.
This webinar will cover the most common incorrect HIPAA assumptions, and provide a detailed examination of the Conduit Exception, one of the most misunderstood provisions of HIPAA and the Final Rule.
Earlier this year we conducted a survey of our customers in the healthcare industry and the results, while not exactly surprising, were enlightening. Our Healthcare IT Pulse survey revealed top concerns related to transferring sensitive healthcare information, technology usage patterns, and top security and compliance issues.
As it relates to documents, changes brought on by legislation such as the Affordable Care Act, including the new healthcare exchanges, often mean a sudden influx of added paperwork for healthcare organizations. We found that 54 percent of organizations surveyed cited HIPAA compliance as their top concern, ranking it above document management, organization and record keeping.
Even after publication of the Omnibus Rule, HIPAA contains few absolute measures that must be implemented to achieve compliance. And once you have deployed the technology solutions, implemented the policies and trained your personnel, there is still no federal certification or stamp of approval to reassure you.
IT departments’ efforts are often undertaken with little understanding of what's actually required in order to achieve HIPAA compliance and frequently result in processes that are lacking in small but important ways. From my conversations with customers regarding their compliance needs and solutions, I hear several recurring incorrect assumptions that can spell trouble. Here are seven of the most common incorrect HIPAA assumptions I've encountered.
I frequently encounter IT managers who firmly believe that deploying a software package touted as “HIPAA compliant” is all that’s required to achieve compliance. They’re wrong.
Compliance with HIPAA requirements is not transferable; while your vendor’s status is important, your organization should implement its own comprehensive HIPAA compliance program. You’ll want to make sure that your processes are HIPAA compliant, then select vendors that fit your organization’s security framework.
Vendor selection should be guided by established protocols in your overall HIPAA compliance program. When entering into a relationship with a vendor, it’s like the old adage says: trust, but verify.
Even if a vendor willingly offers to sign a Business Associate Agreement (BAA), you should always perform due diligence to ensure their product or service is a match for your organization. Consider the BAA the starting point of your discussion, not the end point.
The assumption that cloud services can't be HIPAA compliant is no more true than concluding that on-site solutions are always secure.
Cloud services offer a number of advantages – cost savings, increased efficiency, lower infrastructure overhead – over their traditional counterparts, and many offer HIPAA compliant services tailored to the needs of healthcare customers.
While policies and procedures are key to any HIPAA compliance program, these elements are nothing without rigorous ongoing monitoring, enforcement, and adjustments.
Your organization should always be on the lookout for security breaches, both technological and procedural, to ensure Protected Health Information (PHI) is secure. HIPAA requires that your compliance policies and procedures be living documents – your organization should be regularly re-evaluating and updating your compliance program, and conducting training sessions with employees to reinforce policies and procedures.
Fax servers can help ensure the security of PHI during transmission, but often fall short in protecting the same data while stored on your network.
Fax servers often hand-off PHI data to email or file servers that may be vulnerable to unauthorized access from within your network.
Encryption of stored PHI is an addressable implementation specification under the Security Rule. Addressable does not mean optional: if you decide not to encrypt stored PHI, you must document why it is not reasonable and appropriate and implement an equivalent alternative. In practice, seek solutions that offer "at rest" encryption of PHI stored within your systems, including the email and file servers a fax server hands documents off to.
An audit trail is great, but it only covers data while it lives within your EHR system. What happens once a record is printed?
Consider implementing a clear, comprehensive document sharing policy that addresses handling of PHI both within and outside of your EHR system.
Think of the document sharing policy as a complement to your EHR audit trail, not a redundancy.
TLS encryption is a great tool to help secure email in transit, but it works only if both sides of the email transaction are configured properly, and it protects only the hop between the two mail servers, not the message once it lands in a mailbox.
Not every email provider supports TLS for its subscribers. With SMTP, encryption is negotiated hop by hop: the sending server asks the receiving server whether it supports STARTTLS, and if your provider uses only opportunistic TLS and the receiving server doesn't advertise it, the message containing PHI is delivered with no encryption at all, with no warning to the sender.
You may want to think twice about sending PHI over email, particularly when other, more secure methods are available.
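The fallback described above, as an added example that is not part of the eFax Corporate webinar: a small model of the sending mail server's decision. It parses the receiving server's EHLO reply (RFC 5321/3207), checks whether STARTTLS is advertised, and shows how an opportunistic policy silently sends in cleartext while a required-TLS policy defers. The two EHLO replies and the host names in them are constructed sample data, not captured from any real server.

```python
"""Why opportunistic TLS can silently deliver PHI in cleartext.

Added example, not code from the eFax Corporate webinar. The EHLO
replies below are constructed samples; the host names are fictitious.
"""
import re
from dataclasses import dataclass
from typing import Set

# Constructed EHLO replies (RFC 5321 multi-line 250 response). The first
# receiving server advertises STARTTLS (RFC 3207); the second does not,
# which is also exactly what an on-path attacker doing STARTTLS stripping
# would make a TLS-capable server look like.
EHLO_WITH_STARTTLS = (
    "250-mail.example.net Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 HELP\r\n"
)
EHLO_NO_STARTTLS = (
    "250-legacy.example.org Hello\r\n"
    "250-SIZE 10485760\r\n"
    "250 HELP\r\n"
)


def advertised_extensions(ehlo_reply: str) -> Set[str]:
    """Return the SMTP extension keywords listed in an EHLO reply.

    The first 250 line is the greeting (domain + free text); every later
    line is '250-KEYWORD [params]' or, for the last line, '250 KEYWORD'.
    """
    lines = [ln for ln in ehlo_reply.split("\r\n") if ln]
    extensions = set()
    for line in lines[1:]:
        match = re.match(r"250[- ](\S+)", line)
        if match:
            extensions.add(match.group(1).upper())
    return extensions


@dataclass
class Decision:
    send: bool        # will the client proceed to MAIL FROM?
    encrypted: bool   # will the session be upgraded with STARTTLS first?
    reason: str


def decide(ehlo_reply: str, policy: str) -> Decision:
    """Model the sending server's choice.

    policy 'opportunistic': encrypt if the peer offers STARTTLS, otherwise
    send anyway in cleartext (the default in most MTAs).
    policy 'require': never send unless STARTTLS is available; the message
    stays queued and the sender gets a bounce or delay notice instead.
    Because the EHLO reply is unauthenticated, only 'require' resists an
    attacker who strips the STARTTLS keyword from the reply.
    """
    if policy not in ("opportunistic", "require"):
        raise ValueError("policy must be 'opportunistic' or 'require'")
    if "STARTTLS" in advertised_extensions(ehlo_reply):
        return Decision(True, True, "STARTTLS advertised; upgrading before MAIL FROM")
    if policy == "opportunistic":
        return Decision(True, False, "no STARTTLS; falling back to cleartext")
    return Decision(False, False, "no STARTTLS; required-TLS policy defers delivery")


if __name__ == "__main__":
    for name, reply in (("TLS-capable peer", EHLO_WITH_STARTTLS),
                        ("legacy/stripped peer", EHLO_NO_STARTTLS)):
        for policy in ("opportunistic", "require"):
            d = decide(reply, policy)
            print(f"{name:22} {policy:13} send={d.send!s:5} "
                  f"encrypted={d.encrypted!s:5} {d.reason}")
```

The opportunistic row for the legacy peer is the case the slide warns about: the message leaves the organization, nothing fails, and the PHI crosses the wire unencrypted. Real MTAs expose the "require" behaviour as a per-domain TLS policy (for example a transport map requiring `encrypt` for a partner's domain); the model above is only the decision logic, not a mail client.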
So now that we’ve discussed some of the common misconceptions, let’s put this information into practice.
One of the key findings from the survey that we cited earlier is that fax continues to be a favored approach for communication, as 61 percent of healthcare organizations surveyed cited fax as one of the top approaches to exchanging critical information with nonemployees, with 26 percent citing fax as the No. 1 approach to exchanging critical information.
Meanwhile, other methods trailed well behind: digital file transfer was ranked No. 1 by only six percent of respondents, and 12 percent of healthcare organizations cited email as one of their two least used methods for exchanging critical information with nonemployees.
Yet there are still some misunderstandings about how faxing is treated for HIPAA compliance.
Consider the often misunderstood HIPAA Conduit Exception and the related comments in the Omnibus Final Rule. The conduit exception is narrow: it applies to vendors, whether offline (such as a courier or the postal service) or online (such as an ISP), that merely transport PHI from one party to another, have access to it only on a random or infrequent basis, and do not store it beyond what is temporarily needed to complete the transmission.
To illustrate, Let’s consider two usages of the same basic hosted fax service, with one key difference: document archival.
One version of the hosted fax service does not store sent or received faxes, it simply transports them from sender to receiver (certainly with Transport Layer Security (TLS) encryption while in-transit)…
There is no electronic archival or storage involved with this service. Users can't go back a day, week or month later and retrieve or search by keyword for faxes they sent and received. This service would fall under the conduit exception.
Now, if the same service offers an on-line storage function for the faxes your users send or receive, it would most likely not be subject to the conduit exception, and as a covered entity you would need assurances from the vendor –the Business Associate—that those documents are secure.
This assurance would most likely come in the form of a Business Associate Agreement (BAA).
Looking at these two examples, problems arise when the vendor doesn't understand these differences, because as a covered entity you may be relying on the vendor to know them. If a vendor simply says "we always sign BAAs," for example, you might enable or disable a feature such as archival without realizing that it changes the nature of the HIPAA compliance requirements for that service.
It is important for covered entities to remember that a BAA does not transfer all responsibility from you to your vendor; it establishes a shared responsibility. So even if you rely on a BAA from a vendor, you still have responsibility for the privacy and security of your PHI.
Let’s go back to the second scenario where you use an electronic faxing service and you want on-line archival access.
You may have a BAA with the vendor. But we also recommend that, instead of sending or receiving documents containing PHI to and from a personal productivity application like MS Outlook, the service sends only a notification (containing no PHI) to an email address. The user then authenticates to the online service to access their electronic faxes. This could certainly be a HIPAA compliant service.
It is not subject to the conduit exception, but because the vendor is storing PHI as part of the overall service, it should offer both encryption in transit and encryption at rest.
While encryption is not strictly mandated under HIPAA (it is an addressable specification, meaning you must implement it where reasonable and appropriate or document an equivalent alternative), we encourage providers to consider it a requirement and adopt it as best practice. Properly encrypted ePHI is also the main path to the breach notification safe harbor if a device or backup is lost.
For document and data transmission and storage, encryption in transit and at rest should always be considered best practice. This is in addition to the physical security measures the vendor employs at its locations for access to servers, data centers and the like.
We believe it’s best to combine services that either meet the conduit exception—or have the right levels of security, encryption and protection—with a well-documented procedural audit of how your organization manages and interacts with data and documents.
Since the Omnibus rule took effect, a lot of covered entities have focused on the first A in HIPAA, Accountability, as well they should. The emphasis has been put on the responsibility of all parties involved (covered entities, health care providers, payors, business associates) to ensure patient data is not compromised.
But it is important to remember that the P, Portability, was a driving force behind passage of the original HIPAA act in 1996, reaffirmed by language in HITECH and the Affordable Care Act. Not that long ago, patient records were static, usually kept in manila folders at a doctor's office. Sharing this information with specialists and other caregivers was an onerous task for physicians and providers, and patients had difficulty switching to another primary care physician when they moved or for personal preference.
Balancing the Portability and Accountability has always been a challenge, even with Electronic Medical Records (EMRs). This is where the idea of secure (encrypted) at rest and secure in transit PHI comes into view.
There are no absolute assurances when it comes to HIPAA compliance, but by making yourself aware of these common assumptions, you will be better prepared to give careful consideration to the compliance of your data and document management processes.
As a follow up to this webinar I encourage you to read an article recently published on HITECH answers that I wrote, about the 7 HIPAA Assumptions.
We also have a whitepaper available to you, so in the follow up email we’ll get you a link to this recorded webinar to share with your colleagues, and a pdf of “Is cloud-based faxing right for you?”
Finally, you’ll have the opportunity to try cloud faxing for yourself with a free 30-day trial.
With that we can open the call to questions.
And with that, I thank you for your attendance and I hope to engage with you soon.