
Can Your Health IT Service Provider Ensure Security for ePHI?


Breaches in the safety of patient health information (PHI) can lead to costly penalties, so make sure that your health IT service provider can ensure the safety of ePHI.

Published in: Business

  1. Can Your Health IT Service Provider Ensure Security For ePHI? Outsource Strategies International, www.outsourcestrategies.com. Headquarters: 8596 E. 101st Street, Suite H, Tulsa, OK 74133. Call: 1-800-670-2809
  2. Outsourcing your healthcare documentation, medical coding and billing, and other back office tasks can help save time and money and improve your productivity and efficiency. However, as a physician, there’s one question that you should ask yourself: is my health IT service provider conscious about the safety of my data? Poor IT security policies can land you with troublesome and costly penalties for HIPAA (Health Insurance Portability and Accountability Act) violations. Even a well-known institution like Idaho State University was recently penalized for a health information security breach. So before you outsource your back office tasks, it’s important to ensure that your health IT service provider has the following policies in place to ensure security of electronic protected health information (ePHI):
  3. Encryption for ePHI: Check whether the IT provider offers encryption for both active (in use) and inactive (not in use) ePHI. Otherwise, the ePHI is at risk of security breaches and HIPAA violations. Suppose that your medical billing service provider accesses your ePHI via an unencrypted network. There is a chance that someone can intrude into the network and access the information while it is being transferred. The same applies to ePHI stored on a computer, laptop or USB drive. If the device is stolen, misplaced or lost, ePHI confidentiality is at stake. In 2012, BlueCross BlueShield of Tennessee, a leading Health Benefit Plan company in Tennessee, paid around $1.5 million to the Department of Health and Human Services (HHS) when 57 unencrypted computer hard drives containing the protected health information of more than 1 million people were stolen.

     Business Continuity & Disaster Recovery Plans: The service provider that you select should have business continuity and disaster recovery plans. Even though most service providers plan how to handle an immediate service interruption, testing usually doesn’t take place until an emergency occurs! This is a bad practice. So ensure that your service provider has a tested and proven disaster recovery plan in place. This will reduce wait time for updates, for you as well as your patients.
  4. Proper Shredding of ePHI: Data breaches may occur if the patients’ health information is not disposed of safely and securely. For data stored electronically, the potential for unauthorized access, erasure, alteration, or loss is high. Even if documents are deleted from the recycle bin, they are prone to unauthorized access via hard disk recovery. When disposing of data stored on computer disks, the disks need to be erased several times and it should be ascertained that the data cannot be recovered from them. The service provider should be able to recognize when, how and in what circumstances the ePHI was destroyed.

     Identify Data Breaches: Most data breaches are difficult to detect. As per the Verizon Data Breach Investigations Report 2013, around 66 percent of data breaches take months or even years to discover. So you should ensure that your service provider has an efficient system (anti-virus software, malware detection tools, advanced analytic tools) to identify different types of data breaches.
  5. Regular Risk Assessment: Make sure that your service provider performs risk assessments regularly to address changing threats and policies so that effective and stringent security measures can be implemented. For example, the HIPAA Omnibus Final Rule effective from March, 2013 considers even the risk of data breach as a violation. Changes in technology can bring about new risks. It’s important that your service provider stays up-to-date with such changes and conducts regular risk adjustments to detect and deal with security violation threats.

     HIPAA Business Associate Agreement: If your service provider is willing to sign a HIPAA business associate agreement (BAA) with you, this is an indication of their commitment to security for your ePHI. The contract ensures safety for personal health information in accordance with HIPAA guidelines. The agreement should clearly show how your health IT service provider will report and respond to any kind of data breach. Also, make sure that the provider can produce evidence for routine audits such as SSAE 16 reports or PCI certification.
  6. The bottom line: when you outsource your documentation or medical coding or billing tasks, look for a medical transcription company or medical billing company that is HIPAA compliant.
