SlideShare a Scribd company logo

Healthcare preparedness 2010

D
DataMotion
Education
1 of 6
Download to read offline
DATAMOTION™ With HIPAA audits now randomized, you must be prepared for them every day. And with state regulations requiring compliance‐breach reporting, you must become your own auditor. HIPAA is the Health Insurance Portability and Accountability Act, the 1996 federal regulation that mandated health‐data privacy. This regulation requires compliance by all insurers and health care providers, including physician’s offices, hospitals, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities. But that’s not all. The Act’s Privacy Rule also regulates medical payment history privacy. Simply put, it requires that all health entities take reasonable steps to ensure the confidentiality of all communications that contain patient or customer information. And things could get even more serious very quickly. The passage of the HITECH Act creates mandatory reporting requirements of HIPAA violations, even when the data is lost by a third party. This increases the need for subcontractors to implement the same level of security typically found in larger organizations. The guidelines governing audits have changed. Prior to 2008, an organization was only put through an intense investigation when a routine audit found an egregious problem—and such routine audits were usually scheduled. But in February 2008, the U.S. Department of Health and Human Services, which oversees HIPAA compliance, contracted with the firm PricewaterhouseCoopers to conduct surprise audits of hospitals. If you work at a hospital, or communicate with one, you could be targeted for a surprise audit this year. This changes the stakes for everyone’s need to be ready. And if that’s not enough to worry you, the states are getting into the picture as well. In New York State, the loss or compromise of 10 or more patient records must now be reported to the New York State Department of Health. HEALTHCARE: HOW TO DISAPPOINT YOUR HIPAA AUDITORS AND GAIN THE RESPECT OF YOUR BOARD OF DIRECTORS (not necessarily in that order) Contact Us at: DataMotion, Inc. 35 Airport Road Morristown, NJ 07960 |p| +1 800 672 7233 |f| +1 973 455 0750 www.datamotion.com sales@datamotioncorp.com About DataMotion DataMotion is the first Intelligent Information Transport service that automates key business processes, so you can easily and quickly exchange information with your partners, customers, and colleagues. The DataMotion solution automates key business processes, such as automated billing, credit application processing, or customer outreach, to help you send critical information over the Internet.
So, ask yourself, “Would my company know if we lost 10 patient records?” If you’re in the state of New York, your answer must be “Yes.” HIPAA: Healthcare made difficult. One of the consequences of HIPAA is that it makes all kinds of medical research more difficult. That’s because people are more reluctant to participate as subjects, and it is more difficult to reach the right people to request their participation in research projects. Another noticeable consequence of HIPAA is that doctors are reporting less communicable diseases to state authorities. What’s worse is that even the public HIPAA was designed to protect doesn’t really like it. In a nationwide survey of 2,392 adults quoted in the Oct, 2007 Government Health IT Newsletter, nearly 3 out of 5 Americans agree that privacy of their health information is not well protected by federal and state laws and organizations. Any health provider who has struggled to help someone who needs information but doesn’t have the right identification on the phone, will tell you it gets in the way more than it helps. So what’s the answer? The only thing an organization can do is to fulfill the requirements in a way that allows everyone to get their jobs done in an efficient, cost‐effective manner. And satisfies the auditors. And relieves your board of directors. And satisfies your customers and patients. And keeps you from paying penalties or risking prison time. And the way to do that is to outfit your organization with the technologies it needs to secure information when it travels, as well as when it is used, stored, and communicated both inside and outside your organization. To avoid auditors, and penalties, you have a lot of planning to do. The penalties for failure to conform to HIPAA regulations go far beyond the hundreds of thousands of dollars in fines. They include public humiliation, loss of reputation, brand damage, class‐action lawsuits, and yes, even prison. But there are practical ways to avoid these penalties. The goal is to keep private information private, to keep prying eyes out, and to be able to prove both to auditors. Here are some methods: 1. Take secure measures, in case people make mistakes. One of the most common causes of any kind of security breach is human error. Whether conscious, accidental, or simply due to laziness, human error can result in Personally Identifiable Information (PII) or Personal Health Information (PHI) being sent over the internet as unencoded text unless filters are put in place to detect For more information: http://www.datamotion.com/Solutions/ HealthcareInsurance.aspx For a free 5-user, 30 day trial http://www.datamotion.com/Resources/ FreeTrial.aspx
these messages and encode or reroute them safely. At the same time, you can’t afford to stop communications. Likewise, you can’t afford to handle hundreds of false positive alerts— alarms signaling that a breach has occurred when one hasn’t. No one has time for that. Many companies are hesitant to apply filters to their most important communications— email and attachments. For example, if a filter were to keep every piece of mail from leaving your company that included the word “diabetes” and a person’s name, you couldn’t send out an email message with an attachment that says, “Watch for these symptoms, they may indicate you have diabetes.” On the other hand, you must be sure that the attachments that include a patient’s name, id number, and blood‐test results can never be intercepted accidentally, or be sent outside your company unencrypted. To accomplish this, you need to: • Install smart filters that analyze both the email and its attachments, • Correlate fields in both documents and attempt to match them to known patient databases, • And quarantine or redirect those messages. 2. Make sure the boundaries between systems are secure. Communication security breaches commonly occur where data is transferred between two or more systems. It can happen any time and any place where data is transferred between: • People inside your company’s firewall • People inside and outside your company’s firewall • Your people and your partners • Your people and your customers (or patients) • Two different systems Whenever information passes between systems and people, the data needs to be secured at all times, even when in transit. You must also ensure the data that is sent to people outside your firewall is always sent in encrypted format, so that no one but its intended recipients can read it. For example, should you need to transmit patient data from a doctor’s office to a central database, if it is encrypted, it could be sent automatically as an email attachment. 3. Make sure your internal communications are secure. Your people who work from home provide a specific example of HIPAA boundary issues. It is critical that any data that they transfer to their home computers from work is sent securely, one copy of a database file, one spreadsheet, one PDF attachment, or one presentation that someone works on over the weekend. For more information: http://www.datamotion.com/Solutions /HealthcareInsurance.aspx For a free 5-user, 30 day trial http://www.datamotion.com/Resources/ FreeTrial.aspx
Your business information must pass across the Internet securely, even though it will remain inside your company and your firewall. It must never be compromised—or vulnerable. But one mistake is all it takes. How do you ensure that this never happens? Despite your most well intended policies, there is always a chance that someone somewhere will let your guard down. Today you hope it never happens, or if it does, that it won’t cause a problem. But hoping isn’t acting. You must act. You must put a comprehensive filter in place, so that you can implement and enforce business rules to prevent these occurrences. You could either encrypt the file and send it, and email a warning to the sender, or you could quarantine the suspicious file and report the sender to his or her manager, the legal department, or whomever else you chose. 4. Make sure your partner communications are secure. Your people, when working with business partners, bring up another case of boundary issues. It’s likely that they must regularly transfer information back and forth with external partners. In some cases this can contain very sensitive information. Your partners may use different email systems. They often need to send personally identifiable information (PII) and or personal health information (PHI) about clients or patients via email or attachments. Sometimes, attachments can be extremely large. For example, a single mammogram image can reach 500 megabytes. So not only would you need to exchange this file securely, you would need to send it in a way that does not overburden—or stop—your email system. Healthcare‐related institutions must use solutions that make it possible to communicate with anyone, anytime, anywhere, no matter what email system the other party uses. Likewise, you must demand the ability to securely transfer extremely large files with all these same people. 5. Make sure your communications with telecommuters are secure. People who telecommute create another group of boundary issues. Medical professionals, such as radiologists, who choose to work from home, are moving in this direction. When people must transfer large, important, time‐sensitive files such x‐rays or mammograms as email attachments through your company’s email system, they have the potential to bring your email system to a standstill. So you must find the time, the budget, and the resources to set up file‐transfer sites for these large files. And you must For more information: http://www.datamotion.com/Solutions /HealthcareInsurance.aspx For a free 5-user, 30 day trial http://www.datamotion.com/Resources /FreeTrial.aspx
make absolutely sure that they offer unbreakable security. With a sophisticated system in place, you could manage and track the secure transfer of confidential, large files so you’d know they were delivered to, and opened by your intended recipient. 6. Make absolutely sure your communications with customers—or patients—are absolutely secure. When communicating with customers (or patients), your people most likely have no knowledge of the recipient’s email system. Which means that although your company might have created a secure email portal, extensive research shows that customers do not want to use a browser to visit a portal to communicate with—or get information from—you. They want to use email. And they want you to send important information quickly, via email. And if you do, they want it, of course, to be secure. Not just because it’s the law. Because it’s common sense that people don’t want anyone to have access to their private medical information, any more than anyone should have access to their private banking information. Healthcare‐related institutions can now adopt solutions that allow them to communicate securely with anyone— regardless of whether the other party has the same email system or not—without the trouble of using a portal. All they need to do is establish a password. The customer or patient can receive their email replies securely in their inbox without visiting a portal. 7. Make sure when your customers—or patients—communicate with you, everything they do is secure. Your customers and patients must often submit forms, ask questions of specific people and departments, or submit follow up information about an ongoing illness or other matter. For a long time, these needs were served by paper‐based processes, but can now be handled through secure electronic forms on your web site. But the question is how does this data reach the right department or employee to process it? And can this data be integrated into existing knowledge worker software such as the company’s customer relationship management system to track its status? If the request contains sensitive information, is it received from the customer in a secure manner, or did the company’s method of collecting data cause a privacy violation? And if any follow up is needed with the customer, can this be sent securely? With a messaging system in place that provides secure inbound and outbound service, uses email and ad hoc forms for message composition, and provides web service and XML workflow integration, you can streamline your operations and cost effectively serve customers. Such a system eliminates the need to retype data from paper‐based forms—an For more information: http://www.datamotion.com/Solutions /HealthcareInsurance.aspx For a free 5-user 30 day trial http://www.datamotion.com/Resources /FreeTrial.aspx
error prone, time‐consuming and costly way of doing business. 8. Make sure your customer workflow is automated, so there are fewer mistakes. When you enter information into your system, you should only enter patient information once. Multiple entries of the same information are big bright red flags for auditors. To avoid this, you need to make very sure that any time information is entered securely, it is routed to its destinations in your CRM system or case handling systems without the need for humans to unencrypt, read, retype, fax, or otherwise invite errors. Or auditors. 9. Make it easy to transfer files securely— even very large ones. FTP, or file transfer protocol, is the standard way to transfer files across the Internet. However, it requires big investments of time and effort to make it work, and even when it does work, it transmits user login credentials and the contents of files in an unencrypted manner. So while your people face a constantly changing list of partners with whom they must exchange sensitive files, how can you offer them a secure, easy, reliable method of doing so? You need a secure messaging system that automatically routes large files, alerts the recipient that they are available, and that tells you when they’ve been opened and by whom. 10. Make sure that you can demonstrate that your system is compliant and auditable. After an email message is sent, how do you know what happened to it? Did its intended recipient open it? Were its attachments opened? Is there proof that the message was received and was read? Should a question arise about who viewed a message or its attachments, can you prove who read them to an auditor? It’s increasingly obvious that a secure messaging system must be auditable. To make this possible, messages and their attachments, their metadata and the fingerprinting data must be both viewable and traceable. The fingerprint data must record— permanently—the IP addresses of the recipient’s computers, and the system’s time must be synchronized with an atomic clock so that message times are never a point of dispute. Such a system would allow your administrators—and, if necessary, auditors—to easily review and sort through volumes of message information, and quickly retrieve a particular message, as well as all the tracking and fingerprint information associated with it. At DataMotion, we’ve been solving email security and auditing challenges for a long time. We’d be very happy to talk with you about yours. Please call us at 1.800.672.7233 or send an email to sales@datamotioncorp.com

Recommended

Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudCheryl Goldberg
 
HIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsHIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsPYA, P.C.
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTCompliancy Group
 
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...Compliancy Group
 
HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016Compliancy Group
 
Compliance
ComplianceCompliance
ComplianceMark Lanterman
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryEMC
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Envision Technology Advisors
 

Recommended

Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudCheryl Goldberg
 
HIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsHIPAA Security Trends and Future Expectations
HIPAA Security Trends and Future ExpectationsPYA, P.C.
 
The Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTThe Most Wonderful Time of the Year for Health-IT...NOT
The Most Wonderful Time of the Year for Health-IT...NOTCompliancy Group
 
HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...HIPAA compliance for Business Associates- The value of compliance, how to acq...
HIPAA compliance for Business Associates- The value of compliance, how to acq...Compliancy Group
 
HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016HIPAA compliance tuneup 2016
HIPAA compliance tuneup 2016Compliancy Group
 
Compliance
ComplianceCompliance
ComplianceMark Lanterman
 
Cybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryCybercrime and the Healthcare Industry
Cybercrime and the Healthcare IndustryEMC
 
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...
Meeting the Challenges of HIPAA Compliance, Phishing Attacks, and Mobile Secu...Envision Technology Advisors
 
Data Sovereignty and the Cloud
Data Sovereignty and the CloudData Sovereignty and the Cloud
Data Sovereignty and the CloudIESL - The Institution of Engineers, Sri Lanka
 
How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud Compliancy Group
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
ZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskJohn Loveland
 
Protecting ePHI: What Providers and Business Associates Need to Know
Protecting ePHI: What Providers and Business Associates Need to KnowProtecting ePHI: What Providers and Business Associates Need to Know
Protecting ePHI: What Providers and Business Associates Need to KnowNetwork 1 Consulting
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 
Business Associate insurance agency closes doors due to HIPAA violation
Business Associate insurance agency closes doors due to HIPAA violationBusiness Associate insurance agency closes doors due to HIPAA violation
Business Associate insurance agency closes doors due to HIPAA violationMike Ramsby
 
EU GDPR (training)
EU GDPR (training) EU GDPR (training)
EU GDPR (training) Elizabeth Baker, JD, CRCMP
 
Lawyers: What You Don't Know About HIPAA Could Hurt You
Lawyers: What You Don't Know About HIPAA Could Hurt YouLawyers: What You Don't Know About HIPAA Could Hurt You
Lawyers: What You Don't Know About HIPAA Could Hurt YouOregon Law Practice Management
 
Hitech for HIPAA
Hitech for HIPAAHitech for HIPAA
Hitech for HIPAAdkarpinsky
 
2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast- Mark - Fullbright
 
Enterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey ReportEnterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey ReportEchoworx
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations OnRamp
 
Intercity technology - GDPR your training toolkit
Intercity technology - GDPR your training toolkitIntercity technology - GDPR your training toolkit
Intercity technology - GDPR your training toolkitjoshquarrie
 
Hippa breaches
Hippa breachesHippa breaches
Hippa breachesViSolve, Inc.
 
Data Protection Audit Checklist
Data Protection Audit ChecklistData Protection Audit Checklist
Data Protection Audit ChecklistDigital Guardian
 
Data protection act
Data protection act Data protection act
Data protection act Iqbal Bocus
 
Protecting phi and pii - hipaa challenges and solutions - privacy vs cost
Protecting phi and pii - hipaa challenges and solutions - privacy vs costProtecting phi and pii - hipaa challenges and solutions - privacy vs cost
Protecting phi and pii - hipaa challenges and solutions - privacy vs costUlf Mattsson
 
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...Jack Pringle
 
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudCheryl Goldberg
 
Constructing a HIPAA-compliant healthcare app from scratch
Constructing a HIPAA-compliant healthcare app from scratch Constructing a HIPAA-compliant healthcare app from scratch
Constructing a HIPAA-compliant healthcare app from scratchTechugo
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxwlynn1
 

More Related Content

What's hot

How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud Compliancy Group
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?Power Admin LLC
 
ZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskJohn Loveland
 
Protecting ePHI: What Providers and Business Associates Need to Know
Protecting ePHI: What Providers and Business Associates Need to KnowProtecting ePHI: What Providers and Business Associates Need to Know
Protecting ePHI: What Providers and Business Associates Need to KnowNetwork 1 Consulting
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachEMC
 
Business Associate insurance agency closes doors due to HIPAA violation
Business Associate insurance agency closes doors due to HIPAA violationBusiness Associate insurance agency closes doors due to HIPAA violation
Business Associate insurance agency closes doors due to HIPAA violationMike Ramsby
 
Lawyers: What You Don't Know About HIPAA Could Hurt You
Lawyers: What You Don't Know About HIPAA Could Hurt YouLawyers: What You Don't Know About HIPAA Could Hurt You
Lawyers: What You Don't Know About HIPAA Could Hurt YouOregon Law Practice Management
 
Hitech for HIPAA
Hitech for HIPAAHitech for HIPAA
Hitech for HIPAAdkarpinsky
 
2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast- Mark - Fullbright
 
Enterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey ReportEnterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey ReportEchoworx
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations OnRamp
 
Intercity technology - GDPR your training toolkit
Intercity technology - GDPR your training toolkitIntercity technology - GDPR your training toolkit
Intercity technology - GDPR your training toolkitjoshquarrie
 
Data Protection Audit Checklist
Data Protection Audit ChecklistData Protection Audit Checklist
Data Protection Audit ChecklistDigital Guardian
 
Data protection act
Data protection act Data protection act
Data protection act Iqbal Bocus
 
Protecting phi and pii - hipaa challenges and solutions - privacy vs cost
Protecting phi and pii - hipaa challenges and solutions - privacy vs costProtecting phi and pii - hipaa challenges and solutions - privacy vs cost
Protecting phi and pii - hipaa challenges and solutions - privacy vs costUlf Mattsson
 
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...Jack Pringle
 

What's hot (19)

Data Sovereignty and the Cloud
Data Sovereignty and the CloudData Sovereignty and the Cloud
Data Sovereignty and the Cloud
 
How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud How to safeguard ePHIi in the cloud
How to safeguard ePHIi in the cloud
 
What is HIPAA Compliance?
What is HIPAA Compliance?What is HIPAA Compliance?
What is HIPAA Compliance?
 
ZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info RiskZoomLens - Loveland, Subramanian -Tackling Info Risk
ZoomLens - Loveland, Subramanian -Tackling Info Risk
 
Protecting ePHI: What Providers and Business Associates Need to Know
Protecting ePHI: What Providers and Business Associates Need to KnowProtecting ePHI: What Providers and Business Associates Need to Know
Protecting ePHI: What Providers and Business Associates Need to Know
 
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic ApproachRole-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
Role-Based Access Governance and HIPAA Compliance: A Pragmatic Approach
 
Business Associate insurance agency closes doors due to HIPAA violation
Business Associate insurance agency closes doors due to HIPAA violationBusiness Associate insurance agency closes doors due to HIPAA violation
Business Associate insurance agency closes doors due to HIPAA violation
 
EU GDPR (training)
EU GDPR (training) EU GDPR (training)
EU GDPR (training)
 
Lawyers: What You Don't Know About HIPAA Could Hurt You
Lawyers: What You Don't Know About HIPAA Could Hurt YouLawyers: What You Don't Know About HIPAA Could Hurt You
Lawyers: What You Don't Know About HIPAA Could Hurt You
 
Hitech for HIPAA
Hitech for HIPAAHitech for HIPAA
Hitech for HIPAA
 
2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast2014 Data Breach Industry Forecast
2014 Data Breach Industry Forecast
 
Enterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey ReportEnterprise Encryption and Authentication Usage: Survey Report
Enterprise Encryption and Authentication Usage: Survey Report
 
HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations HIPAA eBOOK: Avoid Common HIPAA Violations
HIPAA eBOOK: Avoid Common HIPAA Violations
 
Intercity technology - GDPR your training toolkit
Intercity technology - GDPR your training toolkitIntercity technology - GDPR your training toolkit
Intercity technology - GDPR your training toolkit
 
Hippa breaches
Hippa breachesHippa breaches
Hippa breaches
 
Data Protection Audit Checklist
Data Protection Audit ChecklistData Protection Audit Checklist
Data Protection Audit Checklist
 
Data protection act
Data protection act Data protection act
Data protection act
 
Protecting phi and pii - hipaa challenges and solutions - privacy vs cost
Protecting phi and pii - hipaa challenges and solutions - privacy vs costProtecting phi and pii - hipaa challenges and solutions - privacy vs cost
Protecting phi and pii - hipaa challenges and solutions - privacy vs cost
 
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
We Have Met the Enemy, and He is Us: The Role of the "Human Factor" in Protec...
 

Similar to Healthcare preparedness 2010

Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudCheryl Goldberg
 
Constructing a HIPAA-compliant healthcare app from scratch
Constructing a HIPAA-compliant healthcare app from scratch Constructing a HIPAA-compliant healthcare app from scratch
Constructing a HIPAA-compliant healthcare app from scratchTechugo
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxwlynn1
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentationProvider Resources Group
 
The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?Stephen Cobb
 
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Hybrid Cloud
 
Healthcare data breach
Healthcare data breachHealthcare data breach
Healthcare data breachhealthsoftware
 
Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Druva
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants- Mark - Fullbright
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101SecurityMetrics
 
Privacy Information You NEED to Know | Dental Products Report
Privacy Information You NEED to Know | Dental Products ReportPrivacy Information You NEED to Know | Dental Products Report
Privacy Information You NEED to Know | Dental Products ReportDaniel Allemeier
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industryNumaan Huq
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowThe Capital Network
 
MHA 690-Confidentiality
MHA 690-ConfidentialityMHA 690-Confidentiality
MHA 690-Confidentialitysuzettedavis
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsSarah Fane
 
1. Reply to Discussion ( Minimum 200 Words)1. What types of et.docx
1. Reply to Discussion ( Minimum 200 Words)1. What types of et.docx1. Reply to Discussion ( Minimum 200 Words)1. What types of et.docx
1. Reply to Discussion ( Minimum 200 Words)1. What types of et.docxambersalomon88660
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business- Mark - Fullbright
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA ComplianceRaffa Learning Community
 

Similar to Healthcare preparedness 2010 (20)

Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_CloudPerspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
Perspecsys_Best_Practices_Guide_for_Protecting_Healthcare_Data_in_the_Cloud
 
Constructing a HIPAA-compliant healthcare app from scratch
Constructing a HIPAA-compliant healthcare app from scratch Constructing a HIPAA-compliant healthcare app from scratch
Constructing a HIPAA-compliant healthcare app from scratch
 
Running head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docxRunning head Information security threats 1Information secur.docx
Running head Information security threats 1Information secur.docx
 
how to really implement hipaa presentation
how to really implement hipaa presentationhow to really implement hipaa presentation
how to really implement hipaa presentation
 
The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?The mobile health IT security challenge: way bigger than HIPAA?
The mobile health IT security challenge: way bigger than HIPAA?
 
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
Protecting Data in the Healthcare Industry - Storage Made Easy - Osterman Res...
 
Healthcare data breach
Healthcare data breachHealthcare data breach
Healthcare data breach
 
Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?Where In The World Is Your Sensitive Data?
Where In The World Is Your Sensitive Data?
 
Responding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for MerchantsResponding to a Data Breach, Communications Guidelines for Merchants
Responding to a Data Breach, Communications Guidelines for Merchants
 
Medical Data Encryption 101
Medical Data Encryption 101Medical Data Encryption 101
Medical Data Encryption 101
 
Privacy Information You NEED to Know | Dental Products Report
Privacy Information You NEED to Know | Dental Products ReportPrivacy Information You NEED to Know | Dental Products Report
Privacy Information You NEED to Know | Dental Products Report
 
wp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industrywp-analyzing-breaches-by-industry
wp-analyzing-breaches-by-industry
 
Privacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to KnowPrivacy and Information Security: What Every New Business Needs to Know
Privacy and Information Security: What Every New Business Needs to Know
 
MHA 690-Confidentiality
MHA 690-ConfidentialityMHA 690-Confidentiality
MHA 690-Confidentiality
 
Master Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security FundamentalsMaster Data in the Cloud: 5 Security Fundamentals
Master Data in the Cloud: 5 Security Fundamentals
 
1. Reply to Discussion ( Minimum 200 Words)1. What types of et.docx
1. Reply to Discussion ( Minimum 200 Words)1. What types of et.docx1. Reply to Discussion ( Minimum 200 Words)1. What types of et.docx
1. Reply to Discussion ( Minimum 200 Words)1. What types of et.docx
 
Accounting
AccountingAccounting
Accounting
 
Data Breach Response: A Guide for Business
Data Breach Response: A Guide for BusinessData Breach Response: A Guide for Business
Data Breach Response: A Guide for Business
 
Hcc week 1dq2
Hcc week 1dq2Hcc week 1dq2
Hcc week 1dq2
 
2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance2017-01-24 Introduction of PCI and HIPAA Compliance
2017-01-24 Introduction of PCI and HIPAA Compliance
 

Recently uploaded

ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationAadityaSharma884161
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatYousafMalik24
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxthorishapillay1
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxiammrhaywood
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Jisc
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersSabitha Banu
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxDr.Ibrahim Hassaan
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxOH TEIK BIN
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfUjwalaBharambe
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Celine George
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentInMediaRes1
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfMr Bounab Samir
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Mark Reed
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17Celine George
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfphamnguyenenglishnb
 
Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........LeaCamillePacle
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxSherlyMaeNeri
 

Recently uploaded (20)

ROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint PresentationROOT CAUSE ANALYSIS PowerPoint Presentation
ROOT CAUSE ANALYSIS PowerPoint Presentation
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Proudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptxProudly South Africa powerpoint Thorisha.pptx
Proudly South Africa powerpoint Thorisha.pptx
 
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptxECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
ECONOMIC CONTEXT - PAPER 1 Q3: NEWSPAPERS.pptx
 
Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...Procuring digital preservation CAN be quick and painless with our new dynamic...
Procuring digital preservation CAN be quick and painless with our new dynamic...
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course for BeginnersFull Stack Web Development Course for Beginners
Full Stack Web Development Course for Beginners
 
Gas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptxGas measurement O2,Co2,& ph) 04/2024.pptx
Gas measurement O2,Co2,& ph) 04/2024.pptx
 
Raw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptxRaw materials used in Herbal Cosmetics.pptx
Raw materials used in Herbal Cosmetics.pptx
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdfFraming an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
Framing an Appropriate Research Question 6b9b26d93da94caf993c038d9efcdedb.pdf
 
Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17Difference Between Search & Browse Methods in Odoo 17
Difference Between Search & Browse Methods in Odoo 17
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdfLike-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
Like-prefer-love -hate+verb+ing & silent letters & citizenship text.pdf
 
Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)Influencing policy (training slides from Fast Track Impact)
Influencing policy (training slides from Fast Track Impact)
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17How to Configure Email Server in Odoo 17
How to Configure Email Server in Odoo 17
 
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdfAMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
AMERICAN LANGUAGE HUB_Level2_Student'sBook_Answerkey.pdf
 
Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........Atmosphere science 7 quarter 4 .........
Atmosphere science 7 quarter 4 .........
 
Judging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptxJudging the Relevance and worth of ideas part 2.pptx
Judging the Relevance and worth of ideas part 2.pptx
 

Healthcare preparedness 2010

  • 1. DATAMOTION™ With HIPAA audits now randomized, you must be prepared for them every day. And with state regulations requiring compliance‐breach reporting, you must become your own auditor. HIPAA is the Health Insurance Portability and Accountability Act, the 1996 federal regulation that mandated health‐data privacy. This regulation requires compliance by all insurers and health care providers, including physician’s offices, hospitals, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities. But that’s not all. The Act’s Privacy Rule also regulates medical payment history privacy. Simply put, it requires that all health entities take reasonable steps to ensure the confidentiality of all communications that contain patient or customer information. And things could get even more serious very quickly. The passage of the HITECH Act creates mandatory reporting requirements of HIPAA violations, even when the data is lost by a third party. This increases the need for subcontractors to implement the same level of security typically found in larger organizations. The guidelines governing audits have changed. Prior to 2008, an organization was only put through an intense investigation when a routine audit found an egregious problem—and such routine audits were usually scheduled. But in February 2008, the U.S. Department of Health and Human Services, which oversees HIPAA compliance, contracted with the firm PricewaterhouseCoopers to conduct surprise audits of hospitals. If you work at a hospital, or communicate with one, you could be targeted for a surprise audit this year. This changes the stakes for everyone’s need to be ready. And if that’s not enough to worry you, the states are getting into the picture as well. In New York State, the loss or compromise of 10 or more patient records must now be reported to the New York State Department of Health. HEALTHCARE: HOW TO DISAPPOINT YOUR HIPAA AUDITORS AND GAIN THE RESPECT OF YOUR BOARD OF DIRECTORS (not necessarily in that order) Contact Us at: DataMotion, Inc. 35 Airport Road Morristown, NJ 07960 |p| +1 800 672 7233 |f| +1 973 455 0750 www.datamotion.com sales@datamotioncorp.com About DataMotion DataMotion is the first Intelligent Information Transport service that automates key business processes, so you can easily and quickly exchange information with your partners, customers, and colleagues. The DataMotion solution automates key business processes, such as automated billing, credit application processing, or customer outreach, to help you send critical information over the Internet.
  • 2. So, ask yourself, “Would my company know if we lost 10 patient records?” If you’re in the state of New York, your answer must be “Yes.” HIPAA: Healthcare made difficult. One of the consequences of HIPAA is that it makes all kinds of medical research more difficult. That’s because people are more reluctant to participate as subjects, and it is more difficult to reach the right people to request their participation in research projects. Another noticeable consequence of HIPAA is that doctors are reporting less communicable diseases to state authorities. What’s worse is that even the public HIPAA was designed to protect doesn’t really like it. In a nationwide survey of 2,392 adults quoted in the Oct, 2007 Government Health IT Newsletter, nearly 3 out of 5 Americans agree that privacy of their health information is not well protected by federal and state laws and organizations. Any health provider who has struggled to help someone who needs information but doesn’t have the right identification on the phone, will tell you it gets in the way more than it helps. So what’s the answer? The only thing an organization can do is to fulfill the requirements in a way that allows everyone to get their jobs done in an efficient, cost‐effective manner. And satisfies the auditors. And relieves your board of directors. And satisfies your customers and patients. And keeps you from paying penalties or risking prison time. And the way to do that is to outfit your organization with the technologies it needs to secure information when it travels, as well as when it is used, stored, and communicated both inside and outside your organization. To avoid auditors, and penalties, you have a lot of planning to do. The penalties for failure to conform to HIPAA regulations go far beyond the hundreds of thousands of dollars in fines. They include public humiliation, loss of reputation, brand damage, class‐action lawsuits, and yes, even prison. But there are practical ways to avoid these penalties. The goal is to keep private information private, to keep prying eyes out, and to be able to prove both to auditors. Here are some methods: 1. Take secure measures, in case people make mistakes. One of the most common causes of any kind of security breach is human error. Whether conscious, accidental, or simply due to laziness, human error can result in Personally Identifiable Information (PII) or Personal Health Information (PHI) being sent over the internet as unencoded text unless filters are put in place to detect For more information: http://www.datamotion.com/Solutions/ HealthcareInsurance.aspx For a free 5-user, 30 day trial http://www.datamotion.com/Resources/ FreeTrial.aspx
  • 3. these messages and encode or reroute them safely. At the same time, you can’t afford to stop communications. Likewise, you can’t afford to handle hundreds of false positive alerts— alarms signaling that a breach has occurred when one hasn’t. No one has time for that. Many companies are hesitant to apply filters to their most important communications— email and attachments. For example, if a filter were to keep every piece of mail from leaving your company that included the word “diabetes” and a person’s name, you couldn’t send out an email message with an attachment that says, “Watch for these symptoms, they may indicate you have diabetes.” On the other hand, you must be sure that the attachments that include a patient’s name, id number, and blood‐test results can never be intercepted accidentally, or be sent outside your company unencrypted. To accomplish this, you need to: • Install smart filters that analyze both the email and its attachments, • Correlate fields in both documents and attempt to match them to known patient databases, • And quarantine or redirect those messages. 2. Make sure the boundaries between systems are secure. Communication security breaches commonly occur where data is transferred between two or more systems. It can happen any time and any place where data is transferred between: • People inside your company’s firewall • People inside and outside your company’s firewall • Your people and your partners • Your people and your customers (or patients) • Two different systems Whenever information passes between systems and people, the data needs to be secured at all times, even when in transit. You must also ensure the data that is sent to people outside your firewall is always sent in encrypted format, so that no one but its intended recipients can read it. For example, should you need to transmit patient data from a doctor’s office to a central database, if it is encrypted, it could be sent automatically as an email attachment. 3. Make sure your internal communications are secure. Your people who work from home provide a specific example of HIPAA boundary issues. It is critical that any data that they transfer to their home computers from work is sent securely, one copy of a database file, one spreadsheet, one PDF attachment, or one presentation that someone works on over the weekend. For more information: http://www.datamotion.com/Solutions /HealthcareInsurance.aspx For a free 5-user, 30 day trial http://www.datamotion.com/Resources/ FreeTrial.aspx
  • 4. Your business information must pass across the Internet securely, even though it will remain inside your company and your firewall. It must never be compromised—or vulnerable. But one mistake is all it takes. How do you ensure that this never happens? Despite your most well intended policies, there is always a chance that someone somewhere will let your guard down. Today you hope it never happens, or if it does, that it won’t cause a problem. But hoping isn’t acting. You must act. You must put a comprehensive filter in place, so that you can implement and enforce business rules to prevent these occurrences. You could either encrypt the file and send it, and email a warning to the sender, or you could quarantine the suspicious file and report the sender to his or her manager, the legal department, or whomever else you chose. 4. Make sure your partner communications are secure. Your people, when working with business partners, bring up another case of boundary issues. It’s likely that they must regularly transfer information back and forth with external partners. In some cases this can contain very sensitive information. Your partners may use different email systems. They often need to send personally identifiable information (PII) and or personal health information (PHI) about clients or patients via email or attachments. Sometimes, attachments can be extremely large. For example, a single mammogram image can reach 500 megabytes. So not only would you need to exchange this file securely, you would need to send it in a way that does not overburden—or stop—your email system. Healthcare‐related institutions must use solutions that make it possible to communicate with anyone, anytime, anywhere, no matter what email system the other party uses. Likewise, you must demand the ability to securely transfer extremely large files with all these same people. 5. Make sure your communications with telecommuters are secure. People who telecommute create another group of boundary issues. Medical professionals, such as radiologists, who choose to work from home, are moving in this direction. When people must transfer large, important, time‐sensitive files such x‐rays or mammograms as email attachments through your company’s email system, they have the potential to bring your email system to a standstill. So you must find the time, the budget, and the resources to set up file‐transfer sites for these large files. And you must For more information: http://www.datamotion.com/Solutions /HealthcareInsurance.aspx For a free 5-user, 30 day trial http://www.datamotion.com/Resources /FreeTrial.aspx
  • 5. make absolutely sure that they offer unbreakable security. With a sophisticated system in place, you could manage and track the secure transfer of confidential, large files so you’d know they were delivered to, and opened by your intended recipient. 6. Make absolutely sure your communications with customers—or patients—are absolutely secure. When communicating with customers (or patients), your people most likely have no knowledge of the recipient’s email system. Which means that although your company might have created a secure email portal, extensive research shows that customers do not want to use a browser to visit a portal to communicate with—or get information from—you. They want to use email. And they want you to send important information quickly, via email. And if you do, they want it, of course, to be secure. Not just because it’s the law. Because it’s common sense that people don’t want anyone to have access to their private medical information, any more than anyone should have access to their private banking information. Healthcare‐related institutions can now adopt solutions that allow them to communicate securely with anyone— regardless of whether the other party has the same email system or not—without the trouble of using a portal. All they need to do is establish a password. The customer or patient can receive their email replies securely in their inbox without visiting a portal. 7. Make sure when your customers—or patients—communicate with you, everything they do is secure. Your customers and patients must often submit forms, ask questions of specific people and departments, or submit follow up information about an ongoing illness or other matter. For a long time, these needs were served by paper‐based processes, but can now be handled through secure electronic forms on your web site. But the question is how does this data reach the right department or employee to process it? And can this data be integrated into existing knowledge worker software such as the company’s customer relationship management system to track its status? If the request contains sensitive information, is it received from the customer in a secure manner, or did the company’s method of collecting data cause a privacy violation? And if any follow up is needed with the customer, can this be sent securely? With a messaging system in place that provides secure inbound and outbound service, uses email and ad hoc forms for message composition, and provides web service and XML workflow integration, you can streamline your operations and cost effectively serve customers. Such a system eliminates the need to retype data from paper‐based forms—an For more information: http://www.datamotion.com/Solutions /HealthcareInsurance.aspx For a free 5-user 30 day trial http://www.datamotion.com/Resources /FreeTrial.aspx
  • 6. error prone, time‐consuming and costly way of doing business. 8. Make sure your customer workflow is automated, so there are fewer mistakes. When you enter information into your system, you should only enter patient information once. Multiple entries of the same information are big bright red flags for auditors. To avoid this, you need to make very sure that any time information is entered securely, it is routed to its destinations in your CRM system or case handling systems without the need for humans to unencrypt, read, retype, fax, or otherwise invite errors. Or auditors. 9. Make it easy to transfer files securely— even very large ones. FTP, or file transfer protocol, is the standard way to transfer files across the Internet. However, it requires big investments of time and effort to make it work, and even when it does work, it transmits user login credentials and the contents of files in an unencrypted manner. So while your people face a constantly changing list of partners with whom they must exchange sensitive files, how can you offer them a secure, easy, reliable method of doing so? You need a secure messaging system that automatically routes large files, alerts the recipient that they are available, and that tells you when they’ve been opened and by whom. 10. Make sure that you can demonstrate that your system is compliant and auditable. After an email message is sent, how do you know what happened to it? Did its intended recipient open it? Were its attachments opened? Is there proof that the message was received and was read? Should a question arise about who viewed a message or its attachments, can you prove who read them to an auditor? It’s increasingly obvious that a secure messaging system must be auditable. To make this possible, messages and their attachments, their metadata and the fingerprinting data must be both viewable and traceable. The fingerprint data must record— permanently—the IP addresses of the recipient’s computers, and the system’s time must be synchronized with an atomic clock so that message times are never a point of dispute. Such a system would allow your administrators—and, if necessary, auditors—to easily review and sort through volumes of message information, and quickly retrieve a particular message, as well as all the tracking and fingerprint information associated with it. At DataMotion, we’ve been solving email security and auditing challenges for a long time. We’d be very happy to talk with you about yours. Please call us at 1.800.672.7233 or send an email to sales@datamotioncorp.com