https://enterprise.efax.com/resources/webinars - Transmission of sensitive electronic protected health information (PHI and ePHI) is a critical activity for healthcare providers, especially with increasingly stringent HIPAA regulations and the ever-present threat of cyber-attacks. Adding to this challenge, Health IT thought leaders and practice managers are increasingly burdened with managing multiple platforms for transmission of PHI/ePHI, from BYOD and fax to email and messaging.
• The common communication methods used to transmit PHI
• What is considered a secure transmission
• Common misconceptions about security and transmission of PHI
• What the HIPAA Standard on Encryption and Integrity of Transmission is
• Several compliance pitfalls to avoid in 2016
• How a cloud fax model can enhance security and compliance with HIPAA
Contact eFax Corporate Today to Learn More: https://enterprise.efax.com/
or call (888) 532-9265
Slide 3
Agenda
1. The Minimum Requirements for a “Secure Transmission”
2. Common Methods for Transmitting ePHI
3. Industry Misconceptions About Secure ePHI Transmissions
4. What the HITECH Act and Omnibus Rule Say About ePHI
5. The HIPAA Standard on Transmission Encryption and Integrity
6. How a Cloud Fax Model Can Enhance Compliance with HIPAA
Slide 4
HIPAA 101 Review: What Addresses the Security of ePHI?
Security Rules of HIPAA: Address the Administrative, Physical and Technical Safeguards for protection of PHI in digital form (aka “ePHI”).
45 CFR §164.306 General Rules… The Final Rule requires Covered Entities (CEs) and Business Associates (BAs) to…
Security Standards: …Ensure the confidentiality, integrity and availability of all electronic protected health information…a CE or BA creates…or transmits.
…with Specifications that are either “Required or Addressable”
Slide 5
What’s our Responsibility? Covered Entity and Business Associate Considerations
HIPAA Security Rule: …must reasonably safeguard ePHI from any unintentional disclosure or use… to limit incidental uses or disclosures…
Technical Safeguards
Standard: Flexibility of Approach (45 CFR §164.306 General Rules)
Implementation Specification: A CE or BA must “take reasonable and appropriate measures” taking into account:
• Size, Complexity, Capabilities
• Technical Infrastructure & Capabilities
• Costs of the Security Measures
• Probability & Risks to ePHI
Slide 6
Technical Safeguards – Where is Encryption Addressed?
Access Control and Transmission Security: Section 4 of the Tech Standards

Standard                                     | Implementation Spec.                                              | Required or Addressable?
Access Control § 164.312(a)(1)               | User ID, Emergency Access, Auto Logoff, Encryption and Decryption | (R), (R), (A), (A)
Audit Controls § 164.312(b)                  |                                                                   | (A)
Integrity § 164.312(c)(1)                    | Mechanism to Authenticate ePHI                                    | (A)
Person or Entity Authentication § 164.312(d) | -                                                                 |
Transmission Security § 164.312(e)(1)        | Integrity Controls and Encryption                                 | (A), (A)

Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Slide 7
So is Encryption Required?
HIPAA Security Rule, 45 CFR § 164.312(a)(2)(iv): “Implement a mechanism to encrypt and decrypt electronic protected health information.”
Technical Safeguards…Encryption
• Access Control
• Transmission Security (Integrity Controls and Encryption)
Required? No - but the Standard states that it’s an ‘Addressable’ issue…
Source: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf
Slide 8
What is a “Secure” ePHI Transmission?
TLS 1.2 encryption: NIST encryption standards for ePHI in motion…
AES 256-bit encryption: NIST encryption standards for ePHI at rest…
Slide 9
How Do Covered Entities Access and Disclose ePHI?
• Secure messaging apps (e.g., TigerText)
• Desktop Virtualization
• Roaming desktop/SSO
• Email (via corporate network or personal email client)
• EHRs (e.g., Cerner, Athena Health)
• Secure fax by email (with TLS encryption)
• BYOD (text, email, cloud fax)
• Paper
• Voice
• Health Information Exchange
Slide 10
Secure ePHI Transmission Myths
• “As long as a healthcare provider keeps their mobile device secure, it’s okay to text another co-worker info containing PHI.”
• “Email is secure as long as it goes only to the appropriate Covered Entity, Business Associate or authorized recipient.”
• “If our BA suffers a breach of our ePHI, they’re liable — not us.”
• “After a device that contained ePHI is disposed of, our organization is no longer liable for the ePHI on it.”
Slide 12
The HIPAA Standard: Encryption and Integrity of ePHI Transmissions
Security Standards: General Requirements (45 CFR 164.306)
• Ensure ePHI confidentiality
• Protect from reasonably anticipated threats
• Ensure workforce compliance
Security Standards: Flexibility of Approach (45 CFR 164.306)
• May use any security measures that comply
• Measures must reflect…
  • Company’s size and capabilities
  • Cost
  • Probability and criticality of risks
HIPAA’s Technical Safeguards don’t define specific solutions… But they do require CEs and BAs to “reasonably and appropriately” implement security measures.
TIP: Treat Addressable Standards as Required
Slide 13
The HIPAA Standard: Two Secure-Transmission Requirements, Encryption and Integrity
ePHI Encryption: The covered entity must “Implement a mechanism to encrypt and decrypt electronic protected health information.”
ePHI Integrity: The covered entity must “Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.”
Slide 14
Compliance Pitfalls to Avoid
• Failing to implement and document data-security and privacy policies and procedures
• Exposing ePHI to non-authorized personnel (verbally, exposing a screen to others, etc.)
• Losing electronic devices (or having them stolen) without protections installed or remote wipe capability
• Failing to conduct a security risk assessment (SRA) on staff devices for rogue apps or vulnerabilities to jail-breaking
• Ineffective BYOD policies — the big risk for any CE or BA. (40% of firms say mismanaging mobile devices has resulted in HIPAA noncompliance and/or regulatory violations.)
Slide 15
The HIPAA Solution for Faxing ePHI: The “Cloud Fax” Model
• Virtually no IT administration, maintenance and troubleshooting
• Your staff can fax anywhere
• Deploys in minutes
• Easy to use
• Requires no training
• Highly secure
• Compliant
• Provides clear audit trails
• Cost-effective
Slide 16
The Hosted, Cloud-Fax Model
Diagram: Inbound/Outbound Faxes travel over the PSTN Telco Service to the Hosted Fax Service, which offers Encrypted Fax Storage via eFax Secure (optional). Users reach the service through Email, Secure Browser, Mobile App & eFax Messenger user interfaces, with traffic Encrypted in Transit with TLS.
Slide 17
eFax Corporate®
• The world’s #1 online fax company – and the industry’s most experienced hosted fax service
• The most widely deployed online fax service for the Fortune 500
• Trusted by more major healthcare, legal, financial and other highly regulated firms than any other online fax provider to transmit sensitive documents
Slide 18
Helpful Resources
• NIST’s encryption guidelines for ePHI in motion (Transport Layer Security)
• NIST’s encryption guidelines for ePHI in storage (Advanced Encryption Standard)
• HHS Report: Security 101 for Covered Entities
• Ponemon.org Survey: 40% of HIPAA Noncompliance from Ineffective BYOD
• The American Bar Association’s Interpretation of the HIPAA Security Rule and Protecting ePHI on BYOD Devices
• HIPAA Privacy Rule
• The HIPAA Security Rule Toolkit