omnibus Archives - HIPAA News, Web & Email Security Tips & News - Plus More | LuxSci

Posts Tagged ‘omnibus’

What exactly is ePHI? Who has to worry about it? Where can it be safely located?

Friday, September 15th, 2017

There is often a great deal of confusion and misinformation about what, exactly, constitutes ePHI (electronic protected health information) which must be protected due to HIPAA requirements.  Even once you have a grasp of ePHI and how it applies to you, the next question becomes … where can I put ePHI and where not?  What is secure and what is not?

We will answer the “what is ePHI” question in general, and the “where can I put it” question in the context of web and email hosting, and SecureForm processing at LuxSci.


Opt-out email security: A step towards better HIPAA Privacy Rule compliance

Tuesday, August 22nd, 2017

Breaches of electronic Personal Health Information (ePHI) from email communications amongst HIPAA covered entities, their business associates, and health care consumers reveal a common pattern. Patient records are often emailed unencrypted (see here, here and here), or sent to unintended recipients (examples here and here). Poor email practices might also cause bulk emails (e.g., health newsletters, office closing notices, etc.) to be sent without masking the names/emails of the recipients (see here). All of these can be breaches of HIPAA.


Email breaches continuously leak ePHI from healthcare

While not as prominently exposed by the media as hacking incidents, where large numbers of records can be compromised in a single attack, HIPAA violations owing to poor email practices proceed at a steady rate. However, the consequences can be just as problematic for the healthcare provider, despite the smaller number of exposed individuals. The insidious drip-drip-drip leakage of ePHI via improper email usage is often harder to handle, and the sort of ePHI exposed can be subtle.


HIPAA Law and HITECH/Omnibus Conformance – Small Medical Practice

Monday, August 14th, 2017

As the owner of a small to medium-sized medical business (a 1-19 physician practice, say, with 5-50 employees) you have many concerns – how to hire and retain competent staff, how to deal with your vendors such as office payroll, billing and collection services, and, above all, how to serve your patients’ needs in the most economical and expeditious way.  I.e., by speeding up scheduling, quickly accessing medical records, coordinating treatment with other doctors, etc. Time spent managing your information and communications infrastructure for HIPAA or HITECH compliance may not seem to be the most critical aspect of your work.


However, the use of ICT – information and communications technologies – in the healthcare industry has become increasingly pervasive and has special relevance for every medical practitioner, given the provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which adds more substance to the original Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules. HITECH also incentivizes medical practitioners to step up their use of electronic health records (EHR) to “exchange electronic health information with, and integrate such information from, other sources.”


Opt-In Email Encryption is Too Risky for HIPAA Compliance

Tuesday, July 11th, 2017

A majority of companies and hospitals that offer email encryption for HIPAA compliance allow senders to “opt in” to encryption on a message-by-message basis.  E.g., if the sender “does nothing special” then the email will be sent in the normal/insecure manner of email in general.  If the sender explicitly checks a box or adds some special content to the body or subject of the message, then it will be encrypted and HIPAA compliant.

Opt-in encryption is desirable because it is “easy” … end users don’t want any extra work and don’t want encryption requirements to bog them down, especially if many of their messages do not contain PHI.  It is “good for usability” and thus easy to sell.


However, opt-in encryption is a very bad idea with the inception of the HIPAA Omnibus rule.  Opt-in encryption imposes a large amount of risk on an organization, which grows exponentially with the size of the organization.  Organizations are responsible for the mistakes and lapses of their employees; providing an encryption system where inattention can lead to a breach is something to be very wary of.


HIPAA Compliance Checklist: What You Need To Do

Thursday, January 29th, 2015

LuxSci provides HIPAA-compliant services and must itself maintain HIPAA-compliant business operations in order to comply with HIPAA HITECH and Omnibus regulations.  As such, many of our customers and leads look to us to find out exactly what they need to do to be compliant.

This article provides you with a quick and easy-to-read overview of the various things needed for compliance. The items given below should not be considered a complete or formal list for compliance, nor will doing all of these things guarantee that you are compliant. As always, we recommend that you consult a lawyer to determine the compliance needs specific to your particular situation.


ePHI in Text Messages and Insecure Email: Does HIPAA allow Mutual Consent?

Sunday, January 18th, 2015

“Let’s just agree that insecurely texting or emailing your medical appointments or lab results to you is OK….” Can you actually have such a discussion and agreement with a patient or organization?

HIPAA is pretty adamant that email messages containing ePHI must be properly handled, and that includes transport encryption and archival.  However, encrypting all routine communications between doctor and patient is excessively tedious in some situations.

Enter the idea of “Mutual Consent” where doctor and patient both agree that email containing ePHI can be sent from the doctor to the patient’s regular email account without any special considerations or encryption.  This is a small “holy grail” that doctors like to imagine as “if all their patients consent then the doctors do not have to worry about secure email.”

It’s really not that simple, though. Here we explain why. Note that this is not intended as legal advice … you should always contact your lawyer for advice on how HIPAA applies specifically to your situation and for clarification on grey areas of the law such as this.


HIPAA Resellers Make LuxSci Services Their Own

Monday, March 17th, 2014

Small web or IT shops specializing in services for the medical segment often subscribe to LuxSci to provide HIPAA-compliant email and/or web services to their customers. We take care of providing the services, support, and compliance. They take care of getting the customers set up, providing direct support, integrating with customers’ other services, etc. These businesses effectively resell LuxSci security services, charging their customers for our services plus the value add that they provide.

Aggressive resellers like to present LuxSci’s email and web security services as their own product offering, to a large extent.  This is easily accomplished with LuxSci’s Private Labeling service.


How to Setup HIPAA Mutual Consent for Insecure Email at LuxSci

Friday, January 10th, 2014

We have recently discussed how mutual consent may be used to send individuals ePHI via insecure email under HIPAA in certain cases.

If you have decided to use mutual consent in your organization and are properly informing and warning your patients of the privacy risks, getting proper written waivers from them, and documenting everything well in preparation for a HIPAA audit, then you’re all set to send the ePHI insecurely.

Right?  Well, there is a little more to it than that.


Willful Negligence of HIPAA Costs a Dermatology Company $150,000

Thursday, January 9th, 2014

HITECH and Omnibus put teeth in HIPAA.  These teeth are starting to take serious bites out of organizations that are willfully neglectful of their responsibilities under HIPAA.

On December 28, 2013, Concord, Massachusetts-based Adult & Pediatric Dermatology (APDerm) agreed to pay $150,000 to settle potential violations of HIPAA rules and agreed to implement corrective actions.

This organization lost ePHI for about 2,200 individuals that was located on an unencrypted thumb drive. We have talked before about the dangers of thumb drives in the context of HIPAA. We have also noted other cases where companies were charged due to the loss of ePHI. The notable difference here is that the investigation showed that APDerm: (ref)

…had not conducted an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality of ePHI as part of its security management process.  Further, APDerm did not fully comply with requirements of the Breach Notification Rule to have in place written policies and procedures and train workforce members.

This settlement is the first ever for charges against a covered entity or business associate for failing to adopt required policies and procedures for breach notification. APDerm was willfully negligent in not bothering to develop and follow the required HIPAA policies and procedures, and that negligence resulted in a breach.


What exactly does HIPAA say about Email Security?

Friday, August 30th, 2013

Performing daily business transactions through electronic technologies is accepted, reliable, and necessary across the nation’s healthcare sectors. Therefore, electronic communications and email have become a standard in the healthcare industry as a way to conduct business activities that commonly include:

  • Interacting with web-savvy patients;
  • Real time authorizations for medical services;
  • Transcribing, accessing and storing health records;
  • Appointment scheduling;
  • Referring patients; and
  • Submitting claims to health plan payers for payment of the services provided.
