
The 9 Standards for HIPAA’s Administrative Safeguards

HIPAA’s definition of Administrative Safeguards: “Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” (HHS.gov)

American Bar Association Webinar: HIPAA Applies to Lawyers?

The full title of the webinar is actually much catchier: You Mean HIPAA Applies to Lawyers? Keeping Data Safe, Clients Happy and Your License Secure.

Hosted by the American Bar Association, this webinar discusses how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act may affect practicing lawyers who may now fall under the definition of “business associate”.

From the webinar description:

It is imperative for lawyers to determine: (1) whether they are a business associate under HIPAA (or, how they might inadvertently become one); and (2) if they are a business associate, what steps must be taken in order to assure their compliance with the new HIPAA requirements under HITECH.

This program provides a foundational background of HIPAA and HITECH and provides an overview of the following:

  • How law firms become business associates (intentionally or inadvertently)
  • What HIPAA requires of law firm business associates
  • How to properly safeguard client data
  • Unauthorized uses and disclosures
  • What constitutes a “breach”
  • Business associate requirements in case of a breach
  • Penalties, criminal, and civil liability associated with HIPAA
  • Potential other ethical conflicts caused by HIPAA as you are forced to execute contractual agreements with clients

While the live webinar already took place on April 21, 2014, an on-demand recording is freely available to American Bar Association members for the next three months. As a bonus, this webinar provides 1.5 credits for Continuing Legal Education (CLE).

If you already have an understanding of how HIPAA may regulate your interaction with your client’s data, and are looking for a HIPAA-compliant way to remotely communicate with your clients, check out how SecureVideo.com provides HIPAA-compliant videoconferencing services. You can also test our services by creating a free account, read more about us in our Support Center, or e-mail your questions to info[at]securevideo.com.

HIPAA Compliance, an In-depth Overview

There are four HIPAA rules anyone working with ePHI should know about. They are:

1. HIPAA Privacy Rule
2. HIPAA Security Rule
3. HIPAA Enforcement Rule
4. HIPAA Breach Notification Rule

The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

For reference:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/

Business Associates, like SecureVideo, are directly accountable for uses and disclosures of ePHI that go beyond what’s covered under their BAA or the Privacy Rule itself.

The Privacy Rule asks business associates to do the following:

1. Not make any off-limits uses of ePHI.
2. Provide breach notification to the Covered Entity.
3. Provide either the individual or the Covered Entity access to ePHI.
4. Disclose ePHI to the Secretary of Health and Human Services, if obligated to do so.
5. Provide an accounting of disclosures.

HIPAA Security Rule

HIPAA established the Security Rule to ensure that all covered entities have implemented safeguards to protect the confidentiality, integrity, and access of PHI.

There are two types of implementation specifications: “required” and “addressable.”  Wherever the Security Rule reads “required,” that specification must be implemented; whereas, if it says “addressable,” there is some wiggle room in exactly how you comply with that specific standard.

The HIPAA Security Rule is by far the meatiest.  We’ve devoted a whole article to this rule in a previous blog post.  You can find a quick link to the article here.

HIPAA Enforcement Rule

HHS’ Office for Civil Rights is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. Since 2003, OCR’s enforcement activities have obtained significant results that have improved the privacy practices of covered entities. The corrective action obtained by OCR from covered entities has resulted in systemic change that has improved the privacy protection of health information for all individuals they serve. HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005. OCR became responsible for enforcing the Security Rule on July 27, 2009.

For reference: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/

OCR enforces the Privacy and Security Rules in a few different ways:

1. Investigating filed complaints
2. Conducting compliance reviews
3. Conducting outreach and education to encourage compliance with HIPAA requirements

HIPAA violations are costly, ranging from $100 to $50,000 per violation, with a maximum of $1.5 million per year for the same infraction. Violations may also carry criminal charges that can result in jail time.

Penalties are more severe when a violation results from willful neglect and goes uncorrected. To give you a picture, this table shows how penalty amounts range by level of awareness:

[Table of penalty amounts by level of awareness not reproduced here]

For reference:
https://www.federalregister.gov/

Unencrypted Data

A large majority of breaches are due to lost or stolen data that was unencrypted. Please remember that “addressable” HIPAA specifications are not optional. Most are best practices in the field anyway. You still have to implement those standards; you only have the flexibility to tailor the implementation to your workflows.

Employee Error

Employee training and adherence to protocol are very important. Breaches have occurred through employees losing unencrypted portable devices, or accidentally sending sensitive information to vendors, after which it wound up on social media networks. These instances could have been avoided.

Data Stored on Devices

Be mindful of your laptops, smartphones, external hard drives, etc. Theft has resulted in about half of all breaches.

Business Associates

Be choosy about your partners. About two-thirds of all breaches had a business associate involved, including some of the largest reported breaches.

Not all data breaches result in a fine, luckily. The key is to make sure you are putting forth reasonable effort to comply with HIPAA laws.

HIPAA Breach Notification Rule

The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. This rule also requires the entities to immediately notify HHS if there is any breach of unsecured ePHI, as well as notify the media and public if the breach affects more than 500 patients.

For reference: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

In summary, HIPAA asks you to do the following:

  • Establish protections to safeguard ePHI.
  • Keep the sharing and use of ePHI to a minimum, only as much as is needed to accomplish the intended purpose.
  • Establish your Business Associate Agreements (BAAs) to ensure that your service providers will also protect ePHI and only use it properly.
  • Put policies and procedures in place to restrict who has access to ePHI. Enroll yourself and your employees in a training program around ePHI safety. Periodically review your procedures to assess how well you are keeping ePHI secure.

There you have it! It’s a lot to take in. If, after you’ve sat with this information, you have questions, please email us at [email protected]. We’re happy to help.

Internet Security, a Daily Concern

Yesterday, the Syrian Electronic Army (SEA) hacked into Skype’s and Microsoft’s Twitter accounts. The Twitter feed read, “Don’t use Microsoft emails (hotmail,outlook), They are monitoring your accounts and selling the data to governments.” The same post also appeared on Microsoft’s Twitter feed. Both were swiftly removed. In a statement today, Skype representatives said, “No user information was compromised.” What a sigh of relief, for Skype and their customer base!

We at SecureVideo want to reassure you that while internet security concerns heighten at times like these, we will always offer you peace of mind.  We are a company built from the ground up to be HIPAA compliant.  Our one-to-one connection gives you the utmost privacy in your videoconference connection.  We do not route through, record, or store your sessions on any server.  You and your practice are more secure with our videoconferencing solutions.  Because of this, we are proud to offer a system you can trust.

SecureVideo For Any Professional

Did you know that SecureVideo.com is not just for people in the medical field that need to abide by HIPAA laws?

The truth is, anyone looking for an easy, secure, low-cost video conferencing connection could use SecureVideo.  Our meetings are peer-to-peer.   That means your video session isn’t routed through any servers and it can’t be saved or recorded by SecureVideo.com, nor subpoenaed from us.   Your meetings stay confidential, as if you were talking to a person face-to-face.

In general, much of our daily communication is nonverbal. Unlike phone calls, a videoconference call lets you read more of your clients’ or associates’ nonverbal cues. This comes in handy, especially since we spend so much time communicating electronically, missing the tone and body language that accompany the actual text we read.

SecureVideo customers also benefit from the scheduler included with all SecureVideo plans and branding features you get with the Individual PLUS or Enterprise Plan.   These features enable more of your clients to keep their appointments with you.   Plus, your session invites appear to come from your own videoconferencing platform: YourCompanyNameHere.securevideo.com.   How cool is that?

Video conferencing has become a necessary tool for communication in any field. For example, lawyers can use it to gather oral statements for a deposition without involving expensive or lengthy travel. Loan officers can interview their borrowers remotely and process applications in collaboration with other bank branches. It can also give Human Resource managers a way to interview talented candidates without restricting their choices to local applicants.

You know your workflow best.  When your business calls for secure, face-to-face communication, you have options.  Try us for free.

Avoiding Migraines Resulting from Changes in Barometric Pressure

So…what do Migraine Headaches induced by Barometric Pressure have to do with SecureVideo.com? A lot, if you’re a clinician who suffers from these nasty pressure-induced Migraines, and you’re considering relocating away from your client base.

I was recently talking to one of our new clinicians, and we discovered that we both happen to suffer from pressure-induced Migraines.  When she told me she lived in Redding, California, which has among the higher atmospheric pressure variations in California, I asked if she had ever considered moving to San Diego, one of the major U.S. cities with the most stable atmospheric pressure.  She told me that indeed she had, and that her hope was that SecureVideo.com could help her transition her practice from her office in Redding, to a virtual practice based in San Diego, where she could see anyone within the State of California, and be free of the migraines that cost her so many days of work and so much misery.

Since I’m here to help, and the internet contains a very high ratio of raw to processed barometric pressure information, I decided to compile some lists for her (and me) on best and worst U.S. cities and states for atmospheric pressure change.  For me, a .20 change in the barometric pressure (e.g., from 30.05 to 29.85, or vice versa) triggers a migraine nearly every time, so I used .20 as the threshold, and looked at the number of days per year a city reported a .20 pressure swing in either direction.  I used data from May, 2007 through May, 2013, from 966 USGS weather stations.  The following lists summarize the results, cut in some interesting (and hopefully actionable) ways.
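As an added illustration (not from the original post, and not the author’s own analysis scripts), here is how the counting described above can be carried out over a station’s daily readings: flag each day whose pressure differs from the previous day’s by at least the threshold, then total those days per year and by month. The readings are constructed, and treating a “swing” as the absolute change between consecutive daily readings is an assumption, since the post does not spell out the exact definition.

```python
"""Count high barometric-variation days from daily pressure readings.

Added example of the counting method described in the post; the readings
below are constructed and the real 2007-2013 station data is not reproduced.
"""
from collections import defaultdict
from datetime import date, timedelta

THRESHOLD = 0.20  # pressure change treated as a migraine trigger in the post


def swing_days(readings, threshold=THRESHOLD):
    """Return the dates on which |today - yesterday| >= threshold.

    Assumption: a 'swing' is the absolute change between consecutive daily
    readings. Gaps in the record are skipped rather than compared across.
    """
    days = []
    for (prev_date, prev_p), (cur_date, cur_p) in zip(readings, readings[1:]):
        if (cur_date - prev_date).days != 1:
            continue  # missing day(s): don't treat the gap as a one-day change
        if abs(cur_p - prev_p) >= threshold - 1e-9:  # tolerate float rounding
            days.append(cur_date)
    return days


def per_year_counts(readings, threshold=THRESHOLD):
    """Number of swing days in each calendar year covered by the record."""
    counts = defaultdict(int)
    for d, _ in readings:
        counts.setdefault(d.year, 0)  # years with no swings still count as zero
    for d in swing_days(readings, threshold):
        counts[d.year] += 1
    return dict(counts)


def average_per_year(readings, threshold=THRESHOLD):
    """The 'days per year' figure used in the city and state lists."""
    counts = per_year_counts(readings, threshold)
    return sum(counts.values()) / len(counts)


def monthly_profile(readings, threshold=THRESHOLD):
    """Average swing days for each month of the year (the Austin-style list)."""
    n_years = len({d.year for d, _ in readings})
    per_month = defaultdict(int)
    for d in swing_days(readings, threshold):
        per_month[d.month] += 1
    return {m: per_month[m] / n_years for m in range(1, 13)}


def seasonal_split(readings, threshold=THRESHOLD):
    """Average swing days per year for April-September versus October-March."""
    profile = monthly_profile(readings, threshold)
    return {
        "apr_sep": sum(profile[m] for m in range(4, 10)),
        "oct_mar": sum(profile[m] for m in (10, 11, 12, 1, 2, 3)),
    }


def constructed_series():
    """Two years of constructed readings for one hypothetical station: a 30.00
    baseline with a one-day +0.25 spike on three dates. Each spike yields two
    swing days (the jump up and the drop back the next day)."""
    start = date(2007, 1, 1)
    spike_indices = {10, 40, 400}  # 2007-01-11, 2007-02-10, 2008-02-05
    return [(start + timedelta(days=i), 30.25 if i in spike_indices else 30.00)
            for i in range(731)]  # 2007-01-01 .. 2008-12-31 (2008 is a leap year)


if __name__ == "__main__":
    series = constructed_series()
    print("per year:", per_year_counts(series))   # {2007: 4, 2008: 2}
    print("average :", average_per_year(series))  # 3.0
    print("by month:", monthly_profile(series))   # Jan 1.0, Feb 2.0, others 0.0
    print("seasonal:", seasonal_split(series))    # {'apr_sep': 0.0, 'oct_mar': 3.0}
```

Run against a real station, the per-year counts would be averaged over the six years the post covers, and the monthly profile reproduces the kind of list given for Austin below.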

Update: in March 2016 I published a Global List of Barometric Variation

(Disclaimer: I’m not a doctor, and am in no way qualified to give medical advice. I organized this data for myself and for the benefit of those who believe that living in a place with less barometric variation could be good for their health, so that they could see which cities have more or less barometric variation.)

20 Major U.S. Cities with the Least Barometric Variation (days per year of >= .20 changes)

  1. Honolulu (0 days per year)
  2. Miami (4)
  3. San Diego (7)
  4. Los Angeles (7)
  5. Tampa (11)
  6. San Jose (14)
  7. Sacramento (18)
  8. San Francisco (18)
  9. Phoenix (22)
  10. New Orleans (22)
  11. Jacksonville (22)
  12. Birmingham (29)
  13. Houston (29)
  14. Atlanta (37)
  15. San Antonio (37)
  16. Austin (37)
  17. Memphis (44)
  18. Las Vegas (47)
  19. Little Rock (48)
  20. Charleston, SC (48)

Not surprisingly, it is the southern cities which have the fewest days of variation.  The “worst” list reinforces this theme:

20 U.S. Cities with the Most Barometric Variation (days per year of >= .20 changes)

  1. Augusta, Maine (128 days per year)
  2. Rapid City, SD (127)
  3. Montpelier, VT (117)
  4. Bismarck, ND (117)
  5. Boston (116)
  6. Colorado Springs (113)
  7. Denver (110)
  8. Billings, MT (109)
  9. Providence (109)
  10. New Haven (105)
  11. Cheyenne (105)
  12. Anchorage (104)
  13. Detroit (102)
  14. New York City (99)
  15. Buffalo (98)
  16. Minneapolis (98)
  17. Omaha (94)
  18. Chicago (91)
  19. Philadelphia (90)
  20. Baltimore (87)

At the U.S. State Level, here is the complete list:

  1. Hawaii (0)
  2. Florida (14)
  3. California (18)
  4. Alabama (27)
  5. Louisiana (27)
  6. Mississippi (28)
  7. Arizona (33)
  8. Georgia (35)
  9. Texas (45)
  10. Tennessee (46)
  11. Arkansas (46)
  12. South Carolina (48)
  13. Nevada (59)
  14. North Carolina (60)
  15. Oregon (61)
  16. Kentucky (62)
  17. Missouri (68)
  18. New Mexico (72)
  19. West Virginia (73)
  20. Oklahoma (73)
  21. Washington (75)
  22. Illinois (78)
  23. Virginia (78)
  24. Indiana (80)
  25. Utah (81)
  26. Ohio (82)
  27. Kansas (84)
  28. Maryland (85)
  29. Iowa (85)
  30. Idaho (86)
  31. Pennsylvania (89)
  32. Delaware (89)
  33. Wisconsin (92)
  34. New Jersey (96)
  35. Colorado (99)
  36. Michigan (101)
  37. Minnesota (101)
  38. Alaska (101)
  39. New York (102)
  40. Nebraska (103)
  41. Connecticut (106)
  42. Rhode Island (107)
  43. Wyoming (107)
  44. Montana (108)
  45. Massachusetts (111)
  46. Vermont (112)
  47. New Hampshire (115)
  48. South Dakota (119)
  49. North Dakota (120)
  50. Maine (127)

Looking more deeply, we also see major differences by season.  From April 1 to September 30, the national average is only 18 days of high barometric variation.  From October 1 to March 31, the average is 50 days.  This data is consistent with much higher reported incidence of migraines in the winter months.

Here’s a sample distribution of barometric pressure variation for Austin, Texas.  The number of days is the average number of high variation days for that month of the year, from 2007 to 2013.

  • January – 6 days
  • February – 8 days
  • March – 5 days
  • April – 4 days
  • May – 2 days
  • June, July, August, September – 0 days
  • October – 3 days
  • November – 4 days
  • December – 7 days

So, if you live in Austin, more than half of your bad migraine days will be in the three winter months December to February.  This seasonal pattern seems to hold true for most of the country.

The final cut of the data I looked at was to answer the question, “is this getting worse?” The answer is no; the year-to-year differences in the data fall within the bounds of normal random variation.

So, what does it all mean?  Mostly, that if you suffer from pressure-induced migraines, and you live in the northern U.S. states, you may be able to significantly improve your quality of life by relocating to one of the southern states, especially to southern California or Florida.  And, that if you do that and work in a medical field, SecureVideo.com is standing ready to help you telecommute in a HIPAA-compliant way.

UPDATE:

Full list of cities is here: http://blog.securevideo.com/2014/09/23/u-s-cities-barometric-pressure-variation-full-list/

What is a HIPAA Business Associate Agreement, and Why Do I Need One?

If your practice is currently using a medical teleconferencing service (telemed), or if you are considering using one, you should know that the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the recently-finalized (March 2013) Rules promulgated thereunder, consider the provider of such service to be a “business associate.”

HIPAA defines a business associate as a person or entity, not a member of the workforce of a covered entity (that’s your practice), who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. SecureVideo.com is such an entity. We are, in short, a Business Associate to each and every practice that uses our service. Our privacy policy is posted on our website.

The final version of the HIPAA Rules requires that covered entities (that would be you) enter into contracts with their business associates (that would be us) to ensure that the business associates will appropriately safeguard protected health information. This Business Associate Agreement also serves to specify the permissible uses and disclosures of protected health information by the business associate, based on the relationship between the parties and the activities or services being performed by the business associate. A business associate may use or disclose protected health information only as permitted or required by its business associate contract, or as required by law.

A business associate is directly liable under the HIPAA Rules and subject to civil and, in some cases, criminal penalties for making uses and disclosures of protected health information that are not authorized by its contract or required by law. A business associate also is directly liable and subject to civil penalties for failing to safeguard electronic protected health information in accordance with the HIPAA Security Rule.

If you’ll pardon my side trip into the legal weeds, a Business Associate Agreement must be written, and must:
(1) establish the permitted and required uses and disclosures of protected health information by the business associate;
(2) provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law;
(3) require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule with regard to electronic protected health information;
(4) require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information;
(5) require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals’ requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings;
(6) to the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation;
(7) require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule;
(8) at termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity;
(9) require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information; and
(10) authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.

Elsewhere on this site, my colleagues and I have noted that Skype® is owned by Microsoft, and that Microsoft has not been forthcoming regarding the use to which they might put any information gleaned from the popular VOIP service for which they paid $8.5 Billion two years ago. Microsoft does enter into Business Associate Agreements with users of its cloud services, but when it comes to Skype, the company has been evasive. In fact, Erik Kangas Ph.D., a blogger who follows this issue, says flatly:

Skype does not claim any kind of HIPAA compliance and will not sign a required Business Associate Agreement and does not provide the tools to use Skype in a way that allows you to meet your own HIPAA compliance requirements (e.g. auditing). – http://luxsci.com/blog

Not only does SecureVideo.com gladly provide you with a Business Associate Agreement, we take pride in the fact that we are fully HIPAA-compliant when it comes to patient health information.  Visit our website at www.securevideo.com, check out our privacy policy, and sign up for a free trial.  We think you’ll be convinced.

Stephen C. Taylor
General Counsel

Skype and Microsoft: a HIPAA nightmare

SecureVideo.com

Heise Security, a top German internet security firm, has done some research that will be somewhat frightening to Skype users, especially those who believe their Skype sessions retain any promise of privacy.

A recent H-online article detailed research showing that Microsoft servers are programmed to visit HTTPS (SSL) URLs typed into the Skype instant messaging application. When questioned about this, Microsoft’s response was not believable, from a technical or business standpoint.

“A spokesman for the company confirmed that it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched. Skype also sends HEAD requests, which merely fetch administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.”

The most troubling aspect here, to me, is that Microsoft requires users, in order to use Skype, to accept that their information may be accessed by Microsoft; but then Microsoft will not disclose exactly how the information will be used.

This untrustworthy approach is one of the reasons we started SecureVideo.com. And I don’t think you want Microsoft in your therapy session any more than I do.