Clicky

EMR Daily News

News of the day in Electronic Medical Records, EHR and HIT

What You Need to Know for HIPAA Compliance in Public Clouds

By

The following is a guest post by Phil Cox, Director of Security and Compliance for RightScale

With the January 2013 release of the Omnibus Rule, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is complete. The rule builds on top of the Health Information Technology for Economic and Clinical Health (HITECH) Act that followed HIPAA in 2009 to provide the enforcement provisions that gave HIPAA teeth. The Omnibus Rule comes at a time when many organizations in the healthcare industry are turning to public and private cloud adoption to meet their business needs, taking advantage of the cloud’s cost advantages and its ability to unleash greater agility and innovation in healthcare IT.  If your organization is considering the cloud, your due diligence should extend not only to the relevant provisions of the Omnibus Rule, but also to the practices you and your business associates must implement to meet its requirements.

Your organization must be in compliance with the Omnibus Rule by September 23, 2013. As you consider how its provisions apply to your cloud computing projects, you need to pay particular attention to three of the Administrative Simplification Rules in Title II: the Privacy Rule, the Security Rule, and the Breach Notification Rule.

The Privacy Rule regulates the use and disclosure of information held by “covered entities” (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers). It establishes regulations designed to prevent unauthorized use and disclosure of Protected Health Information (PHI), which is any information held by a covered entity that concerns health status, provision of healthcare, or payment for healthcare that can be linked to an individual.

The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all PHI, including paper and electronic, the Security Rule [Read more…]

Aprima Partners with ClearDATA to Host EHR/PM Solutions on HIPAA Compliant Cloud Computing Platform

By

ClearDATA has announced a partnership with Aprima Medical Software to provide HIPAA-compliant cloud hosting of Aprima’s EHR/PM/RCM software and services solutions.

ClearDATA fully supports the new HIPAA Omnibus Rule which states that all companies providing services associated with hosting, storage, backup, or transmission of patient information must sign a Business Associate Agreement along with the covered entity. ClearDATA security and privacy experts have been signing Business Associate Agreements as standard practice since 2009.

“Aprima is pleased to have our products as a hosted solution on the ClearDATA Cloud Computing Platform,” stated Michael Nissenbaum, Aprima president and CEO. “As more of our customers look to move to the cloud, we are pleased to partner with ClearDATA. They have the extensive healthcare experience, unmatched [Read more…]

Secure and Mobile, the Future of Patient Data

By

The following is a guest post by Ashley Perry Rodrigue, Healthcare Ambassador for Lenovo.

The number one priority for physicians will always be patient care. With modern technology and legislation that requires digital records the definition of patient care has expanded beyond the traditional medical meaning and now also must include the protection of patient privacy.

Physician use of mobile devices is quickly evolving from a trend to a necessity: in 2012, 44 percent of doctors reported using tablets in the workplace daily. Mobile devices like tablets allow caregivers access to their applications whether they are in a patient room, their office or at home – and if optimized for input, can result in a positive user and patient experience.

However, tablets present a different set of security concerns than PCs, including easier opportunity for physical theft, data vulnerability, user access to uncontrolled apps, and more. Yet security is something that hospitals and health systems simply cannot sacrifice. If patient files are misplaced, misused or stolen, consequences can include job and reputation loss. The results of Ponemon Institute’s 2012 Study on Patient Privacy and Data Security found that almost every hospital surveyed suffered one data breach, and 45 percent suffered more than five over the past two years. Of those, breaches due to lost or stolen mobile devices such as tablets or phones accounted for 18 percent, up from 7 percent in 2011.

At the same time, the Department of Health & Human Services is expanding its information security provisions. In January 2013, HIPAA introduced the “final omnibus rule,” a new, tiered penalty structure [Read more…]

HIPAA Compliance using Amazon Web Services

By

Dave Rocamora

Dave Rocamora

The following is a guest post by Dave Rocamora, VP of DevOps, Control Group

A lot of businesses are looking to cloud computing to increase flexibility, to reduce infrastructure costs, and to innovate their IT practices. If you aren’t already evaluating cloud computing as part of your next solution, it’s time to at least take a look.

There are a number of benefits to going with a public cloud provider like Amazon Web Services (AWS). But when it comes to privacy, is the public cloud capable of meeting the HIPAA physical and technical safeguards?

At Control Group, I do a lot of work with the cloud and HIPAA compliance. AWS provides clear documentation, strong infrastructure building blocks, and plenty of third party tools and integration that make it an excellent choice for HIPAA compliant applications.

AWS is an Infrastructure As A Service (IAAS) provider. They provide the cloud computing building blocks for their customers to use when putting together their solutions. With a shared responsibility approach, AWS is responsible for security of the physical world from the data centers filled with servers all the way up to the hypervisor. AWS customers are responsible for security from the operating system and up. This frames the AWS approach to HIPAA: since AWS only interfaces with things at a low level, they don’t have access to the data. This makes them more like the post office than a party that is working with the PHI. It’s for this reason that AWS doesn’t sign Business Associate Agreements (BAA).

Amazon’s position of HIPAA compliance is that their platform can support HIPAA compliant applications if they are created properly. Amazon’s policies handle the physical safeguards pretty well. Their data centers are secured and compliant with a lot of certifications. They separate people with physical access to the computers from those who have logical access to the things running on them.  Most people at AWS don’t even know where the data centers are located!

The technical safeguards require a little more customer involvement. The shared responsibility model means that AWS will only handle things from the hypervisor down– it’s up to the customer to implement the proper safeguards [Read more…]

CalHIPSO Partners with CleraDATA to Provide HIPAA-Compliant Cloud Hosting & Security Services to its Members

By

ClearDATA Networks has announced that it has signed an agreement with CalHIPSO, the largest federally designated Regional Extension Center in the United States. Under the agreement, ClearDATA will offer HIPAA-compliant cloud hosting, offsite backup, disaster recovery, and HIPAA privacy and security services to health care providers in California, including CalHIPSO’s membership of over 8,500 providers in 56 counties throughout California.

“Reducing IT costs, improving system reliability, and ensuring security and privacy of patient information is critically important to all healthcare providers and organizations,” said Speranza Avram, CalHIPSO CEO. “Partnering with ClearDATA for its cloud computing solutions and HIPAA security services provides [Read more…]

Tech-Time Selects ClearDATA HIPAA-Compliant Offsite Backup & Recovery Service for 25 Hospitals

By

ClearDATA Network has announced that Tech-Time, Inc., a Billings, Montana- based IT service provider for rural healthcare providers, has selected ClearDATA’s HIPAA-compliant Offsite Backup and Recovery service for its client base of 25 hospitals and additional healthcare providers Tech-Time specializes in meeting the processing needs of rural health care providers, small and rural hospitals, nursing homes, and clinic facilities.

“As healthcare organizations face ever increasing storage needs, tighter IT budgets, and stricter regulatory requirements, cloud-based offsite backup and recovery offers the most cost effective, secure, and reliable solution available with today’s technology,” said Jim Moore, VP Sales and Marketing at Tech-Time, Inc. “Tech-Time selected ClearDATA for this service based on the company’s exclusive healthcare focus, HIPAA security expertise, and excellent reputation with customers large and small in the industry.”

“ClearDATA is excited to partner with Tech-Time and provide HIPAA-compliant offsite backup and recovery services to their numerous healthcare [Read more…]

Verizon Introduces Cloud Portfolio to Help Health Care Industry Meet HIPAA Security Requirements

By

Verizon Enterprise Solutions has announced a cloud and data center infrastructure portfolio specifically designed to help the health care industry meet the federal Health Insurance Portability and Accountability Act (HIPAA) requirements for safeguarding electronic protected health information.

These services will include the secure storing of electronic protected health information (ePHI) in Verizon’s Terremark data centers.

Available immediately, the new services offer Verizon clients in the health care, insurance, pharmaceutical and supporting industries a full range of public and private cloud services that meet applicable physical, administrative and technical security controls under HIPAA.

The new health-care-enabled services are:

  • Colocation
  • Managed Hosting
  • Enterprise Cloud
  • Enterprise Cloud Express Edition and Enterprise Cloud Private Edition

Along with each service, Verizon also provides a HIPAA Business Associate Agreement, through which Verizon works closely with clients to safeguard their patients’ ePHI, though they obviously do require that client’s remains responsible for ensuring that they comply with HIPAA and all other applicable laws and regulations.

“Today’s health care provider is faced with the enormous and costly burden of protecting personal health information for patients,” said Dr. Peter Tippett, chief medical officer and vice president of Verizon’s health IT practice. “To address this need, we are bringing to market a suite of cloud services that enables health care providers to secure patient data while offloading the burden of building and managing their own data centers.  By enabling a connected health care system, we intend to transform U.S. health care delivery.”

“Health industry CIOs have a pressing need for reliable, financially secure third parties or business associates that will help address the technical, physical and administrative safeguard requirements under HIPAA security rules,” said Lynne Dunbrack, program director, Connected Health IT at IDC.  “Offering a secure computing capability backed by strong performance-level agreements will be compelling to these CIOs.”

InfoGraphic: The Hight Cost of HIPAA Violations

By

As a follow-up to our article discussing the importance of securing mobile technology in medical practices I thought you might find this InfoGraphic, titled the High Cost of HIPAA Violations to be of interest.  Pay particular attention to the number of investigations over each of the past two years.


HIPAA Violation Infographic
Infographic authored by Inspired eLearning, a leading provider of online HIPAA compliance training solutions. To view the original post, check out the original HIPAA violation infographic.

HIPAA-friendly Faxing Can be Made Easy with Fax Server Software

By

The following is a  guest post was provided by Casper Manes on behalf of GFI Software Ltd.

Health care practices, laboratories, and insurance agencies all found their worlds radically changed with the passage of HIPAA. Years later, people are still trying to figure out whether or not what they do meets the requirements of HIPAA because the legislation has several requirements, but does not provide specific guidance on how to meet those. Faxing, which is one of the most interoperable ways for those in healthcare to exchange information, is often a pain point because the technology was developed without considering the security requirements that HIPAA now imposes. Fortunately, fax server software can both modernize your faxing services, and make it easy to fax in a HIPAA-friendly way. [Read more…]

New HIPAA Tool Helps Organizations Meet Security Requirements

By

English: The emblem of Recovery.gov, the offic...

A new tool, developed by the National Institute of Standards and Technology (NIST) and offered for free, can help public and private organizations, large and small, to understand and implement the requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Congress enacted HIPAA to, among other things, promote efficiency in the health care industry through the use of standardized electronic transactions, while protecting the privacy and security of health information.

The Secretary of Health and Human Services (HHS) published the HIPAA Security Rule, a national set of standards for protecting electronic protected health information (EPHI) that is created, transmitted, or maintained by covered entities and their business associates. HHS recognizes the value of NIST’s information security standards and guidelines, and has recommended these as valuable resources for organizations to consider as they implement the HIPAA Security Rule. [Read more…]