13 Oct 2015

Conforming to HIPAA

Email Compliance in Healthcare.

Email supports quick communication among people who may be worlds apart, letting users attach, transmit and access messages and other assets. However, depending on the industry in which an organization operates, specific rules may govern how it uses email. Healthcare is among the most prominent examples.

Hospitals, doctors and other practitioners are privy to sensitive patient information which they must keep safe. The Fox Group noted that healthcare providers are increasingly using email to connect with patients and discuss medical conditions and treatments. These providers must use email in a way that is compliant with industry rules.

For companies in the US, the most important standard is the Health Insurance Portability and Accountability Act, or HIPAA, which outlines the proper treatment of sensitive patient details and digital records.

What does HIPAA say about email?

The Fox Group noted that HIPAA guidelines don’t prohibit the use of email, but ask that healthcare providers observe certain considerations when transmitting sensitive information. According to the HIPAA FAQs page, “The Privacy Rule allows covered healthcare providers to communicate electronically, such as through email, with their patients, provided they apply reasonable safeguards when doing so. For example, certain precautions may need to be taken when using email to avoid unintentional disclosures, such as checking the email address for accuracy before sending, or sending an email alert to the patient for address confirmation prior to sending the message.”


HIPAA also notes that when patients initiate email contact with the provider, the healthcare organization assumes the responsibility for ensuring that messages are acceptable and that the patient understands the potential risks of using an unencrypted platform. The provider can make the patient aware of these possible threats and let him or her decide whether or not to continue communicating in this manner.

The HIPAA Privacy Rule isn’t the only standard that applies here, however. The Fox Group noted that the Security Rule can also come into play, particularly when it comes to sending electronic protected health information, or e-PHI. According to HIPAA, “The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control, integrity, and transmission security require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.” This covers not only policies but encryption as well: healthcare organizations must use encryption to safely transmit sensitive e-PHI over an open network.

Considerations for compliant email.

While much of compliance depends upon usage, the email platform itself must also be compliant. Not all email systems are by default aligned with HIPAA guidelines. In fact, most free services – including Gmail, Yahoo Mail and others – do not have the proper protections in place to be used for e-PHI, either within the body of the email or as an attachment. You should not use these within a healthcare setting.

There are hosted platforms, however, that are HIPAA-compliant. These implement top security measures, including encryption and message expiry to ensure protection of sensitive health information. A message expiry date can be attached to communications that contain e-PHI, allowing them to be remotely deleted after a certain period of time. This prevents protected data from being stored or accessed inappropriately.

But using a compliant email solution isn’t just about aligning an organization with HIPAA. This strategy comes with its share of benefits as well, such as streamlined delivery of lab results, enhanced communications among doctors and staff, access to e-PHI while away from the office, and better connections with patients.

Top-tier HIPAA compliant hosting.

One of the best ways you can ensure compliance is to leverage the services of a HIPAA-compliant hosting provider like Hostway. Our service gives healthcare providers granular management control, daily reviews of security event log files, and a robust firewall with an intrusion detection and prevention system.

Guest post by Chris Kruck, Product Manager, Hostway Corporation

20 Aug 2013

ACO – Accountable Care Organizations

Come join us for a webinar: Tuesday, August 29th from 2:00-3:30 EST http://ow.ly/o5CRh 

Accountable Care Organizations (ACOs) are groups of doctors, hospitals, and other health care providers, who come together voluntarily to give coordinated high quality care to their Medicare patients. The goal of coordinated care is to ensure that patients, especially the chronically ill, get the right care at the right time, while avoiding unnecessary duplication of services and preventing medical errors. When an ACO succeeds in both delivering high-quality care and spending health care dollars more wisely, it benefits the Medicare program as a whole.

The cooperation doesn’t come without a price: potential security threats and breaches. As more organizations get involved, the potential for information sharing across these organizations and their disparate networks increases. Complying with HIPAA regulations is already a pressing issue, and it becomes even more so as more and more sensitive patient information, or PHI, is exchanged. HIPAA Omnibus has already increased the role the enforcement community can play in rectifying HIPAA violations. Come join our webinar on August 29th, which we are running jointly with the Compliancy Group, on ACOs and the increased need for security.

15 Aug 2013

HIPAA Omnibus

The HIPAA Omnibus Rule is a final rule issued by the U.S. Department of Health and Human Services on January 17, 2013. The Rule aims to strengthen existing privacy protections within the Health Insurance Portability and Accountability Act of 1996 (HIPAA), improve the government’s ability to enforce those protections, and give individuals greater access to their health information. One of the biggest changes associated with Omnibus is the application of HIPAA’s requirements to business associates of health care providers and health care claim processors. HHS broadened HIPAA’s application to these groups after a significant number of breaches were tied to business associates. As a result, protecting information as it travels from primary provider to business associate is even more essential, especially where it crosses the public Internet, and best-of-breed encryption technologies should be used to do so.

More and more providers and business associates use mobile devices for secure communications. Organizations have to make sure that they are implementing technology that addresses the insecure nature of mobile devices as well.