In the healthcare industry, patient data is considered sensitive and, as such, is subject to certain privacy and security requirements to ensure it remains confidential. Some employers may find themselves handling this protected health information (PHI) and could be required under federal law to handle that data in a specific way. It is important for all employers to understand the federal law known as HIPAA and how it applies (or doesn’t apply) to them.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes privacy standards by which healthcare organizations are required to protect sensitive patient information. Since it was signed in 1996, HIPAA has been updated periodically to evolve alongside technology, adapting to include cybersecurity standards required of all “covered entities” and their business associates.

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule is the section of the law that specifically relates to the confidential handling and transmission of patient healthcare data. Measures in the Privacy Rule include an enumeration of individuals’ rights under the law, such as how they can control and access their own healthcare information.

Moreover, the Privacy Rule prescribes how healthcare organizations and other covered entities and business associates must handle protected health information. This includes requirements governing both process and technology; not only must protected health information be handled properly, but it must also be stored securely.

“It requires you to protect and maintain the security of PHI, which is a defined term that deals generally with health information that can be identified and tied to a specific individual,” Paul Starkman, an employment attorney for Clark Hill, told businesss.com. “It deals with how the information must be protected in terms of encryption, password protection and things like that. It also deals with transmission … and it has some other requirements too in terms of disposing [of] PHI once it is no longer needed.”

Starkman said this includes information from paper files, digital files and machines and equipment that become outdated or are no longer in service.

“Those need to be disposed of in accordance with HIPAA guidelines,” he said.

Which types of businesses does HIPAA apply to?

The stringent requirements included in HIPAA don’t apply to all employers – just those that fall into a certain category.

The term “covered entities” refers to organizations that are required to comply with the rules set out under HIPAA. Covered entities include doctors’ offices, hospitals, insurance companies, insurance plans and clearinghouses. The U.S. Department of Health and Human Services maintains a full list of covered entities on its website.

“HIPAA is primarily going to apply to covered entities,” said Jarryd Rutter, an HR coach at Paychex. “That is where HIPAA is most impactful: for those industries and obligations, not only to customers but their employees.”

Rutter noted that Paychex does not give its clients legal advice and recommended that businesses consult with legal counsel if they are concerned about their HIPAA obligations.

HIPAA also applies to organizations that do business with covered entities and handle or process patients’ protected health information in some way. These organizations are known as “business associates” under the law and are also required to abide by HIPAA regulations.

“Sometimes we get pushback from a client we are helping because they are hesitant to send documents out of concern they are violating HIPAA when, in fact, they are not,” Rutter said. “A non-covered entity doesn’t have to be concerned with HIPAA; it’s really limited to if they offer health insurance plans and the handling of that health insurance info.”

Other employers are generally not covered by HIPAA and, therefore, are not required to abide by the strict privacy and security regulations included in the law. However, Rutter said, non-covered entities likely have some privacy and security obligations under other federal laws, such as the Americans with Disabilities Act (ADA) or the Family and Medical Leave Act (FMLA).  [Read related article: How the FMLA Applies to Your Small Business]

When does HIPAA apply to non-covered entities?

Although HIPAA doesn’t apply to most businesses, there is one unique circumstance in which employers should be aware of the law’s requirements. Employers that provide a self-funded health insurance plan are technically operating a covered entity: the health plan itself. This means the health insurance plan is subject to all of the requirements in HIPAA, while the primary business is not.

“Because that self-funded plan … is viewed as a covered entity, the health plan falls under HIPAA,” said Matt Fisher, healthcare attorney at Mirick O’Connell. “You end up having to wall off the information used for maintenance and operation of that plan. But, on the whole, HIPAA will really not apply to the general employer and employee relationship.”

Another common way employers come into contact with an employee’s PHI is through workers’ compensation claims, Fisher said. In these instances, clinical documentation from medical appointments might be required to support the workers’ compensation claim, and employers would need access to that information.

However, just because an employer has access to this data, it does not necessarily mean HIPAA applies.

“Generally, the health information employers get through the employment relationship is not going to be covered by HIPAA,” Starkman said. “It may be covered by other state privacy laws.”

In the example of a workers’ compensation claim, HIPAA would govern the healthcare provider’s handling of protected health information and its release to the employer; the employee would be required to consent to this transmission of their healthcare data. Once that consent is given and the information is received by the employer, however, HIPAA no longer applies.

What are examples of HIPAA violations?

HIPAA violations can be costly, so it is important to avoid even unintentional violations. Civil penalties for HIPAA violations can exceed $50,000 per violation. Violations committed with malicious intent could result in criminal charges – in the most egregious cases, up to 10 years in prison and $250,000 in fines.

The first step in avoiding HIPAA violations is knowing some of the most common ones.

Unreported data breaches

Healthcare organizations are a major target for cybercriminals attempting to breach the networks and steal sensitive healthcare data. Covered entities must report data breaches to the individuals affected, the secretary of the Department of Health and Human Services and sometimes the media.

To avoid data breaches, ensure that your antivirus software is up-to-date and that all data is encrypted in storage and transmission. Update your software on all connected devices regularly to patch vulnerabilities exploited by hackers. Decommission outdated devices and remove them from your network; dispose of them per HIPAA regulations. Loss of devices

There are thousands of connected medical devices in any given hospital, all of which contain protected health information. The loss or theft of these devices could lead to the loss of sensitive data unless they are properly password-protected and encrypted in accordance with HIPAA. A failure to do so that results in a data breach is a HIPAA violation that could be easily avoided.

Unauthorized access

Employees accessing data they do not need or are not authorized to access usually constitutes a HIPAA violation. To avoid this problem, implement authorization systems that require employees to confirm their identities before accessing restricted information. Establish clear policies and procedures around authorizations and consequences for accessing information fraudulently.

Failure to encrypt data

Under HIPAA, all data must be encrypted. The law does not specify a precise standard, but the National Institute of Standards and Technology recommends Advanced Encryption Standard (AES) 128 at a minimum. Failure to encrypt devices, data in storage and data in transit likely constitutes a HIPAA violation. Avoid this by ensuring that all data in your network is encrypted to the highest possible standard.

HIPAA compliance for employers

If you are a covered entity or a business associate of a covered entity, HIPAA regulations apply to you. To ensure you remain compliant, follow this useful HIPAA compliance checklist from HIPAA Journal:

1. Identify which audits apply to your organization.
2. Conduct those audits internally; then analyze the results and determine corrective measures.
3. Implement the corrective measures and document them. Review compliance annually.
4. Appoint a HIPAA compliance officer. Alternatively, appoint dedicated privacy and security officers.

5. Task the HIPAA compliance officer(s) with training all employees on HIPAA obligations.
6. Document HIPAA training and staff member completion of the training program.
7. Annually perform due diligence assessments on any business associates to ensure HIPAA compliance.
8. Establish processes for reporting breaches and notifying the Department of Health and Human Services Office for Civil Rights.

Following this checklist and establishing a clear set of policies and procedures regarding HIPAA compliance can put your organization in a better position to meet the strict privacy and security requirements included in the law.

Employer HIPAA responsibilities and COVID-19

Although HIPAA applies only to covered entities and business associates, the law offers a good list of guidelines for other employers to follow as they implement employee COVID-19 testing and monitor employees for symptoms.

For example, many employers are requiring COVID-19 tests or on-site temperature checks for employees coming to work. Although HIPAA does not apply, handling or recording that type of health information is risky territory, so it behooves employers to adhere to HIPAA-like steps and to document their activities carefully.

“Most employers are really not specifically covered by HIPAA, but it provides best practices that employers generally tend to follow when keeping PHI about employees,” Starkman said. “It should be kept under lock and key, in separate folders from personnel files.

“If you’re [a non-covered entity] with employee health information, you’re covered by different laws,” Starkman added. “Primarily, the ADA has rules regarding how employers need to keep the medical information of employees. They tend to track the HIPAA requirements in terms of keeping files and computer documents under lock and key and in a secure manner.”

Rutter said employers should turn to the ADA and the Equal Employment Opportunity Commission for guidance on handling employee information related to the COVID-19 pandemic. He said there are three steps every business should take when implementing COVID-19 testing and monitoring procedures:

• Document all policies and procedures.
• Restrict access to employee information to trained employees.
• Establish protocols in the event of a data breach or unauthorized access.

“Even non-covered entities should do this,” Rutter said. “Taking proactive steps is key for any employer.”

Regulatory Outlook

HIPAA

HIPAA, which was enacted in 1996, had many different goals, including making insurance transferable upon leaving employment, enabling electronic billing for medical costs, and, the most famous result, the authorization of federal privacy rules for health information. The Department of Health and Human Services (HHS) then made two regulations: the HIPAA privacy rule, which regulates private health information, and the HIPAA security rule, which regulates the manner in which healthcare providers control and protect health information.

Covered Entities

The organizations controlled by the HIPAA privacy regulation are called covered entities. A covered entity is any healthcare provider that electronically bills for its services. This covers almost all healthcare professionals. It also means that most medical device companies are not covered entities. However, some medical device firms that sell to patients and bill Medicare may qualify as covered entities and be bound by HIPAA. For example, a company that sells insulin pumps to patients and bills Medicare would be a covered entity. Some companies may have a subsidiary that is a covered entity while the rest of the company is not covered; such companies are called hybrids. The company can wall off the subsidiary, which is a covered entity, so that only that part of the company is bound by HIPAA.

Covered Information

HIPAA defines the covered information as PHI, which is any health-related information that may identify a patient. HIPAA takes an expansive view of what may identify a person. There is a list of 18 identifiers. Besides the traditional identifiers such as name, address, phone number, social security number, etc., there are some device-related identifiers, such as serial number or date of service when the device was used, that have proven quite to difficult to deidentify.

Almost any information from a patient file has to be carefully scrutinized to be sure it is not PHI. The definition is wider in the United States than it is in the European Union (EU), where more-traditional identifiers are used. Member nations of the EU are governed by the EU Directive on Data Privacy.

Disclosure of PHI

Authorization is the term used for a patient to allow some disclosure or use of PHI. HIPAA determines authorized uses of PHI by covered entities and what disclosures of PHI may be made. The HIPAA privacy regulation outlines when a covered entity must obtain authorization from the patient or approval from an institutional review board (IRB) or privacy board.

Note that the EU uses the term consent for this document while HIPAA uses authorization. For device companies, there may be an informed consent document created to comply with FDA clinical rules or the HHS Common Rule. This consent document may have a HIPAA authorization built into it, but the HIPAA authorization is not called a consent.

With several exceptions, a covered entity may use PHI within its organization without restriction by HIPAA. However, when it discloses information outside its boundaries, the covered entity must comply with the HIPAA privacy regulation's limitations and authorization requirements. The covered entity may disclose to third parties without authorization for three HIPAA-specified activities: treatment, payment, or healthcare operations (TPO).

Treatment. Treatment refers to communication of PHI needed to treat the patient, such as information flow between the covered entity and another healthcare provider, e.g., another doctor who is treating the patient. A general practitioner and a specialist may discuss their joint patient for the purpose of treatment without activating any authorization requirements under HIPAA. This treatment exception could involve a medical device company. For example, if a technical representative from a medical device company takes part in a surgery to help use or train surgeons on the company's equipment, that participation is part of treatment and does not require an authorization. Although it is wise to notify the patient before exposing his or her data or personal information to a company representative, there is no specific HIPAA requirement to do so under these circumstances.

Payment. Payment refers to the process of obtaining payment from payers such as insurance carriers. Although covered entities routinely ask for consent to disclose information to payers, and there may be consent requirements at the state level, there is no need for a HIPAA authorization for billing.

Healthcare Operations. The term healthcare operations refers to the internal mechanics of running the covered entity. PHI may be transmitted as part of normal business operations. For example, the covered entity may use PHI for internal quality assurance improvement practice.

Business Associates

Sometimes a covered entity receives assistance in performing activities that involve the use or disclosure of PHI under HIPAA. The person or entity providing the help is called a business associate. A covered entity may enter a business associate agreement (BAA) with another person or company that is providing services to the covered entity with regard to TPO. For example, the covered entity might outsource its billing department to a third party. In such a case, the covered entity would engage that biller with a BAA.

It is very unusual for a medical device company to need a BAA with any covered entity. In the early days of HIPAA, covered entities were wholesale shipping BAAs to everyone they purchased from. Since then, HHS has made it clear that the normal relationship between a medical device provider and a covered entity does not require a BAA.

It is only when a medical device company is acting on behalf of a covered entity that it needs a BAA. One narrow example is when a covered entity is prescreening patient records in preparation for research. It can do that without an authorization. However, if the covered entity allows a third party, such as a device company, onto its property to do such preliminary searching on the covered entity's behalf, it may then need a BAA to protect the PHI that the device company will access.

Access to PHI

There are a number of access points to PHI for a device company. Some information is necessary for the device company to have and some is thrust upon it. Common ways to be exposed to PHI include the following.

Treatment. As a device company, you have a role in treatment. For example, as previously discussed, a device company representative may attend the actual use of a device. Or, a doctor may call the OEM's technical services staff with questions about how a particular patient's anatomy or medical symptoms could affect the use of the company's device. Even though no name is given, the medical data may include HIPAA identifiers. Such treatment interactions between the medical device company and the covered entity are part of the treatment exception to HIPAA and therefore require no special authorization.

Accidental Exposure. A device company field representative may accidentally be exposed to PHI while at the site of a covered entity. For example, the representative might inadvertently see a patient chart while in a doctor's office. HIPAA calls this incidental disclosure. HIPAA allows such action without any repercussions under the regulation. Remember that PHI is still private and the company representative should not disclose what is accidentally seen to anyone else.

Clinical Trial or Other Research Information. There are three main routes for obtaining PHI from a covered entity for research: authorization, partial waiver from an IRB, or deidentification.

The most common way to obtain research data is through patient authorization. An authorization is built into the informed consent document in most medical device clinical trials. Once a company is in the process of having a patient sign a consent form, it is not much extra work to include the additional elements required for a HIPAA-compliant authorization. This method makes it possible to obtain wider access to use of the data. Most device companies want to harness the data to Strengthen future generations of devices and not just the immediate use. Such usage can be accounted for in a signed authorization.

A partial waiver means asking an IRB to allow PHI of a limited nature to be disclosed without a patient's authorization. For example, the site could strip out all directly identifiable information such as names, addresses, etc. The remaining identifiers might technically identify the patient, but the IRB may determine that the risk is low and allow disclosure without patient authorization. However, this process has proven difficult in practice simply due to the bureaucracy that has to be managed; companies have found the IRB interface to be too slow and laborious to use often.

Deidentification requires removing all 18 identifiers from the PHI, which can be difficult for device research. For example, because device serial numbers are often needed to correlate to other records, they are a hard identifier to do without. Similarly, dates of visits are often needed to correlate to device performance over time. However, deidentification is still a viable option for some research.

Compliance with FDA Regulations. A specific section of the HIPAA privacy regulation allows a covered entity to disclose information to a device manufacturer in order for the manufacturer to report to a public health agency, such as FDA. This exception is crucial because it allows a covered entity to communicate with a manufacturer to follow up on a complaint, provide data for a medical device report, track devices, or use information needed for quality system regulation compliance.

PHI after Disclosure

Once outside a covered entity, HIPAA rules no longer apply to this information. In fact, this must be stated in every HIPAA authorization. However, there are myriad state laws that control PHI in different forms, and if the PHI is obtained under a BAA, there are contractual obligations as well. Therefore, a device company should only take PHI when needed and must safeguard it, i.e., only those who truly need access to PHI should be allowed to see it. Device companies must also establish procedures to prevent accidental disclosure.

Conclusion

HIPAA has definitely made research more difficult for device companies. Each time that a company considers accessing PHI, it needs a thorough HIPAA analysis. Initially, device companies feared that the public health exemption was not broad enough and that covered entities would resist releasing the necessary PHI. However, over time, covered entities have cooperated and have generally allowed access to PHI that device companies need for compliance with FDA regulations. Therefore, life is more difficult with HIPAA, but certainly not impossible.

Copyright ©2009 Medical Device & Diagnostic Industry

AUSTIN, Texas, Oct. 7, 2022 /PRNewswire/ -- 360training has officially stepped into providing regulatory and compliance training for Healthcare after acquiring HIPAA Exams in April of 2022. It has launched 46 HIPAA, Nursing, and Infection Control courses as part of its new Healthcare Vertical. Their up-to-date, comprehensive catalog of IACET-approved courses safeguard patient privacy, meeting HIPAA, OSHA, and CDC standards.

Hospitals looking to stay HIPAA compliant can find training suited for various medical and healthcare-adjacent services.

Hospitals looking to stay HIPAA compliant can find training suited for various medical and healthcare-adjacent services, with courses on HIPAA Privacy and Security Rules that will reduce exposure to violations.

In addition to courses for healthcare workers, 360training's healthcare vertical has courses for business associates and administrators, sales professionals, and general staff members. Businesses that provide healthcare safety training ensure occupational safety, prevent infectious transmissions, and protect the overall health of employees.

About HIPAA Exams

HIPAA Exams, a division of Engaging Training Solutions Inc, is an IACET accredited business. They specialize in professional and management development training with primary focuses on health care, workplace safety, and legislative compliance. HIPAA Exams began in 2008 as an online learning system for hospitals. The company soon expanded when Massachusetts General, Scripps, and the U.S. Air Force asked HIPAA Exams to develop content for Registered Nurses specific to Joint Commission (JC) compliance.

About 360training

360training is an integrated digital training and compliance platform for highly regulated industries. Through a unique combination of differentiated technology and deep regulatory expertise, 360training enables professionals to attain jobs and maintain industry-mandated requirements while helping organizations develop their workforces and remain compliant. 360training's robust, proprietary content library offers over 6,000 courses across major business verticals: Environment Health & Safety, Food & Beverage, Real Estate, Healthcare, Financial Services, and more.

Story continues

Since 1997, 360training.com, Inc. has delivered over 11 million training plans across multiple brands, including HIPAA Exams, Meditec, AgentCampus, VanEd, TIPS, OSHAcampus, OSHA.com, and Learn2Serve. Please visit www.360training.com or their social media accounts on Facebook, Twitter, and LinkedIn to learn more.

View original content to get multimedia:https://www.prnewswire.com/news-releases/healthcare-courses-by-hipaa-exams-now-available-on-360training-301643798.html

SOURCE 360training.com

PALO ALTO, Calif., Sept. 22, 2022 /PRNewswire/ -- RabbitSign, Inc., a company that provides unlimited free e-signing, is pleased to announce it has launched free HIPAA-compliant e-signing. This was accomplished by taking all necessary steps to prove its good faith effort to achieve compliance with the Health Insurance Portability and Accountability Act (HIPAA). Through the use of Compliancy Group's proprietary HIPAA solution, The Guard™, RabbitSign can track their compliance program and has earned their Seal of Compliance™. The Seal of Compliance is issued to organizations that have implemented an effective HIPAA compliance program through the use of The Guard.

HIPAA is made up of a set of regulatory standards governing the security, privacy, and integrity of sensitive healthcare data called protected health information (PHI). PHI is any individually identifiable health care–related information. If vendors who service healthcare clients come into contact with PHI in any way, those vendors must be HIPAA compliant.

RabbitSign has completed Compliancy Group's Implementation Program, adhering to the necessary regulatory standards outlined in the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, Omnibus Rule, and HITECH. Compliancy Group has Tested RabbitSign's good faith effort to achieve HIPAA compliance through The Guard.

"Free HIPAA-compliant e-signing is something our users have been asking for," says Stanley Zhong, Founder & CEO of RabbitSign, "I founded RabbitSign in response to COVID in order to lower the price of e-signing to zero for as many businesses, nonprofits, and government entities as possible. Providing HIPAA-compliant e-signing for free is RabbitSign's way to help lower healthcare costs in the US. Compliancy Group has been a crucial partner in making that happen."

"Compliancy Group congratulates RabbitSign on the successful completion of Compliancy Group's Implementation Program, showing their good faith effort to achieve HIPAA Compliance and differentiating them in the e-signing industry," says Charlotte Barenz, VP Implementation, Compliancy Group.

Story continues

About RabbitSign:

RabbitSign provides unlimited free e-signing. It was founded in response to the COVID pandemic in order to lower the cost of e-signing to zero for as many businesses, nonprofits, and government entities as possible. RabbitSign's goal is to work towards social good, NOT maximize profits. To try out RabbitSign, visit https://www.rabbitsign.com. RabbitSign can be reached at contact@rabbitsign.com.

About Compliancy Group:

HIPAA should be simple. That's why Compliancy Group is the only software with Compliance Coaches™ walking you through HIPAA to simplify compliance. Built by auditors, Compliancy Group gives you confidence in your compliance plan to reduce risk, increase patient loyalty, and profitability of your organization. Visit https://www.compliancy-group.com or call 855.854.4722 to learn how simple compliance can be.

Contact:
Stanley Zhong
650-842-0282
345125@email4pr.com

View original content to get multimedia:https://www.prnewswire.com/news-releases/rabbitsign-launches-free-hipaa-compliant-e-signing-301630146.html

SOURCE RabbitSign, Inc.

If you’re old enough to remember the 1980s, you might recall seeing patients’ notes cataloged in files, faxed, sealed in A4 manilla envelopes, or left on desks for filing. Today, electronic health records (EHRs) must abide by Health Insurance Portability and Accountability Act (HIPAA) precautions, known as the HIPAA Security Rule, to ensure higher levels of patient confidentiality and security.

HIPAA injunctions ensure that only approved individuals can access patients’ health records. For medical practitioners and health institutions, HIPAA-compliant records protect against prohibitive fines, lawsuits, loss of jobs, or premises lockdowns. Appropriately regulated EHRs help people who come into contact with electronic protected health information (ePHI) conform to the HIPAA rules.

We’ll explore HIPAA compliance rules and best practices all healthcare organizations should implement.

What are HIPAA compliance rules?

All healthcare institutions and guardians of HIPAA-protected records are expected to follow four injunctions.

1. HIPAA privacy: Healthcare entities must implement safeguards to protect the privacy of patients’ electronic protected health information (ePHI). This privacy rule applies to electronic information about the patient, details on their physical or mental health, conversations between a doctor and medical staff, billing information, medical charts, and prescriptions.
2. HIPAA security: Confidential information can be shared only with authorized stakeholders directly involved with patient care.
3. HIPAA enforcement: Every person who comes into contact with ePHI must protect this patient data. The HIPAA enforcement rule mainly deals with penalties and investigations when entities are found to be noncompliant.
4. HIPAA breach notifications: HIPAA breach notifications provide guidelines on what you must do if a breach occurs. Breaches include unauthorized access to ePHI, inadvertent disclosures, stolen or misplaced data, and digital hacks.

How do you apply HIPAA rules to EHRs?

You’ll need to follow some best practices to keep ePHI confidential.

Best privacy practices for HIPAA compliance

• Thoroughly shred printouts of any patient information. Paper-shredding services can make this process easier and more secure.
• Encrypt ePHI to make it unreadable.
• Implement an audit trail, recording whenever someone logged in to ePHI, the place and time they accessed ePHI, and any changes they made.

Best security practices for HIPAA compliance

• Technical safeguards for securing electronic data include firewalls, antivirus software, a data backup plan and a network security program. Perform all necessary system updates and patches.

• Administrative safeguards center on collecting, accessing, managing and auditing data. Ensure only authorized users with access controls (e.g., passwords or PINs) can access patient data.

• Physical safeguards concern how or where you store data to protect it from accidental or deliberate intrusion and environmental or natural disasters.

Best practices to enforce HIPAA rules and prevent ePHI breaches

• Conduct risk assessments to identify and analyze risks to patients’ information so you can implement safeguards to reduce those risks. Cybersecurity risk assessments include vulnerability scans and penetration tests that scan systems to root out network vulnerabilities.

• Enforce rules through standardized HIPAA contracts with covered entities (CEs) and stakeholders.

• Draft policies and procedures. When CEs draft written policies and procedures on HIPAA compliance and train their staff on how to follow these rules, they can avoid HIPAA breach notifications. Update your policies and procedures periodically and redraft written documents every six years.

Did you know? While HIPAA laws impact employers who are CEs, other employers have privacy and security obligations under federal laws like the Americans with Disabilities Act and the Family and Medical Leave Act (FMLA).

What is an electronic health record (EHR)?

When doctors, medical practitioners, healthcare insurers, billers, or anyone involved with patient care and payment processing document and review a patient’s case, they create and add to the patient’s medical records. An electronic health record, or EHR, is a digital version of these patient documents.

EHRs are computer logs containing sensitive patient health information (PHI), including patient-related billing, conversations, forms, charts and prescriptions – anything related to the patient’s medical treatment and mental or physical health.

Practitioners refer to the EHR to schedule or revise consultations, order prescriptions, or educate themselves on the patient’s history. Medical billing and coding departments refer to ePHIs to pay doctors and healthcare institutions.

Who must comply with HIPAA rules?

HIPAA injunctions apply to all CEs who electronically transmit healthcare information:

• Any healthcare provider or health plan that uses EHRs and technical devices to process ePHI is subject to HIPAA injunctions.
• Healthcare clearinghouses mediate between healthcare providers and insurers. If they’re involved with billing, repricing, or overseeing community health management information services, they’re subject to HIPAA injunctions.
• Business associates that provide services to healthcare entities – and may therefore be exposed to ePHI – are subject to HIPAA injunctions.
• Contracted business associates or similar non-workforce members who perform tasks for healthcare entities and are exposed to ePHI are subject to HIPAA injunctions.

Tip: To use telemedicine and stay HIPAA compliant, choose a secure telehealth solution, limit access to sensitive information, and develop a cybersecurity strategy.

6 essential HIPAA practices for EHRs

Follow these best practices to ensure compliance with HIPAA EHR rules:

1. Use safe storage. Store all electronic systems and patient-related records in a locked, monitored area.
2. Power down devices. Turn off electronic devices when not in use, or implement a robust medical records management system with an automatic time-out setting.
3. Use a firewall. Install firewall protection to deter hackers from accessing patient records.
4. Have a backup system. Make backups of your ePHIs, and consider storing them with one of the best cloud storage and online backup services.
5. Shred old records. Shred dated medical records to reduce the risk of breaches.
6. Train your staff. Train any staff members who work with your EHRs to handle these confidential records correctly.

Tip: If you’re considering implementing a medical records management system, check out our reviews of the best medical software offering HIPAA compliance tools and strong security.

HIPAA-EHR compliance tips for remote workers

More employees are processing confidential information from their homes. To avoid HIPAA-compliant violations, remote workers should adhere to these best practices:

1. Work in a private, secure place. Don’t work on HIPAA-sensitive projects in public. People could snoop over your shoulders and read the data. Even worse, malicious actors use wireless devices and powerful antennas to pick up unsecured wireless networks. They could hack into the confidential electronic data in your care and gain unrestricted access to private medical information.
2. Use a VPN. Use a virtual private network (VPN), particularly if you work in a public place such as a hospital or airport. VPNs encrypt your public data, scrambling it from snooping individuals.
3. Keep patient data off the calendar. Take care not to misuse patient data when using a digital calendar or drafting digital notes. A Google task reminder to process Jane Doe’s July appointment could land you in hot water.
4. Take precautions when faxing. To protect private data, use a cover sheet when faxing patient information.
5. Ensure a secure internet connection. To ensure a secure internet connection, you need the WPA3 encryption protocol with its Wi-Fi Enhanced Open Mode option for increased security on unsecured networks.
6. Create strong passwords. Use strong passwords a crook can’t crack. Experts recommend using passwords with upper- and lower-case numbers, symbols and letters. Create different passwords for personal and business devices; if you write them down, keep them in a safe place, like your wallet.
7. Use up-to-date antivirus software. Keep your antivirus and anti-malware software up to date. Some of the best antivirus software includes Kaspersky, Bitdefender, Avast, Norton and ESET.
8. Use a firewall. Install firewalls on computers, devices and routers to protect your ePHI. You may also want to use software scanners, like Vistumbler or Airodump-ng, to search the airwaves of your home for foreign Wi-Fi signals that could pick up this ePHI.
9. Think before you click. Foil phishing attempts by not clicking on suspicious email links. Double-check seemingly familiar email addresses for subtle irregularities. Steer clear of suspicious ads, websites, links and messages. Any promotion that sounds too good to be true probably is.
10. Change or conceal your SSID (service set identifier). Your Wi-Fi network SSID is listed among other local networks on your wireless-enabled device. Either change its name to mislead would-be hackers or remove your SSID from the network list. At the very least, disable the SSID in public settings when anyone with wireless technology can pick up your signals.

Alycia Schlesinger was finally getting the help she needed more than a year ago after living on the streets. 

After a 2 on Your Side report by CBSLA Investigative Reporter Kristine Lazar, Schlesinger received the medical attention and financial assistance she needed and was once again reunited with her family while working as a personal assistant. 

"There was a part of me that was always holding my breath, but I thought yes, that this was it," Schlesinger's sister Cassie Godwin told Lazar. "She was back to my sister. She was helping other people, she was working, she was with us on holidays. It was like nothing had happened."

Unfortunately, the 50-year-old woman and former motivational speaker had her medication discontinued by her doctor and since then, Godwin said she has regressed. 

Before that happened, Schlesinger had hopes of getting back to working as a motivational speaker. 

But her family is trying to figure out why the doctor opted to discontinue the medication Schlesinger was using. Her family has gotten little to no answers from Schlesinger's former doctor.

Schlesinger was required to attend therapy multiple times a week by the courts, because she had two outstanding felonies. One was from a car chase that we covered in 2017.

But since the doctor discontinued Schlesinger's medication, she has wound up back on the streets in San Fernando Valley. She has been photographed and caught on camera spitting on people's doorbells. 

"Her cycle this time went from 0 to 1000. Before it took 2 to 3 months for her to get into her psychosis. This time it was like 2 weeks," Godwin said. 

Godwin attempted to contact her sister's doctor's office. She told them, "Please let the doctor know Alycia is spiraling and she is going to lose it, and nobody responded."

Kathy Day with the treatment advocacy center told Lazar that family members like Godwin are often cut out of the conversation due to what she calls "HIPAA handcuffs." 

The Health Insurance Portability and Accountability Act (HIPAA) is a nation wide medical privacy law.

"The HIPAA handcuffs, that's our inability to get through to provide help to our loved ones when they're in a treatment center, hospital or a jail," Day said.

Stacey Tovino, a medical privacy expert and director of healthcare law at the University of Oklahoma, said that more likely than not the issue isn't HIPPA, it's how medical professionals treat the law.

"A lot of people use HIPAA as a shield. They don't want to disclose something so they blame it on HIPAA but HIPAA may actually allow the disclosure," Tovino said to Lazar. "Usually you don't have a health and privacy law that, if broken can result in a person going to jail and paying criminal penalties. So they don't want to mess with it, so they just blame HIPAA."

Unfortunately, that has left Schlesinger and her family in a tough spot. 

She is now in jail after failing to report to one of her court-mandated therapy sessions. A judge ruled that she is not mentally capable to stand trial and is now waiting for a bed at a state hospital. 

"The last I heard a couple months ago there is a wait list of 1700 inmates to get into these hospitals. We have 5 state hospitals for that," Godwin said. "I have a lot of friends who say when are you going to give up and let her live the life she chose. My sister did not choose this."  

TAMPA BAY, Fla., Sept. 27, 2022 /PRNewswire/ -- KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, today launched a new version of its Compliance Audit Readiness Assessment (CARA) that now covers select requirements for the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to address healthcare privacy requirements.

Healthcare organizations around the world continue to inadequately protect sensitive protected health information (PHI). Between 2009 and 2021, 4,419 healthcare data breaches of 500 or more records have been reported to the U.S. Health and Human Services' (HHS) Office for Civil Rights. Those breaches have resulted in the loss, theft, exposure or impermissible disclosure of 314,063,186 healthcare records.

CARA is a complimentary, web-based tool that helps organizations assess their readiness for meeting compliance requirements. With this new version, IT and security professionals are guided through specific select requirements from the Health Insurance Portability and Accountability Act (HIPAA) Security Rule outlined by HHS. CARA asks security professionals to rate their readiness for each requirement and then provides an analysis of the results to help them define the controls they need in place before a compliance audit.

"Accessing confidential patient data is the cybercriminal's equivalent to discovering buried treasure, but it happens far more often than imaginable due to antiquated healthcare systems and security practices," said Stu Sjouwerman, CEO, KnowBe4. "Security professionals are overwhelmed with trying to comply with all of the healthcare security requirements through HIPAA. Our CARA tool now has the capability to help healthcare organizations become better prepared for compliance requirements related to the HIPAA Security Rule. This refreshed tool goes a long way towards simplifying the process of getting healthcare organizations adequately equipped for compliance audits."

The HIPAA Security Rule contains the standards to safeguard and protect electronically created, accessed, processed or stored PHI. The rule applies to any organization or system that has access to confidential patient data.

For more information on CARA, visit https://www.knowbe4.com/compliance-audit-readiness-assessment.

About KnowBe4
KnowBe4, the provider of the world's largest security awareness training and simulated phishing platform, is used by more than 52,000 organizations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Kevin Mitnick, an internationally recognized cybersecurity specialist and KnowBe4's Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Tens of thousands of organizations rely on KnowBe4 to mobilize their end users as their last line of defense.

The MarketWatch News Department was not involved in the creation of this content.

Oct 13, 2022 (The Expresswire) -- According to this latest study, In 2022 the growth of HIPAA-compliant Email Market is projected to reach Multimillion USD by 2029, In comparison to 2021, Over the next Seven years the HIPAA-compliant Email Market will register a magnificent spike in CAGR in terms of revenue, In this study, 2021 has been considered as the base year and 2022 to 2029 as the forecast period to estimate the market size for HIPAA-compliant Email.

The MarketWatch News Department was not involved in the creation of this content.

AUSTIN, Texas, Oct. 7, 2022 /PRNewswire/ -- 360training has officially stepped into providing regulatory and compliance training for Healthcare after acquiring HIPAA Exams in April of 2022. It has launched 46 HIPAA, Nursing, and Infection Control courses as part of its new Healthcare Vertical. Their up-to-date, comprehensive catalog of IACET-approved courses safeguard patient privacy, meeting HIPAA, OSHA, and CDC standards.

Hospitals looking to stay HIPAA compliant can find training suited for various medical and healthcare-adjacent services.

Hospitals looking to stay HIPAA compliant can find training suited for various medical and healthcare-adjacent services, with courses on HIPAA Privacy and Security Rules that will reduce exposure to violations.

In addition to courses for healthcare workers, 360training's healthcare vertical has courses for business associates and administrators, sales professionals, and general staff members. Businesses that provide healthcare safety training ensure occupational safety, prevent infectious transmissions, and protect the overall health of employees.

About HIPAA Exams

HIPAA Exams, a division of Engaging Training Solutions Inc, is an IACET accredited business. They specialize in professional and management development training with primary focuses on health care, workplace safety, and legislative compliance. HIPAA Exams began in 2008 as an online learning system for hospitals. The company soon expanded when Massachusetts General, Scripps, and the U.S. Air Force asked HIPAA Exams to develop content for Registered Nurses specific to Joint Commission (JC) compliance.

About 360training

360training is an integrated digital training and compliance platform for highly regulated industries. Through a unique combination of differentiated technology and deep regulatory expertise, 360training enables professionals to attain jobs and maintain industry-mandated requirements while helping organizations develop their workforces and remain compliant. 360training's robust, proprietary content library offers over 6,000 courses across major business verticals: Environment Health & Safety, Food & Beverage, Real Estate, Healthcare, Financial Services, and more.

Story continues

Since 1997, 360training.com, Inc. has delivered over 11 million training plans across multiple brands, including HIPAA Exams, Meditec, AgentCampus, VanEd, TIPS, OSHAcampus, OSHA.com, and Learn2Serve. Please visit www.360training.com or their social media accounts on Facebook, Twitter, and LinkedIn to learn more.

View original content to get multimedia:https://www.prnewswire.com/news-releases/healthcare-courses-by-hipaa-exams-now-available-on-360training-301643798.html

SOURCE 360training.com