There are four HIPAA rules anyone working with ePHI should know about.  They are:

1. HIPAA Privacy Rule
2. HIPAA Security Rule
3. HIPAA Enforcement Rule
4. HIPAA Breach Notification Rule

The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

For reference:
http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/

Business Associates, like SecureVideo, are directly accountable for uses and disclosures of ePHI that go beyond what is permitted by their BAA or by the Privacy Rule itself.

The Privacy Rule requires a Business Associate to do the following:

1. Not use or disclose ePHI in any way that its BAA or the Privacy Rule does not permit.
2. Notify the Covered Entity of any breach of unsecured ePHI.
3. Provide either the individual or the Covered Entity access to the ePHI it holds, so the Covered Entity can honor patients' right of access.
4. Disclose ePHI to the Secretary of Health and Human Services when required to do so, for example during a compliance investigation.
5. Provide an accounting of disclosures.

HIPAA Security Rule

HIPAA established the Security Rule to ensure that all covered entities (and, since the 2013 Omnibus Rule, their business associates) have implemented administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI.

There are two types of implementation specifications: “required” and “addressable.”  Wherever the Security Rule reads “required,” that specification must be implemented as written.  “Addressable” does not mean optional: you must assess whether the specification is a reasonable and appropriate safeguard in your environment and, if it is, implement it; if it is not, you must document why and implement an equivalent alternative measure that meets the same standard.  Encryption of ePHI, for example, is an addressable specification.

The HIPAA Security Rule is by far the meatiest.  We’ve devoted a whole article to it in a previous blog post.  You can find a quick link to that article here.

HIPAA Enforcement Rule

HHS’ Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. Enforcement of the Privacy Rule began April 14, 2003 for most HIPAA covered entities. Since 2003, OCR’s enforcement activities have obtained significant results that have improved the privacy practices of covered entities. The corrective action OCR has obtained from covered entities has resulted in systemic change that has improved the privacy protection of health information for all the individuals they serve. HIPAA covered entities were required to comply with the Security Rule beginning on April 20, 2005. OCR became responsible for enforcing the Security Rule on July 27, 2009.

For reference: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/

OCR enforces the Privacy and Security Rules in a few different ways:

1. Investigating complaints filed with it
2. Conducting compliance reviews
3. Outreach and education to encourage compliance with HIPAA requirements

HIPAA violations are costly. Civil penalties range from $100 to $50,000 per violation, with a maximum of $1.5 million per calendar year for violations of the same provision. Violations may also carry criminal charges, prosecuted by the Department of Justice, that can result in fines and prison time.

Penalties rise with the level of culpability and are highest when a violation results from willful neglect and goes uncorrected. To give you a picture, this table shows how the penalty amounts range by level of awareness:

table

For reference:
https://www.federalregister.gov/

Unencrypted Data

A large majority of breaches involve lost or stolen data that was unencrypted. Please remember that addressable Security Rule specifications are not optional; most are best practices in the field anyway. You still have to meet those standards, only you have the flexibility to implement them in a way that fits your workflows. Encryption is worth the effort for a second reason: the Breach Notification Rule applies only to unsecured PHI, and HHS guidance treats PHI encrypted in a manner consistent with that guidance as secured. A lost laptop whose disk is encrypted (with the key not stored on the device) generally does not trigger breach notification; a lost unencrypted laptop does.

Employee Error

Employee training and adherence to protocol are very important. Breaches have occurred when employees lost unencrypted portable devices, or accidentally sent sensitive information to a vendor and it wound up on social media networks. These incidents could have been avoided.

Data Stored on Devices

Be mindful of your laptops, smartphones, external hard drives, and other portable devices. Theft has accounted for about half of all breaches.

Business Associates

Be choosy about your partners. About two-thirds of all breaches have involved a business associate, including some of the largest breaches reported.

Luckily, not every data breach results in a fine. The key is to be able to show that you are making a reasonable effort to comply with HIPAA.

HIPAA Breach Notification Rule

The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example through encryption consistent with HHS guidance. A covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach. A breach affecting 500 or more individuals must also be reported to HHS on the same timeline, and if it affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area must be notified as well. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. A business associate notifies the covered entity, not the patients, and must do so no later than 60 days after discovering the breach so that the covered entity can meet its own deadlines.

For reference: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

In summary, HIPAA asks you to do the following:

  • Establish protections to safeguard ePHI.
  • Limit the use and disclosure of ePHI to the minimum necessary to accomplish the intended purpose.
  • Establish Business Associate Agreements (BAAs) to ensure that your service providers will also protect ePHI and only use it properly.
  • Put policies and procedures in place to restrict who has access to ePHI.  Enroll yourself and your employees in a training program on ePHI safety.  Periodically review your procedures to assess how well you are keeping your ePHI secure.

There you have it!  It’s a lot to take in.  If after you’ve sat with this information you have questions, please email us at [email protected]  We’re happy to help.…


HIPAA established the Security Rule to ensure that all covered entities (and their business associates) have implemented safeguards to protect the confidentiality, integrity, and availability of ePHI.

There are two types of implementation specifications: “required” and “addressable.”  Wherever the Security Rule reads “required,” that specification must be implemented as written; whereas, if it says “addressable,” you must implement it if it is reasonable and appropriate for your environment, and otherwise document why not and put an equivalent alternative measure in place.  Addressable never means optional.

The HIPAA Security Rule is multifaceted.  For a close read, please check out the article in our Support Center article here.…


An overview

Before we delve into this topic, a note: this article is not an exhaustive list of all that is required for HIPAA compliance.  You may decide to contact an attorney or Privacy Officer to help you examine each rule thoroughly and put an action plan in place.  Our intention is to get you started with what you need to know to hit the ground running.

As a Mental Health or Medical Provider, you will be handling protected health information (PHI).  Under HIPAA, an individual practitioner is a Covered Entity because you transmit health information electronically in connection with certain transactions, such as billing, and you handle PHI during your sessions.  SecureVideo would be your Business Associate, because we handle PHI on your behalf in helping you carry out your health services.

Four rules apply to you.  Links are provided here should you want to delve in deeper:

  1. HIPAA Privacy Rule
  2. HIPAA Security Rule
  3. HIPAA Enforcement Rule
  4. HIPAA Breach Notification Rule

You will need to follow all four rules above.  Consider the first two proactive and the remaining two reactive.  The first two you must follow and create action items around.  If there is a security breach, the HIPAA Breach Notification Rule requires you to notify the affected clients without unreasonable delay, and no later than 60 days after you discover the breach of their PHI.  The HIPAA Enforcement Rule kicks in if you do not comply with the other three rules.

In a nutshell, HIPAA asks you to do the following:

  • Establish protections to safeguard PHI.
  • Limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose.
  • Establish Business Associate Agreements (BAAs) to ensure that your service providers will also protect PHI and only use it properly.
  • Put policies and procedures in place to restrict who has access to PHI.  Enroll yourself and your employees in a training program on PHI safety.  Periodically review your procedures to assess how well you are keeping your PHI secure.

Please check in for more articles related to HIPAA laws in the near future.  Do you have a specific question?  Please ask!  We may be able to help.…


Yesterday, the Syrian Electronic Army (SEA) hacked into Skype’s and Microsoft’s Twitter accounts.  The Twitter feed read, “Don’t use Microsoft emails (hotmail,outlook), They are monitoring your accounts and selling the data to governments.”  The same post also appeared on Microsoft’s Twitter feed.  Both were swiftly removed.  In a statement today, Skype representatives said, “No user information was compromised.”  What a sigh of relief, for Skype and their customer base!

We at SecureVideo want to reassure you that while internet security concerns heighten at times like these, we will always offer you peace of mind.  We are a company built from the ground up to be HIPAA compliant.  Our one-to-one connection gives you the utmost privacy in your videoconference connection.  We do not route through, record, or store your sessions on any server.  You and your practice are more secure with our videoconferencing solutions.  Because of this, we are proud to offer a system you can trust.…


Did you know that SecureVideo.com is not just for people in the medical field who need to abide by HIPAA laws?

The truth is, anyone looking for an easy, secure, low-cost video conferencing connection could use SecureVideo.  Our meetings are peer-to-peer.   That means your video session isn’t routed through any servers and it can’t be saved or recorded by SecureVideo.com, nor subpoenaed from us.   Your meetings stay confidential, as if you were talking to a person face-to-face.

In general, much of our daily communication is nonverbal.  Unlike phone calls, a videoconference lets you read more of your clients’ or associates’ nonverbal cues.  This comes in handy, especially since we spend so much time communicating electronically, missing the tone and body language that accompany the text we read.

SecureVideo customers also benefit from the scheduler included with all SecureVideo plans and branding features you get with the Individual PLUS or Enterprise Plan.   These features enable more of your clients to keep their appointments with you.   Plus, your session invites appear to come from your own videoconferencing platform: YourCompanyNameHere.securevideo.com.   How cool is that?

Video conferencing has become a necessary tool for communication in any field.  For example, lawyers can use it to gather oral statements for a deposition without expensive or lengthy travel.  Loan officers can interview their borrowers remotely and process applications in collaboration with other bank branches.  It can also give Human Resource managers a way to interview talented candidates without restricting their choices to local applicants.

You know your workflow best.  When your business calls for secure, face-to-face communication, you have options.  Try us for free.…
