You already know that you need to have a signed BAA with anyone that handles your Protected Health Information (PHI), but can you explain the key reasons why? Here are 10 need-to-know items before you sign yours.
The full title of the webinar is actually much catchier: You Mean HIPAA Applies to Lawyers? Keeping Data Safe, Clients Happy and Your License Secure.
Hosted by the American Bar Association, this webinar discusses how the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act may affect practicing lawyers that may now fall under the definition of “business associate”.
From the webinar description:
It is imperative for lawyers to determine: (1) whether they are a business associate under HIPAA (or, how they might inadvertently become one); and (2) if they are a business associate, what steps must be taken in order to assure their compliance with the new HIPAA requirements under HITECH.
This program provides a foundational background of HIPAA and HITECH and provides an overview of the following:
- How law firms become business associates (intentionally or inadvertently)
- What HIPAA requires of law firm business associates
- How to properly safeguard client data
- Unauthorized uses and disclosures
- What constitutes a “breach”
- Business associate requirements in case of a breach
- Penalties, criminal, and civil liability associated with HIPAA
- Potential other ethical conflicts caused by HIPAA as you are forced to execute contractual agreements with clients
While the live webinar already took place on April 21, 2014, an on-demand recording is freely available to American Bar Association members for the next three months. As a bonus, this webinar provides 1.5 credits for Continuing Legal Education (CLE).
If you already have an understanding of how HIPAA may regulate your interaction with your client’s data, and are looking for a HIPAA-compliant way to remotely communicate with your clients, check out how SecureVideo.com provides HIPAA-compliant videoconferencing services. You can also test our services by creating a free account, read more about us in our Support Center, or e-mail your questions to info[at]securevideo.com.…Read More
Before we delve into this topic, a note: this article is not an exhaustive list of all that is required for HIPAA compliance. You may decide to contact an attorney or Privacy Officer to help you examine each rule thoroughly and put an action plan in place. Our intention is to get you started with what you need to know to hit the ground running.
As a Mental Health or Medical Provider, you will be handling protected health information (PHI). Under HIPAA rules individual practitioners are referred to as a Covered Entity because you transmit health information during your sessions. SecureVideo would be known as your Business Associate, because we help carry out your health services.
Four rules apply to you. Links are provided here should you want to delve in deeper:
You will need to follow all these rules above. Consider the first two proactive and the remaining, reactive. The first two you must follow and create action items around. If there is a security breach, as per the HIPAA Breach Notification Rule, you will need to notify your clients immediately following a security breach of their PHI. The HIPAA Enforcement Rule kicks in if you do not comply to the other three rules.
In a nutshell, HIPAA asks you to do the following:
- Establish protections to safeguard PHI.
- Fairly check that sharing and use of PHI to a minimum, only enough to accomplish the expected outcome.
- Establish your Business Associate Agreements (BAAs) to ensure that your service providers will also preserve PHI and only use it properly.
- Put your policies and procedures in place to restrict who has access to PHI. Enroll yourself and your employees in a training program around PHI safety. Periodically review your procedures to assess how you are maintaining your PHI secure.
Please check in for more articles related to HIPAA laws in the near future. Do you have a specific question? Please ask! We may be able to help.…Read More
In a story that has been developing over the past several weeks, The Guardian disclosed last week that Microsoft has been providing the National Security Agency with access to recorded data collected on Skype, which was purchased by Microsoft for $8.5 billion in 2011.
The files provided by Edward Snowden illustrate the scale of cooperation between a number of Silicon Valley companies and the intelligence agencies over the last three years. They also shed new light on the workings of the top-secret Prism program, which was disclosed by the Guardian and the Washington Post last month.
Microsoft has collaborated closely with US intelligence services to allow users’ communications to be intercepted, including helping the National Security Agency to circumvent the company’s own encryption, according to top-secret documents obtained by the Guardian. In the past, Microsoft has been evasive when asked about the privacy of communications over its popular VOIP platform, but these disclosures have blown the lid off Microsoft’s credibility on the issue. In fact, the recent statement by Microsoft’s general counsel, attempting to rebut the Guardian’s reporting, stated that, “going forward, it assumes Skype calls will be regarded just like any other phone call – mobile or landline.”
It should now be perfectly clear that using Skype for any telemedical communications involving Protected Health Information (PHI) is a prima facie violation of the HIPAA Security Rule.
As our Chief Technical Officer has pointed out, both here and on our website, securevideo.com, we do not record any communications which use our service. All contact between practitioner and patient is direct and unmediated, so there is no way that it can be intercepted or reproduced. Your Protected Health Information is truly protected here.
Stephen C. Taylor
In June of 2012, the Alaska Department of Health and Social Services agreed to pay $1.7 million to the United States Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule arising out of the loss of a portable USB thumb drive containing electronic protected health information (ePHI).
In September of 2012, Massachusetts Eye and Ear Infirmary agreed to pay HHS $1.5 million to settle potential violations of the Security Rule arising out of the theft of a laptop computer which contained a large amount of patient information.
In each case, the HHS Office of Civil Rights charged that the providers had failed to take necessary steps to comply with certain requirements of the Security Rule, including:
-conducting a thorough analysis of the risk to the confidentiality of electronic protected health information (ePHI) maintained on portable devices;
-implementing security measures sufficient to ensure the confidentiality of ePHI that they created, maintained, and transmitted using portable devices; and
-adopting and implementing policies and procedures to restrict access to ePHI to authorized users of portable devices.
Both of these cases involved the theft of devices which contained massive amounts of unencrypted patient data. There was no evidence that any patients sustained any actual damages as a consequence of the theft of any of this information, but damages are not an essential element of the violation, and as one can see, the settlements were substantial.
And lest anyone think that the HHS watchdogs only go after the big players, in January of 2013, Hospice of Northern Idaho agreed to pay $50,000 to settle potential violations of the HIPAA Security Rule in another laptop theft case. This is the first settlement involving a breach of unsecured ePHI affecting fewer than 500 patients. It is unlikely to be the last.
The American Telemedicine Association, which advocates for wider use of telemedical technology, has projected enormous growth in the field over the next few years, and the number of companies with links on its principal website is long and varied. Most of these companies fall under the HIPAA definition of “business associates.”
A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate (emphasis added). The HIPAA Rules generally require that covered entities and business associates enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. To learn more about business associate agreements, and see a template for what HHS believes such an agreement ought to contain, visit http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html?gclid=CO3k4sTB17YCFe4DOgodT0QAkw.
It seems to me that any prudent practitioner thinking about using telemed conferencing ought to be asking her or himself at this point, “What are the risks to me and my practice of using a free VOIP technology like Microsoft’s Skype®, especially if, in the future, Microsoft decides to change the company’s Terms of Service to allow them to target advertising to users based upon the content of their communications?”
It seems clear that, to be HIPAA-compliant, a videoconferencing service must be willing and able to sign a business associate agreement. Skype and other free services do not offer this. SecureVideo.com does. We also offer live technical support, which free services can’t provide. And free services simply can’t offer the superior video quality and features needed for a professional office–we can.
To learn more about SecureVideo.com, visit our website at http://securevideo.com/.
Stephen C. Taylor
By Stephen C. Taylor, General Counsel
HIPAA – or as it is formally known, the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191 – substantially codified the way health information for virtually all Americans must be handled. Sections 261-264 of the law require the Secretary of Health and Human Services (HHS) to promulgate standards for, among other things, the electronic exchange, privacy and security of health information by those subject to its provisions (what the law and regulations call “covered entities”).
Virtually every health care provider in America who electronically transmits health information is a covered entity.
Nothing in the law proscribes videoconferencing, which – as my colleagues elsewhere on this site have described – can, in many instances, be a vastly more efficient method of conferring with a patient in a remote location, or with another provider in a distant location. But such teleconferencing, which has acquired the popular sobriquet of telehealth, is nevertheless subject to the requirements of HIPAA.
Some health care practitioners have considered using the popular VOIP (voice-over internet protocol) videoconferencing software known as Skype ®, which has grown swiftly in the last five years or so. One of the reasons for this spectacular growth could very well have been that its developers in Luxembourg had taken steps to make the service one of the most locked-down and encrypted services available for such communication.
But, as reported by Eric Jackson in Forbes last July, when Microsoft (MS) acquired Skype in May of 2011 for $8.5 billion, observers wondered how MS could justify paying so much for a service that most users pay nothing to use and lets them communicate for free with other users. MS responded by saying that they simply wanted to own the world leader in VOIP.
Well and good. But in June of 2011, MS was granted a patent for “legal intercept” technology designed to be used with VOIP services (like Skype) which would allow “silent copying of communication transmitted via the communication system.”
Perhaps this is pure coincidence. But the point is that, if Microsoft has changed the architecture of Skype – which they have neither confirmed nor denied, but which anecdotal evidence suggests has occurred – the use of Skype to transmit medical and health information could expose the practitioner who unwittingly does so to significant civil and criminal liability under HIPAA.
Civil penalties begin at $100 per individual instance of violation, and are capped at $25,000 per calendar year for multiple violations of the same type. Criminal penalties are tiered, depending upon the willfulness of the violation and the use to which the information is put, but the lowest tier carries a fine of $50,000 and imprisonment of up to one year.
SecureVideo.com offers a securely-encrypted environment for telehealth videoconferencing which is completely HIPAA-compliant. You can investigate further at http://securevideo.com. But don’t take my word for it. Practitioners are urged to consult your own attorney. But for heavens sake, do it before you decide to use Skype for telemedical conferencing. You could be taking a big risk.…Read More