September 28, 2011
Guest Post: GFI FaxMaker Solves Healthcare Customers’ Faxing Needs
Written by: John
Guest Post: This is a sponsored guest post written by James Taylor and provided by GFI FaxMaker.
HIPAA requirements are becoming a part of every technology discussion, especially within the healthcare industry. One of the biggest pain points for both doctors and dentists is faxing. The HIPAA requirements for faxing EMR/EHR records are fairly straightforward, and also fairly onerous and time consuming, and healthcare organizations are looking for better ways to do faxing. This is where GFI’s fax server software, GFI FaxMaker, steps into the scene.
Installation
Installation is easy, though it does require a domain admin account (more on that below). It can use a fax modem, FoIP SaaS service from Brooktrout, or ISDN lines, and can be installed right on your Exchange server or integrate with Exchange (or other email systems) using an SMTP connector. Install gets a 9/10.
Integration
GFI FaxMaker almost sells itself just in how easily it can be integrated into practically any client’s existing infrastructure, whether they are a private practice, or part of a huge hospital network. The email to fax and print to fax capabilities make it easy for end-users to send faxes, and helps to ensure HIPAA compliance in several ways; these include:
- Fax numbers can be pulled from the email client address book (GAL),
- Delivery confirmation reports can be automatically generated and stored with the sent faxes,
- Incoming faxes are delivered directly to the recipient; no paper left lying around, and no need for the user to go stand by the fax machine waiting for an incoming fax,
- Faxes can be stored as PDF or TIFF and routed to network shares. Practically any client’s EMR/EHR medical records program can consume these with no extra work, which makes this another way to plug directly into existing programs without writing any code.
- The ability to ‘print to fax’ makes every Windows program my clients use ‘fax capable’. Share the printer and clients can just double-click it to start faxing from any application.

Making it so easy to plug into existing infrastructure earns this a 9/10.
Fax routing flexibility
GFI FaxMaker’s routing capabilities are its best feature. You can automatically deliver faxes to users, network folders, or printers, based on several different attributes including:

If your senders’ fax machines identify themselves by CSID, you can route using that, or you can set up extensions for each user without having to get dedicated lines. Of course, it can use dedicated lines too. OCR rocks, since it can scan for the recipient’s name and deliver the fax by ‘reading’ the To: line on a cover page or finding a keyword in the body of the fax. Just don’t expect it to decipher a doctor’s handwriting.
It can also automatically archive inbound and outbound faxes as PDF or TIFF format, making it easy to import faxes into other programs or to keep a secured archive.

Most organizations are very big on electronic archiving, and they don’t have the budget to get every single doctor and PA in the practice their own fax number, so I give this a 9/10.
What I like
GFI FaxMaker installs very easily, integrates with every email environment without having to install anything on the mail server, and sets up a shared printer so users can simply print to fax. It is easy to set up, easy to understand, and just works. Getting rid of the fax machines, the stocks of ink, and all the paper left lying around that goes along with a traditional fax is great, and with no more incoming faxes hitting the output tray, there’s no chance of confidential patient information (EMR/EHR) being at risk. Considering how big a concern that is for HIPAA compliance, and how little space most offices have to ‘secure’ a traditional fax machine, this is a huge benefit and earns GFI FaxMaker a 10/10 for convenience and compliance.
What I don’t like
The one thing I don’t care for is that GFI FaxMaker wants to run under the account of a domain admin. Small offices running SBS don’t seem to care, but hospitals with Information Security departments take exception to this. Two things: no software should want to run as a domain admin, and any software that isn’t going to run as SYSTEM ought to run under a dedicated service account. If you let it run under your own user account, it will break in a couple of months when you change your password. In terms of how I rate this product, that counts off more than anything else.
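A defender’s check for the domain-admin complaint above. This is an added PowerShell example, not GFI’s or the reviewer’s code; it assumes a domain-joined host with the RSAT ActiveDirectory module installed and rights to read group membership, and it lists every Windows service whose logon account is a member of Domain Admins, noting whether that account’s password expires (the “breaks when you change your password” case).

```powershell
# Added example (not GFI's or the reviewer's code). Assumes a domain-joined
# host, the RSAT ActiveDirectory module, and read access to group membership.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$netbios = $domain.NetBIOSName
$dnsRoot = $domain.DNSRoot

# Every spelling of a Domain Admin logon name that a service may be configured
# with: DOMAIN\user and user@domain.example.
$adminLogons = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        "$netbios\$($_.SamAccountName)"
        "$($_.SamAccountName)@$dnsRoot"
    }

$findings = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($adminLogons -contains $_.StartName) } |
    ForEach-Object {
        # Recover the sAMAccountName from either logon-name form.
        $sam = if ($_.StartName -like '*\*') { ($_.StartName -split '\\')[-1] }
               else                          { ($_.StartName -split '@')[0] }
        $user = Get-ADUser -Identity $sam -Properties PasswordNeverExpires
        [pscustomobject]@{
            Service         = $_.Name
            DisplayName     = $_.DisplayName
            LogonAccount    = $_.StartName
            State           = $_.State
            PasswordExpires = -not $user.PasswordNeverExpires
        }
    }

if (-not $findings) {
    'No Windows service on this host runs as a Domain Admin.'
} else {
    # Each row is a service to move to a least-privilege service account.
    $findings | Format-Table -AutoSize
}
```

Run it on the server where the fax software was installed; a row with PasswordExpires set to True is exactly the service that will stop working at the next password change.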
I would also prefer the print drivers to be signed by Microsoft; I know that takes time, but it is a jarring warning in bold red when you go to install it on a Windows server.
The bottom line
GFI FaxMaker is an excellent faxing solution for health care organizations, whether they are private practice or attached to major medical centers. It’s easy to use, is able to integrate into existing systems, and contributes to HIPAA compliance – making itself a great solution on its own merits; the amount of time, money, and administrative support it saves your IT support helps it pay for itself in no time. I rate it a very strong 9/10, and bet you will too.
With all that it has to offer, GFI FaxMaker may be the best new application your healthcare practice has ever seen. But don’t just base it on my great experience, see for yourself.
Tags: Brooktrout • Exchange • Faxing • FoIP SaaS • GFI FaxMaker • Healthcare Fax • Healthcare Faxing • HIPAA Compliance • ISDN • James Taylor
April 6, 2011
Meaningful Use and HIPAA – The Risk Analysis
Written by: John
Guest Poster: John Brewer is the founder of HIPAAaudit.com. He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.
So far we’ve covered Information System Activity Review & Sanction Policy.
The next item to tackle for the HIPAA side of Meaningful Use is the Risk Analysis. Some may also refer to this as the Risk Assessment.
The Risk Analysis is simply a look at the way your practice operates as it pertains to PHI and your computer network.
Your risk analysis shouldn’t be a handful of questions. It should be a set of targeted questions – partly to see that your practice is doing things correctly and partly to invoke conversation to ensure you fix other areas of how your practice does business.
The risk analysis we use is just north of 100 questions…and it continually grows as technology changes and new phishing scams arrive on the scene.
How often should a risk analysis be accomplished?
Once a year is reasonable for most practices. An additional risk analysis should be accomplished anytime there is a major technological or physical change.
A technological change would include: a new EHR, a new component to your EHR, new computer network architecture, and even something as innocent as a new photocopier (more on this later).
Physical change would include any remodeling that might change the layout to the waiting area or a complete location change for the office.
Can I accomplish the risk analysis?
Sure, you or your staff may accomplish the risk analysis. Be aware though, the risk analysis can become quite technical, so you may need to have your IT staff involved, at least in part of this analysis.
But don’t be fooled, this risk analysis is not just technology based. Your risk analysis should cover areas including:
- Does the practice have a privacy window at the sign in station?
- Does the practice close the privacy window to the lobby except when speaking to a patient directly?
- Does the practice use an acceptable procedure to hide patient names on the sign-in form?
- What is acceptable? Here are a few examples:
  - Individual sign-in slips that are handed to the receptionist
  - Peel-off name labels that are removed by the receptionist and stuck to the file (yes, even in the electronic world paper still exists)
  - An electronic sign-in system – this is a fancy way of saying a computer in the lobby on which the patient signs in.
- Who has keys to the office?
- Where is the list of who has keys to the office?
- Who has the alarm code to the office?
- Where is the list of who has the alarm code?
- Is the door from the waiting area always locked?
- Does the facility have a sprinkler fire system?
- Does the server have a fire system sprinkler above it?
- Are all computers at least 3 inches off the ground?
Now we’ve hit 3 of the 4 HIPAA items in the required Risk Analysis in the Meaningful Use Core Objectives.
Next time we’ll at least start on Risk Management.
Tags: HIPAA Audit • HIPAA Compliance • HIPAA Sanction Policy • HIPAA violations • John Brewer • Meaningful Use
March 16, 2011
Meaningful Use and HIPAA – The Sanction Policy
Written by: John
Guest Poster: John Brewer is the founder of HIPAAaudit.com. He and his team help physicians run HIPAA Compliant practices in the simplest, most pain free way.
As previously mentioned, the Sanction Policy is an integral part of Meaningful Use.
What exactly is a Sanction Policy?
Quite simply, it is clarification to your staff…all staff…yes, this includes the physicians, that there are ramifications for breaking company computer policies, specifically HIPAA violations.
First, your practice must have policies. Without knowing the rules, nobody will know if they are breaking them or not.
The computer policies of a practice are the foundation on which your office will operate. The computer policies are different from the human resources company policies…or more precisely, they are separate from, but enhance, the HR policies.
For example:
- Which websites can staff go to during business hours?
- Which websites are completely banned?
- Is your staff allowed to check their personal email on office computers?
These are all policies you may think are understood by your staff, but if you do not have these policies in writing AND ensure all staff have signed a document of understanding AND have them sign this document of understanding every year…you will run into trouble.
So, this sanction policy will generally be in addition to any Human Resources sanction policy that exists (it does exist, right?). Remember, this Sanction Policy is geared toward HIPAA violations and computer use violations.
This Sanction Policy should cover:
- Initial reaction to a violation
  - Document the violation
  - Detail the exact violation to the offender
  - Document this communication
  - Initiate any company checklists that may be required depending on the specific violation
- Secondary reaction to a violation
  - Retraining
  - Re-attend Annual Awareness Training
  - Document this re-training
  - Document understanding of the violation
- Repeat violations
  - Repeat violations need to be dealt with in a solid and consistent way
  - How many repeat violations before termination?
  - Is any HIPAA violation a “counter” toward termination or should it be an exact repeat violation?
  - Is the training for repeat violations different?
As you can see, there are many parts to what appears to be a “single line” requirement within the Core Requirements for Meaningful Use.
Also note, this Sanction Policy originally reared its head in the HIPAA regulations, and yes, it is still a HIPAA requirement. As I expected, the feds are using Meaningful Use to push you toward HIPAA compliance.
Next time, the Risk Analysis (you guessed it, another HIPAA requirement).
Tags: Computer Use Policy • HIPAA Audit • HIPAA Compliance • HIPAA Sanction Policy • HIPAA violations • John Brewer • Meaningful Use
July 8, 2010
Domain Controlled Networks and Management Servers
Written by: John
Trent Peters from Umbrella Medical Systems added an interesting comment on my previous post about Domain Controlled Networks and HIPAA that I thought really added to my original post. Plus, Trent goes into a nice list of other benefits of having a “Management” server in an office. It gets a little technical for some of my readers I’m sure, but is valuable if your office is embarking on this adventure.
Here’s Trent’s comment:
This is an interesting question and can be argued either way, but again it comes down to what’s “reasonable and appropriate”. A little background: my company is an IT consultant group that works specifically in the healthcare arena offering services to medium-sized and small healthcare organizations, and we have plenty of EMR implementation experience. Over 95% of our clients are in a domain environment and we always push for an Active Directory environment if one is not present. However, in the small offices (1 – 2 providers) this can be difficult because of the initial cost and the fact it’s “server” based. Many small offices will choose a “hosted” EMR solution for the low up front cost, and adding on the extra 5 – 7K is not a valid option as the cost outweighs the benefits (from their perspective). The other 5% simply do not have the same security and manageability as the domain environments.
Any network security solution is only as strong as the weakest link. While not having a domain controller doesn’t necessarily equate to not being HIPAA compliant, it sure helps secure the environment to IT best practices. We call the Domain / Active Directory server the “Management” server because it provides more functions than just AD. For instance: WSUS patch management to make sure all computers have the latest security patches and don’t have the updates that may conflict with the EMR (some EMR software is not compatible with IE8 or SQL 2005 SP3, etc); centralized backup and client folder redirection for non-EMR critical data; a centralized monitoring platform for servers (hardware + software), workstations, UPS, networks, VPN, etc; centralized AntiVirus protection is also important to notify the support team of malicious software and vulnerabilities. Group Policy is a big part of the overall security that can manage (if properly configured) all aspects of the network including password policies, computer and user permission rights, power settings, audit controls, etc. There are many benefits to a DC / Management server, and it is the choice to achieve IT best practices (I believe MS recommends 3+ computers to be on a domain environment, although this is aggressive).
It’s nice to be able to bundle server roles (such as SQL or FAX) in order to justify the management server, but generally it comes down to cost. We hold our HIT practices to the highest standard, so our rule is that if the organization has 5+ computers, you must have a Domain Controller / Management Server in order to qualify for our full support program. We can’t justify the extra effort required to properly manage the environment without it. In those rare cases where a small organization chooses to not invest in a Domain Controller when we feel it’s required, then unfortunately we wish them the best of luck and turn down their business.
Tags: Active Directory • Domain • HealthCare IT • HIPAA Compliance • Management Server • WSUS
May 19, 2010
Fear of HIPAA Audits Despite 0.002% Chance
Written by: John
Anyone that has worked in healthcare has the palpable fear of the word HIPAA. Any time the word’s mentioned, I have this visceral emotion shoot through my body. I’m sure it’s the same for many people. HIPAA is like the nasty word that no one can argue with. Just say something is a HIPAA violation and no one can argue with you (assuming you’re right).
In the clinics I’ve worked in, there really is a desire to try and follow the HIPAA rules as best as possible. They all hate it, but they all try in good faith to follow the HIPAA rules. They likely do this because of fear of the dreaded HIPAA audit. Check out this interesting comment made on a previous post I did which puts the HIPAA audit in a new light:
Same goes for the HIPAA rules. We all spend so much effort and time to comply, yet the handful of cases arise when a disgruntled, recently fired employee becomes a whistleblower to screw their past boss and “tells all” to the feds who then pounce on the poor unsuspecting doctor to showcase their enforcement muscle. I’ve heard of anecdotal cases such as this, but I have never actually seen an office raided for a HIPAA violation or a major article on the subject in my medical journal reading. Considering that, if say, there are a dozen cases, then 12/780000 practicing doctors, my chances of a HIPAA audit are about 0.002%.
It’s a crazy world we live in. I agree that the risk of a HIPAA audit is pretty small and I think most people acknowledge this internally. Yet, people are afraid to say this publicly, because it sends a message that they don’t care about patient privacy. I think most clinics go through this amazing internal conflict. Basically, they want to support patient privacy, but they also don’t want HIPAA to get in the way of caring for patients and running their business.
The solution I believe most clinics employ: If I don’t talk or acknowledge it, then I don’t have to worry about it. Basically, ignorance is bliss. So, they address any privacy issues that come out and they try to maintain privacy generally, but few of them take it head on and make sure that they are HIPAA compliant. Should they? There’s only a 0.002% chance they’ll have a HIPAA audit.
Note 1: Hospitals are different than clinics. There are other issues related to HIPAA at hospitals.
Note 2: See, I do occasionally write about HIPAA. That’s why this website is named EMR and HIPAA. Every 6 months is about right, no?
Note 3: Patient Privacy is very important to me, so this post isn’t meant as an excuse for people to not protect their patients’ privacy. It is an attempt to discuss openly what I think is really happening with HIPAA in clinics.
Tags: HIPAA • HIPAA Audit • HIPAA Compliance • HIPAA Rules