Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Proving HIPAA Compliance

Posted on September 9, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Given the name of this blog, I get a lot of people asking me about HIPAA compliance. Many of them that are new to the industry are looking for some sort of regulating or certifying body that they can go to in order to be HIPAA compliant.

Unfortunately, there is no body that can audit you and basically certify that you’re HIPAA compliant. HIPAA is basically a self certification, so you can just claim “compliance.” However, if a real audit happens, you better make sure your ducks are all in a row and that you are actually complying. While there is no body that certifies HIPAA compliance, there are pretty specific guidelines on what you need to do to be HIPAA compliant.

When companies and organizations ask me what they need to do to be HIPAA compliant, I usually suggest they start with these HIPAA trainings from one of my partner companies, 4MedApproved: http://bit.ly/191zR9N (20% discount if you use the code healthcare20 since I’m a partner). The HIPAA compliance officer training will teach you what you need to do and it includes HIPAA documentation templates you can use along with business associate agreement forms. Then, the HIPAA workforce trainings are good to train the rest of your staff. With this training and documentation, you’ll feel much more comfortable saying you’re HIPAA compliant and having something to show for it. You’ll also learn what other places you might be lacking when it comes to HIPAA compliance.

I had someone on a LinkedIn discussion about a breach suggest that organization should regularly train their staff on HIPAA. Turns out that doing so isn’t just a good idea, but is also a HIPAA requirement. Having some sort of proven HIPAA training that you’ve completed is one step in the right direction of proving your HIPAA compliance.

The other major step an organization should take is doing a full HIPAA risk assessment. Many organizations are doing this since they’ve had to in order to get meaningful use money. However, even those organization who aren’t asking for the EHR incentive handout are still required to do a HIPAA risk assessment.

What are you doing in your organization or company to prove HIPAA compliance?

4Med Health IT Courses – HIPAA Training, ICD-10 Training, PQRS Training and More

Posted on January 21, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

As most of you know, I’ve been sharing a number of different 4Med approved education courses on this site and throughout my various social media channels. I think 4Med’s done a pretty good job putting together training courses that matter to those of us in Healthcare IT. For example, they have HIPAA courses, EHR Courses, ICD-10 courses and they recently added a course on PQRS which I haven’t seen anywhere else. As a partner, those links and the discount code “healthcare20” will get you a 20% discount off the course price. Plus, many of the courses include CMEs for those that need them.

What’s also been amazing to me is how many people I work with sell the 4Med courses as well. Everyone from health IT service providers to EHR consulting companies are signed up as 4Med affiliates and are suggesting these courses to their clients.

It makes sense why so many people are interested in these training courses. HIPAA Omnibus has led many to take another look at their HIPAA compliance. One of those requirements is to have regular HIPAA training. ICD-10 is bearing down on us and many aren’t ready and so ICD-10 training is going to be huge over the next 6 months. PQRS penalties are coming and many have no idea how the PQRS program even works. Hopefully these training courses can be useful for many of you.

Top 5 Tips for HIPAA Compliance

Posted on December 17, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Manny Jones, health care solution manager at LockPath, recently sent me 5 tips to consider in order to meet HIPAA guidelines. It addresses some of the following questions: What does the HIPAA Omnibus rule mean for me? How do I know if I’m compliant? Where do I even begin?

This list of 5 tips are a good place to start.

1. Be prepared for more frequent audits and a fine structure based on knowledge – The new tiered approach means organizations can face much higher fines if they’re not in compliance with the rule.

2. Update Notice of Privacy Practice (NPP) – These should explain that individuals will be notified if there is a breach, disclosures around areas that now require authorizations, and more. Once updated, organizations should redistribute to patients and others to ensure they’re aware of changes.

3. Develop new processes – These should address additional restrictions on use or disclosure of protected health information (PHI).

4. Identify assets containing PHI – Once an organization has an inventory of these assets, they can determine where safeguards/breach notification obligations apply.

5. Understand the new definitions – Organizations should understand how “breach” and “business associate” are now defined and how they apply to their organization.

For those wanting to really dig into the details of HIPAA compliance, you’ll want to consider a HIPAA Compliance training course. These are easy online courses for both the HIPAA privacy officer or your staff. As is noted above, more frequent audits and fines are coming.

Windows XP Won’t Be HIPAA Compliant April 8, 2014

Posted on December 12, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

As was announced by Microsoft a long time ago, support for Windows XP is ending on April 8, 2014. For most of us, we don’t think this is a big deal and are asking, “Do people still use Windows XP?” However, IT support people in healthcare realize the answer to that question is yes, and far too much.

With Microsoft choosing to end its support for Windows XP, I wondered what the HIPAA implications were for those who aren’t able to move off Windows XP before April 8. Is using Windows XP when it’s no longer supported a HIPAA violation? I reached out to Mac McMillan, CEO & Co-Founder of CynergisTek for the answer:

Windows XP is definitely an issue. In fact, OCR has been very clear that unsupported systems are NOT compliant. They cited this routinely during the audits last year whenever identified.

Unsupported systems by definition are insecure and pose a risk not only to the data they hold, but the network they reside on as well.

Unfortunately, while the risk they pose is black and white, replacing them is not always that simple. For smaller organizations the cost of refreshing technology as often as it goes out of service can be a real challenge. And then there are those legacy applications that require an older version to operate properly.

Mac’s final comment is very interesting. In healthcare, there are still a number of software systems that only work on Windows XP. We’re not talking about the major enterprise systems in an organization. Those will be fine. The problem is the hundreds of other software a healthcare organization has to support. Some of those could be an issue for organizations.

Outside of these systems, it’s just a major undertaking to move from Windows XP to a new O/S. If you’ve been reading our blogs, Will Weider warned us of this issue back in July 2012. As Will said in that interview, “We will spend more time and money (about $5M) on this [updating Windows XP] than we spent working on Stage 1 of Meaningful Use.” I expect many organizations haven’t made this investment.

Did your HIPAA compliance officer already warn you of this? Do you even have a HIPAA compliance officer? There are a lot of online HIPAA Compliance training courses out there that more organizations should consider. For example, the designated compliance officer might want to consider the Certified HIPAA Security Professional (CHSP) course and the rest of the staff the HIPAA Workforce Certificate for Professionals (HWCP) course. There’s really not much excuse for an organization not to be HIPAA compliant. Plus, if they’re not HIPAA compliant it puts them at risk of not meeting the meaningful use security requirements. The meaningful use risk assessment should have caught this right?

I’m always amazed at the lack of understanding of HIPAA and HIPAA compliance I see in organizations. It’s often more lip service than actual action. I think that will come back to bite many in the coming years. One of those bites will likely be organizations with unsupported Windows XP machines.

Can Providers Cope With EMR Security Challenges?

Posted on June 15, 2011 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Boy, back in the good old days, protecting patient data was comparatively easy. All you had to do was make sure that nobody got their hands on a patient’s paper chart who shouldn’t be looking at it.

After all, simple stuff like locking file rooms and making sure charts never get left in a public place are pretty easy to understand. Sure, paper records get stolen or rifled through now and then — no system is perfect — but putting processes in place to prevent unauthorized chart access isn’t that complicated.

On the other hand, introducing electronic medical records  — plus e-prescribing, digital sharing of lab results and more — is a completely different kettle of fish.

For one thing, providers must control access to medical information stored in their EMR in a far more sophisticated way than they had with paper charts.  For example, while role-based access to data may not sound too threatening to your average IT boss, it’s not exactly intuitive if you’re not a geek. Figuring out just who should get access to what gets a lot more complicated than when you used to just have to pull and route a chart.

Another issue: few clinicians know much about data security, and it’s not likely that they’re going to suddenly get wildly excited about encryption or VPNs.  Sure, you can warn them that it comes down to whether some random stranger (or even a staff member) will steal their patients’ Social Security numbers or broadcast medical secrets. But it’s just about impossible to explain security issues without wandering into scary jargon that will alienate the heck out of many doctors.

Of course, healthcare organizations can make sure their clinicians are trained to understand the importance of  securing their EMR. And they can even explain why specific types of security measures will limit their HIPAA exposure, the best pitch you can make to non-techies.

Still, the bottom line is that moving from paper to EMRs isn’t just a change-management exercise. It forces clinicians to think about how they use, distribute and share data on a profound level. I hope it does, anyway…cause if providers aren’t ready to think about these issues, things aren’t going to be pretty.