NAID: NAIDnotes

Common misconceptions about HIPAA and data destruction

In my blog next Tuesday, I will continue my pricing thread about why secure destruction professionals aren't willing to do what's necessary to get out of the commodity rat race. But today I am going to mix it up by shedding light on a few Health Insurance Portability and Accountability Act (HIPAA) misconceptions in our industry. Probably the most common HIPAA misconception is that it requires the destruction of protected health information (PHI). It doesn't. Nowhere in any of the five HIPAA rules does it say a word about data destruction, particle size, or anything about how or where PHI has to be destroyed.

What it says is that covered entities are required to prevent unauthorized access to PHI. That's it. But even such a vague directive was enough to get health care organizations to outsource their data destruction. Before that, they were simply throwing the records away or selling the paper to a recycler.

The U.S. Department of Health and Human Services (HHS) gave some direction that it expected data to be destroyed when discarded. That expectation regarding destruction came when HHS was asked for an example of what was meant by physical safeguards to prevent unauthorized access. The example it provided, completely separate from the law itself, was "for instance, the destruction of discarded PHI."

Still, destruction was not specifically required by the law. In fact, a few years ago, a consultant in the Midwest caused some trouble when he convinced health care organizations they did not have to shred at all. He took the position that recycling was enough because, if done with some control, it still prevented unauthorized access to PHI. He convinced hundreds of organizations they could save a lot of money using this loophole. Eventually, that trend died, although there are still some health care organizations relying on recycling instead of destruction for security.

Now, you might think the Health Information Technology for Economic and Clinical Health (HITECH) amendment to HIPAA added a destruction requirement. It did not. HITECH did, however, add the Health Data Breach Notification provisions, stating that if there was a security breach, the authorities, media, and patients must be notified. Further, it stated that improperly discarded paper and electronic equipment containing PHI would be considered a security breach. HHS later issued guidance that said encrypted or wiped hard drives and paper that was made practicably unreadable would not be considered a security breach when discarded.

In reality, there is no reason for concern over this technicality. Even though data destruction is not specifically required in writing by HIPAA, it is a requirement. Like every other data protection law on the books, HIPAA is based on the reasonableness principle. No one could ever say it was reasonable to discard information without destruction and still meet the requirement to prevent unauthorized access to PHI.

It is still important that destruction professionals know the distinction and talk about it correctly in the marketplace. To say HIPAA requires data destruction is not accurate. It is better to say HIPAA requires the prevention of unauthorized access to PHI, which, in turn, necessitates destruction.

It remains to be seen whether clearer requirements for destruction will emerge in the long overdue HITECH Final Rule. You can bet you'll hear from NAID as soon as it's published.

04/09/2017

Encrypt or Decrypt sensitive data using AES

Encrypt or decrypt email messages; encryption and decryption online; encode or decode strings.

Email encryption refers to encryption, and often authentication, of email messages, done in order to protect their content. Sometimes you want additional protection for your e-mail communication to keep it from unwanted eyes. Supported encrypt/decrypt modes: FERON-74, GILA7, HAZZ-15, MEGAN-35, OKTO3, TIGO-3FX, AER-256, ARMON-64, ATOM-128, BASE-64, ESAB-46, EZIP-64, TRIPO-5, ZARA-128, HINDIA-4X, KOREX-3S, ARABICA-2RS, CHINZO-72C, JAPOO-C2S, ZONG22.

Encrypt or decrypt sensitive data using AES/DES/RCA encryptors (security tools).

Free online tools for encrypting text using 128-bit AES/DES/RCA encryption. Encrypt or decrypt text online with a password of your choice using this handy tool. This is a service for securing your messages in an easy way. The CRYPO system will encrypt your message using a strong encryption algorithm so that it can be sent securely. It is a web-based online service for easy text and message encryption and protection. CRYPO: best encryption for network security.





31/08/2017

HIPAA for Professionals

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.

  • HHS published a final Privacy Rule in December 2000, which was later modified in August 2002. This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
  • HHS published a final Security Rule in February 2003. This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006 for small health plans).
  • The Enforcement Rule provides standards for the enforcement of all the Administrative Simplification Rules.
  • HHS enacted a final Omnibus Rule that implements a number of provisions of the HITECH Act to strengthen the privacy and security protections for health information established under HIPAA, finalizing the Breach Notification Rule.
  • View the Combined Regulation Text (as of March 2013). This is an unofficial version that presents all the HIPAA regulatory standards in one document. The official version of all federal regulations is published in the Code of Federal Regulations (CFR). View the official versions at 45 C.F.R. Parts 160, 162, and 164.

Other HIPAA Administrative Simplification Rules are administered and enforced by the Centers for Medicare & Medicaid Services, and include:





14/08/2017

Data Centers and HIPAA Compliance


There have been questions about what role a data center plays when it comes to HIPAA. We want to address what requirements and obligations data centers have when working with clients in the healthcare industry.

First of all, what is HIPAA? The acronym stands for the Health Insurance Portability and Accountability Act of 1996, enacted to protect the health information of patients. When you visit a doctor’s office or the emergency room at your local hospital, all the people seeing your medical history have signed some sheet of paper promising to keep your information private. This means that to disclose healthcare information, they must have your permission (or authorization from the proper authorities in cases of child abuse, etc.). HIPAA also covers how physical and electronic data is handled and secured. Healthcare entities must back up their data and have a disaster recovery plan in place. This is where data centers come in.

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted on February 17, 2009. This Act requires covered entities to disclose breaches of Protected Health Information (PHI). The covered entities and their business associates that “access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI” are required to notify the Department of Health and Human Services of any breaches. The business associates must notify the covered entity of a breach, which in turn notifies the individuals involved (patients) and HHS if more than 500 individuals were affected. By the statement above, data centers like Data Cave would be considered business associates.

The problem is that there is much speculation about what this actually means. Some data centers use HIPAA compliance as a marketing tool. Let me make something clear: there is no certification for HIPAA. A data center can be HIPAA compliant, which is what we at Data Cave consider ourselves. Some pay an outside source to come in, look around, and put their stamp of approval on the facility. For Data Cave, meeting HIPAA compliance means limiting the people with access to equipment, including our own staff. This also means notifying the proper channels when someone has been near a healthcare entity’s equipment. Most healthcare companies are going to want to manage their own equipment, which means our staff wouldn't need to touch it anyway. However, for a data center doing managed services, facility staff would be responsible. In that case the facility would enter into an agreement with the customer to maintain confidentiality. In the event of a breach, whether virtual or physical, a data center would notify the customer (the covered entity), who would in turn notify HHS if applicable.

In other words, no one can claim HIPAA certification. To take it a step further, the essence of a data center is to be secure; so in that case, aren’t we all HIPAA compliant?

To find out more about Data Cave and HIPAA compliance, call us at 866-514-2283 or Contact Us via our website.

03/08/2017