Healthcare Business Today

Your leading source for best practices across the healthcare spectrum

HIPAA

Three HIPAA Recommendations Organizations Should Consider

by Leave a Comment

By Carol Amick

According to the United States Department of Health and Human Services, approximately 70% of organizations are not HIPAA Compliant.  The Health Insurance Portability and Accountability Act, known as HIPAA mandates industry-wide standards for health care information and electronic billing, and requires protection as well as confidential handling of protected health information. According to HIPAA rules, any company that deals with protected information must have a physical network and process security measures that are followed to ensure compliance.  It may be safe to say that many organizations are still perplexed about HIPAA audits, enforcements and compliance.  As a result, the number of organizations that fail to meet compliance each year remain the majority.  To begin understanding compliance, healthcare organizations would be wise to consider three key recommendations. 

1. Analyze the past, to avoid making the same mistake twice

It is important for hospitals and healthcare facilities to look at some of the common mistakes that are repeatedly noted in HIPAA security reviews.  HIPAA states that out of all the reviews completed, there are a number of frequent compliance violations and issues that are found each year. This includes impermissible uses and disclosures of protected health information, lack of safeguards to protect health information, lack of patient access to their personal health information, lack of administrative safeguards on electronic protected health information, and use or disclosure of more than the minimum protected health information.   Protecting valuable data by analyzing past mistakes is an important step in the compliance process. 

[Read more…] about Three HIPAA Recommendations Organizations Should Consider

The Importance of Privacy Laws for Healthcare Insurance Markets

by Leave a Comment

By Matt Dumiak

Privacy regulations and legislation are topics that continue to be of concern for businesses.  News of data breaches, data vulnerabilities and compromised private information is released almost daily from businesses both small and large- some insurers included.  Legislation has recently been proposed for individual states, addressing data privacy regulations head-on.  Several states including Virginia, Vermont, Colorado, and New Jersey have all introduced related privacy regulations recently. California recently set themselves apart in the privacy space with the adoption of the California Consumer Privacy Act (CCPA), which gave citizens the rights to not only protect their own data, but to obligate businesses to disclose exactly which information has been collected about them. 

At the federal level, the United States has yet to propose a national privacy bill that would affect healthcare insurers.  Vermont recently implemented a law regulating data broker companies that buy and sell personal information.  With the new law, brokers must disclose what information they collect as well as allow their customers to opt out of collection.  Furthermore, consumers can sue data brokers if they sell any information that causes illegal discrimination. A similar law has also been proposed in Colorado that is broader, yet specifically manages personal identifying information. Individual states seem to be leading the way for data privacy regulation discussions. [Read more…] about The Importance of Privacy Laws for Healthcare Insurance Markets

Even More at Stake Than Meets the Eye with Potential HIPAA Violations

by Leave a Comment

Alexa GreenbaumBy Alexa Greenbaum

A federal court in New Mexico recently declined to dismiss tort claims asserted by a registered nurse against her employer, a government-run hospital, where she obtained treatment for a sexual assault. In denying the motion to dismiss, the court effectively rejected the federal government’s attempt to escape claims based on invasion of privacy for the disclosure of information regarding the assault (G.R. v. United States).

However, the court withheld ruling on the government’s motion to dismiss plaintiff’s claim for “negligence per se” based on the violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Instead, the court certified for the New Mexico Supreme Court the question of whether the claim fails, as there is no private right of action afforded by HIPAA. This case serves as a valuable reminder for hospitals of the broad implication of liability for disclosing private information, including the potential impact of HIPAA violations beyond mere regulatory enforcement.  

Alleged Disclosure of Treatment Leads To Court Battle

The plaintiff sued her employer, Gallup Indian Medical Center, for the dissemination of information relating to treatment she received there after she fell victim to a physical and sexual assault. Her lawsuit claims the hospital disclosed private details of the assault to coworkers who were not her direct care providers. Specifically, G.R brought tort claims for public disclosure of private facts, intentional infliction of emotional distress, negligence, and negligence per se. The claim for negligence per se – a theory whereby an act is considered automatically negligent because it violates an existing statute – was premised on the hospital’s alleged HIPAA violation.

The hospital moved to dismiss G.R.’s claims for negligence, negligence per se, and public disclosure of private facts, but the court permitted the claims for negligence and public disclosure to proceed. It found no legitimate public interest was served in publicizing the nurse’s assault, and therefore greenlighted her privacy claim. In sum, the court did not take lightly the government’s attempt to avoid liability for disclosure of private information. It declined to rule on the negligence per se claim, however, and specifically avoided answering the question of whether a HIPAA violation may legally set the standard of care for such a cause of action. [Read more…] about Even More at Stake Than Meets the Eye with Potential HIPAA Violations

Network Diversity Offers Value in the Healthcare World

by Leave a Comment

Let’s face it, the healthcare industry is constantly changing and healthcare organizations find themselves running to keep up with this rapidly shifting environment. From the uncertainty of current healthcare reform to meeting the compliance needs of Meaningful Use and EHRs and protecting growing amounts of patient information, IT decision makers are moving fast and furious to implement technologies that will support this growing data-centric ecosystem. They are also trying to do this while facing shrinking budgets and less in-house IT support to navigate these challenges, which is not an easy task.  

Whether you are part of a large urban hospital or a small rural health clinic, you’ll want to trust that a reliable communications network is in place to support your applications, data and mission-critical business operations. In addition, with healthcare organizations being at constant risk of security breaches, you have to be prepared with a reliable and secure network to avoid the threats that could impact your entire organization – and those that might put patients’ lives at risk.

Let’s explore three major considerations to help ensure you have a reliable network in place that will meet your ever-evolving needs:

  1. Migration of applications to the cloud
  2. Network diversity to fit growing needs
  3. Relying on network partners

Cloud architecture provides network flexibility

Many hospitals and healthcare organizations are moving mission-critical applications to the cloud because of the flexibility it provides. According to a 2016 HIMSS Analytics Cloud Study, 84 percent of healthcare organizations have adopted cloud-based solutions, suggesting organizations are recognizing the value the cloud offers. Hosting applications in the cloud can help you scale as you grow, collaborate with partners and patients as well as store massive amounts of patient data.

While migrating business operations or applications to the cloud will provide many benefits and help address challenges such as data growth resulting from EHRs and HIPAA regulation, it also magnifies the risk posed by single points of failure in your network infrastructure. Network outages can result from a security breach, fiber cut, power outage or other last-mile access impairment, and can result in loss of data, loss of provider and patient communications as well as lost revenue. If you lose access to the cloud and the Internet, everything can come to a halt, including providing care for your patients. Creating a secure, diverse network to avoid failure is a must because it will keep your business up and running when faced with a disruption.

The right network to fit your needs

Protecting the backbone of your IT operations is key to keeping your organization operational. With various options available, consider the type of network you have in place and ask yourself whether it creates the ultimate level of security and diversity as well as if it supports all of your business and patient-centered applications.

While some healthcare organizations realize the need for reliable connectivity, many do not have an effective network solution in place. A commissioned study conducted by Forrester Consulting on behalf of Windstream found that midmarket companies are challenged in creating true access diversity. Specifically, 65 percent are challenged by the reliability and resiliency of their links. Organizations are under tremendous pressure to effectively secure networks and data, while at the same time striving to meet the full array of regulations that have been put in place to protect them and their patients.

There is a plethora of network services to choose from that will provide end-to-end network connectivity to keep your organization fully operational and securely connected, even when the infrastructure is threatened. But you need to make sure you have the right combination of network services to address all your operational needs, which can vary greatly.

When solving for highly available connectivity for healthcare organizations, two solutions to consider include a Hybrid SD-WAN overlay network solution and Fixed Wireless as an access diversity solution. An SD-WAN solution allows seamless management of applications, as well as direct management of your network traffic in real time. SD-WAN is scalable, triggers optimal use of bandwidth and allows easy management of applications. Fixed Wireless is an attractive way to provide optimal network diversity and protection because it does not share points of failure with your fiber assets, it is highly reliable and it offers high-bandwidth speeds.

It is also important to look at your network solution end to end including power, premise equipment, building entry, diverse last mile, diverse homing to your provider’s POPs, and diverse transport method. You need to eliminate single points of failure, and the solution can combine traditional network solutions such as MPLS with newer entrants such as broadband and SD-WAN, depending on the network bandwidth needs of a specific location. This means looking beyond redundancy and asking yourself if the two last mile access loops that you have today share the same physical path? If they do they are redundant but not diverse.

Relying on IT partners

Not all healthcare organizations have an adequate in-house IT department or a reliable IT partner to help ensure they have a dependable network in place that provides full SLA-backed protection.

When your business needs outweigh the ability of your in-house staff to provide guidance on a network plan, you may need to rely on a partner or vendor. In this case, be diligent in investigating your potential partner’s experience. Be prepared to ask questions about their network experience and ask to talk to existing customers.

When searching for a network partner, select one that holds HIPAA certifications and has in place HIPAA safeguards, is willing to sign a Business Associate Agreement, has a solution backed with a stated service level agreement that provides complete, purpose-built diversity, and is continually investing in its own network. These considerations will help ensure your risks are minimized and your business is protected as best as it can be.

About the Author:

Molly True is a Healthcare Marketing Strategist at Windstream.

Prior to Windstream, Molly was at Avaya as a Senior Healthcare Marketing Manager.  She holds a Certified Associate in Health Information & Management Systems (CAHIMS) from the Healthcare Information and Management Systems Society (HIMSS) and was a national member of HIMSS while at Avaya. 

Molly has an MBA from Meredith College and a BS in Computer Science from Appalachian State University. She also has product management, and product marketing experience. 

Strict HIPAA Compliance: Playing Defense Against Cyberattacks

by Leave a Comment


As cyber-threats grow in both number and intensity, HIPAA compliance can’t be regarded as a check-off item.  A recent study by the law firm Baker Hostetler revealed that more healthcare data breaches occurred during calendar 2015 than any other type of data security event.  The report affirms previous analyses indicating that healthcare is consistently one of the sectors most affected by privacy and security violations.

Violations of HIPAA, the Health Insurance Portability and Accountability Act of 1996, are especially difficult to detect and potentially calamitous because of that difficulty.  If a single Social Security number leaves a healthcare provider’s facility, the loss can be catastrophic to the holder of that Social Security number.  Almost by definition, data losses by smaller providers don’t hit the radar, or the headlines, but that doesn’t diminish their power to do real damage.  In the case of that Social Security breach, every patient that provider serves is now a victim as well.  And smaller organizations have both a harder time being secure and being aware of their security situation. 

Every upstream provider that handles data needs to sign a BAA — a business associate agreement – in order to be in the HIPAA food chain.  A BAA under HIPAA is a sort of promissory note that the IT provider will adhere to the HIPAA law.  But a BAA doesn’t compel compliance or insulate providers from liability or responsibility — that’s why healthcare providers looking for IT support need to exercise extraordinary due diligence.  As of right now, there’s a persistent lack of clarity around HIPAA, and nothing has been tested in court.  The fact is, “HIPAA compliance” comes with disturbingly few obligations.  Perhaps owing to whatever legislative sausage-making gave birth to the law, HIPAA offers no guidance on how to follow it. [Read more…] about Strict HIPAA Compliance: Playing Defense Against Cyberattacks

5 Actions To Improve Health Care Security  

by Leave a Comment

healthcare security, cloud computing protection, asset protectionIn the face of an ever-evolving, more-sophisticated threat landscape, medical organizations continue to explore ways to protect their assets. Securing private patient data and personal information contained in electronic health records (EHR) is a challenge that demands agility and top-shelf technology today. Every organization can, and should, take measures to enhance network security and strengthen oversight protocol.

Prevent leaks with privileged asset management (PAM). Implementing strict access protocol has been used for quite some time to limit who has access to which files. However, while this step is a good start, more can be done. Based on industry research, research firm Gartner recommends administrators establish controls that address “inventory, classification and use of privileged information” within files. Monitoring how data is used, who attempts to extract or modify documents, and where record access originates helps IT teams spot potential threats, empowering organizations to identify possible problems early rather than react after a breach has occurred.

Implement training programs to enhance internal security. Everyone is concerned about external threats; however, internal threats are a significant problem some administrators fail to adequately address. Poorly trained staff members — along with disgruntled employees — may share passwords, post privileged information on social media platforms, fail to keep sensitive information in secure storage areas, or download files corrupted with malicious code. Training programs must focus on security and clearly identify the risks associated with inappropriate actions. [Read more…] about 5 Actions To Improve Health Care Security  

Your Guide to HIPAA Contingency Plan Compliance With Disaster Recovery-as-a-Service

by Leave a Comment

By Veronica Miller, Compliance Solutions Manager, Bluelock

The healthcare industry has undergone a radical digital shift in the past decade. As of 2014, more than 80 percent of U.S. hospitals adopted some type of electronic health record (EHR) system. Now, an industry that used to be dominated by thousands of tons of paper is finally shifting to a paperless way of life. The amount of data is expected to grow as technological innovations and interaction points with data proliferate.

While electronic data has brought ease to healthcare, luxury comes with dangers. Privacy, security, accessibility and continuity are among the top. HIPAA and HITECH regulations are calling for greater protection measures for personal health information (PHI) and the EHR environment.

Pressure from regulators plus major advancements in disaster recovery methodologies makes it the ideal time to establish or revamp your disaster recovery plan with Disaster Recovery-as-a-Service (DRaaS). Healthcare providers are increasingly moving disaster recovery (DR) to the cloud because of the costs and personnel required to manage a DR solution internally that will actually work when needed. [Read more…] about Your Guide to HIPAA Contingency Plan Compliance With Disaster Recovery-as-a-Service