Published on March 5, 2014
Can Your Health IT Service Provider Ensure Security For ePHI?
Outsource Strategies International www.outsourcestrategies.com Headquarters: 8596 E. 101st Street, Suite H Tulsa, OK 74133 Call: 1-800-670-2809
Outsourcing your healthcare documentation, medical coding and billing, and other back office tasks can save time and money and improve your productivity and efficiency. However, as a physician, there’s one question you should ask yourself: is my health IT service provider conscious of the security of my data? Poor IT security policies can land you in troublesome and costly penalties for HIPAA (Health Insurance Portability and Accountability Act) violations. Even a well-known institution like Idaho State University was recently penalized for a health information security breach. So before you outsource your back office tasks, it’s important to ensure that your health IT service provider has the following policies in place to secure electronic protected health information (ePHI):
Encryption for ePHI
Check whether the IT provider offers encryption for both active (in use) and inactive (not in use) ePHI. Otherwise, the ePHI is at risk of security breaches and HIPAA violations. Suppose that your medical billing service provider accesses your ePHI over an unencrypted network. Someone could intrude into the network and read the information while it is being transferred. The same applies to ePHI stored on a computer, laptop or USB drive: if the device is stolen, misplaced or lost, ePHI confidentiality is at stake. In 2012, BlueCross BlueShield of Tennessee, a leading health benefit plan company in Tennessee, paid around $1.5 million to the Department of Health and Human Services (HHS) after 57 unencrypted computer hard drives containing the protected health information of more than 1 million people were stolen.
Business Continuity & Disaster Recovery Plans
The service provider you select should have business continuity and disaster recovery plans. Even though most service providers plan how to handle an immediate service interruption, testing usually doesn’t take place until an emergency occurs! This is a bad practice. So ensure that your service provider has a tested and proven disaster recovery plan in place. This will reduce wait time for updates, for you as well as your patients.
Proper Shredding of ePHI
Data breaches may occur if patients’ health information is not disposed of safely and securely. For data stored electronically, the potential for unauthorized access, erasure, alteration or loss is high. Even after documents are deleted from the recycle bin, they remain exposed to unauthorized access via hard disk recovery. When disposing of data stored on computer disks, the disks need to be erased several times, and it should be verified that the data cannot be recovered from them. The service provider should be able to account for when, how and under what circumstances the ePHI was destroyed.
Identify Data Breaches
Most data breaches are difficult to detect. According to the Verizon Data Breach Investigations Report 2013, around 66 percent of data breaches took months or even years to discover. So you should ensure that your service provider has an effective system (anti-virus software, malware detection tools, advanced analytic tools) to identify different types of data breaches.
Regular Risk Assessment
Make sure that your service provider performs risk assessments regularly to address changing threats and policies, so that effective and stringent security measures can be implemented. For example, the HIPAA Omnibus Final Rule, effective from March 2013, considers even the risk of a data breach to be a violation. Changes in technology can bring about new risks. It’s important that your service provider stays up-to-date with such changes and conducts regular risk assessments to detect and deal with security violation threats.
HIPAA Business Associate Agreement
If your service provider is willing to sign a HIPAA business associate agreement (BAA) with you, this is an indication of their commitment to the security of your ePHI. The contract ensures safety for personal health information in accordance with HIPAA guidelines. The agreement should clearly show how your health IT service provider will report and respond to any kind of data breach. Also, make sure that the provider can produce evidence of routine audits, such as SSAE 16 reports or PCI certification.
The bottom line: when you outsource your documentation, medical coding or billing tasks, look for a medical transcription company or medical billing company that is HIPAA compliant.