Why Do I Need a HIPAA Compliant IT Service Provider?

Why do my “Business Associates” need to be HIPAA compliant? I have a Business Associate Agreement so I’m fine. Why do I need a HIPAA compliant IT Service Provider?

These are just some of the common questions we get on a regular basis when speaking with clients and potential clients. So really, what is the big deal about Business Associates? The detailed answer to that question could take a while, so let's just look at the simple answers.

Gone with the wind… that about sums up two things. First, the fact that HIPAA has changed a lot since the Final Rule came out in January 2013, and as of this writing the grace period is over. Gone are the days when a Covered Entity could just point the finger at a Business Associate as the cause or reason for a breach or non-compliance. “I didn’t know my IT guy was (or was not) doing that” is no longer acceptable.

Second, the famous line of the movie is sometimes what I hear from doctors that just don’t like all the regulation and changes. I can empathize with Covered Entities. As a HIPAA compliant Healthcare IT Service & Support Provider, we have to abide by many of the same regulations as well as take on the liabilities.

So let’s take a look at the biggest reason to take this Business Associate stuff seriously… liability… and lots of it. Here is how HIPAA used to read regarding Covered Entities and Business Associates:

[CFR 160.402(c)]

that was then…

(c) Violation attributed to a covered entity. A covered entity is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member, acting within the scope of the agency, unless—
(1) The agent is a business associate of the covered entity;
(2) The covered entity has complied, with respect to such business associate, with the applicable requirements of §§ 164.308(b) and 164.502(e) of this subchapter; and
(3) The covered entity did not—
(i) Know of a pattern of activity or practice of the business associate, and
(ii) Fail to act as required by §§ 164.314(a)(1)(ii) and 164.504(e)(1)(ii) of this subchapter, as applicable.

THIS IS NOW…

(c) Violation attributed to a covered entity or business associate.
(1) A covered entity is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.

(2) A business associate is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.

As you can see, the changes to the law put the burden of the actions or inactions of Business Associates right back on the Covered Entity. No longer is there an “unless”. Sure, Business Associates are now liable, but so are Covered Entities, even if they did not know what the Business Associate was doing… or not doing.

That brings us to another myth… Having a Business Associate Agreement is all you need… WRONG! Covered Entities must do their due diligence in making sure their Business Associates are compliant, and not just saying they are. Any Business Associate can sign an Agreement and tell you they are compliant and you have no idea if that is truly the case. So what does a Covered Entity do? You do your homework… or in this case… your due diligence. If someone told you they could do something and you weren’t sure they weren’t lying, what would you likely say? Prove it! That is just what you want to say to your Business Associates in the form of documentation and a targeted questionnaire. A Business Associate needs to attest to their compliance, back it up with documentation and sign a Business Associate Agreement. Furthermore, the Business Associate should keep you very much in the loop on what services or support they are providing you… especially your IT provider.

A Covered Entity’s IT provider is arguably the most critical outsourced component within your practice. As technology increases more and more within your practice, the reliance and trust in your IT provider will go up exponentially. Having the right IT provider in place is crucial to the health of your practice.

What do you do with a Business Associate that won’t comply? You find one that will. The exception is exigent circumstances, where the vendor is the only one you can get; then you should document that decision to the teeth.

Contact us and ask for our Due Diligence Kit and we will send one out to you FREE of charge to get you started on dealing with your Business Associates the right way.

If you’re interested in more information or a FREE consultation to see if Carolina Computer Concepts is right for you, mention that when you email or call and we will show you how we can help. We have very strong partnerships with key healthcare, compliance and IT vendors which allows us to offer a strategic alliance directly to our clients.

A Cloud Based EMR Does Not A Compliant Entity Make

Recently, a question came up that involved entities that said they are perfectly fine with HIPAA compliance because they use a cloud based EMR (or EHR) that takes care of all their HIPAA compliance for them.

A discussion ensued, ending with the question: This can’t really be true, can it?

I suppose someone could dream up some condition and try to argue it is true. I, however, tend to follow the statistics. The chances any group is able to have all the HIPAA compliance requirements handled by their cloud based software provider are so very tiny that I will say it cannot actually be true. Yes, some vendors may tell you just that, but the term snake oil salesman comes to mind…

Here is your check list of things your vendor must provide to take care of all your compliance for you.  If you actually do have a vendor with all this covered and documented, please let me know.  I am eager to get to know them and work with them.

Does your vendor….

  • Provide a complete and thorough Risk Analysis looking at everything you store in your office that could include PHI?
  • Know every record that comes in and out of your office and how it is managed?
  • Configure your network security and firewall?
  • Monitor your computer systems to confirm they have all their security updates and an active antivirus/malware system?
  • Provide documentation and reports that compliance activity is taking place and reviewing the results?
  • Confirm data you exchange with every single business associate you work with is secured and protected properly?
  • Confirm your Business Associate Agreements are properly in place with every entity with which you have a BA relationship?
  • Perform due diligence with all your Business Associates?
  • Update your Notice of Privacy Practices (NPP) to make sure all cases your office should cover are included properly?
  • Confirm you post your updated NPP properly to meet the new requirements?
  • Create a complete disaster recovery and business continuity plan that covers all aspects of your operation being functional?
  • Complete a physical site security checklist and determine all your physical safeguards are adequate and properly documented?
  • Review your administrative safeguards to confirm they are adequate and meet the required and addressable elements properly with documentation of same?
  • Create and monitor a plan for disposal of all media and equipment that may contain PHI – like printers and copiers?
  • Create and document a breach response plan?
  • Create, monitor and execute a training plan for every member of your staff regarding HIPAA terms, requirements, acceptable uses and disclosures, how to identify a breach, what your own internal policies and procedures require for HIPAA and more?

Should I go on, because there is more?  For now, I will just leave it at that.

Don’t get me wrong. There are a lot of HIPAA things, in the Security Rule especially, that you can outsource to your cloud software provider. But even those things don’t relieve you of responsibility. It is up to you to make sure you document completely and audit regularly to make sure those functions like backup and recovery of the data they maintain, up-time guarantees, encryption at rest and in transit, password and user access controls, etc. are actually working as required.

The wall of shame is full of CEs and BAs that thought someone else was taking care of their compliance.  You can’t just say someone else is doing it for me.  If you do, you probably need more training before making your final HIPAA decisions and, of course, detailed documentation of those decisions.   It really takes time and effort on every entity’s part to create their culture of compliance that is really required to make an honest stab at HIPAA compliance in your office.

All this is really a question any CE or BA should be asking themselves no matter who their vendor may be.  Do we have all these things covered?  If you don’t then you definitely need to consider getting some help.  There is a lot to do and you can’t just “mail in” your compliance requirements.


Re-posted with permission. Original post located here.

What is Reasonable and Appropriate for Your Specific Environment

These days we deal with resistance and denial towards HIPAA compliance. There are many reasons given for incomplete or ineffective compliance programs. We have heard everything from long rambling rants against the government, claims of “not applicable to me” and plenty of “we don’t have the _____” (fill in: time, money, resources) to explain away the compliance gaps.

There is, however, one case that concerns me when we find it. A practice or business is given a standard list of HIPAA Security implementation recommendations. The problem is that the list of recommendations doesn’t always include a review of what is reasonable and appropriate for the specific environment. The result is a group frozen by fear, sticker shock or, worse, paying for services and equipment that may be overkill for them. The Security Rule explains in the General Rules section just what should be considered in determining what is reasonable and appropriate for a specific environment (emphasis added):

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.

Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:

  • Its size, complexity, and capabilities,
  • Its technical, hardware, and software infrastructure,
  • The costs of security measures, and
  • The likelihood and possible impact of potential risks to e-PHI.

No, this doesn’t mean you can decide you are so small and the rules are too complex to follow them at all. That is definitely not what reasonable and appropriate means in this context. What it does mean, though, is that you can determine how to implement the standards, both required and addressable, but apply these considerations to your implementation plans.

Our approach is to always define the environment before defining the plan. The Security Risk Analysis is first in the list of requirements for a reason. But, keep in mind, that even the tasks performed in the Risk Analysis should be confirmed as reasonable and appropriate for your specific environment.


Reposted with permission from: http://smallproviderhipaa.com/2013/10/31/what-is-reasonable-and-appropriate-for-your-specific-environment/

**Warning** New Ransomware Targets Businesses

Security researchers from Emsisoft have come across a new ransomware family which they’ve dubbed CryptoLocker, or Trojan:Win32/Crilock. This particular piece of ransomware is designed to encrypt files on the infected device and keep them that way until a ransom is paid by the victim.

Interestingly, the files targeted by CryptoLocker are not ones that might be considered important by home users. Instead, the targeted files have extensions such as odt, doc, docx, xls, xlsx, ppt, pptx, mdb, accdb, rtf, mdf, dbf, psd, pdd, jpg, srf, sr2, bay, crw, dcr, kdc, erf, mef, mrw, nef, nrw, raf, raw, rwl, rw2, ptx, pef, srw, x3f, der, cer, crt, pem, and p12.

This shows that the threat is designed to target businesses, to which the content of these files might be of great value.

According to experts, the ransomware is distributed via emails that inform recipients of customer complaints. The file that’s attached to these notifications is a downloader that’s designed to retrieve the actual malware.

Once it infects a device, CryptoLocker creates a registry entry to make sure it starts at every boot. Then, it establishes communications with its command and control (C&C) server. First, it attempts to contact a hardcoded IP address. If that fails, apparently random C&C domains are generated based on a domain generation algorithm.

After a C&C server is found, the malware starts communicating with it via traffic that’s encrypted using RSA encryption.

“Using RSA based encryption for the communication not only allows the attacker to obfuscate the actual conversation between the malware and its server, but also makes sure the malware is talking to the attacker’s server and not a blackhole controlled by malware researchers,” Emsisoft experts noted in a blog post.

Finally, CryptoLocker looks for the aforementioned files and encrypts them using AES. Unfortunately, it’s impossible to decrypt the files without the AES key, which is stored on the C&C server and accessible only to the attacker.

However, users are advised not to pay up. Remove the infection with an antivirus program and restore the encrypted files from a backup, assuming you have one.
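The behaviour the article describes (one process rewriting many business files with the listed extensions in quick succession) is something a defender can watch for. The following is an added example, not code from the original article, from Emsisoft or from Carolina Computer Concepts; the "timestamp,process,path" event format, the process names and the paths are constructed for the example.

```python
"""Heuristic detector for a CryptoLocker-style mass-rewrite burst.

Added example; it is not code from the original post, from Emsisoft or from
Carolina Computer Concepts. It reads file-modification events in a
hypothetical "timestamp,process,path" text shape (constructed below) and
flags any process that rewrites many files carrying the business document,
photo and certificate extensions the article lists within a short window.
Real Sysmon/auditd/EDR records would have to be mapped into that shape.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The extensions the article quotes as CryptoLocker's targets.
TARGET_EXTENSIONS = frozenset("""
odt doc docx xls xlsx ppt pptx mdb accdb rtf mdf dbf psd pdd jpg srf sr2
bay crw dcr kdc erf mef mrw nef nrw raf raw rwl rw2 ptx pef srw x3f der
cer crt pem p12
""".split())


def extension_of(path):
    """Return the lower-cased extension of a Windows or POSIX path ('' if none)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_events(text):
    """Parse 'ISO-timestamp,process,path' lines into (datetime, process, path)."""
    events = []
    for line in text.strip().splitlines():
        ts, proc, path = line.split(",", 2)
        events.append((datetime.fromisoformat(ts), proc, path))
    return events


def detect_bursts(text, threshold=10, window=timedelta(seconds=60)):
    """Map process -> peak number of distinct targeted files it modified
    inside any `window`, for processes that reached `threshold` or more.

    Counting distinct paths (not raw events) keeps a legitimate program that
    autosaves one document every few seconds from tripping the rule.
    """
    per_proc = defaultdict(list)
    for ts, proc, path in parse_events(text):
        if extension_of(path) in TARGET_EXTENSIONS:
            per_proc[proc].append((ts, path))

    alerts = {}
    for proc, touched in per_proc.items():
        touched.sort()
        in_window = Counter()      # path -> occurrences inside the window
        start = 0
        for ts, path in touched:
            in_window[path] += 1
            # Slide the window start forward past events older than `window`.
            while ts - touched[start][0] > window:
                old_path = touched[start][1]
                in_window[old_path] -= 1
                if in_window[old_path] == 0:
                    del in_window[old_path]
                start += 1
            if len(in_window) >= threshold:
                alerts[proc] = max(alerts.get(proc, 0), len(in_window))
    return alerts


def constructed_events():
    """Constructed sample log: ordinary edits, a backup job that writes many
    non-targeted files, and a ransomware-like burst over shared documents.
    Process names and paths are invented for the example, not indicators."""
    lines = [
        "2013-10-15T09:00:01,winword.exe,C:\\Users\\jane\\Docs\\notes.docx",
        "2013-10-15T09:03:10,excel.exe,C:\\Users\\jane\\Docs\\budget.xlsx",
        "2013-10-15T09:04:45,winword.exe,C:\\Users\\jane\\Docs\\letter.doc",
    ]
    # Many writes, but .bak is not a targeted extension: must not alert.
    for i in range(15):
        lines.append(f"2013-10-15T09:05:{i:02d},backup.exe,D:\\Backups\\set{i}.bak")
    # Twelve distinct targeted files (scan.pdf is not on the list) rewritten
    # within 25 seconds by one process: should alert.
    docs = ["report.docx", "clients.xlsx", "deck.pptx", "db.accdb", "scan.pdf",
            "photo.nef", "cert.pem", "key.p12", "memo.rtf", "ledger.mdb",
            "design.psd", "pic.jpg", "site.crt"]
    for i, name in enumerate(docs):
        lines.append(f"2013-10-15T09:10:{2 * i:02d},evil_sample.exe,"
                     f"C:\\Shares\\Office\\{name}")
    return "\n".join(lines)


if __name__ == "__main__":
    for proc, peak in detect_bursts(constructed_events()).items():
        print(f"ALERT: {proc} rewrote {peak} targeted files within 60 s")
```

The threshold and window are tuning knobs; a scanner or indexing service that legitimately touches many documents would need an allow-list entry rather than a looser threshold.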

How does your business or practice combat such a potentially devastating infection? First, you need security and protection. At the minimum we recommend a really good antivirus software along with monitoring to ensure it is always up-to-date and scanning as scheduled. It does no good to have antivirus if you aren’t sure it’s performing properly at all times. Second, you need a proven backup solution with versioning. If you have never tried to recover from your backup, then do you really know it will work? We have plenty of backup and recovery horror stories I could tell.

If you need help in these areas give us a call.  We can help with managed antivirus, network security and backup/recovery solutions for any size business.  Don’t wait until you’re a victim, get help now.

OCR Issues Model Notices of Privacy Practices

As the compliance date for the final Omnibus HIPAA privacy and security rule looms (September 23, 2013), the Office for Civil Rights and the Office of the National Coordinator for Health Information Technology lend a helping hand to covered entities by publishing model Notices of Privacy Practices (NPP) for health care providers and health plans. The Omnibus Rule implements a number of changes required under HITECH, including “material” changes to NPPs.

The model NPPs reflect these changes and are designed to help covered entities meet their obligation to develop and distribute clear, user friendly notices. The agencies also provided optional formats for the NPPs:

  • Notice in the form of a booklet;
  • A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
  • A notice with the design elements found in the booklet, but formatted for full page presentation; and
  • A text only version of the notice.

Note to covered entities: The agencies state that the model NPPs reflect the regulatory changes of the Omnibus Rule, and can serve as a baseline for compliance. Covered entities will still have to tailor the notices to their particular circumstances and insert information specific to their organizations. In addition, covered entities should review the rules for how and when notices need to be provided. See 45 CFR 164.520. For example, NPPs generally can be provided by email provided the recipient has consented. Also, if a covered entity maintains a website about its customer services or benefits, it must prominently post the NPP on that site.

Coffee Shops Limit Wi-Fi To Discourage ‘Laptop Hobos’

BOSTON (CBS) – It is a common sight in coffee shops all over the area: a person with a cup of coffee, an opened laptop, and no intention of going anywhere. These patrons have even earned themselves a nickname: “Laptop Hobos”.

Some shops, overwhelmed by people surfing the web and holding business meetings, are developing more restrictive policies with their Wi-Fi. Disputes over outlets and cords dragged across busy lobbies are also common problems.

Ken Kavanaugh, a regular patron at Fuel America in Brighton, knows he can fit this bill. “I am probably a laptop hobo. I’ve been a free bird since last July and I spend most of my time at coffee houses. That is where I have my meetings.”

Like most cafes, Fuel America offers free unlimited Wi-Fi. Jeff Bonasia, managing director, said, “It really has become a cost of entry into the coffee house-cafe market. It is what people expect.”

Bonasia said he doesn’t require any purchases to tap the Wi-Fi, and he publicly posts the access code. He thinks these long term patrons create a lively atmosphere and he has never asked anyone to leave. Sometimes the requests can be pretty bold at Fuel America, however.

“They actually said it would be great if you had printers in the back so we could print stuff,” said Bonasia with a smile.

Not all coffee shops or restaurants are so generous with the free Wi-Fi. Some are beginning to set limits, or eliminate it altogether. Michael Oshins, a professor of hospitality at Boston University, said it is a predicament for these outlets. “All of a sudden it kind of snowballs into, I can stay here for, this can actually become my office, I don’t have to pay rent any more, this can become my free space.”

That is why Peet’s Coffee now limits Wi-Fi to paying customers who are “Actively enjoying their food or beverage.”

Panera is cutting computer users off after a half hour during their busiest hours.

Fuel America patron Suzanne Mello says policies like that are too severe. “I would probably just go to another store if that is the case. Wherever I can get free Wi-Fi and AC and they let me stay is good.”

Oshins believes these shops have a tough balance to achieve. They obviously need paying customers, but there is also value in looking busy. “It’s like, this place is happening. I want to go there. So all of a sudden it creates that customers become part of the environment or the ambiance, if you will, and all of a sudden it is more welcoming,” said Oshins.

Reposted from here

Workers Reluctant to Follow Company BYOD Policy

Even at companies with BYOD (bring-your-own-device) policies, users may still be reluctant to officially register their tablets and smartphones with IT, instead preferring to covertly access the network. That’s according to a new study that shows employees are concerned about losing their personal data if they officially register their devices with the IT organization at their company. To ensure compliance with policies, managed services providers (MSPs) may need to win over employees of small and mid-sized businesses (SMBs) with promises to protect personal data.

Aruba Networks, Inc. (ARUN) conducted the survey of more than 3,000 employees around the world. American respondents, specifically, fear the loss of personal data more than respondents in other regions of the world, the study revealed. Around 66 percent of American respondents claimed that they fear the loss of data, compared to the 45 percent of Europeans and 40 percent of Middle Easterners who felt the same.

More than 50 percent of Americans said their IT department takes no steps to ensure the security of corporate files and applications on their personal devices, a concern that has forced many employees to keep personal devices away from IT departments. Seventeen percent of Americans have not told their employers that they use a personal device for work. If you think that’s frightening, keep reading.

Eleven percent of American respondents said they would not report a compromised device, while 36 percent said they would not report leaked data immediately.

According to the survey, these numbers come from a distrust of IT departments and employee fear about what IT may do with personal data. Forty-five percent of respondents in the United States worry about their IT department’s access to personal data.

Should MSPs include policies and guarantees to customers’ employees on personal data?

There need to be incentives from the company to persuade employees to follow BYOD policy.  Furthermore, there must be a culture of transparency and trust from IT to help calm the fears workers have.

Our Mobile Device Management (MDM) solutions allow our technicians and engineers to monitor and manage the mobile device, but they do not have access to personal items such as text messages or pictures. If there is ever a question of what we can or cannot do, we give the client a complete tour of our MDM platform.

The importance of a highly secure IT environment coupled with the lack of adherence of workers to BYOD policies gives rise to major concerns.  Companies of all sizes need to rethink their policies and procedures regarding BYOD.  Also, ensure the MSP or IT provider is trustworthy and operates in complete transparency.  The goal is to protect your company, your IT environment, your customers and your employees.

Companies, especially small businesses, that ignore BYOD are playing Russian roulette. Every day, workers are using secure business networks to do things on their mobile devices which are highly unsecured and dangerous to the IT environment. For some verticals, such as healthcare, these oversights can lead to a breach and bring disastrous implications.

Want to have a discussion about protecting your business and your employees? Give us a call to find out how we can help.

10 Reasons to Use CRM software Within Your Business

When it comes to using CRM software, there are a number of reasons why you want to use it. You need to do all you can to give your business the edge within the marketplace. Customer relationship management software allows you to focus more on your customers, which in turn will fuel your business for success.

1. More information. When you use CRM software, you have more information about your customers. This includes learning about where they are, what age category they fall into and much more.

2. More customer details. Customer details can help you reach out to customers at more times throughout the year. When you have their birthday and anniversary dates, you can send them emails and reminders, which will help your business be thought of in a more personable way.

3. Better demographic information. There is a lot of demographic information available within CRM software. You need to know who your target audience is. If you didn’t know it prior to using the software, you will by the time you have used it a few times because of the data it is collecting with each order that you take and with each new customer you establish.

4. Create marketing promotions. When you have more information about your customers, you can create more effective marketing promotions. This includes putting specific items on sale as well as deciding how you want to market to your customers – be it Facebook, mobile phones, direct mail or some other strategy.

5. Make suggestions. Suggestions can be made to customers when you use CRM software. When you see what the buying patterns are, you can use your inventory of products to determine what it is that they are likely to want. As you make suggestions, you can increase your sales and become more profitable.

6. Sell more. Suggestive selling is a great way to sell more. Just as restaurants use suggestive selling, you can do the same within your own business.

7. Compete with other businesses. You need to compete with the other businesses out there and CRM software helps you do that. Customers will stray to the competition from time to time – unless you are doing all you can to keep them focused on you and your business.

8. Stay on the brain. When you send more emails specifically for specific groups of people, you can stay on the forefront of your customers’ brains. This way they won’t drift off to go to other businesses throughout the year.

9. Customizable. When you use CRM software, it is customizable based upon what you need it for. You can even choose software that integrates into your other software, such as Microsoft Outlook. This ensures you aren’t entering the same information over and over again.

10. Easy to use. It’s also a good idea to use CRM software because it’s easy to use. When it’s easy, you and your entire staff can benefit from the information housed within the program. When I started out in business I used a huge dry erase board, makeshift Excel spreadsheets and a desk calendar to try to accomplish this. It is so much easier now with good CRM tools.

For help finding the CRM tool that is right for your business, give us a call.

How To Select The Best Printer For Your Needs

There are a couple of things you need to first understand before you purchase a printer. They include:

1. LaserJet or Inkjet.
Both LaserJet and Inkjet printers have advantages and disadvantages. 

Inkjet printers are cheaper to buy than LaserJet printers. They also produce very good quality printouts. However, the cost of maintaining an Inkjet printer is very high. Also, Inkjet printers make a lot of noise while printing and are slower than LaserJet printers.

LaserJet printers are expensive when buying but very cheap to maintain. Their print quality is very high and they make less noise when printing. They print faster than Inkjet printers.

2. All-In-One or Print-only.
The next thing you need to consider is whether you just want a print-only device or you need to scan, copy, fax and print.

Print-only printers are cheaper than All-In-One printers. However, they have limited functionality.

On the other hand, All-In-One printers have scanners, copiers and printers all put in one device. They are a little bit more expensive but very handy especially in an office setting. All-In-One printers also save space as they contain three different devices in one.

Some All-In-One printers have fax. When getting an All-In-One, always confirm if it has fax as not all of them have fax. In most cases All-In-Ones that have fax are more expensive. 

3. Print Or Scan Quality.
Various aspects of print and scan qualities can be compared between different models. Print resolution is usually measured in dots per inch (DPI). The higher the number of dots per inch the better the printer.

Inexpensive inkjet models usually generate black-only prints at least as high as 600×600 DPI. Color models, meanwhile usually start as high as 4800×1200. Laser jets, meanwhile, typically produce 1200×1200 DPI or better black-only prints and 1200×600 or better color prints.

Scan quality is measured using both bit-rate and DPI measurements. If scanning is an important feature, seek an all-in-one device that offers optical scan resolutions of at least 600×1200 DPI and at least a 24-bit scan rate. Again, higher numbers are better (a scanner that boasts 36- or 48-bit technology will produce even higher-quality scans). Be sure to consider the differences between an inline scanner, in which 8.5-inch x 11-inch pages are easily scanned by passing them through a sheet feeder, and a flat-bed scanner, in which odd-size documents can be easily scanned just by placing them on the glass. In environments where multiple-page documents will frequently be scanned, ensure you select a model that boasts an automatic feed tray.

4. Network Capabilities.
The days when parallel cables were used to connect printers to computers are long gone. In fact, most laptops nowadays do not even have parallel ports. Most printers nowadays are connected to computers via USB cables.

Many printers now boast integrated wireless LAN connectivity. Other models feature embedded network interface cards, making it possible to connect printers to a local area network via a standard wired Ethernet cable, and thereby usable by multiple PCs simultaneously. Still others feature integrated Bluetooth support, which makes it possible for laptop users (among others) with Bluetooth functionality to print wirelessly without the requirement that a local area network even be present. 

When reviewing a printer or multifunction device purchase, be sure to consider your organization’s needs. If multiple users will need to access the printer or all-in-one’s scanning functions, network-equipped models can eliminate the need to purchase multiple units or configure a single PC to host print services for other systems. If many users access the local area network wirelessly, be sure to consider a printer model that also includes WLAN connectivity.

Article Source: http://www.articlebiz.com/article/1051611508-1-how-to-select-the-best-printer-for-your-needs/

Go The Extra Mile

If you want a quick way to boost your profits, you need to make sure you are going the extra mile to look after your best customers, before someone else does. 

Think hard about your biggest clients or customers. Can you think of something you did that they would say shows you have over-delivered for them? Not just things they would expect as standard, but really going the extra mile? Have you ever sent them your product and given them free samples of something else? Have you supported them in a charity venture they were undertaking? Have you helped them get through a crisis in their business just because you could rather than because you had to? Or have you phoned and taken them for lunch just to talk about how you can help them? 

If the answer to those questions is no, start thinking about how you can differentiate your business and what you can do to show how important those customers are to you. People often go the extra mile when they are trying to win new business, but often forget that retaining customers is more important than winning new ones. 

Don’t mistake these things for the standard “corporate entertaining” stuff. Everyone has been invited to work dos, races, parties and so on – and most people would never make a decision based on these things. I’m talking about personal, relevant and wow things that really show that you are going the extra mile for your customers – not that you have big budgets to spend! 

Keep these principles in mind: 

• Always under-promise and over-deliver, never the other way round;

• Never tell your customers no because that’s “the policy”;

• Have quicker response times to everything than your competitors;

• Think about the long term value of these customers, not what this might cost today;

• If they are in a hole, do whatever you can to get them out of it – even if you aren’t obliged to;

• Be personal in what you do – people do business with people, not faceless companies.

If you haven’t done these things, now is the time to get busy quickly. Customers need to be reminded constantly that you value them and are doing more than just giving them what they pay for. People hate being taken for granted and being treated as if you have the right to their money and you need to make an emotional connection with people to get them to stick with you and your business. 

So, take action NOW – this week, find a way to go the extra mile for at least one of your key customers, whenever or however you can.

Article Source:  http://www.articlebiz.com/article/1051611307-1-go-the-extra-mile/