Why Do I Need a HIPAA Compliant IT Service Provider?

Why do my “Business Associates” need to be HIPAA compliant? I have a Business Associate Agreement so I’m fine. Why do I need a HIPAA compliant IT Service Provider?

These are just some of the common questions we get on a regular basis when speaking with clients and potential clients. So really, what is the big deal about Business Associates? The detailed answer to that question could take a while, so let’s just look at the simple answers.

Gone with the wind… that about sums up two things. First, HIPAA has changed a lot since the Final Rule came out in January 2013, and as of this writing the grace period is over. Gone are the days when a Covered Entity could just point the finger at a Business Associate as the cause or reason for a breach or non-compliance. “I didn’t know my IT guy was (or was not) doing that” is no longer acceptable.

Second, the famous line from the movie is sometimes what I hear from doctors who just don’t like all the regulation and changes. I can empathize with Covered Entities. As a HIPAA compliant Healthcare IT Service & Support Provider, we have to abide by many of the same regulations and take on the liabilities as well.

So let’s take a look at the biggest reason to take this Business Associate stuff seriously… liability… and lots of it. Here is how HIPAA used to read regarding Covered Entities and Business Associates:

[45 CFR 160.402(c)]

that was then…

(c) Violation attributed to a covered entity. A covered entity is liable, in accordance with the federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member, acting within the scope of the agency, unless—
(1) The agent is a business associate of the covered entity;
(2) The covered entity has complied, with respect to such business associate, with the applicable requirements of §§ 164.308(b) and 164.502(e) of this subchapter; and
(3) The covered entity did not—
(i) Know of a pattern of activity or practice of the business associate, and
(ii) Fail to act as required by §§ 164.314(a)(1)(ii) and 164.504(e)(1)(ii) of this subchapter, as applicable.


this is now…

(c) Violation attributed to a covered entity or business associate.
(1) A covered entity is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.

(2) A business associate is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.

As you can see in the revised text, the changes to the law put the burden of the actions or inactions of Business Associates right back on the Covered Entity. There is no longer an “unless”. Business Associates are now directly liable, but so are Covered Entities, even if they did not know what the Business Associate was doing… or not doing.

That brings us to another myth: having a Business Associate Agreement is all you need… WRONG! Covered Entities must do their due diligence in making sure their Business Associates are compliant, not just saying they are. Any Business Associate can sign an Agreement and tell you they are compliant, and you have no idea whether that is truly the case. So what does a Covered Entity do? You do your homework… or in this case, your due diligence. If someone told you they could do something and you weren’t sure they were telling the truth, what would you likely say? Prove it! That is just what you want to say to your Business Associates, in the form of documentation and a targeted questionnaire. A Business Associate needs to attest to their compliance, back it up with documentation and sign a Business Associate Agreement. Furthermore, the Business Associate should keep you very much in the loop on what services or support they are providing you… especially your IT provider.

A Covered Entity’s IT provider is arguably the most critical outsourced component of your practice. As your practice comes to depend on more technology, the reliance on and trust in your IT provider will grow with it. Having the right IT provider in place is crucial to the health of your practice.

What do you do with a Business Associate that won’t comply? You find one that will, unless you have exigent circumstances, meaning that vendor is the only one you can get (in which case you should document that decision to the teeth).

Contact us and ask for our Due Diligence Kit and we will send one out to you FREE of charge to get you started on dealing with your Business Associates the right way.

If you’re interested in more information or a FREE consultation to see if Carolina Computer Concepts is right for you, mention that when you email or call and we will show you how we can help. We have very strong partnerships with key healthcare, compliance and IT vendors which allows us to offer a strategic alliance directly to our clients.

A Cloud Based EMR Does Not A Compliant Entity Make

Recently, a question came up involving entities that said they are perfectly fine with HIPAA compliance because they use a cloud based EMR (or EHR) that takes care of all their HIPAA compliance for them.

A discussion ensued, ending with the question: This can’t really be true, can it?

I suppose someone could dream up some condition and try to argue it is true. I, however, tend to follow the statistics. The chances that any group is able to have all the HIPAA compliance requirements handled by their cloud based software provider are so very tiny that I will say it cannot actually be true. Yes, some vendors may tell you just that, but the term snake oil salesman comes to mind……

Here is your checklist of things your vendor must provide to take care of all your compliance for you. If you actually do have a vendor with all this covered and documented, please let me know. I am eager to get to know them and work with them.

Does your vendor….

  • Provide a complete and thorough Risk Analysis looking at everything you store in your office that could include PHI?
  • Know every record that comes in and out of your office and how it is managed?
  • Configure your network security and firewall?
  • Monitor your computer systems to confirm they have all their security updates and an active antivirus/anti-malware system?
  • Provide documentation and reports showing that compliance activity is taking place, and review the results?
  • Confirm that data you exchange with every single business associate you work with is secured and protected properly?
  • Confirm your Business Associate Agreements are properly in place with every entity with which you have a BA relationship?
  • Perform due diligence with all your Business Associates?
  • Update your Notice of Privacy Practices (NPP) to make sure all the cases your office should cover are included properly?
  • Confirm you post your updated NPP properly to meet the new requirements?
  • Create a complete disaster recovery and business continuity plan that covers all aspects of your operation being functional?
  • Complete a physical site security checklist and determine that all your physical safeguards are adequate and properly documented?
  • Review your administrative safeguards to confirm they are adequate and meet the required and addressable elements properly, with documentation of same?
  • Create and monitor a plan for disposal of all media and equipment that may contain PHI, like printers and copiers?
  • Create and document a breach response plan?
  • Create, monitor and execute a training plan for every member of your staff regarding HIPAA terms, requirements, acceptable uses and disclosures, how to identify a breach, what your own internal policies and procedures require for HIPAA, and more?

Should I go on, because there is more?  For now, I will just leave it at that.

Don’t get me wrong. There are a lot of HIPAA things, in the Security Rule especially, that you can outsource to your cloud software provider. But even those things don’t relieve you of responsibility. It is up to you to make sure you document completely and audit regularly to confirm that functions like backup and recovery of the data they maintain, up-time guarantees, encryption at rest and in transit, password and user access controls, etc. are actually working as required.

The wall of shame is full of CEs and BAs that thought someone else was taking care of their compliance. You can’t just say someone else is doing it for you. If you do, you probably need more training before making your final HIPAA decisions and, of course, detailed documentation of those decisions. It really takes time and effort on every entity’s part to create the culture of compliance that is required to make an honest stab at HIPAA compliance in your office.

All of this is really a question any CE or BA should be asking themselves no matter who their vendor may be. Do we have all these things covered? If you don’t, then you definitely need to consider getting some help. There is a lot to do, and you can’t just “mail in” your compliance requirements.


Re-posted with permission. Original post located here.

What is Reasonable and Appropriate for Your Specific Environment

These days we deal with resistance and denial towards HIPAA compliance. There are many reasons given for incomplete or ineffective compliance programs. We have heard everything from long rambling rants against the government, claims of not applicable to me and plenty of “we don’t have the _____” (fill in: time, money, resources) to explain away the compliance gaps.

There is, however, one case that concerns me when we find it. A practice or business is given a standard list of HIPAA Security implementation recommendations. The problem is that the list of recommendations doesn’t always include a review of what is reasonable and appropriate for the specific environment. The result is a group frozen by fear or sticker shock, or worse, paying for services and equipment that may be overkill for them. The Security Rule explains in the General Rules section just what should be considered in determining what is reasonable and appropriate for a specific environment (emphasis added):

HHS recognizes that covered entities range from the smallest provider to the largest, multi-state health plan. Therefore the Security Rule is flexible and scalable to allow covered entities to analyze their own needs and implement solutions appropriate for their specific environments. What is appropriate for a particular covered entity will depend on the nature of the covered entity’s business, as well as the covered entity’s size and resources.

Therefore, when a covered entity is deciding which security measures to use, the Rule does not dictate those measures but requires the covered entity to consider:

  • Its size, complexity, and capabilities,
  • Its technical, hardware, and software infrastructure,
  • The costs of security measures, and
  • The likelihood and possible impact of potential risks to e-PHI.

No, this doesn’t mean you can decide you are so small, and the rules so complex, that you need not follow them at all. That is definitely not what reasonable and appropriate means in this context. What it does mean is that you can determine how to implement the standards, both required and addressable, applying these considerations to your implementation plans.

Our approach is to always define the environment before defining the plan. The Security Risk Analysis is first in the list of requirements for a reason. But, keep in mind, that even the tasks performed in the Risk Analysis should be confirmed as reasonable and appropriate for your specific environment.


Reposted with permission from: http://smallproviderhipaa.com/2013/10/31/what-is-reasonable-and-appropriate-for-your-specific-environment/

**Warning** New Ransomware Targets Businesses

Security researchers from Emsisoft have analyzed a new ransomware family known as CryptoLocker (detected by Microsoft as Trojan:Win32/Crilock). This particular piece of ransomware is designed to encrypt files on the infected device and keep them that way until a ransom is paid by the victim.

The file types targeted by CryptoLocker skew toward business data rather than the media a typical home user cares about. The targeted extensions are odt, doc, docx, xls, xlsx, ppt, pptx, mdb, accdb, rtf, mdf, dbf, psd, pdd, jpg, srf, sr2, bay, crw, dcr, kdc, erf, mef, mrw, nef, nrw, raf, raw, rwl, rw2, ptx, pef, srw, x3f, der, cer, crt, pem, and p12.

That mix of office documents, databases, image-editing and camera raw files suggests the threat is designed for businesses, to which the content of these files might be of great value. Note that the list ends with certificate and key-container formats (der, cer, crt, pem, p12), so a practice’s own certificates and private keys are at risk alongside its records.

According to experts, the ransomware is distributed via emails that inform recipients of customer complaints. The file that’s attached to these notifications is a downloader that’s designed to retrieve the actual malware.

Once it infects a device, CryptoLocker creates a registry entry to make sure it starts at every boot. Then, it establishes communications with its command and control (C&C) server. First, it attempts to contact a hardcoded IP address. If that fails, apparently random C&C domains are generated based on a domain generation algorithm.

After a C&C server is found, the malware starts communicating with it via traffic that’s encrypted using RSA encryption.

“Using RSA based encryption for the communication not only allows the attacker to obfuscate the actual conversation between the malware and its server, but also makes sure the malware is talking to the attacker’s server and not a blackhole controlled by malware researchers,” Emsisoft experts noted in a blog post.
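The fallback to algorithmically generated domains described above leaves a trail: a burst of lookups for random-looking names, most of which do not resolve. The following is an added example (not code from the original post or from Emsisoft) of a heuristic that finds such bursts in DNS resolver logs. It does not reproduce CryptoLocker’s actual domain generation algorithm, which the page does not give; the log line format, the sample lines and the thresholds are all assumptions.

```python
"""Heuristic spotting of DGA-style lookups in DNS resolver logs.

Added example, not code from the original post or from Emsisoft. The log
format is a hypothetical "<timestamp> <client_ip> <qname> <rcode>" per line,
and the thresholds are tuning assumptions, not values taken from the malware.
"""
import math
from collections import defaultdict

# Constructed sample log: one host querying a burst of unregistered,
# consonant-heavy names alongside ordinary traffic from another host.
SAMPLE_LOG = """\
2013-10-15T09:12:01 10.0.0.23 www.microsoft.com NOERROR
2013-10-15T09:12:02 10.0.0.23 update.emsisoft.com NOERROR
2013-10-15T09:12:03 10.0.0.23 www.gooogle.com NXDOMAIN
2013-10-15T09:12:05 10.0.0.41 qkxtpzlwvmrbhg.com NXDOMAIN
2013-10-15T09:12:05 10.0.0.41 zrmwdfhqbtkxlp.net NXDOMAIN
2013-10-15T09:12:06 10.0.0.41 hvxqnbplzkmwrt.org NXDOMAIN
2013-10-15T09:12:06 10.0.0.41 pwkzxtvqhrnbml.biz NXDOMAIN
2013-10-15T09:12:07 10.0.0.41 mbtxvkqhzprwln.info NXDOMAIN
2013-10-15T09:12:08 10.0.0.41 portal.palmettohealth.org NOERROR
2013-10-15T09:12:09 10.0.0.23 mail.google.com NOERROR
"""


def shannon_entropy(s: str) -> float:
    """Bits per character over the string's own symbol frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname: str) -> str:
    """Label just left of the TLD (naive: ignores multi-part suffixes like co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_generated(qname: str, min_len: int = 10, min_entropy: float = 3.0,
                    max_vowel_ratio: float = 0.35) -> bool:
    """Long, high-entropy, vowel-poor label: typical of random-letter DGA output.
    Ordinary words usually fail at least one of the three tests."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(label.count(v) for v in "aeiou") / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def find_suspect_hosts(log_text: str, min_hits: int = 3) -> dict:
    """Map client IP -> generated-looking names that failed to resolve, keeping
    only clients with at least min_hits. A single typo (gooogle) does not trip
    it; a burst of unregistered random names does."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_generated(qname):
            hits[client].append(qname)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-like NXDOMAIN lookups, e.g. {names[0]}")
```

Treat a hit as a triage signal, not a verdict: long brand names with few vowels can trip the label test, and a DGA that builds names from dictionary words will pass it. Pair the output with firewall logs for the hardcoded address the text mentions and with the process that issued the queries on the flagged host.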

Finally, CryptoLocker looks for the aforementioned files and encrypts them using AES. The AES keys are in turn protected with RSA, and the private key needed to recover them stays on the attacker’s server, accessible only to the attacker, so without it the files cannot be decrypted.

However, users are advised not to pay up. Remove the infection with an antivirus program and restore the encrypted files from a backup, assuming you have one.

How does your business or practice combat such a potentially devastating infection?  First, you need security and protection.  At a minimum we recommend really good antivirus software along with monitoring to ensure it is always up-to-date and scanning as scheduled.  It does no good to have antivirus if you aren’t sure it is performing properly at all times, and antivirus alone will not catch every new variant, so treat it as one layer.  Second, you need a proven backup solution with versioning, including at least one copy that an infected workstation cannot reach as a writable drive or share; a backup that only mirrors the current state of your files will faithfully copy the encrypted versions over the good ones.  If you have never tried to recover from your backup, do you really know it will work?  We have plenty of backup and recovery horror stories I could tell.
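The versioning and restore-drill advice above, as an added example that is not part of the original post and not Carolina Computer Concepts’ own tooling: a minimal content-addressed backup store, a simulated infection, and a restore test of both the pre- and post-infection versions. Everything here is assumed for illustration; the sample files are constructed, and the “ransomware” step only overwrites file contents with random bytes (no real encryption is performed).

```python
"""Versioned backup plus restore drill.

Added example, not code from the original post. Shows why a backup that only
mirrors the current state of files is useless once ransomware has overwritten
them, and why a restore must be tested rather than assumed. Sample data is
constructed; the infection is simulated with random bytes.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class VersionedBackup:
    """Each backup run writes a manifest {relative path: sha256} and keeps every
    distinct file version as a blob named by its hash, so an older version is
    never overwritten by a later run."""

    def __init__(self, store: Path):
        self.store = store
        self.objects = store / "objects"
        self.objects.mkdir(parents=True, exist_ok=True)
        self.manifests = []

    def backup(self, source: Path) -> int:
        manifest = {}
        for path in sorted(p for p in source.rglob("*") if p.is_file()):
            digest = sha256_file(path)
            blob = self.objects / digest
            if not blob.exists():  # unchanged content costs nothing extra
                shutil.copy2(path, blob)
            manifest[str(path.relative_to(source))] = digest
        self.manifests.append(manifest)
        (self.store / f"manifest-{len(self.manifests)}.json").write_text(
            json.dumps(manifest, indent=2))
        return len(self.manifests)  # 1-based version number

    def restore(self, version: int, dest: Path) -> None:
        """Copy every file of the given version to dest and re-verify its hash."""
        for rel, digest in self.manifests[version - 1].items():
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(self.objects / digest, target)
            if sha256_file(target) != digest:
                raise RuntimeError(f"restore integrity failure: {rel}")


def simulate_ransomware(source: Path) -> None:
    """Stand-in for the encryption step: replace targeted documents with junk."""
    for path in source.rglob("*"):
        if path.is_file() and path.suffix in {".docx", ".xlsx", ".pdf"}:
            path.write_bytes(os.urandom(len(path.read_bytes()) + 16))


def hashes_of(tree: Path) -> dict:
    return {str(p.relative_to(tree)): sha256_file(p)
            for p in sorted(tree.rglob("*")) if p.is_file()}


def restore_drill() -> dict:
    """Back up, get 'infected', back up again, then restore both versions.
    Returns, per restore, whether it reproduced the original files."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, store = tmp / "practice", tmp / "backup"
        source.mkdir()
        # constructed sample data standing in for practice records
        (source / "billing.xlsx").write_bytes(b"constructed sample: billing ledger\n" * 100)
        (source / "notes").mkdir()
        (source / "notes" / "visit-2013-10-14.docx").write_bytes(b"constructed sample: visit note\n" * 50)
        (source / "notes" / "readme.txt").write_bytes(b"not targeted\n")
        clean = hashes_of(source)

        vault = VersionedBackup(store)
        v_clean = vault.backup(source)  # version 1: before infection
        simulate_ransomware(source)
        v_after = vault.backup(source)  # version 2: all a mirror-only backup would hold

        results = {}
        for label, version in (("restore_latest", v_after), ("restore_prior", v_clean)):
            dest = tmp / label
            vault.restore(version, dest)
            results[label] = hashes_of(dest) == clean
        return results


if __name__ == "__main__":
    print(restore_drill())
```

The drill reports that restoring the latest version hands back the junk, while the prior version reproduces every original hash. In production the object store must not be mounted as a writable share on the workstations it protects, or the same infection simply overwrites the blobs; a scheduled run of a drill like this against the real backup is the cheapest way to know the recovery path actually works.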

If you need help in these areas give us a call.  We can help with managed antivirus, network security and backup/recovery solutions for any size business.  Don’t wait until you’re a victim, get help now.

OCR Issues Model Notices of Privacy Practices

As the compliance date for the final Omnibus HIPAA privacy and security rule looms (September 23, 2013), the Office for Civil Rights and the Office of the National Coordinator for Health Information Technology lend a helping hand to covered entities by publishing model Notices of Privacy Practices (NPP) for health care providers and health plans. The Omnibus Rule implements a number of changes required under HITECH, including “material” changes to NPPs.

The model NPPs reflect these changes and are designed to help covered entities meet their obligation to develop and distribute clear, user friendly notices. The agencies also provided optional formats for the NPPs:

  • Notice in the form of a booklet;
  • A layered notice that presents a summary of the information on the first page, followed by the full content on the following pages;
  • A notice with the design elements found in the booklet, but formatted for full page presentation; and
  • A text only version of the notice.

Note to covered entities: The agencies state that the model NPPs reflect the regulatory changes of the Omnibus Rule, and can serve as a baseline for compliance. Covered entities will still have to tailor the notices to their particular circumstances and insert information specific to their organizations. In addition, covered entities should review the rules for how and when notices need to be provided. See 45 CFR 164.520. For example, NPPs generally can be provided by email provided the recipient has consented. Also, if a covered entity maintains a website about its customer services or benefits, it must prominently post the NPP on that site.

Microsoft Aims To Take On iPad In Health Care


When internist Nitin Patel called up Microsoft in May to rave about its Surface Pro tablet, Dennis Schmuland, the company’s head of health strategy for U.S. Health & Life Sciences, was taken aback. “I was surprised, because he was so excited,” says Schmuland. “We didn’t solicit this.”

Microsoft is elated by Patel’s call. Physicians’ use of tablets is widespread (72%, according to Manhattan Research), and more than half of the nearly 3,000 physicians it surveyed used the Apple iPad in the first quarter of 2013. Microsoft released Surface RT last year and Surface Pro this past February. According to IDC, Surface shipments amounted to 900,000 units in this year’s first quarter. It has a long way to go to catch up with the iPad, which commands nearly 40% of the tablet market. “We’re not getting any requests from doctors to build on it [Surface],” says Daniel Kivatinos, a founder of drchrono, which provides an electronic health record specifically for the iPad. Also, a 128 GB Surface Pro retails for $999, versus $799 for an iPad.

Patel, who doubles as geek-in-chief at Palmetto Health, one of the largest hospital systems in South Carolina, tried the iPad. He disliked the wait to log into a patient’s chart, the small screen, and the lack of a keyboard, among other things. On a Friday afternoon he drove over to a Best Buy in Columbia and bought a Surface Pro, keeping the receipt. He didn’t return it. Patel was immediately impressed by its speed in accessing a patient’s chart and its compatibility with the Cerner electronic health record, which Palmetto uses throughout its hospitals and clinics. Patel says he now sees two more patients per day as a result.

William Jennings, Palmetto’s medical informatics officer, was initially skeptical, but Surface won over other doctors. “We’re providing an environment where physicians pick what they want. We want technology to work for us not the other way around,” says Jennings. Palmetto just started a three to six month pilot with 30 physicians, including obstetricians and surgeons, who will use Surface on loan from Microsoft, in their every day practice. The goal is to measure patient and physician satisfaction, as well as impact on productivity, which typically drops when medical providers go digital.

“What Palmetto has proven is that you can run Windows 8 or 7, and have the full features of an electronic health record,” says Schmuland, rather than the lighter version usually offered on an iPad. If so, that would address major complaints by untethering doctors from their desktops and allowing them to interact more freely with their patients. He says Microsoft is talking to several electronic health record vendors, including Cerner, Epic, and Allscripts, about developing applications.

Schmuland doesn’t know how many doctors are using Surface, but he’s starting to hear more anecdotes, such as Palmetto’s.  “This is an early wave indicator that Windows 8 is resonating with the industry,” he says.

Microsoft sent a crew to Columbia, South Carolina, to film doctors at Palmetto using Surface Pro. Check it out.


original published at: http://www.forbes.com/sites/zinamoukheiber/2013/07/01/microsoft-pins-its-hopes-on-tablets-in-health-care/