Global Health, Fitness and Medical Issues
Scooped by Dennis Swender

HIPAA Compliant Texting and Email


As more organizations continue to work remotely, they are relying on texting and email as means of communication.

 

For organizations that work in healthcare, it is important to determine if the communication tool they use is HIPAA compliant. HIPAA compliant texting and email are discussed below.

HIPAA Compliant Texting and Email: What You Need to Know

An essential component of HIPAA is ensuring the confidentiality, integrity, and availability of protected health information (PHI). This includes PHI communicated via texting and email.

 

For HIPAA compliant texting and email, there are certain measures that must be implemented.

 

HIPAA Compliant Texting. 

 

Traditional texting platforms are not HIPAA compliant because their messages cannot be encrypted. Encryption masks sensitive data so that it is unreadable to unauthorized users. Without it, these platforms cannot be used in conjunction with PHI.

 

Traditional texting platforms can only be used for patient communication with prior authorization from the patient. In addition to obtaining written consent, the covered entity (CE) must warn the patient that text messaging is not a secure form of communication; the warning must also be documented.

 

However, this authorization extends only to communication between provider and patient; the provider may not communicate PHI through text message to a party other than the patient. Text messaging can also be used to send patient appointment reminders and, under certain circumstances, during a natural disaster.

 

If your organization prefers to communicate PHI through text messaging, there are HIPAA compliant texting platforms. These platforms are specially designed for the medical field. As such, they include all of the required security measures, and they are willing to sign a business associate agreement (BAA).

 

HIPAA Compliant Email.

 

To use email for communication in compliance with HIPAA, the email provider must enable encryption.

 

When sending email attachments with PHI, the attachments must also be encrypted. However, PHI cannot be contained in an email subject line, as the subject line cannot be encrypted. Before using email to communicate PHI, you must have a signed BAA with your email provider.

 

Even with encryption enabled, using email to communicate PHI still poses a risk. This is why providers must receive patient authorization and issue a warning before using email to communicate PHI to a patient.

 

Scooped by Dennis Swender

HIPAA Policies and Procedures Templates


HIPAA Policies and Procedures Templates are form documents that relate to a particular area of HIPAA compliance.

 

HIPAA Policies and Procedures templates provide information on what an organization must do to be compliant in that area. As an example, HIPAA Policies and Procedures Templates include a Policy and Procedure Template for Breach Notification.

 

The template contains general language about how to detect and report a breach. 

What Should Be Included in HIPAA Policies and Procedures Templates?

For a healthcare organization to meet HIPAA compliance requirements, its physicians, nurses, other medical staff, and any other employees who may encounter protected health information (PHI) or electronic protected health information (ePHI) must understand what their job roles allow them to do.

 

HIPAA Policies and Procedures Templates include, for example, a policy and procedure for the HIPAA “Accounting of Disclosures” provision of the HIPAA Privacy Rule. This provision requires healthcare organizations to give patients an accounting of entities and persons to whom the organization has sent patient PHI.

 

When a patient requests an accounting, the healthcare organization must have a policy, or overall principle, about accountings of disclosures. This principle can be put in writing, as something along the lines of “The law requires us to provide patients with the names of people and organizations we have given their PHI to. The law also requires that we let patients know what PHI we disclosed.” 

 

The organization can only handle specific patient requests once it has implemented a series of processes for doing so. These processes are called procedures.

 

A procedure is a series of steps that allows the organization to provide the accounting. Procedures required in the accounting of disclosures context include procedures for determining who is qualified to answer a request (so that only people whose job duties require access to PHI can answer), which requests require the organization to provide an accounting and which do not, how the accounting is to be provided (i.e., by first-class mail, overnight mail, or fax with a HIPAA compliant fax cover sheet), and when (within what timeframe) the accounting must be provided.

 

The organization must also have a process in place that addresses what it must do when a patient complains that the accounting he or she received was not complete, or did not contain required information.

Using HIPAA Policies and Procedures Templates, which require that the same process be followed each time a patient makes a request, ensures the organization will consistently and accurately meet its compliance requirements.

 
