Facebook

Twitter

YouTube

LinkedId

Blog

Latest Technologies, Industry Trends & Best Practices

HIPAA in the Contact Center: PHI and Encryption

To ensure that your organization and your clients are acting in accordance with the HIPAA Security Rule as it relates to ENCRYPTION of ePHI, I did some extensive research and found a resource written by the American Medical Association titled “HIPAA Security Rule: Frequently asked questions regarding encryption of personal health information.” The document addresses a number of questions among physicians and other health care professionals as well as other HIPAA-covered entities and business associates. Consider the below points as it relates to your usage of ePHI: 

To Begin with, What Information Should You Encrypt?

Any systems and individual files containing PHI/ePHI should be encrypted. Examples include electronic medical records, claims payment appeals, scanned images, emails containing ePHI, etc.

Emails containing ePHI. If you or your clients (physicians) correspond with health insurers or other health care professionals via email and those emails contain ePHI, then you could be accused of failing to protect ePHI for which you are responsible.

Encrypt all devices containing ePHI. Passwords are not enough, especially in the event that a hard drive was removed from a laptop containing ePHI. All devices that contain ePHI, including laptops, PCs, smartphones and tablets, need encryption technology, preferably “whole disk encryption” technology.

If ePHI is accessed via the Internet, encrypt those sessions. Since data that is published on the Internet is available to the public, you need to check with your Web service provider to ensure that any PHI that travels across the Internet is protected by secure sockets layer (SSL) or similar technology.

Encrypt any other remote access sessions. If you have a situation in which physicians/staff connect to the home office remotely to read email or access other resources containing ePHI, then this access may constitute a vulnerability to unauthorized snooping. It is important that these sessions be conducted using encrypted tunnels, or VPNS.

What Happens If a Security Breach Occurs at an Organization That Uses Encryption Technology?

If the ePHI is stored and transmitted in encrypted form, then you do not need to notify patients. This only applies to HIPAA-covered entities and business associates that use encryption technologies that render ePHI unusable, unreadable, or indecipherable to unauthorized individuals.

How do Startel’s Solutions Help Organizations Protect ePHI?

Businesses that handle sensitive information are not only morally obligated to protect sensitive, private and personal information of their clients; they are legally obligated to do so. Startel’s Encrypted Email Service enables compliance with HIPAA by utilizing Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption protocol. This protocol converts email messages from a readable plaintext format to a scrambled cipher text format. Only the recipient using the private key that matches the public key used to encrypt the email message can decipher the message. If someone intercepts the message without access to the private key the email message would appear only as garbled text.

The private and public keys are the means for both encoding and decoding email messages. Essentially the unique private/public key acts as a distinctive digital signature bound to a particular email address.

In addition, the Startel Encrypted Email Service is encoded utilizing the Advanced Encryption Standard (AES) 128 Bit block size. This level of cryptography ensures security is maintained for all encrypted messages. Any attempt to “break” an encrypted message secured at 128 Bit encoding would take billions of years to try every possible combination.

Users of Startel’s Encrypted Email Service have peace of mind knowing that their messages remain secure and private during transmission and storage.

In my third blog post of this topic, I will address how Startel’s Secure Messaging application handles ePHI and specifically, how it complies with HIPAA.

Source: http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf

HIPAA In the Contact Center

The buzz surrounding HIPAA in contact centers is getting louder, and with good reason: As of September 23, 2013, healthcare providers, health plans, other HIPAA covered entities and their business associates must comply with the new Privacy and Security requirements. Those who fail to comply by the deadline or experience breaches in customer data security may face with substantial fines and penalties.

This blog post will be one of several regarding HIPAA, and what we (software vendors and users) must do to comply with it. To ensure we all have a basic and common understanding of HIPAA, this first blog post will address some general definitions, including how Startel and our customers are designated per HIPPA and how the Privacy and Security Rules apply to us.

HIPAA Overview
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. These Rules help to protect the privacy of individual’s health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.

Before we can discuss the HIPAA Privacy Rule and HIPAA Security Rule, we must mention who these Rules apply to.

Covered Entities and Business Associates
The HIPAA Rules apply to both covered entities and business associates:

Covered Entity (CE)
: CEs are basically any person, business, or government entity that furnishes, bills, or receives payment for health care in the normal course of business. Examples include physicians, hospitals, pharmacies, health care clearinghouses (billing services) and health plans/insurers.



Business Associate (BA)
: A business associate is a person or organization that performs a function on behalf of a covered entity. Examples of a BA include software vendors (such as Startel), third-party billing companies, claims processors, collections agencies, and outsourced contact centers. BAs must also agree to the privacy and data security requirements of HIPAA. A business associate could be a contact center outsourcer that handles calls for a covered entity or a collection agency working on their behalf.

Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.

The Standards for Privacy of Individually Identifiable Health Information, also known as the Privacy Rule, establishes a set of national standards that protects individuals’ health information – called “protected health information (PHI)”. PHI is “any health information that is individually identifiable”. Examples include an individual’s name, date of birth, social security number, address, as well as health status and payment/billing information. The Privacy Rule addresses the use and disclosure of PHI whether in written, oral, or electronic format by covered entities. It also sets standards for individuals’ privacy rights to understand and control how their health information is used.

The Security Standards for the Protection of Electronic Protected Health Information, or the Security Rule, is a national set of security standards for protecting certain health information that is held or transferred in electronic form (ePHI). The Security Rule addresses the technical and non-technical safeguards that covered entities must put in place to secure individuals’ ePHI. Technical safeguards include access control, audit controls, integrity controls and transmission security. Each of these technical safeguards can be addressed with software solutions, including encryption technology and secure messaging.  

In March 2013, the long-awaited Omnibus Rule made the most sweeping changes since the HIPAA Privacy and Security Rules were first implemented. The new rule expands the definition of a business associate to include “any downstream subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate.” Business associates and their subcontractors who have access to PHI are directly liable for compliance with the HIPAA Privacy and Security Rules. In addition, among the changes is an enhanced opportunity for the Office for Civil Rights to enforce compliance.

Why am I sharing all of this information to you and why is it important? Since both Startel and our customers (telephone answering services and contact centers) are considered business associates we are therefore:
•    Required to comply with the Rules’ requirements, including the Obnibus Rule, to protect the Privacy and Security of PHI. We have until September 2013 to become compliant.
•    Directly liable for compliance with certain provisions of the HIPAA Rules. Penalties can be civil or criminal and may cost thousands of dollars and possibly imprisonment.

In my next blog post, I will address how Startel’s solutions address a pressing topic area: Encryption of PHI/ePHI, and specifically, what information/devices must be encrypted to ensure HIPAA compliance.

Source: http://www.hhs.gov/

Buy Our Solutions