Security Tips to help with HITECH Compliance

Here are some tips for added security, but this is not a substitute for using an IT person, who is familiar with HITECH/Red Flag Regulations.  Remember, encryption prevents the need to report disclosures to HHS and avoids penalties.  These are not the only solutions, so no matter what it is crucial to find encryption solutions.  These are the ones I have implemented although I rarely have more than a patient name in reports and do not have more than a patient name or account number in audit reports. 

Prior to starting any process and for your business sanity, ensure you have a current backup of your system.  Remember, onsite backup should have enough “disks” to rotate for several weeks.  Also they do need to be replaced periodically because they can fail after they have been used repeatedly.  There are many free or inexpensive options for offsite and automatic backups including Carbonite, Mozy, Amazon S3, Rackspace and others.  The Jungledisk interface which backs up to Amazon’s S3 or Rackspace is an automatic backup that is thoughtless and has saved my butt many times. These also permit you a second “drive” that can function as a network drive if you need to work on a document while you are away from your office; although you do need internet access.

Security software can be vastly expensive and still not catch viruses.  I use AVG for small business which is about $50/year.  AVG has a firewall plus I have a network firewall.  If you use a wireless network, make sure your settings are the highest or newest released, as of the moment that will be WPA2. I changed my own settings so it is relatively easy.  I have had great luck with AVG from a protection standpoint.  This does not bog down my system so I have to push molasses up hill.  The processing speed is barely impacted.

Truecrypt is a hard drive encryption program that is free for home and small businesses.  The company price is very inexpensive!  It has 256-bit encryption and most banks use 128-bit so should be good protection.  This is pretty simple although, I would recommend using the IT specialist I mentioned.  Now, you will have to consider whether to encrypt the entire drive or part of the drive, it will impact processing speed.  If you have an extensive number of employees I would recommend the entire drive because you cannot ensure they will save documents with PHI in the encrypted drive.  You will also need a 20+ digit password for each computer that can be remembered.

The browser FireFox has 256-bit encryption while Internet Explorer has 128-bit encryption.  Firefox is a little different but not terribly noticeable and now it is all I use.  Firefox is also a free browser.

Myfax is an “internet” fax that will send you notifications via email.  There faxes are PGP encrypted; however, what I learned was you need to receive a email notification, login to your account, and download the file direct to your computer.  If it comes as an attachment to your email then the PGP encryption is void.  The cost is about $10/month for home or small business, but the corporate account is not expensive.

Cutepdf Professional costs about $50.00 you can print documents to pdf (this is in the free version) but if you need to send that document to your consultant or CPA the professional version allows for password protection as well.  You would not put the password in the same package as the CD or in the same email.  It will allow you to open a PDF and make a text box for notes that will print out.  So you do not have to recreate the information then add notes in another tool.  This may be more depending on the number of licenses you need.

When printing and saving reports from your billing system, you can export to excel or similar file, leave the patient account number or patient name only but take out address, and other identifying information that will identify 1 specific person.  These will be HIPAA compliant if all Patient specific information is removed.

Ensure staff understands they cannot place PHI or patient financial information in an email.  Having an email encryption program may not be the solution right now because if you use for example PGP email encryption the receiver of the email must have the same email encryption program and the key code (password if you will).  This may be problematic for awhile.  So this is why I want to give you some other options.  One such one is Hushmail which is a 1028bit online e-mail service, where your e-mail never leaves their servers, and so remains encrypted end to end.  But both sender and receiver have to have accounts (though they do have a free option, you must use it regularly though).

I understand processes, but the inner working of IT I utilize experts.  I am not affiliated with nor promote any specific product, these are only suggestions.  I hope you will subscribe to my blog as well as provide comments.  I use this to broadcase updates and tips to help you run your business.  If you need help with your IT network solutions, here is a  contact that works on my office equipment and they can work with clients nationally.  A big thank you to Glenn for helping me with the correct lingo!

Glenn Kimball         GWK Technologies           

Angela Miller of Medical Auditing Solutions LLC has been in health care compliance, auditing, billing, collections and HIPAA for over 18 years.  Ms. Miller has made it the  focus of the business to help providers run their businesses efficiently, collect money, and maintain compliance with federal and state regulations and coverage criteria.  Ms. Miller is very experienced with Medicare & Payer audits.  Ms. Miller ran a very successful compliance program for over 5 years for the largest private held HME/Pharmacy provider in the US at the time.  Ms. Miller  also works as a contract compliance officer to provide an avenue to compliance training to staff, implementation of policies, as well as handling anything that affects cash flow from the initial intake to back-end collections. You can visit our website at Medical Auditing Solutions LLC.