
HIPAA Technical Safeguard: Authentication

By Robert McDermott, President & CEO / iCoreConnect

This is the third article of a five-part series that looks at the area of HIPAA law known as the “Technical Safeguards.” The Technical Safeguards are designed to protect electronic Protected Health Information (ePHI) from internal and external risks. Implementation of these safeguards is required by law, and helps you avoid costly fines.

In this brief article, we address “Authentication” [Regulation §164.312(d)].

What is the “AUTHENTICATION” Standard?

This standard requires a covered entity to verify that people (or entities) seeking access to ePHI are who they say they are in any electronic communication, such as email.

To accomplish “authentication” (verifying user identity), require something:

  1. Known only to the individual, such as a password or PIN
  2. Possessed by the individual, such as a smart card, a token or a key
  3. Unique to the individual, such as a biometric (e.g. fingerprints, voice patterns, facial patterns or iris patterns).

Or you may:

  1. Implement a system that uses the federally-recognized DIRECT protocol. (DIRECT is a set of standards for securely transmitting ePHI.)

How do I know if my system meets the HIPAA Technical Safeguards?

Your safest route is to consult with a vetted provider of HIPAA-compliant email and software. The provider can conduct an assessment of your current system.

When looking for a practice management and HIPAA-compliant email provider, confirm it provides at least two “authentication” methods or uses the DIRECT protocol, as well as meets or exceeds all five HIPAA Technical Safeguards.

All ePHI must meet the standards set by the National Institute of Standards and Technology, regardless of whether the information is in transit or at rest. For more information about “AUTHENTICATION”, call iCoreConnect at (888) 810-7706, or visit HHS.gov. iCoreConnect’s cloud-based, HIPAA-compliant email exchange, iCoreExchange, is endorsed by LDA and utilizes the DIRECT protocol for electronic communication of PHI.

 


 

HIPAA Technical Safeguard: Audit Control

By Robert McDermott, President & CEO / iCoreConnect

This is the second article of a five-part series that looks at the area of HIPAA law known as “Technical Safeguards.” Technical safeguards are designed to protect electronic Protected Health Information (ePHI) from internal and external risks. Implementation of these safeguards is required by law, and helps you avoid costly fines.

In this brief article, we address “Audit Control” [Standard §164.312(b)].

If you were asked to produce an audit trail of everyone who accessed your patient data, could you generate the report immediately?

What are “audit controls”?

The Audit Controls standard requires a covered entity to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.”


What does that mean?

You must be able to produce a detailed audit trail of all user access and activity surrounding ePHI.

An audit trail is a report that tells you who accessed which data, and when it was accessed.

The report includes digital certificates to verify users. A digital certificate is an electronic password used to authenticate that a user is who he or she claims to be.


How do you implement the audit controls safeguard?

  1. Implement monitoring systems that track user activity on your computers.
    By monitoring system activity, you’ll be able to determine if a security violation occurred, and produce electronic logs of all user activity.

  2. Create an audit and accountability policy for your staff.
    In it, address roles, responsibilities, management commitment, implementation, and compliance of the regulation.

  3. Stay up-to-date on security-relevant events at your office.
    Identify—and periodically review and update—key audit events, and events significant to the security of information systems and the environments they operate in.

    Examples of key audit events include activities that create, store, and transmit ePHI.

  4. Keep reports at least 6 years.
    Store full logs for a minimum of 6 years. Some organizations may choose to keep their documentation longer based on state law, requirements of accreditation organizations, or other business reasons.
    Regulation §

What does it boil down to?

Implement a HIPAA-compliant email exchange that automatically logs and audits all required actions and produces an audit report within minutes of a user session (for HIPAA auditors).
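The audit report described above, sketched as an added example (not iCoreConnect's or LDA's code): it builds a who/what/when trail for one record, flags entries that cannot be tied to a single person, and lists entries still inside the six-year retention window. The pipe-delimited log format, the user IDs and the `SHARED_IDS` set are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records: timestamp|user ID|action|record. Not real data.
SAMPLE_LOG = """\
2019-07-01T09:15:02|dr.smith|VIEW|patient-1001
2019-07-01T09:17:40|frontdesk|TRANSMIT|patient-1001
2019-07-02T14:03:11||VIEW|patient-1002
2012-03-05T11:00:00|dr.smith|CREATE|patient-0417
2019-07-03T08:30:00|hyg.jones|STORE|patient-1001
"""

SHARED_IDS = {"frontdesk"}  # assumed: logins known to be shared by several staff
RETENTION = timedelta(days=6 * 365 + 2)  # six years, rounded up for leap days

def parse(log_text):
    """Turn each line into a dict; a malformed line raises instead of vanishing."""
    events = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split("|")
        if len(parts) != 4:
            raise ValueError(f"line {n}: expected 4 fields, got {len(parts)}")
        ts, user, action, record = parts
        events.append({"when": datetime.fromisoformat(ts), "who": user,
                       "action": action, "record": record})
    return events

def audit_trail(events, record):
    """Who touched one record, what they did, and when, oldest first."""
    hits = sorted((e for e in events if e["record"] == record),
                  key=lambda e: e["when"])
    return [(e["when"].isoformat(), e["who"], e["action"]) for e in hits]

def unattributable(events):
    """Entries with no user ID or a shared login: they cannot show who acted."""
    return [e for e in events if not e["who"] or e["who"] in SHARED_IDS]

def must_retain(events, today):
    """Entries younger than the retention window, which may not be purged yet."""
    return [e for e in events if today - e["when"] < RETENTION]

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    for row in audit_trail(evts, "patient-1001"):
        print(*row)
    print("unattributable:", len(unattributable(evts)))
    print("must retain:", len(must_retain(evts, datetime(2019, 7, 12))))
```

The two flagged entries are the ones an auditor would question first, since a blank or shared login records that access happened but not who was responsible.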

For more information about access controls, or to see if you’re in compliance with the “AUDIT CONTROL” security standard, visit HHS.gov or call iCoreConnect at (888) 810-7706. iCoreConnect’s cloud-based, HIPAA-compliant email exchange, iCoreExchange, is endorsed by LDA.

 


Feature: HIPAA Technical Safeguard, Part 1
HIPAA Technical Safeguard: Access Control

By Robert McDermott, President & CEO / iCoreConnect

This is the first article of a five-part series looking at the aspect of HIPAA law known as “Technical Safeguards.” In this brief article, we address “Access Control” [Regulation §164.312(a)(1)].

The Access Control standard ensures that devices are accessed only by known, authorized user(s).

What is a “Technical Safeguard”?

The HIPAA Technical Safeguards are parts of the law designed to secure Protected Health Information (PHI) in its electronic form (also known as “ePHI”).

Do you have to follow the Technical Safeguards?

The HIPAA Technical Safeguards are law. Adhering to the safeguards not only protects your patients’ data, but it protects you from costly fines.

How is Access Control implemented?

There are four implementation specifications for Access Control:

  1. Unique User Identification (Required): Assign a unique user ID to record user activity and identify those using electronic devices.
  2. Emergency Access Procedure (Required): Implement procedures allowing for access to ePHI in the event of an emergency.
  3. Automatic Logoff (*Addressable): Implement electronic procedures that automatically log authorized staff off from the device they’re using to access or exchange ePHI.
  4. Encryption (*Addressable): Implement a system that encrypts messages sent beyond your firewall and decrypts messages coming into your system.

All ePHI must meet the standards set by the National Institute of Standards and Technology, regardless of whether the information is in transit or at rest.

*What’s the difference between “required” and “addressable”?

You may see the word “required” or “addressable” associated with different specifications of the law. In an “addressable” specification, the government gives you the opportunity to document in writing how you have achieved the specification in an alternate manner or why you are unable to implement the specification.


For more information about access controls, or to see if you’re in compliance with the “ACCESS CONTROL” security standard, visit HHS.gov or call iCoreConnect at (888) 810-7706. iCoreConnect’s cloud-based, HIPAA-compliant email exchange, iCoreExchange, is endorsed by the LDA.

Links with this symbol are password protected for LDA members only.

7833 Office Park Blvd.
Baton Rouge, LA 70809
(225) 926-1986  |  (800) 388-6642
(225) 926-1886  Fax
info@ladental.org
