What's New

HIPAA and Email: The ACTUAL Law

By Robert McDermott, President/CEO (an LDA/LDS Endorsed Company)

Sending and receiving electronic Protected Health Information (ePHI) through email can be a safe and effective way to share sensitive information with other providers, insurers and patients. It only gets tricky when providers don’t understand the details of HIPAA law. Once you know, you can effectively embrace technology, improving patient care and practice productivity.

Let’s take a look at eye-opening background information on HIPAA violation enforcement. Every day, at least one healthcare data breach is reported to the Dept. of Health and Human Services (HHS).[1] The HHS Office for Civil Rights (OCR) is responsible for enforcing the Privacy and Security Rules. The OCR audits practices and enforces civil and criminal corrective actions which may lead to fines, jail time and even practice closure. In 2018, the OCR wrapped up an all-time record year of HIPAA enforcement. “Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” states OCR Director Roger Severino.[2]

The good news is that it’s easy to stay on the right side of the law. You can know the actual HIPAA law requirements by remembering the six-letter word ACTUAL.

  1. Authenticate Recipients
  2. Control Access
  3. Transmit Securely
  4. Unaltered Records
  5. Audit Every Message
  6. Lock ePHI for 6 years

Here’s a closer look at what these six requirements mean:

  1. Authenticate Recipients. Your secure email exchange should automatically verify that the doctor to whom you are sending ePHI is a registered provider. The federal government’s preferred DIRECT protocol is the most secure method for provider verification. Look for a secure email provider whose platform is built on the DIRECT protocol.
  2. Control Access. Only authorized users should be able to read the content of emails. Your secure email system should have mechanisms in place for automatic user log-off and encryption (scrambling the message content so hackers can’t access ePHI).
  3. Transmit Securely. This is where encryption is critical. The higher your level of encryption, the more secure your ePHI. For example, if your secure email exchange has a 2048-bit encryption level, it will take quadrillions of years to break that encryption using today’s technology.[3]
  4. Unaltered Records. All your patient information must be kept in such a way that it can’t be altered or lost. The smartest backup systems store your ePHI at multiple secure data centers, not in your office, home or briefcase. Cloud-based backups keep your ePHI on secure servers located around the country. In the rare event that one location is compromised, the other backup locations have you covered.
  5. Audit Every Message. The OCR can audit any practice at any time, and anyone can submit a HIPAA complaint against your practice. If you get audited, you will be required to produce a detailed audit trail of all emails containing ePHI.
  6. Lock ePHI for 6 Years. This requirement goes hand-in-hand with items 4 and 5 above. Your records need to be securely stored so that the information can’t be altered or lost for a minimum of six years.

There are HIPAA-compliant email exchange services that meet all six requirements. Just remember the ACTUAL law and you’ll be on your way to safe, secure and time-saving improvements for your practice.

iCoreConnect’s HIPAA-compliant email service, iCoreExchange is endorsed by LDA.

iCoreExchange meets or exceeds every HIPAA requirement for emailing ePHI.

[1] https://www.hipaajournal.com/march-2019-healthcare-data-breach-report/

[2] https://www.hhs.gov/about/news/2019/02/07/ocr-concludes-all-time-record-year-for-hipaa-enforcement-with-3-million-cottage-health-settlement.html

[3] https://www.digicert.com/TimeTravel/math.htm

HIPAA Technical Safeguard: Authentication (Part 3)

By Robert McDermott, President & CEO / iCoreConnect

This is the third article of a five-part series that looks at the area of HIPAA law known as the “Technical Safeguards.” The Technical Safeguards are designed to protect electronic Protected Health Information (ePHI) from internal and external risks. Implementation of these safeguards is required by law, and helps you avoid costly fines.

In this brief article, we address the “Authentication” standard [Regulation §164.312(d)].

What is the “AUTHENTICATION” Standard?

This standard requires a covered entity to verify people (or entities) seeking access to ePHI are who they say they are in any electronic communication, such as email.

To accomplish “authentication” (verifying a user’s identity), require something that is:

  1. Known only to the individual, such as a password or PIN
  2. Possessed by the individual, such as a smart card, a token or a key
  3. Unique to the individual, such as a biometric (e.g. fingerprints, voice patterns, facial patterns or iris patterns)

Or you may:

  1. Implement a system that uses the federally-recognized DIRECT protocol. (DIRECT is a set of standards for securely transmitting ePHI.)
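The first two factors above are easy to demonstrate end to end. The following Python program is an added example (it is not iCoreConnect's code and says nothing about how iCoreExchange or the DIRECT protocol work internally): it verifies something the user knows, a password stored only as a salted PBKDF2 hash, and something the user possesses, a one-time code from a TOTP authenticator app (RFC 6238, built on HOTP, RFC 4226). The iteration count, the shape of the user store and the user names are assumptions; the test vectors are the published RFC ones. Both factors are always evaluated, and a login succeeds only when both pass.

```python
"""Two-factor authentication check (something known + something possessed).
Added example; not iCoreConnect's code. Iteration count and user-store shape
are assumptions made for the example."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # assumed policy value in the OWASP-recommended range
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6

# A user record is (salt, password_digest, totp_secret).
UserStore = Dict[str, Tuple[bytes, bytes, bytes]]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TOTP_STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * TOTP_STEP_SECONDS), code)
               for d in range(-window, window + 1))


# Dummy record so an unknown user costs the same as a known one (no user
# enumeration through timing differences).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("not-a-real-password")
_DUMMY_SECRET = b"\x00" * 20


def enroll_user(users: UserStore, user_id: str, password: str, totp_secret: bytes) -> UserStore:
    """Store only the salted hash of the password plus the authenticator secret."""
    salt, digest = hash_password(password)
    users[user_id] = (salt, digest, totp_secret)
    return users


def authenticate(users: UserStore, user_id: str, password: str, code: str, at: int) -> bool:
    """Both factors are always checked; the result is True only if both pass."""
    record = users.get(user_id)
    salt, digest, secret = record if record is not None else (_DUMMY_SALT, _DUMMY_DIGEST, _DUMMY_SECRET)
    password_ok = verify_password(password, salt, digest)
    code_ok = verify_totp(secret, code, at)
    return record is not None and password_ok and code_ok


if __name__ == "__main__":
    # Constructed user and the RFC 6238 reference secret; at Unix time 59 the
    # six-digit code is 287082.
    store = enroll_user({}, "dr.smith", "correct horse battery", b"12345678901234567890")
    print(authenticate(store, "dr.smith", "correct horse battery", "287082", at=59))  # True
    print(authenticate(store, "dr.smith", "correct horse battery", "000000", at=59))  # False
```

The secret for each user is what the authenticator app holds; in a real deployment it would be provisioned once (typically as a QR code) and stored encrypted at rest. A password alone, or a code alone, is rejected, which is exactly the property the two-factor requirement is meant to give.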

How do I know if my system meets the HIPAA Technical Safeguards?

Your safest route is to consult with a vetted provider of HIPAA-compliant email and software. The provider can conduct an assessment of your current system.

When looking for a practice management and HIPAA-compliant email provider, confirm that it provides at least two “authentication” methods or uses the DIRECT protocol, and that it meets or exceeds all five HIPAA Technical Safeguards.

All ePHI must meet the standards set by the National Institute of Standards and Technology, regardless of whether the information is in transit or at rest. For more information about “AUTHENTICATION”, call iCoreConnect at (888) 810-7706, or visit HHS.gov. iCoreConnect’s cloud-based, HIPAA-compliant email exchange, iCoreExchange, is endorsed by LDA and utilizes the DIRECT protocol for electronic communication of PHI.

HIPAA Technical Safeguard: Audit Control (Part 2)

By Robert McDermott, President & CEO / iCoreConnect

This is the second article of a five-part series that looks at the area of HIPAA law known as “Technical Safeguards.” Technical safeguards are designed to protect electronic Protected Health Information (ePHI) from internal and external risks. Implementation of these safeguards is required by law, and helps you avoid costly fines.

In this brief article, we address “Audit Control” [Standard §164.312(b)].

If you were asked to produce an audit trail of everyone who accessed your patient data, could you generate the report immediately?

What are “audit controls”?

The Audit Controls standard requires a covered entity to “Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI.”


What does that mean?

You must be able to produce a detailed audit trail of all user access and activity surrounding ePHI.

An audit trail is a report that tells you who accessed which data, and when it was accessed.

The report includes digital certificates to verify users. A digital certificate is an electronic credential used to authenticate that a user is who he or she claims to be.


How do you implement the audit controls safeguard?

  1. Implement monitoring systems that track user activity on your computers.
    By monitoring system activity, you’ll be able to determine if a security violation occurred, and produce electronic logs of all user activity.

  2. Create an audit and accountability policy for your staff.
    In it, address roles, responsibilities, management commitment, implementation, and compliance of the regulation.

  3. Stay up-to-date on security-relevant events at your office.
    Identify—and periodically review and update—key audit events, and events significant to the security of information systems and the environments they operate in.
    Examples of key audit events include activities that create, store, and transmit ePHI.

  4. Keep reports at least 6 years.
    Store full logs for a minimum of 6 years. Some organizations may choose to keep their documentation longer based on state law, requirements of accreditation organizations, or other business reasons.
    Regulation §
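To make the "who accessed which data, and when" requirement concrete, here is an added Python example (not the LDA's or iCoreConnect's code) that builds an audit report from a constructed set of JSON-lines access events, flags events that cannot be attributed to a verified user, and applies the six-year retention floor from step 4. The log format, field names, user names and record identifiers are all assumptions made for the example.

```python
"""Audit trail report over ePHI access events. Added example with constructed
log records; the log format and field names are assumptions."""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

RETENTION_YEARS = 6   # minimum from the article; state law may require longer

# Constructed sample events: one line per action that touched ePHI.
SAMPLE_LOG = """\
{"ts": "2019-03-04T09:12:05Z", "user": "dr.smith", "auth": "x509", "action": "view", "record": "PT-1001"}
{"ts": "2019-03-04T09:14:41Z", "user": "dr.smith", "auth": "x509", "action": "email", "record": "PT-1001", "recipient": "dr.jones@direct.example.org"}
{"ts": "2019-03-04T10:02:13Z", "user": "frontdesk2", "auth": "password", "action": "view", "record": "PT-1002"}
{"ts": "2019-03-04T10:03:58Z", "user": "", "auth": "", "action": "export", "record": "PT-1002"}
{"ts": "2019-03-05T08:30:00Z", "user": "dr.smith", "auth": "x509", "action": "edit", "record": "PT-1001"}
"""


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines into event dicts; timestamps become aware datetimes, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def access_report(events: List[dict], record_id: str) -> List[dict]:
    """Who accessed one patient record, what they did, and when."""
    return [e for e in events if e["record"] == record_id]


def activity_by_user(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-user counts of each action type; unattributed events are grouped separately."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        summary[e["user"] or "<unattributed>"][e["action"]] += 1
    return {user: dict(actions) for user, actions in summary.items()}


def unattributed_events(events: List[dict]) -> List[dict]:
    """Events with no verified user identity cannot answer 'who'; an auditor will ask about these."""
    return [e for e in events if not e["user"] or not e["auth"]]


def retention_cutoff(now: datetime) -> datetime:
    """Earliest timestamp that must still be on file under the six-year floor."""
    try:
        return now.replace(year=now.year - RETENTION_YEARS)
    except ValueError:   # 29 February with a non-leap target year
        return now.replace(year=now.year - RETENTION_YEARS, day=28)


def must_retain(ts: datetime, now: datetime) -> bool:
    return ts >= retention_cutoff(now)


def format_report(events: List[dict], record_id: str) -> str:
    """Plain-text audit trail for one record, the kind of listing an auditor requests."""
    lines = [f"Audit trail for {record_id}"]
    for e in access_report(events, record_id):
        user = e["user"] or "<unattributed>"
        lines.append(f"{e['ts'].isoformat()}  {user:<14} {e['auth'] or '-':<9} {e['action']}")
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print(format_report(evts, "PT-1001"))
    print("unattributed:", [(e["ts"].isoformat(), e["action"]) for e in unattributed_events(evts)])
```

The `export` event with an empty `user` field is the interesting case: the data left the system, but the log cannot say by whom, which is precisely the gap the Audit Controls standard is meant to close. The retention check is the floor only; the article notes that state law or accreditation bodies may require longer.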

What does it boil down to?

Implement a HIPAA-compliant email exchange that automatically logs and audits all required actions and produces an audit report within minutes of a user session (for HIPAA auditors).

For more information about access controls, or to see if you’re in compliance with the “AUDIT CONTROL” security standard, visit HHS.gov or call iCoreConnect at (888) 810-7706. iCoreConnect’s cloud-based, HIPAA-compliant email exchange, iCoreExchange, is endorsed by LDA.

HIPAA Technical Safeguard: Access Control (Part 1)

By Robert McDermott, President & CEO / iCoreConnect

This is the first article of a five-part series looking at the aspect of HIPAA law known as “Technical Safeguards.” In this brief article, we address “Access Control” [Regulation §164.312(a)(1)].

The Access Control standard ensures that devices are accessed only by known, authorized user(s).

What is a “Technical Safeguard”?

The HIPAA Technical Safeguards are parts of the law designed to secure Protected Health Information (PHI) in its electronic form (also known as “ePHI”).

Do you have to follow the Technical Safeguards?

The HIPAA Technical Safeguards are law. Adhering to the safeguards not only protects your patients’ data, but it protects you from costly fines.

How is Access Control implemented?

There are four implementation specifications for Access Control:

  1. Unique User Identification (Required): Assign a unique user ID to each person so that user activity can be recorded and those using electronic devices can be identified.
  2. Emergency Access Procedure (Required): Implement procedures allowing for access to ePHI in the event of an emergency.
  3. Automatic Logoff (*Addressable): Implement electronic procedures that automatically log authorized staff off from the device they’re using to access or exchange ePHI.
  4. Encryption (*Addressable): Implement a system that encrypts messages sent beyond your firewall and decrypts messages coming into your system.
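The first three specifications are mechanisms, not just policy, so here is an added Python example (not iCoreConnect's code, and not a description of how iCoreExchange works) showing them together: one unique ID per person with no shared logins, automatic logoff when a session sits idle past a timeout, and an emergency "break-glass" path that grants access outside the normal authorization but requires a stated reason and is flagged for review. The timeout value, the record-to-care-team model and the log shape are assumptions; the clock is injectable so the idle timeout can be exercised without waiting.

```python
"""Access-control mechanics: unique user IDs, idle-timeout automatic logoff and
a recorded emergency (break-glass) path. Added example; the policy values and
data model are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value; HIPAA does not fix a number


class FakeClock:
    """Injectable clock so idle timeouts can be tested without sleeping."""
    def __init__(self, now: float) -> None:
        self.now = now


@dataclass
class Session:
    user_id: str
    last_activity: float


class AccessController:
    def __init__(self, user_ids: Iterable[str], clock: FakeClock,
                 care_teams: Dict[str, Set[str]]) -> None:
        self.users = set(user_ids)          # one unique ID per person; no shared logins
        self.clock = clock
        self.care_teams = care_teams        # record id -> user ids normally authorized
        self.sessions: Dict[str, Session] = {}
        self.log: List[dict] = []           # every decision is recorded for the audit trail

    def _record(self, event: str, user_id: str, **detail) -> None:
        self.log.append({"ts": self.clock.now, "event": event, "user": user_id, **detail})

    def login(self, user_id: str) -> bool:
        """Only a known, individually assigned ID can open a session."""
        if user_id not in self.users:
            self._record("login_rejected", user_id)
            return False
        self.sessions[user_id] = Session(user_id, self.clock.now)
        self._record("login", user_id)
        return True

    def _active_session(self, user_id: str) -> bool:
        """True if the user has a live session; idle sessions are expired and logged."""
        session = self.sessions.get(user_id)
        if session is None:
            return False
        idle = self.clock.now - session.last_activity
        if idle > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]
            self._record("auto_logoff", user_id, idle_seconds=idle)
            return False
        session.last_activity = self.clock.now
        return True

    def access(self, user_id: str, record_id: str) -> bool:
        """Normal path: live session and membership of the record's care team."""
        if not self._active_session(user_id):
            self._record("access_denied", user_id, record=record_id, why="no active session")
            return False
        if user_id not in self.care_teams.get(record_id, set()):
            self._record("access_denied", user_id, record=record_id, why="not authorized")
            return False
        self._record("access", user_id, record=record_id)
        return True

    def emergency_access(self, user_id: str, record_id: str, reason: str) -> bool:
        """Break-glass path: still needs a live session and a reason; always flagged for review."""
        if not self._active_session(user_id) or not reason.strip():
            self._record("emergency_denied", user_id, record=record_id)
            return False
        self._record("emergency_access", user_id, record=record_id,
                     reason=reason.strip(), review_required=True)
        return True


if __name__ == "__main__":
    clock = FakeClock(1000.0)
    ac = AccessController(["dr.smith", "frontdesk2"], clock, {"PT-1001": {"dr.smith"}})
    ac.login("dr.smith")
    print(ac.access("dr.smith", "PT-1001"))            # True: on the care team
    clock.now += IDLE_TIMEOUT_SECONDS + 1
    print(ac.access("dr.smith", "PT-1001"))            # False: session auto-logged-off
    for entry in ac.log:
        print(entry)
```

The emergency path deliberately does not bypass the session check: the person invoking it must still be an identified, logged-in user, and the recorded reason is what a reviewer later compares against the clinical situation. Encryption of messages in transit, the fourth specification, is a separate mechanism and is not shown here.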

All ePHI must meet the standards set by the National Institute of Standards and Technology, regardless of whether the information is in transit or at rest.

*What’s the difference between “required” and “addressable”?

You may see the word “required” or “addressable” associated with different specifications of the law. In an “addressable” specification, the government gives you the opportunity to document in writing how you have achieved the specification in an alternate manner, or why you are unable to implement the specification.

For more information about access controls, or to see if you’re in compliance with the “ACCESS CONTROL” security standard, visit HHS.gov or call iCoreConnect at (888) 810-7706. iCoreConnect’s cloud-based, HIPAA-compliant email exchange, iCoreExchange, is endorsed by the LDA.

5637 Bankers Ave.
Baton Rouge, LA 70808
(225) 926-1986  |  (800) 388-6642
(225) 926-1886  Fax
info@ladental.org