eFolder Webinar, 10 HIPAA FAQs from MSPs and VARs
10 HIPAA FAQs from MSPs and VARs
Carlo Tapia, Marketing Coordinator, eFolder, 678-888-0700, [email protected]
Mike Semel, President, Chief Compliance Officer, Semel Consulting, 888-997-3635 x 101
© 2014 eFolder, Inc. All Rights Reserved.
Agenda
• Introductions
• What is HIPAA?
• What must MSPs and VARs do to comply?
• When was the HIPAA deadline?
• What is the cost of HIPAA?
• 10 HIPAA FAQs from MSPs and VARs
eFolder Expert: Mike Semel
Semel Consulting
• Founded in September, 2012
• 30-year VAR/MSP
• 10 years’ experience with HIPAA, conducting assessments and remediation
• Former Hospital CIO
• Specialization in health care, financial, and education verticals
What is HIPAA?
• Health Insurance Portability and Accountability Act (1996)
• Reduces health care fraud and abuse
• Mandates industry-wide standards for health care information
• Requires the protection and confidential handling of protected health information
The Cost of HIPAA
• Massachusetts provider settles HIPAA case - lost laptop: $1.5M
• Alaska DHSS settles HIPAA security case - lost hard drive: $1.7M
• Resolution Agreement with Adult & Pediatric Dermatology, P.C. of Massachusetts - lost flash drive: $150K
HHS.gov/ocr/privacy/hipaa/enforcement/examples/index.html
When was the HIPAA Deadline?
What must MSPs and VARs do to comply?
Comply with HIPAA’s Administrative, Technical, and Physical Safeguards
Question 1
What information is protected by HIPAA?
• Any combination of a patient’s name (or other identifier) with information about their medical diagnoses or treatment
• Can be written, verbal or electronic
• On any device or in the Cloud
Question 2
Why do we have to comply with HIPAA as a Business Associate?
• Your health care clients, and the businesses that support health care clients, give you access to electronic Protected Health Information (ePHI) or to the systems that store it
Question 3
If a client refuses to sign a Business Associate Agreement with us, can we still do business with them?
• Yes; your client's refusal to comply with HIPAA does not create a risk for you
• You have to comply with HIPAA with or without a signed contract
Question 4
Do we have a responsibility to report it if our client is intentionally or deliberately out of compliance?
• No; HIPAA does not require you to report your client for non-compliance
• HIPAA does require your client to ensure that you are compliant: the client is supposed to give you a chance to remediate compliance issues, and to cancel its contract and report you if you don't comply
Question 5
Do we have to sign Business Associate Agreements with our vendors?
• Any vendor that creates, receives, maintains, or transmits ePHI on your behalf is a Business Associate and must comply with HIPAA
• Cloud services, online backup providers, and data centers must sign Business Associate (BA) Agreements
• Either you or your vendor may originate the contract
Question 6
How can we verify that our backup and cloud vendors are really HIPAA compliant?
• Any ePHI you send to a non-compliant vendor is a HIPAA data breach
• Some vendors think that signing BA Agreements is enough
• Validate that the vendor is actually complying, beyond signing agreements: ask for its Risk Analysis, its HIPAA policies and procedures, and evidence of workforce training
• If you aren't convinced of your vendors' level of compliance, switch vendors!
Question 7
Do our clients really need Domain networks instead of Workgroup networks?
• Yes; HIPAA's Security Rule requires Unique User Identification, Audit Controls, and Information System Activity Review, which in practice means one named account per person and centrally collected logs, something a Domain provides and a Workgroup of standalone machines does not
• Audit Logs must be retained for 6 years
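As an added example that is not from the webinar, eFolder or Semel Consulting: a PowerShell check an MSP can run on a client endpoint to collect evidence for the three controls above (unique user identification, audit controls, and a log that survives long enough to be reviewed). It assumes an elevated session on Windows 8 / Server 2012 or later; the list of audit subcategories, the 1 GB minimum Security log size and the function name are the example's own assumptions, not values the slides give.

```powershell
# Added example, not code from the eFolder/Semel Consulting webinar.
# Assumes Windows 8 / Server 2012 or later, run from an elevated session
# (auditpol /get needs it). The subcategory list and minimum log size are
# assumed baseline values, not HIPAA text.

function Test-HipaaAuditBaseline {
    [CmdletBinding()]
    param(
        [string[]]$RequiredSubcategories = @(
            'Logon', 'Logoff', 'Account Lockout', 'User Account Management',
            'Security Group Management', 'Audit Policy Change', 'File System'
        ),
        [int]$MinSecurityLogMB = 1024
    )

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Unique user identification. A workgroup PC has only local accounts,
    #    so nothing ties a log entry to one named person across machines.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $findings.Add("Workgroup machine ('$($cs.Workgroup)'): no central accounts or log collection")
    }
    # Enabled local accounts beyond the built-in ones (RIDs 500-509) are usually
    # shared logins ('frontdesk', 'nurse') that defeat individual identification.
    $shared = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False" |
        Where-Object { $_.SID -notmatch '-50[0-9]$' }
    foreach ($acct in $shared) {
        $findings.Add("Enabled local account '$($acct.Name)' (shared login?)")
    }

    # 2. Audit controls. auditpol's CSV output (/r) lists every subcategory with
    #    its 'Inclusion Setting' ('Success and Failure', 'Success', 'No Auditing', ...).
    $policy = (auditpol /get /category:* /r) | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    foreach ($name in $RequiredSubcategories) {
        $row = $policy | Where-Object { $_.Subcategory -eq $name }
        if (-not $row) {
            $findings.Add("Audit subcategory '$name' not found")
        } elseif ($row.'Inclusion Setting' -ne 'Success and Failure') {
            $findings.Add("Audit subcategory '$name' is '$($row.'Inclusion Setting')', expected 'Success and Failure'")
        }
    }

    # 3. Information system activity review needs entries that are still there
    #    when someone reviews them. A small Security log overwrites itself in
    #    hours. The six-year retention the slide cites also needs forwarding to
    #    a collector or archive, which a check on the endpoint cannot prove.
    $sec = Get-WinEvent -ListLog Security
    $sizeMB = [math]::Round($sec.MaximumSizeInBytes / 1MB)
    if ($sizeMB -lt $MinSecurityLogMB) {
        $findings.Add("Security log is $sizeMB MB, below the $MinSecurityLogMB MB minimum")
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DomainJoined    = [bool]$cs.PartOfDomain
        SecurityLogMB   = $sizeMB
        SecurityLogMode = [string]$sec.LogMode   # 'Circular' means oldest entries are overwritten
        Compliant       = ($findings.Count -eq 0)
        Findings        = $findings.ToArray()
    }
}

# Usage: Test-HipaaAuditBaseline | Format-List
```

The output is meant to be kept, not just read: run it on a schedule and store the objects (Export-Csv, or your RMM's custom fields) so that the "Information System Activity Review" has a dated record behind it.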
Question 8
If a laptop computer is encrypted and then lost, is it reportable?
• No; a device encrypted consistent with HHS guidance qualifies for 'Safe Harbor' and its loss is not reportable, provided the encryption key was not lost or exposed with it (for example a recovery key stored on the same laptop); be ready to document that the device was encrypted at the time it went missing
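The 'Safe Harbor' answer above only holds if you can show the drive was fully encrypted, with protection on, and that the key was not with the device. As an added example that is not from the webinar or from eFolder: a PowerShell function that records that evidence per volume from BitLocker and, where the RSAT ActiveDirectory module is available on a domain-joined machine, checks that the recovery password is escrowed in AD rather than on the laptop. It assumes an elevated session on Windows 8 / Server 2012 or later with the BitLocker module; the evidence file path and the function name are the example's own assumptions.

```powershell
# Added example, not code from the eFolder/Semel Consulting webinar.
# Assumes Windows 8 / Server 2012 or later with the BitLocker module, run
# elevated. $EvidencePath is an assumed location. The AD escrow check runs
# only if Get-ADComputer (RSAT ActiveDirectory module) is present.

function Get-BitLockerEvidence {
    [CmdletBinding()]
    param(
        [string]$EvidencePath = "$env:ProgramData\HipaaEvidence\bitlocker.csv"
    )

    $collected = Get-Date
    $records = foreach ($vol in Get-BitLockerVolume) {
        $gaps = @()

        # 'EncryptionInProgress' or 'FullyDecrypted' is not encrypted for safe-harbor purposes.
        if ($vol.VolumeStatus -ne 'FullyEncrypted') { $gaps += "VolumeStatus=$($vol.VolumeStatus)" }

        # Protection 'Off' (e.g. suspended for a firmware update) leaves a clear key on
        # the disk: whoever finds the laptop can read the data.
        if ($vol.ProtectionStatus -ne 'On') { $gaps += "ProtectionStatus=$($vol.ProtectionStatus)" }

        # The volume must unlock from something the finder does not have: a TPM
        # (optionally with PIN) for the OS drive, a password for data drives.
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        if (-not ($types | Where-Object { $_ -match '^Tpm|^Password' })) {
            $gaps += "No TPM/password key protector (found: $($types -join ','))"
        }

        # The recovery password is the key in another form: it belongs in AD (or
        # another escrow), never in a file on the same laptop.
        $rpIds = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
                  ForEach-Object { $_.KeyProtectorId })
        $escrowed = 'NotChecked'
        if ($rpIds.Count -gt 0 -and (Get-Command Get-ADComputer -ErrorAction SilentlyContinue)) {
            $dn = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
            $adKeys = Get-ADObject -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
                        -SearchBase $dn -SearchScope OneLevel -Properties 'msFVE-RecoveryGuid'
            # msFVE-RecoveryGuid comes back as byte[]; KeyProtectorId is the same GUID in braces.
            $adGuids = @($adKeys | ForEach-Object { "{$([guid]$_.'msFVE-RecoveryGuid')}" })
            $escrowed = if ($rpIds | Where-Object { $adGuids -contains $_ }) { 'Yes' } else { 'No' }
            if ($escrowed -eq 'No') { $gaps += 'Recovery password not escrowed in AD' }
        }

        [pscustomobject]@{
            Collected        = $collected.ToString('s')
            ComputerName     = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeStatus     = [string]$vol.VolumeStatus
            ProtectionStatus = [string]$vol.ProtectionStatus
            EncryptionMethod = [string]$vol.EncryptionMethod
            KeyProtectors    = ($types -join ';')
            RecoveryEscrowed = $escrowed
            SafeHarborReady  = ($gaps.Count -eq 0)
            Gaps             = ($gaps -join '; ')
        }
    }

    # Append a dated row per volume: this is the record you produce when the
    # laptop is reported lost and the client asks whether it must notify.
    New-Item -ItemType Directory -Path (Split-Path $EvidencePath) -Force | Out-Null
    $records | Export-Csv -Path $EvidencePath -Append -NoTypeInformation
    $records
}

# Usage: Get-BitLockerEvidence | Format-Table MountPoint, SafeHarborReady, Gaps
```

Keep the CSV somewhere other than the laptop it describes, and run the function often enough that the last row predates any loss by days, not months.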
Question 9
Are cloud vendors and backup providers exempt from HIPAA because the data is encrypted and they don't have the encryption keys?
• No; while encryption provides 'Safe Harbor' in case of a data breach, it is not an exemption for an organization that maintains encrypted data
Question 10
What do we have to do to become HIPAA-compliant?
• Learn HIPAA!
• Implement HIPAA-specific policies and procedures
• Do a HIPAA Risk Analysis
• Train your workforce
• Perform and document ongoing HIPAA-compliant services
• Select HIPAA-compliant partners, like eFolder
eFolder and HIPAA
• eFolder will sign Business Associate Agreements
• eFolder has completed a proper HIPAA Risk Analysis conducted by experienced professionals
• eFolder has written HIPAA-specific policies and procedures
• eFolder has trained its workforce to comply with HIPAA
• eFolder has retained HIPAA professionals to maintain compliance over time
• eFolder will provide you with a letter attesting to our HIPAA compliance to take to your clients
eFolder and HIPAA
• eFolder Partners, contact your account manager for a Business Associate Agreement (BAA)
• All registrants will receive a HIPAA Compliance Playbook:
  • Video training course to educate partners
  • Microsoft PowerPoint to train employees
  • Example HIPAA compliance checklist
  • Example Business Associate Agreement (BAA)
  • More!
HIPAA Compliance Workshop
HIPAA Rapid Compliance Virtual Workshop for VARs/MSPs
• 6 hours of webinar training
• Customized policies and checklists, and a lot more
• 1-on-1 consulting
• No travel costs, lost workdays, or lawyer lectures
• Webinars will be recorded for review or sharing with other employees
HIPAA Compliance Workshop
Registration
• http://bit.ly/NCRTrC
• Workshop limited to 35 participants
Cost
• $1,299
• $999 for eFolder partners
Dates
• Monday, March 10, 8 a.m. - 10 a.m. PT
• Thursday, March 13, 8 a.m. - 10 a.m. PT
• Monday, March 17, 8 a.m. - 10 a.m. PT
Q&A
www.efolder.net
+1 800-352-0248
HIPAA Compliance Workshop
http://bit.ly/NCRTrC