
Apple, Mac, and HIPAA Compliance: What Business Associates & Covered Entities Must Consider


The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, requires all covered healthcare entities and their business associates to protect the privacy and security of patients’ protected health information (PHI).

Today, organizations are much more distributed, and employees are finding it necessary to access important company data using mobile devices like their iPhone or iPad. This forces organizations to ensure these devices are protected, regardless of where they are, to prevent risks to PHI.

When healthcare organizations access patient data from their mobile devices, employers and employees must ensure these devices are completely secure and HIPAA compliant. In order for healthcare businesses to qualify for government funding, they must ensure that authorized people are the only ones with access to Electronic Protected Health Information, or ePHI.

HIPAA Security With Apple

Many businesses have questioned the security of FaceTime and iOS; however, according to an Apple spokesperson, both are compliant with HIPAA:

“The iPad supports WPA2 (Wi-Fi Protected Access) Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit AES (Advanced Encryption Standard) encryption, giving users the highest level of assurance that their data will remain protected when they send and receive communications over a Wi-Fi network connection.”

Encryption is mandatory for health care organizations using Apple devices to send or receive ePHI. As for FaceTime, Apple says that with the proper configuration, it can be HIPAA compliant.

“In addition to your existing infrastructure, each FaceTime session is encrypted end-to-end with unique session keys. Apple creates a unique ID for each FaceTime user, ensuring FaceTime calls are routed and connected properly,” the email explained.

Apple products also feature a remote-deletion option, which allows the owner to completely wipe the device remotely in the event that an employee’s device is lost or stolen.

Mac and HIPAA Compliance

Fewer than 10 percent of U.S. physician practices have implemented an electronic medical record (EMR) system. Common barriers are cost and reluctance to leave the comfort zone of paper charts.

Ron Okamoto, Apple’s Vice President of Worldwide Developer Relations, says:

“The stability, security and ease of use of Mac OS X are major factors behind its strength in the healthcare, science and biotech industries.”

He also said that Apple’s development community is currently working on a wide range of health care applications, and there’s been a significant increase in the number of iPhones, iPads and iMacs showing up in hospitals and physician practices across the U.S.

However, the medical software industry hasn’t responded as quickly, and there are only 20 EMR and practice management systems available for Mac OS X.

Conducting a Risk Analysis

The U.S. Department of Health and Human Services (HHS) requires organizations to conduct a Risk Analysis. There are a total of nine mandatory components that any healthcare organization storing or transmitting ePHI must include in their Risk-Analysis document.

Auditing Your HIPAA Compliance Plan

Performing a formal audit of your HIPAA Compliance Plan provides feedback to your privacy officer, and documents that your organization has been following its own policies and procedures.

An audit is an independent appraisal and verification function, which examines records and/or activities, in order to test the effectiveness of procedures. This ensures compliance with established policies, assessment of the adequacy of controls, and knowledge of necessary improvements.

Before auditing your HIPAA Compliance Plan, you must have expert knowledge of the HIPAA Regulation, as well as a thorough understanding of the audit process. When done properly, your annual HIPAA Compliance Audit will provide the documentation needed to prove that your organization’s policies and procedures follow the HIPAA mandates.

Firewalls and Home Routers

Your network is connected to the Internet by a router or a firewall. A router directs traffic between two networks: your internal network (Intranet) and the Internet. A firewall does the same, but it also includes security features that block unauthorized traffic to meet HIPAA compliance requirements.

A firewall can also filter Internet traffic to prevent viruses and other malware from reaching your computers, which is another requirement for HIPAA compliance.

To properly protect your network, you should consider a business-grade firewall including additional subscription-based features.

Recently, an organization’s firewall failed to block unauthorized traffic and 17,500 patient records were breached. This resulted in a $400,000 fine, a lot more expensive than the cost of a sufficient firewall.

Business Associate Agreements

On January 25, 2013, HHS released a new, updated version of its sample Business Associate (BA) Agreement. It includes changes that reflect the provisions of the HITECH Act and the Omnibus Final Rule.

While this sample is great for review, covered entities should note that it’s not recommended to use the HHS sample agreement without modifications. As HHS explained, the language should be changed to accurately reflect business arrangements between a covered entity and a business associate, or a business associate and subcontractor.

Avoid relying on this sample to comply with state laws, as it may not be sufficient, and it doesn’t replace consultation with a lawyer or negotiations between both parties to the contract.

Business associate agreements must be revised by September 23rd, 2013. However, those that were in place following January 25th, 2013, and that aren’t renewed or amended, are allowed one extra year and must be revised by September 23rd, 2014.

Under the HIPAA Omnibus Rule, business associates who handle PHI must be prepared for audits and enforcement actions. For the first time, business associates (vendors that provide various services to covered entities and have access to patient information, as well as their subcontractors) will be held liable for HIPAA compliance and face penalties for violations.

Penalties for Violations

HIPAA enforcement has moved away from the previous voluntary compliance framework, and towards a penalty-based system. There are four violation categories:

1. Unknowing: $100-$50,000 fine per violation.

2. Reasonable Cause: $1,000-$50,000 per violation.

3. Willful Neglect (Corrected): $10,000-$50,000 per violation.

4. Willful Neglect (Uncorrected): at least $50,000 per violation.

When an organization violates an identical provision during the same calendar year, the maximum penalty is $1,500,000. 

Colorado Computer Support Will Ensure Your Organization’s HIPAA Compliance With a Formal Audit of Your HIPAA Compliance Plan

Colorado Computer Support is your certified provider of Managed IT Services and Apple consulting firm in Colorado Springs. Our information technology support solutions can be adapted to meet all of your business technology needs, and ensure that your organization is compliant with HIPAA.

Call us today at 1-719-439-0599 to learn more about our complete range of technical services for Colorado business.
