6 Listener Questions

We get questions from listeners on a pretty regular basis.  When they come in by email we do our best to reply with an answer.  Sometimes, however, they back up before we can get them on the show.  Today we are covering some of those; in fact, we are covering 6 listener questions.

HIPAA For MSPs by J. David Sims 6 Listener Questions

6 Listener Questions

Great note from a listener:

I cannot tell you both how much I enjoy the podcast. I drive about 1,000 miles a week and you keep me company most of the way, and I have only gone through 80 episodes because I keep going back to refresh my memory on something you said. You are funny and informative. I have been in healthcare, health insurance, I.T., and now healthcare compliance. I believe I have some level of expertise with HIPAA and you both challenge my knowledge.  So, thank you both so much for what you do.

-Alex-

Thanks, Alex!

First a note about the creepy Alexa laugh. We told you she is listening and reacting when you think she isn’t listening.  Our discussions during the Alexa and HIPAA episode explained why we worried.

1- What do we do with Active Directory users and computers that are no longer used?

We have clients asking what is the risk level of having users disabled in Active Directory? Do they need to remove/delete those users? Also, what if they have computers disabled? Is there a risk? Do they need to remove them?

Don’t just disable them and leave them in place.  Either delete them or move them to another OU.  Either way, a regular review of the users and computers in Active Directory should be part of your security protocols.

Why? They can be enabled too easily.
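One way to run the regular review the answer calls for, as an added example that is not code from the podcast or its hosts: a PowerShell script using the RSAT ActiveDirectory module that reports every disabled user and computer, flags still-enabled accounts idle for 90 days, and moves the disabled objects into a holding OU. The OU path, the 90-day threshold and the report file name are assumptions.

```powershell
# Added example: periodic review of disabled and stale AD users and computers.
# Requires the RSAT ActiveDirectory module; $ReviewOU is a placeholder DN and
# must exist before the move step runs.
Import-Module ActiveDirectory

$ReviewOU  = 'OU=Disabled-Pending-Review,DC=example,DC=local'   # placeholder
$StaleDays = 90                                                  # assumed policy
$Report    = "AD-Review-$(Get-Date -Format yyyyMMdd).csv"
$Props     = 'LastLogonDate', 'whenChanged', 'DistinguishedName'

# 1. Everything currently disabled: the accounts that "can be enabled too easily".
$disabledUsers     = Get-ADUser     -Filter 'Enabled -eq $false' -Properties $Props
$disabledComputers = Get-ADComputer -Filter 'Enabled -eq $false' -Properties $Props

# 2. Still enabled but not logged on for $StaleDays: candidates to disable now.
$window         = [TimeSpan]::FromDays($StaleDays)
$staleUsers     = Search-ADAccount -AccountInactive -TimeSpan $window -UsersOnly     | Where-Object Enabled
$staleComputers = Search-ADAccount -AccountInactive -TimeSpan $window -ComputersOnly | Where-Object Enabled

# 3. One CSV the compliance file can keep as evidence that the review happened.
function New-Row($Type, $State, $Obj) {
    [pscustomobject]@{
        Type = $Type; State = $State; Name = $Obj.SamAccountName
        LastLogon = $Obj.LastLogonDate; Changed = $Obj.whenChanged
        DN = $Obj.DistinguishedName
    }
}
$rows  = @()
$rows += $disabledUsers     | ForEach-Object { New-Row 'User'     'Disabled' $_ }
$rows += $disabledComputers | ForEach-Object { New-Row 'Computer' 'Disabled' $_ }
$rows += $staleUsers        | ForEach-Object { New-Row 'User'     'Stale'    $_ }
$rows += $staleComputers    | ForEach-Object { New-Row 'Computer' 'Stale'    $_ }
$rows | Sort-Object Type, State, Name | Export-Csv -Path $Report -NoTypeInformation
Write-Host "Wrote $($rows.Count) rows to $Report"

# 4. Move disabled objects out of their working OUs into the holding OU so that a
#    stray re-enable is obvious and the old OU's group policy no longer applies.
#    -WhatIf keeps this a dry run; remove it once the report has been reviewed.
foreach ($o in @($disabledUsers) + @($disabledComputers)) {
    if ($o.DistinguishedName -notlike "*,$ReviewOU") {
        Move-ADObject -Identity $o.DistinguishedName -TargetPath $ReviewOU -WhatIf
    }
}
```

Objects left in the holding OU for longer than your retention policy allows are the ones to delete at the next review.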

2- When do you notify other entities like state AG, not just HHS?

When do “other” security breach notification requirements become applicable, like those from the Attorney General’s Office?  I’m sure a lot of small businesses have no idea that some state AG offices have security breach notification requirements for PII.

State laws matter.  Check out our episode about knowing your state laws.  They are changing this year due to the Equifax breach.  How much they will change remains to be seen.  Changing state laws is one of the many things we plan to discuss next week.

3- Providing services in remote locations. How do you maintain security in those situations?

Behavior analysts are often few and far between, but we still need to observe our clients in natural situations. For this reason, we often act as consultants in remote areas and need to access our internet and files away from a central office (if we have one at all). Can you give any suggestions on how to maintain security in such a situation?

We did cover this in the cybersecurity-outside-the-office episode, based on the OCR newsletter about traveling during the holidays.  We recommend you make sure there is a consistent plan.  Most important is to not allow workforce members to connect to random networks like clients’ homes, restaurants, and coffee shops unless they are using a VPN that has been vetted by your IT staff.  I prefer using the Personal Hotspot feature of my phone in most cases when I am mobile.  Hotels and other sites like those, well, it depends.

4- How can I work with providers who clearly need help in this area to build a culture of compliance?

In my company, we work with a lot of small, rural, human service providers. There is just not a culture of compliance in general in this area of the world (and not a lot of resources for them to dedicate to developing it). It’s not great, but we can’t just abandon our responsibilities to our clients. Do you have any recommendations on how to work with the providers to build that culture?

5- What do we do to make sure we are using secure fax capabilities with digital or online fax solutions?

Faxes are a big issue no matter if you are doing it old school with analog or with an internal fax server.  The next step is to look at cloud fax solutions.  What do you do to make sure they are HIPAA compliant?

For physical fax machines, the controls around who can pick up received faxes matter.  Going digital is great, but you then have to deal with when and how the faxes are received, stored, and delivered.

6- Can I communicate with patients via unsecured email or text messages?

We covered this topic in a few episodes before but CMS created some confusion and there seems to be a regular stream of it from other sources.  Here is the bottom line:

  1. If a patient would like you to communicate with them in any unsecured manner (text messages, emails, SMS messages, etc.), you should confirm they understand it is not secure.  If that is OK with them, then do as they ask.  It is recommended that you make a note in the chart that you had this conversation.
  2. If you are communicating with other members of your staff or with parties involved in the patient’s TPO (treatment, payment, and health care operations), then it must always be done in a secure manner.

Keep sending us the questions and we will do the best that we can to respond.  Eventually, we cover them on an episode in some manner.  Clearly, there are many topics that our listeners are touching on. That helps us find the right topics for future episodes, too.