1) The requirements are theoretically tractable by an SMB but only just.
2) Non-compliance is ridiculously widespread. Ridiculously. This is partly because HIPAA prohibits people from doing things they really want to do (emailing about a patient, perhaps to that patient) and partially because the requirements are so vague.
3) Be prepared to use HIPAA as a pricing segmentation engine and for your providers to use it on you. Getting a BAA with Rackspace, for example, quintupled our costs.
4) Get insured. Because literally everyone is exposed to this and investigations are infrequent, the industry treats them like acts of God. You can insure, minimally, the cost of responding to an investigation (though my policy doesn't cover any fines assessed) and breach notification.
This is partly because HIPAA prohibits people from doing things they really want to do (emailing about a patient, perhaps to that patient) and partially because the requirements are so vague
My healthcare provider solves this by having a health portal that I log in to to send/receive messages to my doctor and view test results.
It's all SSL encrypted and protected with my individual password, which is more than they can guarantee with plain email. When I have a new message in the message center, they send me an email to tell me to log in.
I should hope that any healthcare provider that wants to share PHI with a patient does the same rather than using email, where they have no assurance that the email is encrypted, stored securely, or protected by a strong password.
This is a great example of a HIPAA poser, because that system is still a violation if one treats the regulations as actually meaning what they say. The "We have a message for you" email disclosed a doctor-patient relationship (protected health information) about an email address (personally identifiable).
It's unlikely they'll receive a complaint/investigation for installing that software.
I fail to see how the email discloses anything protected, since it's completely generic:
Dear member,
You have a new message from *Redacted Healthcare System*
Please click on the link below, or copy and paste the link into your browser.
So from the email it's impossible to tell if it's even a message for me, or someone else in my household that I'm authorized to receive healthcare information for. And it hardly seems any more revealing than the weekly "wellness emails" that every healthcare system seems to send to its members.
HHS specifically allows a provider to use email:
The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).
Exactly. He's calling himself a poser with a claim like that. The use of protected portals with generic notifications is both allowed and widespread in use. Almost every provider I've run into does a variation of this. There are even turn-key solutions in this and other regulated markets. Incidentally, it was also the solution secure email providers came up with for when people don't have your encryption software but do have regular email & HTTPS-enabled browsers.
I'll go further to say it's probably one of the best models a company can use, since the vast majority of INFOSEC research and product development goes into exactly that sort of construction and tech. Even the high assurance sector has solutions for some of that. Plus it has high usability and compatibility. Win across the board.
I work in this industry, connecting customers' data flows, and one of the biggest problems I have on a regular basis is trying to describe to a client how their ADT data is not matching their claims data (which matches on account numbers, mrns, etc) without using PHI for examples. It's very frustrating.
I second 1, 3, and 4. Good advice. The market could handle Number 2 like they did in smartcards and DO-178B sector. Apparently, whatever they're doing isn't appealing.