HIPAA Cheat Sheet — Your Guide to Understanding HIPAA

Author: Joseph Jachimiec, Security Administrator

Looking for a HIPAA-compliant print and mail provider? Overwhelmed with the confusing HIPAA terms and security mumbo-jumbo? Look no further than this HIPAA cheat sheet.

Let’s take a quick look at HIPAA. By the end of this article, you should know enough HIPAA information to impress even me!

Let’s get to it…

Brief HIPAA History

In 1996, Congress passed the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. In addition, Congress tasked the Office of Civil Rights (OCR) and the Department of Health and Human Services (HHS) with enforcing the new HIPAA laws.

The new HIPAA regulations not only enabled Americans to transfer health coverage between jobs but also detailed the requirements for businesses to protect our personal health information.

This same data protection is a priority for us at Nahan.

PHI and ePHI – What Is It?

These days, it seems like there’s an infinite variety of data and information. For HIPAA purposes, sensitive data revolves around our private and personal health information.

In the HIPAA world, this personal health information is called Protected Health Information (PHI). When PHI is in digital format–when it’s electronically stored, accessed, or transmitted–it’s called electronic PHI or ePHI.

PHI and ePHI can include:

  • Names
  • Addresses
  • Medical Records
  • Photos
  • …and any other health information that can identify an individual

HIPAA specifies two types of organizations that handle PHI and ePHI, and thus must be HIPAA compliant: Covered Entities and Business Associates.

What’s the difference?

Covered Entities vs. Business Associates

Covered Entities collect, create, store, and transmit PHI and ePHI. They are the first line of businesses that are “covered” by the HIPAA regulations, meaning they must follow the HIPAA laws and regulations to avoid fines and other disciplinary actions.

Covered Entities include:

  • Hospitals, Clinics, & Urgent Care
  • Dental, Chiropractic, and other miscellaneous health care services
  • Health Insurance Companies
  • Health Care Clearinghouses

Business Associates, on the other hand, are businesses that provide various services to Covered Entities. For example:

  • IT Support Services
  • Document Shredding
  • Cloud Storage
  • Billing & Invoicing
  • Print & Mail Providers (such as Nahan)

In the course of providing these essential services, Business Associates may encounter PHI and ePHI. Therefore, Business Associates must follow many of the same HIPAA rules and regulations as Covered Entities.

As hinted above, Nahan is a Business Associate to our Covered Entity customers and we take the protection of their PHI and ePHI seriously.

In fact, we’re proud to be HIPAA Compliant!

Additional HIPAA Rules

No cheat sheet explaining the fundamentals of HIPAA would be complete without touching on the HIPAA Rules.

There are four main HIPAA rules. Lawmakers established these rules after the initial adoption of HIPAA in 1996. The rules clarify the older laws and set additional standards, especially for the protection of PHI and ePHI.

Here are the four HIPAA Rules summarized in true cheat sheet style!

Privacy Rule

  • Applies to Covered Entities only
  • Gives patients rights over their own PHI and ePHI
  • Defines steps for keeping confidentiality when communicating with individuals

Security Rule

  • Applies to both Covered Entities and Business Associates
  • Defines administrative, physical, and technical controls for PHI and ePHI data handling
  • Requires training and documentation for Covered Entity and Business Associate employees

Breach Notification Rule

  • Sets standards to follow after a data breach involving PHI/ePHI
  • Establishes conditions based on breach size
  • Sets requirements for reporting incidents to the OCR, HHS, and public media

Omnibus Rule

  • Amends Privacy and Security Rules
  • Prohibits the use of PHI and ePHI for marketing purposes
  • Sets further HIPAA compliance mandates for Business Associates

Conclusion

The HIPAA laws and regulations are a confusing landscape. Breaking it down into bullet points can help with understanding the big picture: protecting PHI and ePHI.

Nahan is a trusted Business Associate and provider of HIPAA-Compliant print and mail services. We meet and exceed HIPAA requirements for protecting our customer’s PHI and ePHI.

If you are looking for a HIPAA-Compliant provider, contact us today!

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.

Image by ar130405 from Pixabay

What is Variable Data Printing? A Closer Look.

Author: Jon Legg, Data Processing Department Leader

In today’s data-driven marketing world, utilizing the power of your data can be the difference between a good marketing campaign and a great marketing campaign that produces a fantastic ROI. A question that we often get asked is “What is Variable Data Printing and how does it work?”

What is Variable Data Printing?

Variable Data Printing is using your customer’s data to change text, images, or other content from one piece of mail to the next.  Instead of printing one form 100,000 times you can instead print 100,000 highly individualized pieces.  And when we say highly personalized we are talking about more than just a salutation line that says “Dear John Doe.” 

At Nahan we have done a wide range of projects that utilize variable data printing.  The following four specific examples show what highly personalized could look like to you.

  1. One project had hundreds of mall locations and for each record, we used a field in the data to variably pull the closest mall to the consumer, a logo for that mall, hours of operation, and a mall directory. 
  2. Another project required us to uniquely link over 400,000 photographs so that each record imaged the correct photograph. 
  3. A third project involved providing each recipient with a personalized map that showed their house on a map, the nearest store, and a highlighted route between the two.
  4. Lastly, another project showcased a piece that changed all of its content based on the consumer.  Family of four?  All content showed family-friendly activities and all images changed to photos of families.  Single?  The entire piece changed to show photos of adults with more of a focus on entertainment and nightlife.

Variable data printing can do all of this and more. 

What is Variable Data Printing

As we like to say, “Where there is data, there is opportunity for customization.”

What Files Are Needed For a Variable Data Project?

At Nahan we can accept all types of files and work with you to get more out of your mail list.  Our preferred file format is a CSV file transmitted to our SFTP site.  We are also able to use API integrations to directly link with our customers to provide a more seamless transfer of data; both to Nahan and back to our customers.  This can include return files, reports, and much more.

How is Data Kept Safe?

In today’s digital landscape we can use data for just about anything, which makes that data extremely valuable.  Sadly, the bad guys know that as well and are constantly looking to get their hands on data.  But Nahan takes pride in keeping your data safe.  We are PCI compliant and are equipped to work with HIPAA data. We have lots of hands-on experience with both.  Beyond that our data processing team is literally in a locked room that requires two different forms of authentication just to get in! Given all the efforts that we put into data security, you can rest assured that not only will Nahan keep your data safe, but we will also put it to work for you! 

Working Together on a Strategy

As a company, we are not afraid of pushing the boundaries of what can be done with data.  We are constantly using the newest technology and then working to perfect it.  We also have a data processing team that is equally unafraid of pushing limits and seeing how much we can do with a simple mail list.  Let’s work together and see what we can get your next mailing to do for you! Contact us to learn more.

Author: Jon Legg is a Department Leader at Nahan Printing and started with the company in 2015.  He currently oversees the Data Processing department as well as the PreMedia department.  This means that any files, whether art or data, all come through Jon’s teams.  When he isn’t at work Jon loves spending time with his wife and daughter, traveling (usually to Disney World), and working with our local theater company both on stage and as a Director. 

Three Things to Look for in a Secure Print Partner

Author: Joseph Jachimiec, Security Administrator

Yogi Berra once said, “Okay you guys, pair up in threes… and talk about information security!”

Okay, I added the part about information security. But he still said “pair up in threes,” which is a brilliant Yogi-ism…

Taking his advice to heart, I paired up my knowledge about InfoSec and came up with three things to look for in a secure print partner. Play ball!

1. A Maturing Information Security Program

Your print partner must have an information security program, period.

Bonus points if they have a “maturing” InfoSec program. This means the program (by design) develops and improves over time, guided by business and customer needs. Sprinkle in leadership commitment, reliable frameworks, and awareness training, and you’re off to a good start.

Sounds simple, but it’s not. Consider the following…

Leadership Commitment

A robust information security program starts from the top down. It must have the full support of the CEO and company leadership with a clear security commitment shown to employees, stakeholders, vendors, and customers.

Controls

As discussed in my previous article, a well-designed InfoSec program encompasses administrative, physical, and technical controls.

For administrative controls, think policies and documentation. For physical controls, think door locks, cameras, and key cards. And for technical controls, think firewalls and encryption. Make sure there are policies, standards, procedures, and guidelines in each of these areas. 

Frameworks & Training

Ask if they built the program on a well-known cybersecurity framework like the NIST Cybersecurity Framework, CIS Controls, or ISO/IEC 27001:2013.

Also, make sure the print vendor has a diverse security awareness training program for its employees. More about this later.

2. Independent Third-Party Security Audits

Okay, your potential print partner has an information security program. They’ve told you they segment their networks, scan for vulnerabilities (and patch them), and have full documentation and policies.

Do you take their word for it? Or do you, as the Russian proverb goes, trust but verify?

I think you know the answer. But how do you verify? It’s time-consuming and expensive to fly your security auditors out. However, due diligence is a must.

That’s where independent third-party security audits come in. Trained, unbiased auditors perform these evaluations. And in most cases, compliance obligations require third-party validation.

So ask about the third party reports and certifications that confirm your potential print partner is meeting their InfoSec duties. Make sure they’re following industry standards, using best practices, and protecting your data with proven methods.

For instance, what’s their S2SCORE? Do they have an AICPA SSAE 18 SOC 2 report? If they process credit cardholder data, are they PCI DSS compliant? If you’re in the healthcare field, is the print vendor HIPAA compliant

Besides independent audits, does your potential partner have a track record of fixing security gaps? Do they have a history of remediating and improving any security findings the inspections uncover? Or do they strike out?

3. Security Awareness Training Program

I mentioned awareness training above, but it’s so important that I’m calling it out in this separate section.

Someone once said that humans are the weakest link in the security chain (no offense if you’re human). All this means is we’re emotional, and thus easy prey for social engineering trickery. 

A robust training program covers a few different bases here. First, it shines a spotlight on the threat of social engineering and teaches ways to identify it when something doesn’t seem right.

It’s not about paranoia; it’s about awareness. It’s about thinking before divulging information, clicking on a strange email link, or plugging in that USB thumb drive.

The security awareness program should use different media like email training, newsletters, video, and even live training. Is the training spread out over different time frames like weekly, monthly, and yearly?

Phishing Tests

To further combat social engineering and ransomware, make sure the vendor’s awareness training program includes email phishing tests and remediation training for anyone who takes the bait.

Policy Acknowledgments

And don’t forget about the print vendor’s security policies. All employees must be aware the information security policies exist, what those policies cover, and where to access those policies for further reference. Annual acknowledgment of security policy training is ideal.

Bonus: look to see if the print vendor cares about its employee’s digital safety outside of work. Security training for their family and home life is a welcome addition.

Conclusion

When evaluating a potential secure print partner, look for telltale signs the print provider cares about your data security. Ask them to prove it.

At the very least, look for:

  • A reliable information security program
  • Third-party assessments
  • A security training program that’s proactive about educating its employees.

Is there more to consider? Sure, but don’t get overwhelmed. Start with these basics, and you’ll go a long way toward protecting your data with your trusted print vendor.

If you’re looking for a secure print partner, contact us today. We’ll show you how Nahan meets all these criteria and more.

Joseph Jachimiec is a security, IT, and marketing professional. As the Security Administrator at Nahan, he heads up our information security program and is the go-to guy for our customer/third-party security audits and PCI, SOC 2, and HIPAA compliance initiatives. In his spare time, he dreams about what it would be like to have more spare time.

Image by Paul Brennan from Pixabay