HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Your Guide to Staying HIPAA Compliant When Emailing Patients 


In the age of electronic communication, there is the ever-present concern of compromised data. Data can be intercepted and accessed by third parties with their own agendas.

Naturally, the information between patients and their healthcare providers is quite sensitive. Neither party wants that data available to the public.

In response to growing concerns of data interception, Congress passed HIPAA: the Health Insurance Portability and Accountability Act. One of the purposes of this legislation is to protect a patient’s privacy.

Email is not secure

In general, email communication is not secure for two reasons:

  1. The data isn’t encrypted by default.
  2. It’s impossible to tell if the receiver is the intended recipient.

Encryption is the process of modifying data to make it unreadable, but in a way so that it can be returned to its readable state. The reorganization requires a cipher (a code) that both sender and recipient know. Anyone without the cipher will only see gibberish.

By default, most email clients do not encrypt your communications. This includes the popular web-based email clients like Outlook, Gmail, and Yahoo. However, some of these services offer paid features that comply with HIPAA regulations.

Furthermore, there’s never a foolproof way to ensure that the intended recipient is actually the one reading the email. Perhaps the patient checked his mail in a public place with wandering eyes or left his phone somewhere by mistake.

Nevertheless, modern patients expect instant communication, so you can’t avoid emailing. For many patients and practices, email is becoming the preferred method of communication.

Here’s how to stay compliant with your electronic communications.

Encrypt everything

Any piece of electronic data is required to be encrypted, including physical documents scanned to a computer. It’s a simple process to have a scanned document/image sent to your storage location via encrypted email. Speak with your IT professional to set this up.

Protected health information (PHI) must be protected at rest and in transit. This means it must be secured during transmission across networks or the Internet and when it’s stored in drives at workstations and servers.

The person conducting the transmission is the liable party. A replying patient is neither a covered entity nor a business associate, so they aren’t bound by HIPAA regulations. You are only responsible for your emails’ security.

While HIPAA does not require that you encrypt every device and storage location, it would be silly not to. Encryption is cheap, easy, and can protect you from embarrassing mistakes and tedious litigation. Even if you technically followed the rules, you could still upset your patients if data were exposed.

It isn’t necessary to use a dedicated service to send HIPAA compliant emails. These services work, but with some added expense.

Some email clients allow for configurations that satisfy the law. For example, the desktop client Microsoft Outlook offers an encryption option under Security Settings. If you then enable Internet Message Access Protocol (IMAP) and choose to delete emails from the server (and store them solely on your local disk), you can guarantee no chance of interception.

While encryption is important, it’s worth mentioning that HIPAA doesn’t require you to encrypt interagency emails. If you send an email to a colleague on the same secure server, no encryption is necessary. However, best practice is to encrypt everything to be safe.

If a patient is unable to accept encrypted communications, they can waive their right to privately receive emails from you. In this case, you can use any means of communication that works for you and the patient. Just make sure to have them sign a consent form and save it.

Get the patient’s consent

Consent is an important part of privacy. You can ensure you have the right contact information and protect yourself from lawsuits by getting permission in writing from your patient before you correspond through email.

On the form, explain to the patient the inherent risks of electronic communication. Offer some advice on safeguarding their computer to ensure their emails aren’t accessed by other people.

I recommend having your attorney evaluate a consent form before you send it to your patients.

Here’s a template to give you an idea of what it looks like. For best results, use an online intake form with e-signature capabilities (like ours).

Once you have the consent form, be sure to keep it safe. If the patient ever blames you for a privacy breach, you’ll want to be able to show that you had their permission.

When a patient initiates an email conversation, it’s safe to assume they permit that type of communication (unless they have previously expressed otherwise). Still, you must secure these emails like any other.

If a patient hasn’t agreed to communicate electronically, never contact them through email.

Include a privacy statement with each email

Every email you send should conclude with a privacy statement. The statement should notify the receiver that the email is inherently insecure, express that the content is strictly confidential, and tell them who to report the email to if they are not the correct recipient.

The purpose of this statement is to remind the recipient every time that their correspondence isn’t 100% safe. If they choose to reply with confidential information, they are doing so at their own risk. Further, it encourages parties who shouldn’t read the email to report the miscommunication.

If your email needs are simple, this can be done by adding a signature to your emails through your client. If you work in a larger practice, speak with your IT professional to ensure that all emails include this statement.

That said, email disclaimers are not a substitute for properly encrypted PHI emails. The purpose of the disclaimer is simply to inform. It does not absolve you of responsibility in any way.

Use an email provider that signs a Business Associate Agreement

A Business Associate Agreement is a HIPAA requirement for email providers. There are countless services that specialize in HIPAA compliant communications for healthcare providers. Each comes with its own features. These agreements do not come standard with free email clients, but many paid versions offer this service.

If a provider does not sign this agreement, they are noncompliant. Do not assume an email service provider has signed an agreement unless it is clearly advertised on their website.

Develop an office policy

It’s important to have a clearly defined policy for your staff or colleagues regarding protected health information (PHI). A casual discussion isn’t enough. You need procedures.

In your documentation, include which types of information may and may not be transmitted electronically. You may restrict certain types of PHI (mental health issues, for instance) to in-person meetings only.

Document who may and who may not send or receive confidential patient information. For instance, you would allow a doctor, nurse, or other healthcare provider to discuss health matters with a patient, but not the receptionist, administrative assistant, or billing department. These restricted parties should only contact patients regarding administrative issues and immediately notify healthcare staff if a patient mentions medical information.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


A Patient’s Right to Access Medical Records


Most medical practices, healthcare organizations, and clinicians are very familiar with HIPAA rules and regulations. However, the law can be extremely complicated and is often a source of confusion and misinterpretation. According to the Office for Civil Rights (OCR), one of the most common complaints and most frequently misunderstood parts of the law involves a patient’s right to access their personal medical records. Due to the recent increase in patient complaints on this subject, the OCR has published new guidance regarding the right of access. Below are a few of the highlights. (The full text can be viewed at www.hhs.gov.)

The HIPAA Privacy Rule requires all covered entities to provide individuals with access to their personal health information in “designated record sets” upon their request. A designated record set is a group of records maintained by or for a covered entity, including medical and billing records; enrollment, payment, claims, or medical management record systems; and other records used by a covered entity to make decisions about an individual’s health.

Information that is not included: PHI that is not part of the designated record set or used to make decisions about an individual's health, psychotherapy notes, and information compiled for a legal suit.

Does the HIPAA rule apply to electronic medical records? 

Yes.  Patients have the right to access both paper and electronic medical records.  

Can a patient request that another individual be given access to their information? 

Yes. A patient should sign a request that names the recipient and states which records to send and where to send them.

Can a covered entity charge the patient a fee for copies of their medical records?

Yes. HIPAA allows a “reasonable fee.”  The covered entity can charge a minimal fee for supplies and labor. It is important to note that state law may limit the ability to charge for records. 

In what form or format must the medical records be provided?

A covered entity must provide the patient with their medical records in the form and format requested, or if not available, in a readable format as agreed to by the covered entity and individual.

What is the timeframe in which a covered entity must provide a patient their requested records? 

A covered entity has 30 days from the date of request to produce the records.  One 30-day extension is permissible with a written notice to the patient and reason for the delay with the expected date of completion.

How quickly must an entity make corrections to inaccurate medical records?

When patients access a medical record and discover information they believe is inaccurate, they must file a written request for the record to be corrected. The covered entity must then respond to the request within 60 days. The entity may take an additional 30 days but must provide a written explanation for the delay and a date of completion.

What should patients do if they have difficulty obtaining a copy of their medical records?

It may be appropriate to contact the healthcare provider’s designated privacy HIPAA compliance officer. This action will document the complaint, and show that the patient has made an effort to resolve the problem. If the provider ignores the complaint, the individual may want to proceed with an HHS complaint.

Conclusion

Providing patients with access to their medical health information empowers individuals to take control over health decisions and enables them to effectively monitor chronic conditions, adhere to treatment plans, and track their progression.  Additional benefits include increased patient engagement, improved outcomes, and a more patient-centered health care system.

 


5 Essential Steps to Ensure an Effective HIPAA Program


HIPAA Compliance is a term that is often thrown around the healthcare industry; however, I commonly ask myself – is the meaning of HIPAA Compliance the same throughout the industry? The answer is NO! Walking into a healthcare organization in the last month, the HIPAA Privacy Officer was excited to tell me that they are fully HIPAA compliant and don’t have any on-going concerns with meeting the regulations. A quick review of the documentation requirements and auditing practices indicated that there were many missing holes in their HIPAA Compliance Program. As I spoke with the HIPAA Privacy Officer, she provided me with the tool she used to get to their current state with HIPAA. Needless to say, the tools were missing core components of documentation requirements and didn’t have specific essentials for on-going maintenance for compliance. This left the organization at risk for a HIPAA data breach or unauthorized use or disclosure of health information!

Trying to achieve a satisfactory level of HIPAA compliance at an organization can be a frustrating and daunting task. Sitting down looking at the rule can be overwhelming. Digging through the pages of information in a HIPAA manual or diving into the Federal Register can be impossible with all the other tasks assigned within a job. In addition, it is easy to want to sit down and solve the HIPAA compliance issue you have in one day or one week; however, this often leads to failure and inability to create a program that protects your patient information.

We don’t wake up one morning, decide to run a marathon and go out and accomplish the overwhelming 26.2 miles (well, most of us). Normally if you are going to run a marathon, you find a training program that lasts 16-18 weeks, create a plan for cross training activities within your training program, and ask for support and help along the way. That concept and mindset can be transferred to HIPAA compliance as well!

One of the most effective ways to properly implement a solid HIPAA program is creating an action plan for compliance and assigning small regular tasks to get through the entire HIPAA regulation. It is very important that HIPAA is an on-going process within the organization. It is not just a ‘one and done’ type of regulation due to the nature of work that we do in healthcare and the vast changes within our technologies used.

To help with HIPAA Compliance – here are 5 Essential Steps that must be taken to achieve a solid HIPAA Compliance Program.

 

HIPAA Risk Assessments – A Necessary Evil


Not only are HIPAA risk assessments a necessary evil but also a regulatory requirement. This requirement is found in the HIPAA Security Rule implementation specification, § 164.308(a)(1)(ii)(A), which states that covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the organization.

 

Guidance provided by the U.S. Department of Health and Human Services (HHS) states that “There are numerous methods of performing risk analysis and there is no single method or ‘best practice’ that guarantees compliance with the Security Rule.” The overall goal of the assessment process is to determine compliance with the HIPAA Security Standards and implementation specifications along with HITECH and applicable parts of the Omnibus Rule. This determination is vital to assessing whether or not an organization has the appropriate security measures in place to safeguard ePHI.

 

Regardless of the size of the organization or the number of patients, patient records, or how much or how little ePHI is held, a risk assessment needs to be conducted.  A checklist will not suffice.  An assessment must include a gap analysis, which is a determination of the level of risk posed by each question asked during the process.  A good risk assessment should include a mitigation plan that addresses how to fix or correct moderate to high levels of risk that were discovered.

 

So why are some healthcare organizations and business associates not conducting these required assessments? My speculation is that they do not know what an accurate and thorough assessment consists of or because they are uneasy about the process. There may not be in-house resources to conduct the assessment or there may be a reluctance to bring in a third-party consultant to provide this support.

 

According to a June 2017 HHS Office of Inspector General report, the Centers for Medicare & Medicaid Services was recently audited to determine whether Medicare EHR incentive payments to eligible professionals were made in accordance with federal requirements. Although the sample size was small, it was used as a projection basis regarding the payments. What the report indicated was that some eligible professionals did not maintain or provide attestation support to meet core requirements. This included not conducting required risk assessments, which is one of those core requirements.

 

In recent HIPAA violation settlements announced by the HHS Office for Civil Rights (OCR), a number of case press releases indicated the investigations into some of these organizations revealed that accurate and thorough risk assessments were not conducted.  This lack of assessments has been a constant theme for most organizations that settle with OCR in HIPAA violation cases.

 

What I tell potential clients who have never conducted a HIPAA risk assessment is that the first time is painful, but necessary.  Risk assessments must be done to determine vulnerabilities and threats to the ePHI that is stored, transmitted, created, and accessed.  Once we locate the weaknesses, we can work on mitigation.  A risk assessment will not be an overnight fix, but an exercise in ongoing HIPAA compliance program management.  
