HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Seven Tips for Avoiding HIPAA Penalties in 2015

HIPAA violations may result in penalties of $100 to $50,000 per violation, depending on the conduct at issue.  If the violation results from “willful neglect” the party is subject to mandatory fines of $10,000 to $50,000 per violation. 

A single data breach may result in numerous violations.  For example, the loss of a laptop containing PHI of 2,000 patients may constitute 2,000 violations.  Additional penalties may be assessed if the breach resulted from failure to implement required policies or practices.  To make matters worse, covered entities must self-report breaches of unsecured protected health information (PHI) to the affected individual and HHS. 

The good news is that a covered entity may avoid HIPAA penalties if it does not act with “willful neglect” and corrects the violation within 30 days. 

Here are seven tips for avoiding “willful neglect” penalties, especially those arising from breaches of electronic PHI:


1. Conduct or update your security risk assessment required by the security rules.  This is a first step in identifying and preventing potential security breaches.  In 2014, HHS made available a risk assessment tool to help providers conduct and document their own risk analysis. 


2. Implement the administrative, technical, and physical safeguards required by the HIPAA security rule.  Most physician practices have policies required by the privacy rule, but comparatively few have properly addressed the safeguards required by the security rule.  Implementing the required safeguards is necessary not only for regulatory compliance; it is also simply a good business practice given the potentially disastrous consequences of system failures or cybercrimes.  Again, the government’s HealthIT website, HealthIT.gov, contains helpful tools and guides that practices may use to achieve compliance. 


3. Execute business associate agreements (BAAs) with business associates.  A good BAA is not only required by HIPAA; it will also help insulate the practice from HIPAA liability if its business associate violates HIPAA.  Ensure the BAA confirms that the business associate is acting as an independent contractor, not an agent of the practice.


4. Train your employees and monitor their performance.  According to HHS commentary, covered entities may avoid HIPAA penalties based on the misconduct of a rogue employee so long as the covered entity implemented appropriate policies and adequately trained the employee.  Unfortunately, there is no similar guarantee that policies and training will protect a provider from liability for state privacy claims:  An Indiana jury recently returned a $1.44 million verdict against Walgreens based on an employed pharmacist’s privacy violations despite Walgreens’ policies and training.  Thus, physician groups need to ensure their training is effective.


5. Respond immediately to any suspected breach. This is critical for several reasons. First, HIPAA requires covered entities and business associates to investigate privacy complaints, mitigate any breach, and impose appropriate sanctions against any agent who violates HIPAA.  Second, an entity may be able to prevent the data from being compromised by taking swift action, thereby avoiding the obligation to self-report HIPAA violations.  Third, a covered entity or business associate may avoid HIPAA penalties altogether if it does not act with willful neglect and corrects the violation within 30 days.  Corrective action may include modifying policies, implementing additional safeguards, disciplining employees, and providing additional training.


6. Report breaches in a timely manner. While the initial action resulting in the breach may not have been willful, the failure to timely report a reportable breach as required by the rules may constitute willful neglect. Under HIPAA, the unauthorized access, use, or disclosure of unsecured PHI is presumed to be reportable to the individual and HHS unless the covered entity can demonstrate there is a low probability that the data has been compromised based on factors such as the type of PHI disclosed; the recipient of the PHI; whether the PHI was actually accessed or disclosed; and steps taken to mitigate any breach. 


7. Document your actions. Documenting proper actions will help providers defend against HIPAA claims. Covered entities and business associates are required to maintain documentation required by HIPAA for six years.

Although there is no guarantee that these steps will protect against breaches, they will help physician groups mitigate resulting liability under the HIPAA rules.



Securely Disposing Medical Practice Equipment

It goes without saying that computers are expensive. Medical practices will often gift used office equipment to employees or family members, or donate it to vocational programs. Risk management attorney Ike Devji says that donating old equipment like scanners, fax machines, and computers at the end of the year is very common. "At the end of the year practices will rush to spend money so that it is not taxable. They buy [new] equipment … and computers are replaced."

There's just one small problem. Deleting sensitive patient data will not permanently eliminate it from the hard drive of the device. And if you've donated your practice's scanner to the local thrift store, it still contains sensitive patient data that "a well-trained 12-year-old kid with access to YouTube can get … off the hard drive," says Devji.

Devji points out that a high-end digital scanner can store up to 10,000 pages of patient data. And equipment that is synced to your EHR, even smartphones and tablets, needs to be destroyed or disposed of in a secure manner.

If you have old equipment that you'd like to get rid of, contact your IT consultant. He should be able to point you in the right direction. Or you could follow Devji's approach: He uses his old equipment for target practice in the Arizona desert.
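The article's central claim, that deleting data does not remove it from a drive, is easy to see on a toy model. The following Python is an added illustration, not code from the article or from Ike Devji: it simulates a flat filesystem where a directory table points at blocks in a raw byte buffer, shows that an ordinary delete only drops the directory entry while the patient record stays readable in the unallocated space, and contrasts that with an overwrite-before-release. The record format (`MRN-######:Name`) and the sample record are constructed for the example; the `unallocated_has_data` check is the kind of verification a practice or its IT consultant would want before equipment leaves the building.

```python
"""Toy model of why 'delete' leaves patient data on a drive (added example,
constructed data; not a real filesystem or any real device)."""
import re

BLOCK_SIZE = 64


class ToyDisk:
    """A raw byte buffer standing in for the platter, plus a directory table."""

    def __init__(self, n_blocks=16):
        self.raw = bytearray(BLOCK_SIZE * n_blocks)  # every byte the media holds
        self.directory = {}                           # filename -> list of block numbers
        self.free = list(range(n_blocks))             # blocks not owned by any file

    def write_file(self, name: str, data: bytes) -> None:
        needed = max(1, -(-len(data) // BLOCK_SIZE))  # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            start = b * BLOCK_SIZE
            self.raw[start:start + len(chunk)] = chunk
        self.directory[name] = blocks

    def delete(self, name: str) -> None:
        """Ordinary delete: forget the directory entry and free the blocks.
        The bytes themselves are left exactly where they were."""
        self.free.extend(self.directory.pop(name))

    def secure_delete(self, name: str) -> None:
        """Overwrite every block the file owned before releasing it."""
        for b in self.directory[name]:
            self.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete(name)


def carve_patient_records(raw: bytes) -> list:
    """Scan the raw image for the constructed record pattern, ignoring the
    directory entirely, the way a recovery tool reads the media itself."""
    return [m.group(0).decode() for m in re.finditer(rb"MRN-\d{6}:[A-Za-z ]+", raw)]


def unallocated_has_data(disk: ToyDisk) -> bool:
    """Sanitization check: does any free block still hold non-zero bytes?"""
    return any(
        any(disk.raw[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]) for b in disk.free
    )


def demo():
    """Returns (records carved after plain delete, records carved after overwrite)."""
    record = b"MRN-123456:Jane Doe;dx=constructed sample record"

    plain = ToyDisk()
    plain.write_file("patient.txt", record)
    plain.delete("patient.txt")
    after_delete = carve_patient_records(bytes(plain.raw))

    wiped = ToyDisk()
    wiped.write_file("patient.txt", record)
    wiped.secure_delete("patient.txt")
    after_wipe = carve_patient_records(bytes(wiped.raw))
    return after_delete, after_wipe


if __name__ == "__main__":
    leftover, clean = demo()
    print("after plain delete:", leftover)   # record is still carved out of free space
    print("after overwrite:  ", clean)       # nothing left to find
```

On real media the same principle applies, but the right procedure is the one in NIST SP 800-88 (Guidelines for Media Sanitization): a verified cryptographic erase or overwrite for drives being reused, and physical destruction for anything that cannot be verified, with the disposition recorded so it can be produced under tip 7 above.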