HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk Management Articles, Tips and Updates for Medical Practices and Physicians

The Status Of HIPAA Compliance


The Office for Civil Rights (OCR), the agency within the U.S. Department of Health and Human Services tasked with HIPAA compliance enforcement, is about to start formally notifying various healthcare providers and plans that they have been selected for an audit. Those covered entities selected will be required to submit specific documentation to OCR that demonstrates how their respective organizations are complying with HIPAA compliance requirements. 

 

The goal with the Phase 2 Audit program is to determine how well covered entities are implementing the correct policies and procedures for HIPAA compliance. If the results of the Phase 2 audits are anything like the first audit, OCR is probably going to see disappointing data indicating most organizations are not fully complying with all the requirements. 

 

There is an easier and less costly way to find out the current status of compliance among covered entities, one that saves taxpayers the cost of paying a contractor to gather the needed results. Published reports showed that OCR paid about 9 million dollars to the global audit firm KPMG in 2012 to conduct the Phase 1 audits.

 

NueMD released the results of their follow-up survey to the original survey conducted in 2014, which looked at the status of HIPAA compliance. In the updated survey, 927 respondents, which included practices and billing companies, answered a number of revealing questions about the current status of HIPAA knowledge and compliance. For comparison purposes, OCR is looking to identify about 200 covered entities for the Phase 2 audit.

 

So what did NueMD find out in their updated survey? Overall HIPAA compliance is still not close to where it needs to be with most organizations. With so many HIPAA data breaches occurring on what seems like a daily basis, the survey clearly shows why this is occurring.

 

Here are some significant findings of the survey:

 

  • Regarding the annual requirement for HIPAA Security Awareness Training, the 2014 survey indicated 62% of owners, managers and administrators claimed they provided training for their staff annually — now that number has dropped to 58%.

 

  • Appointing HIPAA Security and Privacy Officers is another requirement for compliance. The survey found an actual decrease in these appointments. Although appointments were only a few percentage points down, the study said, “These may not be extraordinary changes, but the numbers are moving in the wrong direction!” Agreed.

 

  • On the positive side, the survey showed, “A region that suggests a correlation between increased awareness and improved compliance is that of Business Associate Agreements,” (BAA). In 2014, 60% of the respondents were aware of the use of BAAs, whereas in 2016, 68% now claim to know more about these rules.

 

  • Another positive finding was in the awareness of the HIPAA Omnibus updates. In 2014, respondents indicated 64% were aware of the updates in law. That percentage increased to 69% this time around. There are many additional patient rights afforded by the Omnibus Rule that healthcare providers must be aware of. Although there was an increase, providers must do a better job in understanding their responsibilities under Omnibus.

 

The NueMD updated survey is a great barometer to gauge overall HIPAA compliance efforts, but as the survey shows, covered entities still have a long way to go to make sure they fully understand all the requirements and not just some.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr


HIPAA and Social Media: Avoiding Costly Mistakes | Eyemaginations


A nurse inspired by a young chemotherapy patient’s courage posts a photo on her personal Facebook page, being careful not to use the patient’s name. A practice manager posts a photo of an office party on Instagram; a stack of patient files is in the background. A nurse writes an angry blog post about an alleged cop-killer who is being treated at the hospital where she works, but does not name the patient, victim, or her employer. What do all of these scenarios have in common? They are all examples of HIPAA violations that led to a healthcare professional being reprimanded, fined, or fired.

You may think your practice is up to date on patient privacy, but changes in HIPAA policies, healthcare information technology, and the explosion of social media have changed the game. “Despite widespread awareness of the need to store and send sensitive patient data securely, physicians and practices run afoul of HIPAA rules on a regular basis, which opens the door to both civil and criminal penalties,” reports Medical Economics. The maximum HIPAA fines have increased to a whopping $50,000 per violation.

Here’s what you need to know about HIPAA and protecting your patients and your practice in this age of social media and oversharing.

Decoding ‘patient identifiers’

Because there are new social media platforms emerging all the time, it can be daunting to figure out what’s OK to post and what’s not. First, you and your employees need to understand what is considered a HIPAA violation on social networks. Most healthcare professionals know to avoid impermissible use or disclosure that compromises the security or privacy of a patient’s protected health information (PHI). The confusion arises in defining what PHI is and is not.

HIPAA specifies 18 identifiers beyond a patient’s name that must be kept private. One of those is “full face photographic images and any comparable images,” which is where the nurse mentioned in the Facebook example above ran afoul of HIPAA. This even includes recognizable patient photos or files in the background of photos, such as in the office party example above. You’re not even in the clear if you’re simply reposting or “regramming” photos of a patient sharing all the details of their medical issues on their own social media accounts. If the patient can be identified, don’t do it.

It’s also important to consider things that might be “patient identifiers” besides a person’s name or face. In one case, a nurse posted a comment on a small-town newspaper’s blog that mentioned a patient’s age and mobility aids, which were enough to figure out whom she was discussing.  “In small communities especially, people can quickly determine who is in the hospital and for what with just a few details. Innocent comments about a patient lead to identification,” notes Kyna Veatch on the legal website Law360.com.  

This also goes for celebrities and high-profile people. In the case of the nurse mentioned above who angrily shared her views about a patient online, news coverage about the murder case made it clear whom she was talking about. Another common example of HIPAA violations is when staffers cannot contain their excitement about treating a pro athlete or well-known TV personality and “overshare” on social media. “Posting verbal ‘gossip’ about a patient to unauthorized individuals, even if the name is not disclosed” can get medical practices into hot water with HIPAA, warns the company Healthcare Compliance Pros (HCP).

HIPAA do’s and don’ts

Let’s look at some best practices related to HIPAA and social media:

Do keep your and your employees’ personal social media accounts separate from the practice accounts. “Some ophthalmologists choose to create personal pages with pseudonyms that only their friends and family know,” notes Veatch. “This keeps patients from searching for them and sending friend requests.” Avoid “friending” patients on personal or practice accounts, and advise your employees to do the same.

Don’t make the mistake of thinking that posts are private or disappear once they have been deleted. Search engines and screenshots can make even deleted posts permanent. As a general rule, don’t post anything you wouldn’t be comfortable sharing in public. “If there is any doubt at all about a certain post, picture, or comment then check with your compliance officer or even a colleague before publishing,” advises HCP.

Do speak up when patients are asking for medical advice online. Crowdsourcing your medical care on social media is never a good idea, but people do it all the time. Doctors can offer advice as long as it’s general and not specific to one patient. Sharing a patient education video on a particular health topic or condition can be one way to do it. “Speaking to patients as a collective on social media should steer providers away from any privacy risks,” per physician and social media expert Kevin Pho of KevinMD.com. If an unknown patient reaches out and asks a personal health question on social media, “take that conversation offline with a standard response that asks the patient to call the office and make an appointment, or if an emergency, to call 911 or go to the emergency department,” he advises.

Don’t overlook staff training. Educating your staff and having a solid social media policy in place is imperative to HIPAA compliance, according to Healthcare IT News. Your policy should define social media, mention specific sites, and describe what information employees are allowed to post online and what is off-limits, on both the practice pages and their personal pages. As Healthcare IT News states, “When employees post on social media, not only do they represent themselves, they represent the employer, the office, and all healthcare professionals.”

 

 

 

 
