HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Compliance Guidelines for Email & Social Media 


HIPAA applies to both the storage and the transmission of electronic protected health information (ePHI), so any electronic communication that may carry patient data must be handled with care. That includes email between patients and healthcare providers as well as social media posts by healthcare organizations and their employees. As more patients prefer email and more providers feel obliged to maintain a social media presence, the opportunities for HIPAA violations grow.

To ensure you’re taking the necessary steps to uphold HIPAA compliance standards in your electronic communications, follow these guidelines:

#1: Validate Your Email Security

If you share sensitive patient data by email, you must protect it in transit and at rest; in practice that means encryption, because an unencrypted message can be read by every mail server and network it passes through. How do you make sure your email is encrypted and HIPAA compliant? A few tips:

  • Adopt a HIPAA compliant email service that will sign a business associate agreement (BAA).
  • Check whether your current email provider offers encryption (TLS in transit and encryption at rest, or S/MIME end to end) and request a signed BAA before any ePHI goes through it.
  • Set up a secure patient portal for provider-patient communication, so that ePHI never travels as ordinary email.
  • Avoid including ePHI in the body or the subject line of your emails.
  • Encrypt any file containing ePHI before attaching it, and send the password or key through a separate channel, never in the same message.
  • Include a privacy statement at the bottom of every email.

#2: Get Proper Patient Consent

Consent is a necessary part of protecting patient privacy. Before engaging a patient in any electronic communication, explain the risks (ordinary email can be read in transit, misaddressed or forwarded) and obtain documented consent. Note that publishing a testimonial, photograph or procedure detail on a website or social channel is a disclosure of PHI outside treatment, payment and operations, so it requires the patient's written HIPAA authorization, not merely verbal agreement. Scenarios where consent is a must:

  • Before communicating with your patient via email
  • Before transmitting any sensitive patient data via email
  • Before publishing a patient testimonial on your website
  • Before sharing a patient photograph on your social channels
  • Before posting details of a patient procedure on your social channels

#3: Create Detailed Office Policies

To ensure HIPAA data privacy remains a top priority for employees during email or social media exchanges, you should develop clear office policies for these types of communication. Here are some of the guidelines your policies should include:

  • When and where to share privacy statements
  • What types of information may or may not be sent via email
  • How to avoid HIPAA pitfalls when using social media
  • Which employees may or may not transmit ePHI
  • When to obtain patient consent

#4: Err on the Side of Caution

If you want to stay on the right side of HIPAA, the best policy is to be very cautious about what you share electronically, and simply to avoid any electronic communication that falls into a HIPAA gray area. A few best practices to get you started:

  • Don’t publish a social post that includes any details about a patient’s circumstances, even with the name removed; a date, a location or an unusual condition can be enough to identify someone
  • Establish appropriate electronic boundaries with patients
  • Don’t give medical advice via email or social comment
  • Allow just one or two trained individuals to post to social media on your office’s behalf
  • Don’t address complaints on social media; even confirming that a reviewer is a patient is a disclosure of PHI, so reply only with a generic invitation to contact the office offline
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


HIPAA Violation and Hospital Employee viewing PHI 


HIPAA Violation rocks hospital! An employee at St. Charles Health System accessed more than 2,400 patients’ medical records over a two-year period out of curiosity. Curiosity killed the cat, and it may now have dire consequences for this curiosity seeker and for the hospital system.

HIPAA Violation without intent to commit fraud

The employee, who viewed protected health information (PHI) with no legitimate reason to do so, faces large civil fines, loss of their clinical license, criminal prosecution and, not least, termination. The hospital system must repair its damaged reputation while preparing to defend itself against potential civil and criminal proceedings. There are many instances where an organization is liable for HIPAA violations even though it “didn’t do it”, because a covered entity is responsible for how its workforce members handle PHI.

Now the local District Attorney has taken an interest in the matter and is launching a criminal investigation. HIPAA creates no private right of action, so patients cannot sue under the statute itself; however, the Attorney General of the state where the infraction took place may bring an action on residents’ behalf, and criminal charges for knowingly obtaining PHI in violation of HIPAA are brought by prosecutors.

The employee signed an affidavit stating that the records were accessed, and the HIPAA violation committed, without any intent to commit fraud; that did not halt the criminal investigation. Under HIPAA’s criminal provision, knowingly obtaining PHI in violation of the statute is an offense on its own; false pretenses or intent to sell the data or cause harm only raise the penalty tier.

Hospital employee viewing PHI

This real-life incident demonstrates how healthcare providers and their employees can face serious trouble for viewing records inappropriately. Remember it whenever you are tempted to look up a patient you are not treating, or to open a medical record with no business purpose.

When performing your job, accessing or releasing a patient’s PHI is not a HIPAA violation if it is for treatment, payment or health care operations (TPO). Before accessing or releasing PHI, ask whether the purpose falls under TPO. If it does, release only the minimum information necessary to complete the task (the minimum necessary standard does not apply to disclosures to, or requests by, a health care provider for treatment, but curiosity is not treatment). If it does not, you will generally need an authorization signed by the patient or the patient’s personal representative. If you are unsure whether you may access or release a patient’s PHI, ask your supervisor or your organization’s Privacy Officer.

Finally, this violation reaffirms the need to conduct a HIPAA Risk Analysis and to monitor compliance with the Privacy and Breach Notification Rules. Use your policies and procedures as the basis for training, auditing and monitoring; in particular, review EHR access logs for users who open the charts of patients they are not treating, because a pattern like this one runs for two years only when nobody is looking at the audit trail.
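The monitoring the article calls for is a detection problem: find workforce members who open charts of patients they have no treatment relationship with, in bursts, without recording a reason. The script below is an added example written for this page, not code from the article or from St. Charles Health System. Its CSV layout, the encounter table that stands in for the EHR’s assignment data, the one-hour window and the threshold are all assumptions; the log lines are constructed.

```python
"""Spotting chart snooping in EHR access logs (added example, not part of the article).

The CSV layout, the encounter table, the one-hour window and the threshold are
assumptions for this example; real audit exports vary by EHR vendor.
"""
from __future__ import annotations
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed: active treatment relationships (who is assigned to which patient).
ENCOUNTERS = """\
user,patient_id
dr.lee,P100
dr.lee,P101
nurse.kim,P100
nurse.kim,P102
"""

# Constructed audit log: who opened which chart, and the reason recorded when the
# EHR's break-the-glass prompt was answered (blank when it was not).
ACCESS_LOG = """\
timestamp,user,patient_id,action,reason
2023-05-01T08:02:11,dr.lee,P100,view,
2023-05-01T08:10:45,dr.lee,P101,view,
2023-05-01T09:15:00,nurse.kim,P102,view,
2023-05-01T09:16:30,nurse.kim,P103,view,
2023-05-01T09:17:02,nurse.kim,P104,view,
2023-05-01T09:17:40,nurse.kim,P105,view,
2023-05-01T12:30:00,dr.lee,P900,view,ER consult requested by triage
2023-05-02T07:45:10,nurse.kim,P106,view,
"""


def load_encounters(text: str) -> dict[str, set[str]]:
    """user -> set of patients the user has a treatment relationship with."""
    rel: dict[str, set[str]] = defaultdict(set)
    for row in csv.DictReader(StringIO(text)):
        rel[row["user"]].add(row["patient_id"])
    return rel


def load_log(text: str) -> list[dict]:
    """Parse the audit log, converting timestamps to datetime."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def unrelated_accesses(log, encounters) -> dict[str, list[tuple[datetime, str]]]:
    """Per user: chart views with no treatment relationship and no documented reason, sorted by time."""
    per_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for row in log:
        related = row["patient_id"] in encounters.get(row["user"], set())
        if not related and not row["reason"].strip():
            per_user[row["user"]].append((row["timestamp"], row["patient_id"]))
    for events in per_user.values():
        events.sort()
    return per_user


def find_snooping(log, encounters, window=timedelta(hours=1), max_unrelated=2) -> dict[str, list[str]]:
    """Flag users who open more than max_unrelated distinct unrelated charts within any window.

    One unrelated chart may have a reason the encounter table does not capture;
    a burst of them within minutes is the pattern worth a privacy-officer review.
    """
    flagged: dict[str, list[str]] = {}
    for user, events in unrelated_accesses(log, encounters).items():
        suspicious: set[str] = set()
        for i, (start, _) in enumerate(events):
            in_window = {pid for ts, pid in events[i:] if ts - start <= window}
            if len(in_window) > max_unrelated:
                suspicious |= in_window
        if suspicious:
            flagged[user] = sorted(suspicious)
    return flagged


if __name__ == "__main__":
    print(find_snooping(load_log(ACCESS_LOG), load_encounters(ENCOUNTERS)))
```

In the constructed data, dr.lee’s one unrelated view carries a documented reason and is ignored, while nurse.kim’s three unrelated views in under two minutes are flagged. A production version would add the signals the encounter table lacks (same unit, covering shift, referral), treat lookups of one’s own record, relatives or public figures as their own category, and keep the logs long enough that a multi-year pattern like the one in the article can still be reconstructed.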

K.I.R.M. God is Business " From Day One"'s curator insight, July 2, 4:09 AM

There is a way to address certain issues using protocol and proper procedures. Take your issue to the right people in the right way.


Is Your Practice HIPAA Compliant?


Achieving HIPAA compliance can be challenging for medical practices: the considerations and requirements can be overwhelming, and even those well acquainted with HIPAA’s provisions can have gaps and weaknesses. According to the Department of Health & Human Services (HHS), an average of 1,445 complaints were submitted each day during calendar year 2018. By that measure there is much cause for concern.

Often, missteps in HIPAA compliance are not deliberate or the result of lax procedures but of insufficient documentation and inadequate tools. The first step in finding where your vulnerabilities lie is a Security Risk Analysis. The Risk Analysis is often the Achilles heel for practices, because it requires substantial documentation across many processes and contingencies. Its many layers present many opportunities for error, but its importance in passing audits and being prepared is hard to overstate.

Security Risk Analysis

The Office for Civil Rights (OCR) considers the Risk Analysis, which the Security Rule requires at 45 CFR 164.308(a)(1)(ii)(A), to be the foundation of a HIPAA compliant program. The Risk Analysis and its significance touch every part of the healthcare ecosystem. There is no opting out of HIPAA compliance, whatever the size of the organization. Every covered entity, that is, every health plan, health care clearinghouse and health care provider that transmits any protected health information (PHI) electronically in connection with a transaction for which HHS has adopted a standard, must comply, and so must its business associates. That includes doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, health insurance companies, HMOs, company health plans, government and military/veteran health care programs, health care clearinghouses, and MACRA/MIPS participants.

In the words of the HHS site, the purpose of the Risk Analysis is to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].” To make sure ePHI is safeguarded to HIPAA’s standard, the Risk Analysis covers the three categories of Security Rule safeguards: administrative, physical and technical. Each must have its own compliance plan, detailing both strengths and possible weaknesses. Nor is it a one-and-done exercise: the analysis must be updated as the organization, its systems and its threats change.

Risk Analysis and Meaningful Use

In today’s medical profession, failing a Meaningful Use (MU) audit is not as uncommon as one would hope. The Morning eHealth section of Politico reported, citing Centers for Medicare & Medicaid Services (CMS) data, that 209,000 doctors and providers were penalized for failing to meet MU standards in 2014, roughly two in five physicians practicing in the U.S. Failing an MU audit often comes down to the same weak link: the absence, or inadequacy, of the practice’s Risk Analysis. HHS reporting on the 2016 HIPAA audits found that 83% of audited organizations did not have an adequate Risk Analysis. Since the Risk Analysis is the foundation of HIPAA compliance, its deficiencies propagate into many other components of the compliance program.

Risk Analysis: The Center Piece of a Much Bigger Compliance Puzzle

Risk Analysis sets the tone for HIPAA compliance, and a sound plan that covers all three safeguard areas is essential. But many other pieces must fit together to complete the puzzle, and remaining compliant is an ongoing act of vigilance. Policies and procedures must define how PHI is safeguarded and must include Disaster Recovery and Business Continuity Plans; compliance must continue even when the worst happens. Everyday operating controls must be supported too, such as password policies and staff training. Staff should be trained in PHI security within 90 days of hire, with refresher training scheduled annually. (The Privacy Rule itself requires training within a reasonable period after hire and after any material change in policy; 90 days and annual refreshers are common practice rather than regulatory figures.)

Organizations should also put routine procedures in place to ensure patients sign the required HIPAA-related notices and forms, during new patient onboarding and on an annual basis going forward. It is also essential to verify regularly that vendors and other parties that handle patients’ PHI are HIPAA compliant and have signed Business Associate Agreements (BAAs); a BAA allocates responsibility for safeguarding PHI and for breach notification, but it does not remove the covered entity’s own obligations. Lastly, retain HIPAA documentation both on paper and digitally so that evidence of compliance is readily available; the Security Rule requires that documentation be kept for six years from its creation or last effective date, whichever is later.

Ensure Compliance: Join ChartLogic’s Webinar “Are You HIPAA-Compliant?”

In today’s electronic healthcare environment, HIPAA compliance is mandatory across every sector of the industry. To avoid costly penalties, data breaches and the loss of patient trust, small practices and large organizations alike must keep current with the HIPAA landscape and turn the weaknesses in their systems into strengths.

Join a free webinar hosted by Abyde & ChartLogic to learn more about the Security Risk Analysis and related HIPAA requirements. The webinar also covers:

  •  HIPAA Privacy & Security Rules simplified
  •  MACRA/MIPS & Meaningful Use HIPAA compliance requirements explained
  •  Statistics from the most recent HIPAA audits
  •  Passing an audit
  •  Software solutions for HIPAA compliance

HIPAA Breach Notification Rule


The HIPAA Breach Notification Rule took its final form on January 25, 2013 in the Omnibus Final Rule, which implemented the HITECH and GINA Acts and modified the HIPAA Privacy, Security and Enforcement Rules. It requires covered entities (CEs) and business associates (BAs) to provide the prescribed breach notifications following an impermissible use or disclosure of unsecured protected health information (PHI).

What is a HIPAA Breach?

A breach notification may be required after an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of an individual’s PHI. An impermissible use or disclosure is presumed to be a breach unless the CE or BA demonstrates, through a documented risk assessment, that there is a low probability that the PHI has been compromised.

That risk assessment must consider at least the following four factors:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom it was disclosed;
  • Whether the PHI was actually acquired or viewed;
  • The extent to which the risk to the PHI has been mitigated.

How Does a HIPAA Breach Notification Work?

(1) HIPAA Breach Notification Rule: Following a breach of unsecured PHI, CEs must notify the affected individuals and the Secretary of Health and Human Services (HHS). Where the breach affects more than 500 residents of a State or jurisdiction, notice must also be provided to prominent media outlets serving that area. BAs must notify the CE that a breach has occurred. The HHS notice is due at the same time as the individual notices for breaches affecting 500 or more individuals; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Note that the Rule covers unsecured PHI: PHI rendered unusable, unreadable or indecipherable to unauthorized persons by encryption or destruction consistent with HHS guidance is not “unsecured”, which is why a stolen laptop with full-disk encryption, and no compromise of the key, is usually not a reportable breach.

Individual breach notifications must be made without unreasonable delay and in no case later than 60 calendar days after discovery. A breach is treated as discovered on the first day it is known, or by exercising reasonable diligence would have been known, to any workforce member or agent of the entity other than the person who committed the breach. The 60 days is an outer limit, not a target; HHS has said that waiting out the full period without justification can itself be an unreasonable delay.

(2) Covered entity breach notification: Covered entities must notify affected individuals after discovering a breach of unsecured PHI, by written notice sent by first-class mail to the individual’s last known address. Notice by email is permitted if the individual has agreed to receive notices electronically. The notice must describe, in plain language, what happened, the types of PHI involved, what the individual should do to protect themselves, what the entity is doing in response, and how to contact it.

What about Business Associates?

(1) Business associate breach notification: If a breach of unsecured PHI occurs at a business associate, the BA must notify the CE without unreasonable delay and no later than 60 days after discovering it, and must identify, to the extent possible, each individual affected. The CE remains responsible for ensuring that the individuals are notified, even where the business associate agreement delegates the task of sending the individual notices to the BA.

(2) Out-of-date contact information: If the CE has insufficient or out-of-date contact information for 10 or more individuals, it must provide substitute notice by one of two methods: a conspicuous posting on the home page of its website for at least 90 days, or a conspicuous notice in major print or broadcast media where the affected individuals likely reside. Either way the notice must include a toll-free number, active for at least 90 days, that individuals can call to learn whether their PHI was involved. If the contact information is insufficient or out of date for fewer than 10 individuals, substitute notice may be given by an alternative form of written notice, by telephone or by other means.
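The notification obligations above branch on several thresholds (500 individuals for HHS and the public list, more than 500 residents of one State for media, 10 individuals with bad contact details for substitute notice) and on who discovered the breach, so incident-response teams usually encode them once rather than re-derive them under pressure. The planner below is an added example written for this page, not code from the article or from HHS. It encodes the deadlines of 45 CFR 164.404 through 164.410 as read by this editor; the `Breach` fields, function names and sample breaches are this example’s own constructs. One caveat it does not model: when the business associate is the covered entity’s agent, the BA’s discovery date is imputed to the covered entity and the covered entity’s clock starts then.

```python
"""Breach notification planner (added example, not part of the article).

Encodes the deadlines of the HIPAA Breach Notification Rule, 45 CFR 164.404
through 164.410, for a breach of unsecured PHI. The Breach fields, the
function names and the sample breaches are this example's own constructs.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Breach:
    discovered: date                    # first day a workforce member/agent (not the breacher) knew or should have known
    discovered_by_ba: bool              # breach occurred at, and was discovered by, a business associate
    affected: int                       # total individuals whose unsecured PHI was involved
    residents_by_state: dict[str, int]  # affected residents per State or jurisdiction
    bad_contact_info: int               # individuals with insufficient or out-of-date contact details


@dataclass
class Obligation:
    notice: str      # who must be notified
    deadline: date   # outer limit; "without unreasonable delay" still applies
    detail: str      # how


def notification_plan(b: Breach) -> list[Obligation]:
    """Return every notice owed for this breach, each with its outer deadline."""
    outer = b.discovered + timedelta(days=60)   # 164.404(b), 164.410(b): no later than 60 calendar days
    plan: list[Obligation] = []
    if b.discovered_by_ba:
        plan.append(Obligation("business associate -> covered entity", outer,
                               "notify the CE and identify each affected individual (164.410)"))
    plan.append(Obligation("affected individuals", outer,
                           "written notice by first-class mail, or email if the individual agreed (164.404)"))
    if b.bad_contact_info >= 10:
        plan.append(Obligation("substitute notice", outer,
                               "conspicuous website posting or major print/broadcast media for 90 days, "
                               "plus a toll-free number active for 90 days"))
    elif b.bad_contact_info > 0:
        plan.append(Obligation("substitute notice", outer,
                               "alternative written notice, telephone or other means"))
    for state, n in sorted(b.residents_by_state.items()):
        if n > 500:   # 164.406: more than 500 residents of a State or jurisdiction
            plan.append(Obligation(f"media in {state}", outer,
                                   f"prominent media outlets serving {state} ({n} residents affected)"))
    if b.affected >= 500:
        plan.append(Obligation("HHS Secretary", outer,
                               "contemporaneously with individual notice, as specified on the HHS website (164.408(b))"))
    else:
        year_end = date(b.discovered.year, 12, 31)
        plan.append(Obligation("HHS Secretary", year_end + timedelta(days=60),
                               "log the breach and report it within 60 days after the end of the "
                               "calendar year of discovery (164.408(c))"))
    return plan


def deadlines(b: Breach) -> dict[str, date]:
    """Convenience view: notice name -> deadline."""
    return {o.notice: o.deadline for o in notification_plan(b)}


if __name__ == "__main__":
    # Constructed scenario: a vendor-discovered breach touching two states.
    large = Breach(date(2023, 5, 3), True, 1200, {"OR": 700, "WA": 450}, 12)
    for o in notification_plan(large):
        print(f"{o.deadline}  {o.notice}: {o.detail}")
```

For the constructed scenario every notice falls due by 2023-07-02, media notice is owed in Oregon but not Washington, and HHS must be told at the same time as the individuals. Change the numbers to 40 affected and a November discovery and the HHS line moves to the annual log, due 60 days after year end. State breach-notification laws often add shorter deadlines and different thresholds on top of these, so a real playbook layers them in.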

HHS Wall of Shame

As required by section 13402(e)(4) of the HITECH Act, the Secretary publishes a list of breaches of unsecured PHI affecting 500 or more individuals, commonly called the “Wall of Shame”. The listed breaches range from laptop theft to hacking and IT incidents. In 2015 the records of more than 113 million individuals were reported breached, and the number of incidents categorized as hacking or IT incidents doubled compared with 2014. And that counts only breaches affecting 500 or more individuals!

Most recently, St. Joseph Health (SJH) agreed to settle potential violations of the HIPAA Privacy and Security Rules after reporting that files containing ePHI were publicly accessible through internet search engines from 2011 until 2012. The public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health status, diagnoses and demographic information. SJH will pay $2,140,500 and adopt a comprehensive corrective action plan, which requires an enterprise-wide risk analysis, a risk management plan, revised policies and procedures, and staff training on them.

The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information. Entities must not only conduct a comprehensive HIPAA risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI.
