HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

The Importance of HIPAA Compliance 

No matter what business you’re in, information and technology management is important for success. But in the health-care realm, the ability to keep data safe and secure is even more paramount. That’s because government regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA) state that all protected health information must be strictly protected — and that any breach of such information must be reported immediately.   

In addition, the HITECH Act expanded the scope of who was responsible for meeting HIPAA regulations by including any third-party business associate that handles or processes personal health information for a covered entity like a hospital, insurance company, or medical provider. That means financial, accounting, legal, billing, claims processing, and IT firms that work with the health-care industry, along with all of the third-party vendors that they use.
So why does HIPAA-compliant IT support matter? With the new breach notification requirements, companies that mishandle health information can now be audited, fined, or slapped with civil or criminal charges. And that doesn’t even take into account the hit to a company’s reputation that comes with a data breach.
Take the recent announcement that Anthem, Inc., the second-largest health insurance provider in North America, inadvertently exposed the medical information, Social Security numbers, and email addresses of over 80 million consumers. Regulatory fines will certainly be forthcoming — but tens of thousands of Anthem clients have already filed class-action lawsuits against the company, as well.
In our current data breach-sensitive day and age, the revelation of a situation like Anthem’s can lead to productive changes in the world of HIPAA-compliant IT support. Unfortunately, some of those changes include major IT providers deciding to walk away from the health-care industry altogether.
At CMIT Solutions, we’ve put in the extra time and effort to make sure our IT solutions are HIPAA-compliant. Below are some of the most important ones that small businesses rely on:
• Data encryption. HIPAA regulations require that data be encrypted at rest in the data centers where it resides, in transit across the Internet, and to and from the cloud. Anthem’s data breach resulted from data on its servers not being encrypted, presumably so employees had easier access to it. But such shortcuts are reflective of outdated IT policies that don’t meet today’s needs.
• Strong backup, recovery, and eradication capabilities. HIPAA rules dictate several requirements for storing data: backups must reside in certain locations; retrieval of data must be overseen through access control and login monitoring; data must be kept available, even in the event of a disaster; and old storage systems must be destroyed, not reused. No small business owner should be expected to add worries to his or her day-to-day duties — that’s what a HIPAA-compliant IT provider is for.
• Tested policies and procedures. This might not seem to fall under the IT umbrella, but best-practices policies and procedures can save your business from a HIPAA-related disaster down the road. A trustworthy and truly HIPAA-compliant IT provider will have Business Associate Agreements, Privacy and Security Rule Risk Assessments, and other documents ready for your perusal and implementation.
At CMIT Solutions, we understand the complexities of IT support for the health-care industry, and we’ve worked hard to meet HIPAA regulations. We offer proven solutions that can deliver positive outcomes and an unparalleled level of care while increasing your efficiency and productivity. Contact us today to find out how we can be your all-in-one IT provider.

Technical Dr. Inc.'s insight:

Contact Details:
inquiry@technicaldr.com or 877-910-0004


How to Eliminate Your HIPAA Compliance Blind Spots 

When it comes to HIPAA compliance (i.e., adherence to the regulations detailed in the Health Insurance Portability and Accountability Act of 1996), most health facilities are well versed in the Privacy Rule and its protection of personal medical information. They work hard to maintain patient trust by upholding the necessary privacy standards. But sometimes, even the most conscientious facilities let patients’ health details slip through the cracks.


The rise of mobile technology and electronic medical records has left the health industry with a few harsh blind spots. Health information that is stored and/or transferred electronically (i.e., electronic protected health information, or ePHI) is highly susceptible to a HIPAA breach. So health organizations must be extra diligent to ensure they are fully safeguarding ePHI and remaining HIPAA compliant.

To help you take stock of your organization’s HIPAA security efforts, here are 4 tips for eliminating your HIPAA compliance blind spots:

#1: Limit Information Shared in Mobile Messages

In today’s fast-paced, mobile world, we often receive appointment confirmations or prescription refill notices via voicemail, text, or email. While this is convenient for health organizations and patients, it opens up the door for HIPAA security violations.

To keep a patient’s private health information out of the wrong hands, health organizations should limit the information they share in mobile messages. For instance, a prescription refill notice should not contain details of the specific prescription; it should simply notify the patient that it’s time for him or her to submit a refill request. Likewise, appointment confirmation messages should leave out any details regarding the specific reason for the appointment.

If a facility wants to take its privacy protection a step further, it can even limit its mobile messages to a simple request for a patient to call the facility for further information.

#2: Be Cautious of Open Text Fields

A lot of health organizations have moved their data collection efforts online in recent years, which means they are collecting new patient registrations or appointment requests with online forms. While using a HIPAA compliant data management system is a great (and necessary) way to protect patient data, a HIPAA breach is still possible if facilities aren’t careful.

Online forms that contain open text fields can inadvertently lead to HIPAA security violations. This is because patients may unknowingly share ePHI, such as current medications or medical conditions, in that free text space. For instance, when providing feedback on a patient satisfaction survey, a patient might state that his or her doctor was supportive and caring after delivering a cancer diagnosis.

To limit the sharing of ePHI on online forms, health organizations can add disclaimers next to any open text fields to warn patients not to include personal medical details in those fields. Or they can remove any open text space altogether.


#3: Evaluate Facility Advertisements

Online advertising—particularly on social media—is fairly new territory for health facilities. And for good reason. The healthcare industry is subject to deeper scrutiny than other industries when it comes to advertising, and those working in the industry are held liable for both truth in advertising and HIPAA compliance. This means they have to be super careful about what they publish for all to see.

If proper permission is not obtained, any use of a patient’s information or likeness in an advertisement could be a HIPAA breach. For instance, if a dermatologist posts photos of a patient’s skin before and after treatment, the patient’s identity could be compromised. Even if the post or advertisement contains only a portion of the patient’s face, his or her privacy could still be violated if family members or close friends recognize the patient.

To avoid violating HIPAA security laws when advertising online, healthcare organizations should take extra steps to evaluate all advertisements and ensure they aren’t improperly using identifiable patient photos or information.

#4: Avoid Use of Patient Names

This might seem like a no-brainer when it comes to protecting patient data, but facilities should avoid using patient names or other personally identifiable information when possible. As mentioned earlier, patients will sometimes share ePHI unknowingly when filling out online medical forms. To avoid tying patients directly to any sensitive information they might provide, health organizations can find ways to gather the information without using patients’ names.

For example, if a facility is simply surveying patients to help improve its overall services, the facility should consider gathering anonymous feedback. In other instances, when it is helpful or necessary to have a patient record tied to the information, organizations should consider using a unique identifier—such as a patient ID or account number—instead of a name.


HIPAA: Secure Your Borders

As an Iraq war veteran, I served as a physician with an infantry unit on the streets of Fallujah.

During the seizure of the city, we were always reminded by our commanding officers of the importance of protecting our borders.

As physicians, I believe we need to be aware and vigilant of protecting our privacy borders.

The Health Insurance Portability and Accountability Act, better known as HIPAA, was passed by Congress in 1996. From that time forward, protecting the borders and not leaking confidential protected health information became a physician’s priority.

As a medical student back then, I was warned never to discuss a patient in an elevator or the hospital cafeteria.

Easy enough, I presumed.

I soon learned, however, that just as in Iraq, protecting borders is never an easy task.

Since 2009, there have been more than 800 patient data breaches and 29 million patient records affected by HIPAA violations, according to the 2013 Redspin Breach Report.

These data breaches can also strain the wallet. Depending on the scale of the breach, fines for HIPAA violations can start at $100 and go as high as $50,000, capping at $1.5 million annually. Fines aren’t the only consequence practitioners face – a HIPAA violation can break the trust that patients have in their physicians.

Smaller practices are at as much risk as large organizations. It becomes harder to keep track of electronic communication within the practice when patients and staff have mobile devices and may be unaware of how easily HIPAA rules can be violated.

For example, an employee may think it is harmless to use his smartphone to post a picture or video of a patient. Well-intentioned employees may post or text an interesting physical exam finding. Even something as harmless as taking a picture of food may violate HIPAA when the employee does not realize the lunch is sitting on a patient chart.

As a doctor working to protect my patients and myself, here are some useful tips to protect your borders and remain HIPAA compliant:

  • Prepare physical borders: set up security alarms, lock offices when unattended, and as a rule shield protected health information from secondary viewers.
  • Administrative borders: designate security responsibilities, train staff to know the consequences of HIPAA breaches, take a monthly review of user activity, and have stringent policy enforcement across all roles.
  • Technical borders: secure passwords (no writing them on Post-it notes), back up data, regular virus checks, data encryption for anything sent electronically. Use secure technology such as liveClinic to stay HIPAA compliant, yet communicate with your patients virtually.
  • Secure borders with policies: written protocols on authorizing users, documentation of security measures, policies for notifications on breaches, and appropriate retention of HIPAA records.



5 Types of HIPAA Violation for Doctors to Avoid

HIPAA violations are a constant threat to doctors running a medical practice. Since 1996, the Health Insurance Portability and Accountability Act has been in place, giving physicians and their teams reasons to guard their patients’ privacy closely.
Depending upon the type of the breach, physicians can be liable for $100 up to $50,000 for each violation, with a maximum of $1.5 million for identical provisions during a calendar year.

Worse than this, some violations can lead to imprisonment in extreme circumstances. (For a full guide to the levels of HIPAA violation, you can review this guide.)

For these reasons, as well as to secure and safeguard your patients’ information, it is very important to know which HIPAA violations to avoid. Essentially, if you violate HIPAA, you’re risking the information of your patients, as well as potentially your credibility and reputation as a professional.
Here is a group of HIPAA violations doctors may wish to avoid:

1) Discussing patient information publicly

If your staff discuss patients’ names, addresses and/or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or a change of address in private. Also, create a quiet place for phone calls to occur. Even if you’re just calling a patient to set up or confirm an appointment, it is better to do this in a private area if possible.

2) Paper files in Non-Secure Locations

The days of having paper charts are fading away, as more and more doctors move to using an EHR for all patient records. If you still use any form of paper documents, be sure not to leave them in unsecured or unattended areas. Also make sure that charts, paperwork and forms that patients bring in from other practices are filed and stored securely.
Also, if you are converting from paper documents to an electronic office, be sure to shred any patient records before you dispose of them.

3) Non-Encrypted Email or Sending Incorrect emails

Never underestimate the importance of encryption, even for seemingly innocent files. The use of non-encrypted email services, such as Gmail, Outlook, Yahoo and other well-known email services, can create a risk of hackers being able to access your information. For this reason, you might consider an encrypted email or file-sharing service for pertinent patient information.
Along with this, make sure that you are sending patient information to the correct recipient. When sending bulk emails to patients, it is easy to overlook the address it is being sent to. You can put patients at risk and lose their trust simply because you didn’t double-check your recipient or an email attachment. This is one of those areas where slow, steady, careful checking pays off.

4) Unsecured Patient Portals

If you use or are considering creating a patient portal, make sure it has a secure login, so that any personal patient information is not accessible without a username and password.
When it comes to families who can share information, be sure to get authorisation from the patient first. A good practice is to require identity verification for password reminders, and you might also remind your patients to access their patient portal only when they have a secure internet connection.

5) Non-HIPAA video chat

Some doctors have considered using Skype or FaceTime to communicate with patients. While they are great free platforms for video chat, the reality is they weren’t designed to be HIPAA-compliant.

The challenge is that even though a doctor can ensure their Internet connection is secure, there is very little they can do to make sure everything is secure on the patient’s receiving end. Another alternative is to ensure there is a Business Associate Agreement in place. The same issues arise with security for text messaging, so be sure to use HIPAA compliant texting tools here as well. The ideal solution is to use a HIPAA compliant application designed for telemedicine.

Doctors may have several HIPAA violations without getting fined, but that doesn’t mean it isn’t a negative for your practice. A data breach of any kind can damage your practice’s reputation even without your knowledge. By treating all patient information with the same caution, you can enjoy the peace of mind that comes with being HIPAA compliant.


Employees Are Your Biggest HIPAA Vulnerability 

While 2015 was accurately dubbed “The Year of the Healthcare Hack”, according to Experian’s 2016 Data Breach Report, 2016’s largest threat hits much closer to home – it’s your own employees.

The Experian report states, “While large breaches may be compromising millions of people’s records in one fell swoop, smaller incidents caused by employee negligence will also continue to compromise millions of records each year.” Experian predicts that these employee driven breaches will actually cause more damage.1

These smaller incidents collectively put you at a risk for an OCR audit, which in addition to being a distraction from your business can also lead to fines and penalties. Even if there are no fines or penalties, a minor breach can add up in legal fees, customer notices and above all the cost of customer retention communication.

In most cases these are not malicious employee breaches. The majority will be caused by lack of understanding and complacency. The first is easy to address: you train and test your employees on your HIPAA Policies and Procedures, as required by HIPAA, so they understand the role they play in protecting the health information they touch.

Complacency can be a little more difficult to remedy. Once you have trained your employees on your Policies and Procedures, they go back to their daily routine. Initially, they are more aware of HIPAA and protecting important data, but after a short while they let down their guard. After all, they know their job; they know your customers and a breach has never happened before so they begin to feel immune to the potential dangers. Fortunately, there are two steps you can take to keep your employees sharp:

  1. Educate them about the Value of Healthcare Data – It can be difficult for employees to understand why anyone would go to great lengths to get this health information. Helping them see what that data is worth in the wrong hands will give them more of an appreciation for the Policies and Procedures you’ve put in place to protect it.
  2. Remind them regularly – To maintain your HIPAA compliance, all of your employees should be trained annually, but it is unrealistic to expect them to keep that information at the top of their minds long term. Brief monthly trainings or reminders that touch on just one piece of your Policies and Procedures can be enough to make HIPAA a priority all year long.

Employee breaches may be the biggest threat to healthcare data this year, but it doesn’t have to affect you. The Experian Report points out that, “Organisations that implement regular security training with employees and a culture of security committed to safeguarding data will be better positioned for success.”1


HIPAA Audit Survival Tips and Strategies

What to Do if You’re Contacted by OCR

When the Department of Health and Human Services (HHS) or the Office for Civil Rights (OCR) reaches out to health care organizations in response to a potential HIPAA investigation, auditors follow a very specific path toward contact, investigation, and resolution. Once a complaint is received and OCR has determined that it is legitimate, it will issue letters of notification to both the complainant and the recipient. These letters will outline a timeline for the investigation and will explicitly identify the investigating party as the OCR.

Once the investigation begins, OCR will collect and review documentation submitted by both parties. They may use any number of investigative methods including interviews and onsite visits to determine if there is sufficient evidence to support the allegations. Once again, OCR will send a letter explaining their findings. Resolutions will then vary depending on the outcome of their investigation.

HIPAA Audit Survival

HIPAA audit survival starts with keeping informed about OCR procedures. Knowledge is power. In this case, being aware and prepared is the best way to prepare your practice for a potential investigation. OCR will only contact you directly via a certified letter or email. Disreputable parties regularly attempt to lure unsuspecting practitioners into buying “certification” services that are fraudulent.

FACT: There is no certifying body for HIPAA compliance by any federal or private entity–any organization that claims otherwise is using misleading or potentially fraudulent language.

  1. Your best defence then is to keep in mind the above described process, and stop communicating with any party that suggests a deviation from the standard procedure outlined.
  2. Next, if you’re unsure whether you’ve been contacted by a federal agency or not, ask the sender to confirm the identity of their organization, then verify them with a Google search about their services.
  3. If your organization receives an email or call from an entity claiming that you need to have a “Mandatory HIPAA Risk Assessment Review with A Certified HIPAA Compliance Adviser” be on full alert. This deviation from the official procedure described above will let you know that the caller is not providing a legitimate notice from a federal or state regulatory agency. Do not feel obligated to provide or share any of your information if you receive such notice.

To protect yourself, be wary of misleading language and marketing efforts targeted at health care professionals by such third-party organisations. Some such advertising will occasionally try to leverage the threat of a federal offence to garner a sale of technology that isn’t legal. This type of fraud has become so widespread that OCR has responded to this unlawful conduct with a statement telling health care officials not to follow any of the links in the email. For more information on how to mitigate HIPAA breaches and fines, check out these upcoming HIPAA educational webinars brought to you by Telemental Health’s HIPAA compliance affiliate, the Compliance Group.


HIPAA Compliance: Facts vs Myths

There is more confusion about the new HIPAA compliance rules than ever before. While the new omnibus updates go into effect September 21st, 2013, becoming HIPAA compliant doesn't need to be a costly affair. In fact, our own data collected over 37 months across 11,500+ medical providers suggests that the HIPAA compliance update can be a source of new revenues. Here are the top nine questions, myths or factoids we encounter about the new HIPAA compliance rules and their effect on practice revenues.

1) Is it true we are eligible for a Federal incentive check as part of Meaningful Use Stage II for using HIPAA compliant email?

A major component of Meaningful Use Stage II is "patient engagement." That means 5% of your patient population has to be registered for and communicating with your office electronically. While much of this will end up being routine requests for medical records, appointment questions, Rx requests and follow-up questions, much of it can be automated or handled by mid-level staff through a mobile-based secure messaging system. We say mobile because we have seen that desktop-based systems most often fail to achieve patient participation rates that are significant enough for MUS2.

Unfortunately, most existing patient portals have failed to achieve the 5% meaningful use number quite simply because current patient portal technology was developed in the nineties and early 2000's, "long before" much of the American population had smart mobile devices and tablets. Because legacy patient portals lack the ability to handle SMS-based texts or mobile-device based emails, patients have simply not adopted them. So patients have continued to carry on with the pattern they know best - to call the office to book an in-office visit, even for tasks as routine as a prescription refill request.

A HIPAA compliant email system must incorporate text messaging from doctors to patients, email from mobile devices, and the ability to support the attachment of images from mobile device cameras and .PDF files from desktop computers. This would not only meet the criteria and allow for attestation of this component of Meaningful Use Stage II, but would complete what many argue is the most difficult component of receiving the Meaningful Use Stage II incentive payments for HIPAA compliance.

2) Can I achieve Meaningful Use Stage II with my current patient portal?

Statistically it is not likely that a medical provider organization with more than 2,000 covered and eligible patients could attest to the 5% meaningful use figure with a legacy desktop-based patient portal.

3) Email is secure for HIPAA compliance. Or email is not secure for HIPAA compliance.

While most email is not inherently encrypted, even encrypting the emails your office sends does not mean the receiving party can read it without installing the same software on their mobile device or desktop computer. Imagine your encrypted email recipient getting the following first message -

"You have received an encrypted message from HIPAA Compliance Hero LLC - the leaders of secure medical messaging. Download this app - trust us, there's no virus."

One can encrypt email for HIPAA compliance all they want, but it's unlikely the other party will read it. So in essence, they're useless even though they're encrypted.

4) Free email services meet standards for HIPAA compliance.

Most free email services are not HIPAA Omnibus compliant because they scan the contents of the email and match them with advertisements. The new HIPAA Compliance Omnibus Rule 2013 is different from the prior HIPAA regulations in that it accounts for the rise of free email services. While it seems petty and a major annoyance for medical practices, with the ubiquity of Internet-connected mobile devices this update to the HIPAA compliance rules protects patients. It was very smart of the committee to incorporate this component; here's an example of why this is relevant -

Patient Randal sends an email to his Dr. Lee about something he feels may be a sexually transmitted disease and includes a picture from his smartphone. Either Patient Randal or Dr. Lee mentions the words "genital herpes" in one of their email messages and suddenly, wherever Patient Randal goes online, he seems to see advertisements for Valtrex. Which seems odd to his wife, who uses a shared tablet device and suddenly sees herpes treatment ads when she's on Zappos.com looking for shoes. Because advertising matching algorithms (this particular technique is called "re-targeting") have become so accurate, scanning our medical emails in a free email service has the potential to violate HIPAA with alarming frequency and to the great embarrassment of our patients.

5) Texting patients is secure enough for HIPAA compliance. Texting patients is not secure enough for HIPAA compliance.

Texting patients was never secure and can't ever be secure. The rise of "Secure Text Messaging Apps" does not make texting secure. They simply mimic texting through an app-to-app service - that both the initiating and receiving party must download - but it is not text messaging. This has the same inherent problems as encrypted email services: the other party must download the same app. Again, in essence secure text messaging is not text, and though it may be secure, practically speaking such apps are largely ignored by patients.

6) I need an attorney or consultant to get our practice to meet HIPAA compliance standards. 

It's true that any business should have good legal counsel. There are also HIPAA expert consultants who can help guide medium-sized and larger organisations through the HIPAA Omnibus update. It's not as costly or annoying as one would think, but, while it may be prudent to retain the services of a HIPAA Omnibus attorney or expert, the reality is that most small practices are under such financial pressure that they will likely rather risk penalties than make the upfront investment. For such practices that want to take the bare minimum to protect themselves, we recommend -

i) Sign up and use the free version of Doctor Base PANDA 6. It's secure and mobile (works on phones and tablets as well as desktop computers), and it will help you achieve the 5% portion of Meaningful Use Stage II. And it's free.

ii) Complete a checklist. The firm Nixon Peabody has an example checklist for your practice and Business Associates.

* This is in no way meant to be a complete list or legal advice. And yes, our attorneys make us write sentences like this.



7) Other than the law, why use secure forms of messaging?

In the 3 years that Doctor Base has been tracking consumer patient behaviour on mobile devices, we have seen 4 - 5 star ratings of medical providers on social media sites increasingly correlated with the acceptance of email as a form of communication. A study by Patty and Nathan Sakunkoo at Stanford University shows how consumers making even "important" choices are swayed by the star ratings of a minority online.

Even by our own internal metrics, we have seen a one star rise in ratings for a doctor equal approximately a 14.3% increase in online appointments (as measured across 5 specialities within CA and TX over a period of 37 months). A two star increase resulted in a 41.1% increase in online appointments, further reinforcing some of the findings in the Stanford study which indicated that more reviews leads to even more reviews. Or as P.T. Barnum once stated, "a crowd draws a crowd."

Caveat Emptor: P.T. Barnum also stated that, "there's a sucker born every minute." But that never seemed to stop people from coming to the circus.

You get the point - reviews will have an economic impact on your business and hence, accepting patient email will positively affect your ratings in social media. The HIPAA Omnibus rule update can actually be a revenue generator for your practice when executed and adopted correctly.


Where Is HIPAA Taking Physician Practices?

Several provisions of the Health Insurance Portability and Accountability Act of 1996, or HIPAA, were intended to encourage electronic data interchange (EDI) and safeguard the security, privacy, and confidentiality of patient health information. In the context of this act, security is the means by which confidentiality and privacy are ensured. Confidentiality defines how patient data can be protected from inappropriate access, while privacy is concerned with who should have access to the patient data. This article explores how the policies stipulated by HIPAA are shaping the practice of medicine and will likely affect your practice in the future.


HIPAA Security vs Innovation:

If you're a typical small-practice physician, odds are that you view HIPAA as simply another federally mandated cost of practising medicine, regardless of the intended outcome of the act. This position is understandable, given the cost of mandated training for you and your office staff. Furthermore, if your practice is computerised, then you'll need to spend even more money on software upgrades and possibly additional training from the vendor.

HIPAA rules and regulations are complex, in part because much of compliance is open to interpretation. For example, security issues, which are predominantly in the domain of software and hardware vendors, are based on “risk assessment,” not specific technology standards. The act doesn't stipulate specific technologies or endorse nationally recognised procedures, but leaves it up to the physician practice or medical enterprise to ensure that patient health data are secure. (HIPAA's security standards take effect on April 20, 2005, for all “covered entities” except small health plans.) However, because HIPAA enforcement is complaint-driven – there are no “HIPAA Police” checking to see that your practice meets the law's requirements – differences in interpretation of the act are likely to end up in a courtroom at some point. For this reason, some experts recommend assessment of HIPAA compliance by outside counsel.

Most physicians are understandably concerned with the immediate compliance issues surrounding HIPAA and privacy and confidentiality of patient data. Even though the security standards were designed to be “technology-neutral,” the vagaries of these requirements are having a direct impact on medicine beyond the acute phase of compliance, especially in the introduction of new technologies in the clinical arena. New technologies, from wireless to tablet PCs, bring with them added functionality, potential workflow enhancements, and efficiencies – as well as new HIPAA security compliance issues.

Consider, for example, the effect of HIPAA's privacy rules on a physician contemplating the purchase of a Palm Pilot or other PDA. Even late adopters have probably observed the benefit of PDAs. Need to share patient data? Just beam it across the infrared link from one PDA to the next. Need to review patient lab data? Just touch the screen and the data are only a second away.

But it isn't that simple once HIPAA enters into the picture. Now a PDA carrying patient data is a compliance concern, as HIPAA's privacy rule applies to all mediums of a patient's protected health information, whether it's print, verbal, or electronic. Does your PDA have a login and auto logout feature? If not, then anyone could take your PDA and look up patient data. Consider the liability issues if you forgot your PDA at a coffee shop and someone picked it up and scanned through your list of patients. But with a login screen, one of the major benefits of a PDA – instant access to data – is lost.

If you use one of the wireless PDAs, such as the BlackBerry, then there are additional HIPAA-related issues: Does your PDA support the encryption of email and patient data it sends over the Internet? Is the encryption enabled? Is the level of encryption good enough for HIPAA?

Perhaps you've been considering adding a wireless (WiFi) LAN to your clinic or practice. You may have good reason to; wireless will allow you to carry a laptop into examining rooms for decision support and not have to worry about Ethernet cords. But considering HIPAA, is your WiFi system secure? Is the data encryption good enough? If not, will you have to buy new PCs and PDAs, or simply upgrade the operating systems? Do you need to hire a consultant? Maybe it's easier to simply string cables to each office and forget about the laptop this year. Or maybe it would be better to hold off on the computer-assisted decision support project altogether.

Paradoxically, although proponents of HIPAA once thought that it would enhance the move toward the electronic medical record (EMR), I believe that it is having the opposite effect. Because of the uncertainty surrounding HIPAA compliance and whether the legal system will be swamped with cases alleging violations of privacy, it's simply safer for small practices to stay with paper charts, and let the big medical practices deal with the inevitable lawsuits.

This brings up another cost issue: Does your insurance cover a patient suit over HIPAA? If so, how inclusive is the insurance? For example, let's say your practice regularly sends digital audio files overseas for transcription. You send the audio files and receive text documents a day later. Do you know how the patient data are handled at the transcription service? If a transcriptionist overseas decides to protest his or her low wages by posting a transcription of your patient's clinic visit openly on the Web, are you liable? Will your insurer pay? This example isn't as far-fetched as it might seem. In October 2003, a disgruntled Pakistani transcriber threatened the University of California-San Francisco over back pay.[3] She threatened to post patients' confidential files on the Internet unless she was paid more money. To show that she was serious, she sent UCSF an unencrypted email with a patient record attached.


HIPAA, Privacy, and the Physician:

Whereas compliance with HIPAA's upcoming security requirements is largely in the purview of vendors and the information services department in most larger medical centres, privacy concerns are usually addressed at the physician level. Consider the major privacy provisions of the act, most of which took effect in April 2003, listed in the Table.

Major Privacy Components of HIPAA, Based on Data From the DHHS.

Implementing each of these privacy components falls squarely on you and your office staff. You, your office manager, or someone else in your practice must be designated the Privacy Officer and given the responsibility of ensuring compliance with the act. If you haven't already had at least 1 practice walk-through with the major privacy provisions, make sure you do so.

5 Security Issues Threatening HIPAA Compliance

The security of your organization is a high priority, especially when dealing with PHI and medical records. There are many causes of security breaches, and knowing which issues pose the most risk for your facility is key. While security issues compound and grow larger with the size and scope of your organization, having the right perspective in addressing these problems makes a difference in avoiding noncompliance. The following five security issues have been identified as the most common threats to HIPAA compliance in organisations:

  • Awareness, Training and Implementation

It is important that all employees, agents and business associates be fully aware of the security policies and protocols of the organization. As new technology is introduced and continues to change the infrastructure of the operation, compliance officers must make a concerted effort to keep all lines of communication open, encouraging employees to ask questions regarding new technology, its uses, and any other issues that may pose a risk.

  • Unexpected Events

An unexpected event can create serious problems. Such events range from natural disasters and inclement weather to security breaches. You must have a plan in place to handle these issues quickly and professionally. It is wise to conduct drills, revisit your disaster plans on a continual basis, and make sure all employees are aware of all contingency plans.

  • Smart Devices and Remote Accessibility

Smartphones, tablets and other mobile devices have posed challenges for organisations and their security policies. It is essential to work with the IT department to make sure all devices used on the campus are completely secure. Implementing a comprehensive training program, and conveying this information to any visitors is crucial in this process. Restricting access to PHI, having defined data wiping procedures, and restricting vendor access is key.

  • Documentation

During an audit, documentation is one of the easiest places to find deficiencies in your HIPAA compliance. It is important to have accurate, up-to-date documentation on every protocol used to prevent misuse of PHI and operate safely within the designated guidelines. Resources like the HIPAA Audit Protocol and the National Institutes of Science and Technology HIPAA Security Rule Toolkit can be used to prepare and manage your documentation and stay in compliance with HIPAA laws and regulations. Having a detailed strategy in place for producing the right documentation will help prevent ongoing security issues.

  • Policies and Procedures

Many organisations have overlapping policies and procedures, which causes inconsistencies within the infrastructure. There should be a designated compliance officer and/or team in place to review and update the policies on a continuous basis, taking note of any deficiencies, overlap, and areas where policies and procedures are not being carried out efficiently or where employees are unaware of them.

Understanding the risks associated with each of these security issues is paramount in developing and implementing effective strategies to remain in HIPAA compliance. The ultimate objective is to ensure your employees, business associates and other agents of the organization stay updated on any security protocols and comply with their directives. Keeping HIPAA compliance initiatives and efforts at the forefront of your organisational goals will help in avoiding these and other security issues that may be specific to your organization. Working as a unit is the most effective method of combating the problem.

Mobile Devices and HIPAA Compliance

It’s important to make sure your mobile devices are HIPAA compliant. As technology continues to become an integral part of the healthcare environment, it is common for healthcare professionals to communicate with their colleagues via text message or mobile device. Many facilities and practitioners use tablets and other software to transfer and record patient information, but this poses great risks in staying within HIPAA guidelines.


Guidelines for Establishing Effective Protocols

When assessing your current compliance protocols for mobile devices, there are specific questions that must be answered to make sure all areas are covered. These questions should cover:

  • Owners of the devices
  • Whether or not the devices are registered with the facility
  • Whether or not any PHI noted on a mobile device is uploaded and backed up on the server
  • Whether or not the devices can be wiped, both on premises and remotely
  • Whether or not a VPN (Virtual Private Network) is used to exchange information
  • Whether or not all policies and procedures address the use of mobile devices
  • Whether or not there is a separate mobile device usage policy in place
  • Whether or not the company utilises a BYOD (bring your own device) system
  • Whether or not the staff is properly trained on the mobile device policy

When analysing these protocols, these questions should provide insight into any changes that need to be made, or if additional protocols should be implemented. It is important to make sure all mobile device use pertaining to the patients and the healthcare facility be under a strict monitoring schedule.


Implementing Security Measures for Mobile Device Use

There are a number of security measures that will assist in securing PHI on mobile devices:

  • Use of encrypted passwords that change every month, or an alternative secure user authentication process.
  • Implementation of an automatic screen lock feature that will time-out after a certain period of time.
  • Remote disabling.
  • Remote wipe features.
  • Disabling of any file-sharing applications and software.
  • Using firewalls.
  • Using security software.
  • Custom encryption.
  • Corporate permission when attempting to download applications.
  • Wi-Fi navigation controls with encryption.
  • Deletion of PHI before transferring the device to someone else, or getting rid of the device.

All of these security measures must be enforced and included as a part of the training process for employees. Your organization should always have best practices in effect and fully documented to meet compliance with HIPAA rules.


How to Develop a Mobile Device Policy

Staying compliant takes a concerted effort from the entire management team. Policies must be developed, implemented and consistently reviewed. Here are a few steps:

  • Make concrete decisions

Deciding how the devices will be used plays a major role in your strategy. Each option, whether for access, retrieval, storage or for creation of PHI should be carefully outlined with all the risks involved. Common issues that should be addressed include lost or stolen devices, downloads, use from unauthorised users and the use of unsecured networks.

  • Determine accessibility

Once you have identified the risks of using mobile devices, carefully assess whether or not it would be a good idea to implement their usage. It is important to factor in devices that are company owned, and whether or not employees will use their own devices, which will pose great risks to PHI. Carefully analyse what information will be accessible, retrievable, transmitted and stored when using a mobile device, how the HIPAA rules will be applied, and what types of devices will be used on the system.

  • Identify a viable strategy

The strategy you develop should include all security safeguards and solutions to maintain privacy. Your strategy should be evaluated at every benchmark.

  • Development

Proper documentation must be in place for an effective implementation. This documentation should include the development of a management system, a BYOD system, all restrictions that should be in effect, any security settings, what can be stored on the device, protocols for misuse, a deactivation and recovery process, and training of all professionals.

  • Training

Training is one of the most important components of any policy implementation. All employees should be fully aware of the risks attached to using a mobile device, the HIPAA guidelines for protecting PHI, how to fully secure their device and any health information on it, and procedures for avoiding mistakes. The training should be delivered in separate components to ensure every employee fully understands it, and employees should also receive these policies in writing. Every team member is obligated to ensure the organization stays in compliance.

Although mobile devices are very useful, there are many opportunities for breaches and attacks to occur. The risk is very high within the healthcare environment, and making sure all risks can be avoided is key. Being proactive in ensuring your company is HIPAA compliant will keep you protected from any enforcement procedures that can occur as a result of non-compliance. The safety of PHI is very important. Having high standards and effective protocols in place while using technology can make a significant difference.

Why Staff Are Your Biggest HIPAA Vulnerability?

Editor's note: This is the third blog in a series of articles on HIPAA compliance and is produced in partnership with Total HIPAA Compliance. The second blog in this series discussed HIPAA training for your staff and can be viewed here.

While 2015 was accurately dubbed “The Year of the Healthcare Hack”, according to Experian’s 2016 Data Breach Report, 2016’s largest threat hits much closer to home – it’s your own staff.

The Experian report states, “While large breaches may be compromising millions of people’s records in one fell swoop, smaller incidents caused by staff negligence will also continue to compromise millions of records each year.” Experian predicts that these staff driven breaches will actually cause more damage.

These smaller incidents collectively put you at risk of an OCR audit, which in addition to being a distraction from your practice can also lead to fines and penalties. Even if there are none, a minor breach can add up in legal fees, patient notices and, above all, the cost of patient retention communication.

In most cases these are not malicious staff actions. The majority are caused by lack of understanding and complacency. The first is very easy to address: you train and test your staff on your HIPAA Policies and Procedures, as required by HIPAA, so they understand the role they play in protecting the health information they touch.


Complacency can be a little more difficult to remedy. Once you have trained your staff on your Policies and Procedures, they go back to their daily routine. Initially, they are more aware of HIPAA and protecting important data, but after a short while they let down their guard. After all, they know their job; they know your patients and a breach has never happened before so they begin to feel immune to the potential dangers. Fortunately, there are two steps you can take to keep your staff sharp:

  1. Educate them about the Value of Healthcare Data – It can be difficult for staff to understand why anyone would go to great lengths to get this health information. Helping them see what that data is worth in the wrong hands will give them more of an appreciation for the Policies and Procedures you’ve put in place to protect it.
  2. Remind them regularly – To maintain your HIPAA compliance, all of your staff should be trained annually, but it is unrealistic to expect them to keep that information at the top of their minds long term. Brief monthly training or reminders that touch on just one piece of your Policies and Procedures can be enough to make HIPAA a priority all year long.

Staff breaches may be the biggest threat to healthcare data this year, but it doesn’t have to affect you. The Experian Report points out that, “Organisations that implement regular security training with staff and a culture of security committed to safeguarding data will be better positioned for success.”

Which Type of HIPAA Training Is Right for Your Practice?

How to Choose Training
Looking at the NueMD survey from this year, the results show only 58% of the practices surveyed said they have implemented annual training for their staff. If you aren’t training annually, this is a MAJOR hole in your HIPAA Compliance Plan. You can have the best Compliance Plan money can buy, but without staff training, this plan is effectively useless.

Two types of training are required under the HIPAA Law.

  1. Training on the HIPAA Law
  2. Training on your specific policies and procedures

Training on the law can be difficult, unless you happen to have a HIPAA expert on staff. Training on your specific policies and procedures, however, should be handled by internal staff who are familiar with your practice’s decisions since they likely had a hand in creating them.


What to Look for in Training
There are a multitude of training choices out there. Do you train everyone yourself, hire an outside resource, or use an online training solution? This is really a choice that is best answered by how confident you are in your knowledge of HIPAA, what your budgets look like, and the size of your staff.


Training Staff Yourself
Theoretically, this is the cheapest option, provided you have a strong understanding of HIPAA and a dedicated employee who can train your entire staff. However, many practices struggle to find an internal staff member that truly understands HIPAA, has the time to train staff annually, and can train any new staff as they come on board in addition to any other responsibilities they may have within the practice.

  1. Strengths - Cost effective, easy to incorporate new staff
  2. Weaknesses - Requires that you have a staff member who understands all aspects of HIPAA, adds responsibility for that staff member, training records have to be stored internally, time must be found to train staff, and training development costs must keep pace with updates in the HHS rulings


Hiring an Outside Resource
Your legal counsel should be able to supply someone to train your staff on HIPAA and your Compliance Plan, but this is a more expensive option than training staff on your own. Another issue you may run into is coordinating staff to be available when the trainer is onsite, and the inflexibility of training new staff members when they come on board.

  1. Strengths - Expert trainer in office
  2. Weaknesses - Difficult to incorporate new staff into training program, expensive, finding time that is convenient to train all staff at same time


Online Training
For many practices, this has all the benefits they are looking for: expert training, cost-effectiveness, and ease of incorporating new trainees as they come in. The drawback is that you still need to train your employees on the specifics of your plan. This option stands a chance if it is motivating and memorable.

  1. Strengths - Cost effective, easy to incorporate new staff, expert training, staff can train when it is convenient for their schedule
  2. Weaknesses - May not be up-to-date and still have to train staff on specifics of your practice’s HIPAA Compliance Plan

Any of these three approaches can be pretty boring. I recommend you try the training before you buy in, and make sure it’s not the dreaded “Death by PowerPoint.”


What about HIPAA certifications?
This is actually a marketing claim that will ultimately end up costing you more money with little to no additional benefit. HHS does not have a certification program, nor do they recognise these certifications. Usually, this is a way for companies to justify charging more for their services. 


What are auditors looking for?
In the upcoming audits, HHS is going to be looking at your training logs. This means having a date workforce members were last trained, individual test scores, and regular training updates. The training records are important to show that you are taking HIPAA seriously, and have consistently trained your staff. If you don’t dedicate a budget to HIPAA compliance and training, you probably will not meet OCR’s requirements for HIPAA training.

A New Way to Sue Health Care Professionals Using HIPAA?

Walgreens has been ordered to pay $1.44 million in a lawsuit brought against it for a violation of the Health Insurance Portability and Accountability Act (HIPAA) by one of its pharmacist employees.  While this may not sound like a big deal, this case represents only the second time HIPAA has been successfully used this way in court and it could have serious repercussions on the health care system.

The story begins when a Walgreens pharmacist looked up the medical records of her husband’s ex-girlfriend, whom she suspected gave her husband an STD. Apparently she found what she was looking for and told her husband about it, who then sent a text message to his ex and informed her that he knew all about her results.

The ex did not appreciate this, and told the Walgreens pharmacy about what happened.  At some point after that, the pharmacist accessed the ex’s medical records again, and eventually the ex filed a lawsuit against Walgreens, claiming it was responsible for the HIPAA violation because it failed to properly educate and supervise its employee.


Walgreens argued what the pharmacist did fell outside of her job duties and therefore it was not responsible for the breach.  The judge and jury disagreed, and the jury decided Walgreens was responsible for 80% of the damages owed the plaintiff (so I guess that means the total judgement for the plaintiff was $1.8 million). Walgreens has already said it will appeal.

As I said above, it may not sound like a big deal, but it potentially is.

Although HIPAA has a mechanism by which health care providers can be subject to federal civil and criminal penalties for violations, conventional legal wisdom says HIPAA does not allow for a “private cause of action”, meaning a private individual cannot sue a health care provider for breaching their medical privacy.

Or at least that’s how HIPAA used to be interpreted, before Neal Eggeson, the enterprising young attorney who successfully argued the only two cases in which HIPAA has been used in this fashion, came along.

Mr. Eggeson, who specialises in privacy law and medical malpractice, in an interview with Lawyers.com, said “10 years into the HIPAA privacy rule, I should not be the only attorney in the country doing this type of work.”

But, recently, a pathologist reader who is also an attorney wrote me and said the manner in which HIPAA was used in the Walgreens case was actually not novel after all.

The reader also stated he believes there will likely be a lot more of these HIPAA-type privacy lawsuits “as more and more plaintiff attorneys realise pharmacies, hospitals, and other health organisations are vulnerable and have deep pockets.”

After I received the reader’s email, I reached out to Neal Eggeson, the lawyer who successfully argued the Walgreens case and asked him for clarification regarding his case and how he used HIPAA.  He was kind enough to respond.

My reader’s thoughts on the article are below, followed by Mr. Eggeson’s. Many thanks to both of them for helping me understand both this case and how HIPAA is being used in civil lawsuits better.


The reader:

“As a multiple personality professional, I have a great amount of respect for HIPAA, its use as a shield for privacy data, and its use as a sword in litigation.  As such, even though the federal HIPAA statutes may not have a specific private right of action, I believe pathologists and other health care providers should recognise that breach of privacy litigation, both health care related and non-health care related, has been around for many years as a private (common law, sometimes statutory law) right of action.

What plaintiffs commonly have been doing in recent years is to use a HIPAA violation as the underlying predicate offence in their breach of privacy, defamation, negligence, breach of fiduciary duty, or other likewise suit.  Since HIPAA does not have a private right of action, common folks like you and I cannot use HIPAA directly in a privacy lawsuit, only the government can sue with HIPAA (civilly and criminally I might mention).  What private citizens have been doing, though, is proving to the court that if a HIPAA violation occurred, then this violation serves as a breach of duty by the health care professional in negligence cases, fiduciary duty cases, and straightforward violation of privacy cases.

…Doe v. Quest in the Missouri Supreme Court, where the court allowed a breach of fiduciary claim to stand versus Quest after their phlebotomist wrongly faxed HIV results without the express permission of Mr. Doe.  This case used overtones of HIPAA and similar state privacy laws, like state HIV privacy laws, as the underlying predicate (underlying wrong) in the suit.  Additionally, I easily found three other cases where HIPAA violations were used as the underlying predicate for private rights of action in state law privacy violation claims.


The first is a federal case (attached) from the Eastern District of Missouri by Judge Stephen Limbaugh (he is either the brother or cousin of El Rushbo), I.S v Washington Univ (E.D. Mo 2011).  In this case, Judge Limbaugh recognised that there was no individual private right of action under HIPAA, but that under Missouri law, HIPAA could be used to provide a standard of care from which to judge a defendant’s actions, and that HIPAA could also be used to establish a legal duty of care.  States vary in their laws, so every state may not agree with Missouri state law, but many do.

Second, in a 2006 state court case (attached), the North Carolina Court of Appeals allowed HIPAA to be used to demonstrate the standard of care element in a psychiatric privacy case where the plaintiff sued for negligent infliction of emotional distress.  If one can use HIPAA as the standard of care and show HIPAA was violated, then the next logical step is that the health care professional breached a duty owed to the plaintiff by violating the standard of care.  After that, all that remains is proving damages.

Finally, in a more recent West Virginia Supreme Court case, a case that cites many underlying cases from other states in a survey of the law, the Court found that HIPAA does not preempt state laws and that HIPAA may be used as the basis of a negligence claim (used as the standard of care to which a breach of duty is judged). See R. K. v St. Mary’s Med Ctr, (2012) attached.

I hope you find this discussion interesting.  HIPAA is a very complex and tricky set of laws and regulations, and I fear litigating HIPAA will become the next new cottage industry for plaintiff attorneys. The more pathologists and physicians know about HIPAA, the better.”

NueMD HIPAA Survey Results 

In 2014, NueMD, an Electronic Health Record (EHR) and billing software company, distributed a questionnaire to medical practices and billing companies to gain insights on their knowledge of HIPAA regulations, compliance measures, and communication methods.¹ There were 1197 responses, with 1037 medical practices and 160 billing companies. Two years later in 2016, the survey was distributed again to determine how much has changed in relation to the participants’ knowledge.² This time it was a total of 927 responses, with 799 medical practices and 58 billing companies. The respondents were clients of NueMD.

In this blog, we compare the data found in these two surveys. The results are surprising.

HIPAA Audits

2014: In 2014, only 32% of those surveyed were aware of HIPAA audits.

2016: In 2016, 40% of participants reported that they knew about HIPAA audits.

Currently, audits of business associates are taking place. The first round in 2016 looked at covered entities (primarily healthcare providers). In October 2016, HIPAA audits expanded to include business associates. HHS is drawing from a list of 20,000 BAs identified in the first round of audits. Next year, OCR plans to conduct full audits for a selected group of covered entities and business associates. These audits will be more intense than previous ones because they involve auditors coming onsite for several days. HHS gives the practice 10 days to prepare. For those organizations that have not started the compliance process in advance, there is almost no way to prepare in time if you are selected for an audit.³

HIPAA Compliance Plan

2014: In 2014, 58% of those surveyed stated they had a HIPAA compliance plan in place. However, there was a disconnect between managers and staff: 68% of managers claimed to have a HIPAA compliance plan, but only 43% of staff.

2016: In 2016, a whopping 70% of respondents reported that they have a HIPAA compliance plan.

All organizations that come in contact with PHI should have a compliance plan in place. There are several important documents that a medical practice must complete to have a comprehensive plan, including Privacy and Security Policies and Procedures, Business Associate Agreements, and a Risk Assessment. Based on the responses to the next two questions, it is likely that fewer healthcare providers are as compliant as they indicate.

Business Associate Agreement (BAA)

2014: 60% of those surveyed were aware that the Omnibus Ruling requires BAAs with third party vendors.

2016: The number rose to 68% of participants knowing about the BAA rules.

Business Associate Agreements Reviewed and Updated

2014: 24% of respondents had “all” of their BAAs reviewed and updated since the 2013 Omnibus Rule, and 21% surveyed said “some”.

2016: There was an increase from 2014 to 2016, with 29% responding “all” BAAs are updated and reviewed, and 19% having “some” of their BAAs up to date.

Recently OCR was notified that Women and Infants Hospital (WIH) of Rhode Island lost unencrypted backup tapes of ultrasounds of over 14,000 patients. The tapes also included PHI such as names and dates of birth. WIH is a covered entity member of Care New England Health Center (CNE). CNE provides centralized corporate support for its covered entities. The two organizations signed their BAA in 2005 and had not updated it since. The Omnibus Rule in 2013 added extra requirements to Business Associate Agreements. Failure to update their BAA to incorporate these new requirements rendered their 2005 Agreement ineffective. In the end, the outdated BAA resulted in a $400,000 settlement.

Risk Assessment

2014: Only 33% said they performed a risk analysis

2016: This question was not included in the NueMD 2016 HIPAA Survey Update

If there is an audit, one of the first things OCR will ask to see is a Risk Assessment. This helps organizations identify their potential areas of risk in regard to the PHI they handle. Failing to assess potential areas of risk in your organization is failing to protect PHI.

In July 2016, a settlement was reached with U-Miss Medical Center after a breach that affected 10,000 people. It was found that UMMC did not take adequate risk management security measures. They settled with OCR for $2.75 million.⁵

HIPAA Training

2014: 62% of managers reported that they provided HIPAA training for their employees.

2016: This number surprisingly dropped over the 2 years. Only 58% of organizations surveyed claimed to have provided HIPAA training.

Proper HIPAA training should educate people on the Law. Lack of training equals lack of knowledge and translates into more risk. On October 17, 2016, St. Joseph Health (SJH) settled potential violations with HHS following the report that files containing PHI were publicly accessible through internet search engines from 2011 until 2012. SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan. As part of the corrective action plan, with HHS’ final approval of the training materials, SJH must train all appropriate workforce members, in accordance with SJH’s applicable administrative procedures, and provide annual retraining.⁶

To help comply with the current compliance regulation, check out Total HIPAA’s latest service, HIPAA Prime™. HIPAA Prime is an easy-to-follow, cost-effective online solution for quickly developing and implementing your personalized HIPAA Compliance Plan. Whether you are a small or large organization, HIPAA Prime will satisfy all of your documentation and training requirements.

Does HIPAA Restrict Healthcare Professionals from Communicating with Family and Friends?

Buddy Dyer, the mayor of Orlando, requested a waiver of the HIPAA rules following the June 12 shooting at Pulse Nightclub. Families and loved ones were inquiring about the status of patients located at local hospitals, but were not provided timely reports. Many of the patients being treated at the hospitals in Orlando did not have formalized legal relationships, and the mayor felt HIPAA would slow down the sharing of information with partners.

Some healthcare professionals feel that HIPAA restricts them from providing information about patients to their families and loved ones. There are stories of loved ones denied information about elderly parents or adult children by medical professionals citing HIPAA. In many cases, healthcare professionals do not understand the flexibility of HIPAA.

In order to understand whether Mayor Dyer and healthcare providers need to be concerned about HIPAA restrictions, let’s look at the Law. The waiver described under Section 1135 of the Social Security Act includes suspending certain HIPAA provisions to protect physicians, emergency medical staff, and law enforcement agencies so that they will not face penalties and sanctions for the release of PHI in a crisis.

The suspended requirements are:

  1. 45 C.F.R. § 164.510 requiring healthcare providers to obtain a patient’s agreement so that a medical professional can speak with family members or friends or provide patients the right to opt out of the facility directory;
  2. 45 C.F.R. § 164.520, the requirement to distribute a Notice of Privacy Practices to patients; and
  3. 45 C.F.R. § 164.522, the patient’s right to request privacy restrictions or confidential communications.

In 2010 President Obama issued an executive memo ordering the Department of Health and Human Services (HHS) to address the issue of hospital visitation for same-sex couples. Later that same year, the department prohibited hospitals from discriminating against visitation rights based on sexual orientation and gender identity.

A statement from HHS Assistant Secretary for Public Affairs Kevin Griffis explained why the waiver was not needed in Orlando:

Entities such as healthcare organizations, governmental agencies and law enforcement are allowed to exercise professional judgment as stated under HIPAA. For example, PHI communicated by an Emergency Medical Technician (EMT) via radio to the 911 dispatcher or between ambulance units is also permitted under the professional judgment provision in HIPAA. For most law enforcement personnel, as well as fire departments, the HIPAA Privacy Rule does not apply either, since disclosures are needed to perform their job duties. They can release PHI about victims of a vehicle accident or for investigation of a crime scene. The essential point is that as long as the conversations by the personnel covered under these provisions are treatment-related disclosures, there is no HIPAA violation. Hospitals and large health organizations must train their emergency staff on HIPAA and their specific policies and procedures to comply with the regulations.

Health Data Collected by App Developers not regulated by HIPAA

It seems that your medical data may not be as protected as you might first assume.

A recent report from the Department of Health and Human Services showed that the vast majority of mobile health apps on the marketplace aren’t covered by HIPAA, the Health Insurance Portability and Accountability Act of 1996.

HIPAA currently applies only to traditional medical establishments, such as hospitals, doctors and health insurance providers. Apps or devices used in conjunction with a doctor’s office or a hospital are not legally allowed to share or sell your information. However, there is no definitive federal law governing what happens to the data that an app developer, tech company or private individual collects.

Typically a patient using a third-party developed app enters medical information, which is then sent in some form to a physician. The data in the patient’s medical record would be covered by HIPAA; however, the data that the third-party app developer collected would not be.

Although the two data sets are identical, they are stored on different computers and have different levels of protection.

Although app companies are not governed by HIPAA, they would do well to abide by its standards. Any app developer found to be using unfair or deceptive practices with regard to user medical data could be held accountable by the FTC.

Until federal regulations are extended to cover app data collected by third-party developers, this will remain a legal grey area, and one that patients, doctors and developers all need to be aware of.

Multi-Line Agencies and Privacy Requirements 

It’s important to train all staff in a multi-line agency on HIPAA Compliance

There is a great deal of crossover within multi-line agencies. Cross-selling group or individual health insurance and other benefits, between personal lines and key commercial lines clients, has been one of the best ways to preserve a long-term relationship. To do this well, there has to be some exchange of often confidential information between different teams. Plus, the reality that there is often little to no physical or electronic separation between team members means that you need to have your bases completely covered in case of an unintentional breach. Simply said: it’s very important that all parties are properly trained on these regulations, which is one of many reasons a multi-line agency will often require all staff to be trained on HIPAA.

Protecting PHI, NPPI and PII

Across your agency, you may have multiple agents that will have access to or come in contact with Protected Health Information (PHI), Non-Public Personal Information (NPPI) and Personally Identifiable Information (PII). In our experience, agents handling long-term care, vision, Medicare, dental and health insurances are reluctant to refer clients to agents who sell life, auto, home, commercial liability, 401(k), and Workers’ Comp if these agents are not properly trained on their responsibilities to safeguard clients’ Protected Health Information (PHI).

Gramm-Leach-Bliley (GLB) is an entirely separate federal law (from HIPAA) that dictates what insurance agents can do with personally identifiable information collected from or about consumers, or resulting from a transaction with consumers. This is commonly called Non-Public Personal Information (NPPI). Insurance agents are prohibited from disclosing NPPI as defined in GLB to nonaffiliated third parties without notifying the client or providing an opportunity for the client to opt out.

Non-health related insurances are considered financial products and are regulated by the privacy and security obligations of GLB. Many of these privacy and security concerns overlap when it comes to PHI, NPPI and PII. Everyone within your agency, whether they are working on health insurance or not, has to understand and appreciate the need for privacy of all the client information you handle.

For those of you selling products in the Federal Marketplaces (FFM), there are major concerns when it comes to privacy. Personally Identifiable Information (PII) is defined as information that can be used to distinguish or trace an individual’s identity. Information qualifies as PII in the Marketplaces when used alone or combined with other personal or identifying information linked or linkable to a specific individual. For example, a name, date and place of birth, mother’s maiden name, an IP address, and/or biometric records are some examples of PII. This is the broadest definition of individual information to date, and it is important to remember that it is not limited to health information. PII includes financial information as well.

Marketing Guidelines

Marketing means that an agent encourages individuals to use a product or service. HIPAA, GLB and ACA have very different marketing guidelines. Under HIPAA, agents may use an individual’s PHI for marketing purposes only in face-to-face meetings and to identify clients to whom they want to give promotional gifts of nominal value. The agent may use PHI to market or handle issues related to the health insurance product itself, including marketing to different carriers. For any other uses of PHI, the agent must receive prior written authorization from the client.

GLB marketing guidelines allow an agency to shop for the best price on life insurance or other coverages with a variety of carriers, with a proper agreement in place, and a Notice of Privacy Practices given to the client. An agency is able to take NPPI and disclose it to third parties without additional authorizations.

According to Marketplace rules, you are prohibited from cross marketing to a SHOP client, even if you have written permission from the client to market, or you are in a face-to-face meeting. This is an important distinction from HIPAA where you can cross market in face-to-face meetings, or if you have a signed agreement from the client. You could be fined or prohibited from selling into the SHOP or FFM if you are found to be in violation of these cross marketing rules. It is permissible to leave a list of other services, and tell the client to call if they are interested.

HIPAA, GLB and ACA require you to protect personal information about your clients, adopt policies and procedures, provide privacy notices to your clients on a yearly basis, and ensure your staff understands their responsibilities. Most of these requirements for HIPAA, GLB and the ACA can be fulfilled with the same set of documents, which are part of the Total HIPAA compliance documents and training.

Smart multi-line agencies will take advantage of meeting federal requirements with one combined effort. Meeting these compliance requirements gives your organization a good reputation because it is clear you’re dedicated to taking all the steps possible in order to protect your clients’ information.

10 common HIPAA violations and preventative measures to keep your practice in compliance

The HIPAA law to protect patient health information is quite well known by personnel in most physician offices. There still remain, however, some questions regarding HIPAA’s rules and regulations. Providers who are not up to date with changes in the law risk violations that could not only damage a practice’s reputation but also result in criminal and civil fines.

The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, was established in 1996 to set national standards for the confidentiality, security, and transmissibility of personal health information.

Healthcare providers are required, under the HIPAA Privacy Rule, to protect and keep confidential any personal health information. It also sets limits and conditions on its use and disclosure without patient authorization. The Rule also gives patients rights to their health information, including rights to obtain a copy of their medical records, and request corrections.

HIPAA does have exceptions to the rule, however, such as when the Rule would hinder the ability to provide quality healthcare services. One example is discussion between two physicians who are both treating a patient. In addition, peer review activities, disclosures needed by health plans to resolve billing questions, and other similar situations are exempted.

The Department of Health and Human Services defines covered entities as healthcare providers, health plans, and healthcare clearinghouses, which include hospitals, physicians, chiropractors, dentists, optometrists, schools, nonprofit organizations that provide some healthcare services, and even government agencies. However, the list of those affected by HIPAA does not end there.

HIPAA violations can result in substantial fines to a practice ranging from $100 to $1.5 million. Healthcare providers can also be at risk for sanctions or loss of license.

We list below some of the more common reasons for HIPAA violation citations:

1. Employees disclosing information – Employees gossiping about patients to friends or coworkers is a HIPAA violation that can cost a practice a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients to private places, and avoid sharing any patient information with friends and family.

2. Medical records mishandling – Another very common HIPAA violation is the mishandling of patient records. If a practice uses written patient charts or records, a physician or nurse may accidentally leave a chart in the patient's exam room available for another patient to see. Printed medical records must be kept locked away and safe out of the public's view.

3. Lost or Stolen Devices – Theft of PHI (protected health information) through lost or stolen laptops, desktops, smartphones, and other devices that contain patient information can result in HIPAA fines. Mobile devices are the most vulnerable to theft because of their size; therefore, the necessary safeguards should be put into place, such as password-protected access and encryption for patient-specific information.

4. Texting patient information – Texting patient information such as vital signs or test results is often an easy way that providers can relay information quickly. While it may seem harmless, it is potentially placing patient data in the hands of cyber criminals who could easily access this information. There are new encryption programs that allow confidential information to be safely texted, but both parties must have it installed on their wireless device, which is typically not the case.

5. Social Media - Posting patient photos on social media is a HIPAA violation. While it may seem harmless if a name is not mentioned, someone may recognize the patient and know the doctor's specialty, which is a breach of the patient's privacy. Make sure all employees are aware that the use of social media to share patient information is considered a violation of HIPAA law.

6. Employees illegally accessing patient files - Employees accessing patient information when they are not authorized is another very common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for a relative or friend, this is illegal and can cost a practice substantially. Also, individuals that use or sell PHI for personal gain can be subject to fines and even prison time.

7. Social breaches - An accidental breach of patient information in a social situation is quite common, especially in smaller more rural areas. Most patients are not aware of HIPAA laws and may make an innocent inquiry to the healthcare provider or clinician at a social setting about their friend who is a patient. While these types of inquiries will happen, it is best to have an appropriate response planned well in advance to reduce the potential of accidentally releasing private patient information.

8. Authorization Requirements - A written consent is required for the use or disclosure of any individual's personal health information that is not used for treatment, payment, healthcare operations, or permitted by the Privacy Rule. If an employee is not sure, it is always best to get prior authorization before releasing any information.

9. Accessing patient information on home computers – Most clinicians use their home computers or laptops after hours from time to time to access patient information to record notes or follow-ups. This could potentially result in a HIPAA violation if the screen is accidentally left on and a family member uses the computer. Make sure your computer and laptop are password protected and keep all mobile devices out of sight to reduce the risk of patient information being accessed or stolen.

10. Lack of training - One of the most common reasons for a HIPAA violation is an employee who is not familiar with HIPAA regulations. Often only managers, administration, and medical staff receive training although HIPAA law requires all employees, volunteers, interns and anyone with access to patient information to be trained. Compliance training is one of the most proactive and easiest ways to avoid a violation.

The privacy and security of patient health information should be a priority for all healthcare clinicians and medical professionals. Make sure your materials are current, update your manuals, and conduct annual HIPAA training to prevent potential violations. Most violations can easily be prevented by incorporating HIPAA regulations into practice policies and procedures and ensuring that all individuals with access to patient information receive the proper training.

4 Steps to Assess a Possible HIPAA Data Breach

The HIPAA Omnibus Rules dramatically elevated your risk of data breaches. From lowering the breach standard to requiring documentation on why you think that you didn’t commit a breach, your practice needs to diligently work to avoid problems and properly handle a breach. An event that compromises the security or privacy of Protected Health Information (PHI) is considered an impermissible use or disclosure of PHI. Impermissible use or disclosure is a breach unless you can show that there was a low probability that the PHI was compromised. This is not an academic discussion since you are required to properly notify patients and the Department of Health and Human Services (HHS) about breaches, and you are subject to fines for breaches. For example, mailing patient information to the wrong party, and unauthorised access to your electronically stored patient records are breaches unless you can show that there is low probability that PHI was compromised.

There are three exceptions to the breach trigger: unintentional acquisition, access, or use of PHI while employees are performing their jobs, inadvertent disclosure to someone authorised to access PHI, and situations where you have a good faith belief that the recipient will not be able to retain the information. For example, a fleeting view of some PHI on a computer screen may not be considered a relevant incident. Using a “good faith evaluation” and “reasonable conclusion”, you evaluate the incident based on four factors:

  1. PHI Nature and Extent: The sensitivity of the information and ability to identify the patient as well as presentation options are factors in determining the probability. Deidentifying PHI is not easy or straightforward. In addition to name and phone numbers, a picture of a face or a free form text note about the patient could easily lead to identifying the patient. For example, a list of dated deidentified lab results with a separate list of patient appointments for the day of the lab would not present a low probability of compromise. On the other hand, loss of electronically stored diagnostic data that requires special software from the device manufacturer may present a low probability of compromise. This answer would be different if the lost information was PHI contained in an unsecured PDF file.
  2. Unauthorised Person Received or Used PHI: The status of the recipient of the PHI may offer a reasonable way to avoid a breach. For example, sending the patient report to the wrong doctor may lead to a low probability of compromise since the receiving doctor has been properly trained in HIPAA Privacy and Security.
  3. Actual Acquisition or Viewing of PHI: If your organization quickly uncovered the incident, you may be able to prevent the viewing or even possession of the PHI. For example, contacting the receiving party and recovering the information before the other people open the information may present a low probability of compromise. Similarly, if an envelope with PHI was lost, but upon recovery, you determine that the envelope was never opened, you may have a low probability of disclosure or use.
  4. Mitigation Factors: In the final step of your evaluation, you can determine if there were mitigating issues that lead you to a good faith and reasonable conclusion that the information was not disclosed. For example, a thumb drive containing PHI on a patient lost in a healthcare facility but recovered in a nonpublic area may present a mitigating factor.

If you determine that the probability of compromised PHI is low, you do not have a problem. Otherwise, you have a breach and have to respond according to the breach notification requirements. If you have encountered a breach, within 60 days of discovery of the breach, you have to:

  • Contact the Patients: You have to mail a letter to the last known address of the affected patients. If you cannot reach more than 10 patients by mail, a notice with an 800 number must be publicly posted on your website or in public media for 90 days.
  • Inform HHS: You have to maintain a log of breaches to send to HHS annually. If a breach involves over 500 patients, you have to directly contact the Office for Civil Rights.

Bring Your Own Device (BYOD) Guidance 

Bring Your Own Device, or BYOD, is when employers allow their employees to use their own electronic devices (phones, computers, tablets, etc.) on the organisation’s network.

BYOD has progressed from infrequent implementation to the norm. In 2015, Tech Pro Research released a study which reported that about 74% of respondents were already using or planning to use BYOD in their organization.¹

Despite its growth, not many organisations are completely confident in BYOD. In 2016, NueMD conducted a HIPAA survey. In this survey, they asked participants how confident they are that the devices they use in their business are HIPAA compliant, and found that only 20% of respondents were at all confident.

BYOD can open organisations up to serious security issues if not handled correctly. Since employees are using their own devices, they will take these devices home (and everywhere else); thus, there is more of a chance for these devices to be lost or stolen. Electronics were a lot more secure when it was the norm to leave them in the office. It was up to the company to protect those devices. Now with BYOD, employees will have to use extra caution in order to keep their devices safe.

BYOD also opens up organisations to malware. With an employee using the device for personal use as well, it is easier for a phishing email to reach the employee if the proper security software is not loaded. In addition, malware may be part of a download when unapproved applications are added by the employee. That malware would then affect everything on the device, including work related information. This puts the PHI on your network at risk.

Obviously, there must be some positives to BYOD, or it would not be as popular as it is. The main advantage is that it cuts costs for the organization. If employees can bring their own devices, organisations save money because they do not have to pay for devices for employees. BYOD also results in better productivity because employees are using a device they already understand. No time is wasted training employees how to use the device.

The implementation of BYOD has grown every year. Eventually you will need to consider BYOD and establish guidelines for implementing it on your network that respect the privacy of the user’s device. Access should only be requested for security reasons outlined in your policy. If you do choose to implement BYOD, it’s important to clearly define this decision in your policies and procedures.

First, you should have policies and procedures in place outlining the use of devices on your network. The policies and procedures should include:

  1. Acceptable uses:
    1. What apps are employees allowed to run?
    2. What websites should and shouldn’t be accessed?
    3. Can they be used for personal use during work?
  2. Acceptable devices:
    1. Will you allow laptops, phones, and tablets?
    2. What type of devices will you allow (Apple, Android, Windows, Blackberry, PC, etc)?
    3. How are you encrypting devices?
  3. Policies:
    1. Is the device configuration set up by the organisation's IT department?
    2. Is connectivity supported by IT?
    3. How often will you require a password change?
    4. Do you have a remote wipe policy?


Second, decide whether or not to implement Mobile Device Management (MDM). MDM creates a single unified console through which IT can administer different mobile devices and operating systems. MDM allows an organisation’s IT department to do things like remotely wipe devices, encrypt devices, set up secure VPN access, and locate devices.

MDM allows you to selectively wipe the information on lost or stolen devices. Some devices, such as iPhones, have a built-in application for this (Find My iPhone). Android phones can be tracked and wiped using Android Device Manager. Both applications are great for individuals, but not necessarily the best option for an enterprise situation where you will need to track more than one device. Wiping a device is a heavy-handed approach that may make employees hesitant to use their device on your network, as all of their personal information could be wiped along with work-related data. With a BYOD policy in place, employees know what’s expected of them when they use their personal devices at work, including the possibility that the company will use MDM to remotely wipe information as needed.

Alternatives to consider are Mobile Application Management (MAM) and Agent-less BYOD. MAM is software that controls access to mobile apps on BYOD devices. A report by Bitglass found that only 14% of participants have adopted MAM. According to the report, MAM never really took off, and MDM has now stagnated due to privacy concerns.³ Bitglass’s solution is Agent-less BYOD, which protects corporate data on any device without an application. It also has an automated deployment process that does not require IT intervention. Agent-less BYOD is meant to be more secure and less restrictive for the employee because of its selective wiping capabilities.⁴

Finally, a BYOD policy agreement should confirm that the BYOD user understands and agrees to the policies and procedures. The user should also understand that the organization owns the work-related information on their device. Therefore, the organization has the right to take away access to the company network at any time. The BYOD agreement should be signed by the user, a department manager, and IT.

HIPAA Privacy and Security Training

The Privacy Rule requires a CE to train all members of its workforce (employees, contract workers, volunteers, trainees, and management) on the policies and procedures with respect to PHI, as necessary and appropriate for the workforce to carry out their functions within the CE.

  1. In addition to new hires, you must provide ongoing training when functions are affected by a material change in policies or procedures.
  2. Document evidence of compliance in written or electronic form and retain.
  3. You must have in place appropriate sanctions against workforce members who violate your privacy policies and procedures or the privacy rule itself.

The Security Rule: requires a CE to train the entire workforce, including management on security issues respective of organisational uniqueness. Security training updates based on technology and security risks must be offered periodically.


What Should Your Privacy and Security Training Include?

Privacy and security training can be delivered through your existing educational operations. An online, modular training program is convenient for off-site workers, contract personnel, and regular staff alike, and is an appropriate way to meet the requirement: off-site personnel who find it difficult to attend an on-site session can complete the same content online. However you choose to comply, your privacy and security training should include the following:

  • Education: knowledge and understanding
    • Cover PHI in all forms: verbal, written, electronic
    • Policies and procedures with respect to PHI
    • General confidentiality
    • Patient rights
    • Sanctions
    • Faxing
    • Complaints
    • Use of social media
    • General security policies
    • Physical and workstation security
    • E-mail procedures
    • Faxing procedures
    • Breaches: what is a breach, and what are the ramifications of a breach for the organization and the individual?
    • What is the Office for Civil Rights (OCR)?
      • Understanding of the agency's responsibility to enforce the privacy and security regulations
  • Training: how-to Privacy
    • How to handle PHI in the office
    • How to report a potential privacy violation
  • Training: how-to Security
    • Procedures for guarding against, detecting, and reporting malicious software
    • Procedures for monitoring log-in attempts and reporting discrepancies
    • Procedures for creating, changing, and safeguarding passwords
  • Ongoing awareness
    • Maintain a reference area where your privacy and or security officer maintains printed current policies and procedures for privacy and security.
    • Have a process in place to evaluate your training program effectiveness and reliability.
    • Ensure that all users have completed security awareness training before receiving access to electronic PHI (ePHI).
      • This should be an ongoing effort and constantly reviewed and revised when necessary. 
  • Address questions that arise from time to time.
    • Example: What should a HIPAA-compliant fax cover sheet look like?
      • The cover sheet should contain all standard information: Date, To, From, Phone, Time, Fax number to, Fax number from, E-mail address, Number of pages including cover, and Message. It should also include a disclaimer similar to: “The information contained in this facsimile message is intended for the sole confidential use of the designated recipients and may contain confidential information. If you have received this information in error, any review, dissemination, distribution or copying of this information is strictly prohibited. If you have received this communication in error, please notify us immediately by telephone and return the original message to us by mail or, if electronic, reroute it back to the sender. Thank you.” The disclaimer limits damage after a misdirected fax; it does not prevent one. Train staff to confirm the destination number (pre-programmed numbers for frequent recipients help) and to call ahead when faxing PHI to a number used for the first time.
    • Example: How should an e-mail transmission look to be HIPAA-compliant?
      • Your e-mail should contain a disclaimer similar to: “The information contained in this transmission may contain privileged and confidential information, including patient information protected by federal and state privacy laws. It is intended only for the use of the person(s) named above. If you are not the intended recipient, you are hereby notified that any review, dissemination, distribution, or duplication of this communication is strictly prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message.” Keep in mind that a disclaimer is not a safeguard: the Security Rule requires you to address encryption of ePHI in transit, so ePHI leaving the organization by e-mail should be encrypted or sent through a secure messaging portal, with a plain e-mail used only where the patient has requested it after being told of the risk.

HIPAA Exams is your source for all HIPAA requirements! Stay current with federal HIPAA requirements through up-to-date online learning from HIPAA Exams, Inc. Current educational modules are available for Covered Entities, Business Associates, Administrators, Health Care Providers, Nurses, Medical Office Staff, and other health care workers. Call with questions or to discuss your needs. We can help with any compliance training!


Patient Privacy: Let’s Stop Calling It HIPAA


Oftentimes in medicine, or in life in general, we are required to revisit the origin of a popular belief, phrase, or piece of “common-sense” knowledge. Through repeated retelling, these concepts can stray far from their original meanings and turn into something entirely different and even erroneous. Unfortunately that seems to be happening with HIPAA. Speak the word among providers and you will likely invoke thoughts of uptight regulators in suits and extraordinarily hefty fines issued to those foolish enough to keep loads of data on an unsecured laptop. However, HIPAA is not about overbearing rules or an ever-growing documentation burden. It is about privacy.

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is at its core a federal law put in place to protect the identifying information of any patient receiving medical care. The details get involved, but essentially the law requires providers, clearinghouses, and health plans to make a serious effort to protect information such as names, birth dates, Social Security numbers, photographs, and any other unique identifier a person may have. The end goal is that a patient's medical needs are kept private. Aside from being a basic human right, privacy deserves protection for additional reasons, such as the possibility of discrimination against patients by employers or insurers (see preexisting conditions).


Big (Unsecured) Data
For better or worse, we will soon be so proficient at collecting data that nearly every aspect of our lives will be quantified. Despite being thoroughly intrusive and a little creepy, this massive data collection and analysis will have benefits, such as helping to address the obesity epidemic and finding new treatments for many diseases. Unfortunately that is the optimistic view. Currently, most of the data collected by our mobile devices is simply being used to find more efficient ways to market to us. Worse, as we have seen over the past couple of years, we are nowhere near experts at data security. Think back to 2013, when Target failed to protect the credit and debit card data of over forty million customers. Health data is far more sensitive, because you cannot cancel and replace a diagnosis the way you would a stolen credit card.


“We’re HIPAA compliant… right?”
Aside from data security, there is a lot of confusion around HIPAA in general, especially in smaller medical practices. Our recent survey showed that practices are far from HIPAA compliant. Many practices are struggling to train their employees (only 56% of office staff said they had received HIPAA training within the last year), and only 45% of respondents reported that their practice has a (HIPAA-required) breach notification policy. At the end of the survey, respondents were asked, “How confident are you that someone in your business is actively ensuring HIPAA compliance?” With only 38% saying “very confident,” it is clear that we, as an industry, have some work to do. Practices certainly have a lot on their plate, between ICD-10, Meaningful Use, and the ACA, but we cannot let HIPAA fall by the wayside. Aside from increased communication and simple education, I suggest we do one more small thing to bring the focus back to what matters.


Ditch the Acronym
Whatever reason a patient may have to keep data private, providers should be making it a top priority. With so much conflict surrounding our personal information, we absolutely cannot afford to take this matter lightly. This isn’t about documentation written in 1996 or outrageous fines. It is about protecting the privacy of people. So, let us rid ourselves of the strange acronym that reminds us of a water animal and take on this issue by giving it a name that makes sense: PATIENT PRIVACY.


4 Steps to Mitigate a HIPAA Breach and Other Tips You Need to Know


Have you been the victim of a breach? Maybe not, but perhaps you know someone who has. Either way, deciding what to do next can be challenging if you're unprepared. 

First, it's important to determine whether the incident is truly a breach or simply a false alarm, then follow these guidelines to quickly respond.


What is Considered a Breach?
The Department of Health and Human Services (HHS) defines a breach as:

“The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

The reason I bring this up is that the definition was updated by the 2013 Omnibus Rule, which removed the old “harm standard.” Under the earlier interim rule you had to show a significant risk of harm before an incident counted as a breach. Now any impermissible use or disclosure of unsecured PHI, be it a fax or e-mail to the wrong person, a malware infection, loss of an unencrypted device, etc., is presumed to be a breach unless you can document, through a risk assessment of four factors (the nature and extent of the PHI involved, who received it, whether the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated), that there is a low probability the PHI was compromised. The burden of proof has shifted to you.


Steps to Mitigating a Breach
When responding to a breach, HHS expects you to have your response protocol in place BEFORE a breach happens, so we highly recommend including this as part of your HIPAA Compliance Plan. This is the best way to protect yourself if and when a breach does occur. To get started, follow these four steps:


Step 1: Perform A Risk Analysis
This first step is required by the Breach Notification Rule (it is the breach risk assessment, distinct from the Security Rule's periodic risk analysis). It needs to be conducted quickly and should be as thorough as possible, because the date you discover the incident starts the notification clock. Here is what to establish:

  1. When did the breach start and end?
  2. What date did you discover the breach?
  3. Approximately how many individuals are affected?
  4. What type of breach has occurred?
    • Hacking/IT Incident
    • Improper disposal of PHI
    • Loss 
    • Theft 
    • Unauthorised Access/Disclosure
  5. Where did the breach occur?
  6. What type of PHI is involved?
    • Clinical
    • Demographic
    • Financial
    • Other

As you review this information, you will have a better idea of what happened and whether or not a breach actually took place.


Step 2: Contact the Authorities
At this point, if you’ve discovered that indeed this is a breach, and if you determine a criminal act has transpired, contact your local authorities. For malware issues, you may be referred to the FBI to file an official complaint. 


Step 3: Notification of Patients
Each affected individual must be notified in writing by first-class mail without unreasonable delay, and no later than 60 calendar days after the breach is discovered. Notice may be sent by e-mail instead only to individuals who have agreed to receive electronic notice, so if you want that option, obtain each patient's agreement (for example, as part of intake paperwork) and say so in your Notice of Privacy Practices. This can save you a lot of time and money, so we highly recommend including this clause in your compliance plan. To add it, contact your lawyer, or the team at Total HIPAA, to make sure it is properly laid out.

The Substitute Notice: This is required when you have insufficient or out-of-date contact information for 10 or more individuals. You then have two options: 1) post a conspicuous notice on the home page of your website for 90 days, or 2) place a conspicuous notice in major print or broadcast media where the affected individuals likely reside. Either way, the substitute notice must include a toll-free number, active for at least 90 days, that people can call to find out whether they were affected. If fewer than 10 individuals are unreachable, an alternative written notice, a telephone call, or other means will do.


What is Required to be in the Patient Notification?

  1. A brief description of what happened, the date of the breach and the date the breach was discovered.

  2. A description of the types of unsecured PHI involved in the breach (name, address, date of birth, SSN, health information, treatment codes, etc.)

  3. The steps individuals should take to protect themselves from potential harm. The action could be different for each incident.

  4. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate damage, and to protect against future breaches.

  5. Contact procedures for individuals to ask questions or learn additional information, a phone number, an email address, website or postal address.


Step 4: Notifying HHS of the Breach, or The Rule of 500

Under 500 Patients Affected
If a breach affects fewer than 500 individuals, you are not required to notify HHS at the time the breach is discovered (the affected individuals must still be notified within 60 days). Log all of the items described above and report the breach to HHS no later than 60 days after the end of the calendar year in which it was discovered, using OCR's online breach notification portal.


Over 500 Patients Affected
If a breach affects 500 or more individuals, you must notify HHS without unreasonable delay and no later than 60 days after discovery, at the same time as the individual notices; HHS posts these breaches publicly. If more than 500 residents of a single state or jurisdiction are affected, you must also notify prominent media outlets serving that area within the same 60-day window. You should also check the breach notification law of your state, since state requirements vary and may be stricter. In several states, such as California, you are also required to notify the Office of the Attorney General. As always, check with your attorney if you have any questions about your state's requirements.


What Happens if You Don’t Self-Report a Breach?
If you are chosen for a HIPAA audit and the auditor discovers you have not self-reported breaches, this falls under the Willful Neglect provision, and you may be fined starting at $10,000 per violation. 


Exceptions to Notification Rules
Law enforcement officials may ask the Covered Entity to refrain from posting any notification if they believe it could impede a criminal investigation or may cause damage to national security.


What Happens if your Business Associate is responsible for a Breach?
Unfortunately, this is happening more and more, and having a Business Associate Agreement in place does not remove your own exposure: under the Omnibus Rule a covered entity is liable for the acts of business associates that are its agents under the federal common law of agency, and a breach at a business associate can still bring an HHS investigation or audit to your door.

We recommend a clause in your Business Associate Agreement requiring the business associate to notify you within 15 days of a suspected breach. The rule itself only obliges the business associate to notify you without unreasonable delay and no later than 60 days after it discovers the breach, which can consume most of your own 60-day window; and if the business associate is your agent, its discovery date counts as yours. Since you are the Covered Entity, it is best that you take the lead on patient notification. Make sure you get a full report from your business associate, including what it is doing to mitigate the breach, and communicate all relevant information to your patients so they can protect themselves.
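To make the four steps above concrete, here is a small breach-notification planner, added as an example and not part of the original article or any Total HIPAA material. Given the facts from the Step 1 risk analysis, it applies the Omnibus presumption of breach, the 60-day individual-notice window, the 10-person substitute-notice threshold, the 500-person HHS and media thresholds, and the business associate discovery rule, and returns each obligation with its due date. The thresholds and windows come from the HIPAA Breach Notification Rule (45 CFR 164.400-414); the `BreachIncident` fields, function names, and the sample incidents are my own constructions.

```python
# Added example: breach-notification planner for a HIPAA covered entity.
# Rule citations are to 45 CFR Part 164 Subpart D; field and function names are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

NOTICE_WINDOW = timedelta(days=60)  # 164.404(b): individual notice no later than 60 calendar days after discovery
SUBSTITUTE_THRESHOLD = 10           # 164.404(d)(2): 10 or more unreachable individuals -> substitute notice
HHS_IMMEDIATE_THRESHOLD = 500       # 164.408: 500 or more individuals -> HHS notified with the individual notice
MEDIA_THRESHOLD = 500               # 164.406: more than 500 residents of one State/jurisdiction -> media notice


@dataclass
class BreachIncident:
    ce_discovered: date                   # first day the covered entity knew (or should have known) of the breach
    affected_total: int
    max_in_one_state: int                 # largest number of affected residents of any single State/jurisdiction
    unreachable: int = 0                  # individuals with missing or out-of-date contact information
    phi_encrypted: bool = False           # encrypted per HHS guidance counts as "secured" PHI: no notice required
    low_probability: bool = False         # outcome of the four-factor risk assessment (164.402)
    ba_discovered: Optional[date] = None  # when a business associate discovered it, if one was involved
    ba_is_agent: bool = False             # BA acts as the CE's agent under the federal common law of agency
    law_enforcement_hold_days: int = 0    # delay requested by law enforcement under 164.412 (0 = none)


def effective_discovery(inc: BreachIncident) -> date:
    """A business associate that is the CE's agent imputes its discovery date to the CE (164.404(a)(2))."""
    if inc.ba_is_agent and inc.ba_discovered is not None:
        return min(inc.ba_discovered, inc.ce_discovered)
    return inc.ce_discovered


def requires_notification(inc: BreachIncident) -> bool:
    """Post-Omnibus presumption: an impermissible use or disclosure of unsecured PHI is a breach
    unless the documented risk assessment shows a low probability that the PHI was compromised."""
    if inc.phi_encrypted:  # secured PHI is outside the notification rule entirely
        return False
    return not inc.low_probability


def substitute_notice(inc: BreachIncident) -> Optional[str]:
    """164.404(d)(2): form of notice for individuals who cannot be reached by first-class mail."""
    if inc.unreachable == 0:
        return None
    if inc.unreachable < SUBSTITUTE_THRESHOLD:
        return "alternative written notice, telephone, or other means"
    return ("conspicuous posting on the website home page for 90 days or major print/broadcast media, "
            "plus a toll-free number active for at least 90 days")


def notification_plan(inc: BreachIncident) -> dict:
    """Return every notification obligation with its due date, or a record that no notice is owed."""
    discovered = effective_discovery(inc)
    plan = {"reportable": requires_notification(inc), "discovery_date": discovered}
    if not plan["reportable"]:
        plan["action"] = "retain the risk assessment documenting why no notification is required"
        return plan

    individual_due = discovered + NOTICE_WINDOW
    plan["individual_notice_due"] = individual_due
    plan["substitute_notice"] = substitute_notice(inc)

    if inc.affected_total >= HHS_IMMEDIATE_THRESHOLD:
        plan["hhs_notice"] = ("with_individual_notice", individual_due)
    else:
        # 164.408(c): fewer than 500 -> log it and submit within 60 days after the calendar year ends
        plan["hhs_notice"] = ("annual_log", date(discovered.year, 12, 31) + NOTICE_WINDOW)

    plan["media_notice_due"] = individual_due if inc.max_in_one_state > MEDIA_THRESHOLD else None

    # 164.412: a documented law-enforcement request defers the notices for the stated period.
    # The due dates above are the base statutory ones; counsel decides how the hold shifts them.
    plan["hold_until"] = (discovered + timedelta(days=inc.law_enforcement_hold_days)
                          if inc.law_enforcement_hold_days else None)
    return plan


if __name__ == "__main__":
    # Constructed sample: a stolen unencrypted laptop discovered on 10 March 2016.
    sample = BreachIncident(date(2016, 3, 10), affected_total=1200, max_in_one_state=900, unreachable=12)
    for key, value in notification_plan(sample).items():
        print(f"{key}: {value}")
```

The planner deliberately returns dates rather than "immediately" or "at year end": the 60-day figures are outer limits, and an incident discovered late in December still gets its annual HHS filing deadline (60 days after 31 December) computed correctly. Run it with your own incident facts before the first notification letter goes out, and keep the output with the risk assessment as part of the breach file.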


We hope that you never have to face a breach, but in the event that you do, we hope you'll return and use this blog as a reference. With more and more small medical practices becoming the victims of hacks, malware attacks, lost devices, and employee negligence, it's so important to have a plan in place before you have an issue. Having this plan can save you time, mitigate a breach faster, and ultimately save you money.


New York State Approves HIPAA Exams as Infection Control Training Provider


New York, NY, August 10, 2016 — HIPAA Exams, Inc. is a professional and management development training company focused primarily on health care, workplace safety, and legislative compliance. HIPAA Exams is accredited by ANCC and is an SBA 8(a) corporation. The company offers more than 25 health care-related courses that can be purchased or leased individually and viewed through the HIPAA Exams LMS or the client's own learning system.


New York State Department of Health Has Approved HIPAA Exams’ Infection Control & Barrier Precautions Training for All Healthcare Professionals.

In August 1992, legislation was passed establishing a requirement that certain health care professionals must receive training on infection control and barrier precautions every four years upon renewal of their license. The Infection Control and Barrier Precaution law applies to the following professions: dental hygienists, dentists, licensed practical nurses, optometrists, physicians, physician assistants, podiatrists, registered professional nurses and specialist assistants. As of November 3, 2008, the requirement for training will also include medical students, medical residents, and physician assistant students.

All HIPAA Exams’ courses are online independent study courses, allowing you to work at your own pace.  There is no limit to the number of times a participant may re-take the exam in order to obtain passing score.


Information Security versus HIPAA Compliance


I recently read a headline that stated, “CISO: Compliance Is the Wrong InfoSec Focus.” The article goes on to quote the CISO: “I'm going to improve our maturity of information security controls and then, out of that improvement of those controls ... will come much better regulatory compliance.” That works for standards that are purely about security controls, but HIPAA is as much about privacy as it is about information security.


I have had many people explain to me that they did not need to be HIPAA compliant because they were already compliant with some other standard. HIPAA, HITECH, and the Omnibus Rule share some attributes with other standards such as SSAE 16 / SOC 1 / SOC 2, but they are much broader. The Privacy Rule in particular is something that IT departments tend to ignore, and no security control framework covers it.

The Cycle of Compliance has three main components: a HIPAA risk assessment (the NIST methodology, as in NIST SP 800-30, is the industry standard and the one OCR's guidance points to), written policies and procedures tailored to the organization, and training and awareness based on those policies and procedures. A “canned” set of policies and procedures is not adequate, nor is training based on policies and procedures that are not actually in place in the organization. Staff will adopt policies and procedures more readily if they are trained on the specific ones developed for their organization.

The Cycle of Compliance covers all of the HIPAA requirements, and documenting these activities helps build a legal firewall around the organization. Once set up properly, the process contributes to greater productivity and job satisfaction for staff while requiring only a few hours a month to maintain.

Information security is an important part of HIPAA compliance, but it is not the “whole enchilada,” as we say here in California.