HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Understanding the HIPAA Security Rule: Administrative Safeguards


The Administrative Safeguards are the most extensive of the three safeguard categories: they account for over half of the standards in the HIPAA Security Rule and cover most of the oversight involved in running a covered entity's security program. The other two posts in this series covered the Technical Safeguards and the Physical Safeguards.

The Department of Health and Human Services defines these safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information” (45 CFR 164.304).

Administrative Safeguards are broken down into the following standards:

  • Security Management Process: A covered entity must implement policies and procedures to prevent, detect, contain, and correct security violations. There are four required implementations for this standard:
    • Risk Analysis
    • Risk Management
    • Sanction Policy
    • Information System Activity Review
  • Assigned Security Responsibility: This standard requires the designation of a security official who is responsible for the development and implementation of policies and procedures.
  • Workforce Security: Under this standard, a covered entity must implement policies and procedures to ensure that all workforce members have appropriate access to ePHI and to prevent those who are not authorized from accessing it. There are three addressable implementation specifications under this standard:
    • Authorization and/or Supervision
    • Workforce Clearance Procedure
    • Termination Procedures
  • Information Access Management: This standard covers the policies and procedures for authorizing access to ePHI. It has one required and two addressable implementation specifications:
    • Isolating Healthcare Clearinghouse Functions (required; applies only if the entity operates a clearinghouse within a larger organization)
    • Access Authorization (addressable)
    • Access Establishment and Modification (addressable)
  • Security Awareness and Training: Under this standard, a covered entity must have a security awareness and training program for all members of its workforce, including physicians and management. There are four addressable implementation specifications:
    • Security Reminders
    • Protection from Malicious Software
    • Log-in Monitoring
    • Password Management
  • Security Incident Procedures: Covered entities must have policies and procedures in place to address security incidents. There is one implementation:
    • Response and Reporting
  • Contingency Plan: The purpose of this standard is for covered entities to establish policies and procedures for responding to emergencies or other occurrences (fire, vandalism, natural disasters, etc.) that may damage systems containing ePHI. There are five implementations for this standard:
    • Data Backup Plan
    • Disaster Recovery Plan
    • Emergency Mode Operation Plan
    • Testing and Revision Procedures
    • Applications and Data Criticality Analysis
  • Evaluation: This standard requires covered entities to perform periodic technical and nontechnical evaluations in response to environmental and operational changes affecting the security of ePHI.
  • Business Associate Contracts and Other Arrangements: The final standard governs the relationship between a covered entity and the vendors it uses. A covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on its behalf only if it obtains satisfactory assurances, in the form required by the rule, that the business associate will appropriately safeguard the information. There is one required implementation specification under this standard:
    • Written Contract or Other Arrangement

The Administrative Safeguards span a broad range of management functions that a covered entity must carry out to protect ePHI. Here are some basic practices that a covered entity can put into place:

  • Perform a regular risk analysis of the systems the office uses to identify new vulnerabilities or weaknesses, and track the resulting remediation as part of risk management.
  • Appoint a HIPAA Security Officer who oversees the implementation of these standards and maintains all policies and procedures related to security measures.
  • Ensure that all staff members follow a strong-password policy for workstations and software that access ePHI. Passwords should not be common words or phrases and must never be shared among employees; a shared login makes the Information System Activity Review meaningless, because activity can no longer be tied to an individual.
  • Create regular backups of any servers or systems that process ePHI, either to a cloud-based service covered by a BAA or to an encrypted backup tape or hard drive, and test that the backups actually restore.
  • Immediately remove access to any programs that process ePHI (EMR, billing/scheduling software, etc.) for any employee who leaves the covered entity or changes roles, and review the system's log-in records to confirm the access actually ended. This prevents improper access to patient data.
  • Obtain and maintain Business Associate Agreements (BAAs) with any third-party vendors that store or process PHI. These agreements must ensure that the vendor will appropriately safeguard patient information.
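The termination and log-review practices above are the two that OCR investigators most often find lacking, and both can be checked mechanically rather than by attestation. The following Python script is an added example, not part of the original post or of any vendor's product: it reconciles a constructed HR separation list against a constructed account export and authentication log from an application that holds ePHI, flagging accounts that are still enabled after the owner's separation date (Termination Procedures) and any successful log-in on or after that date (Information System Activity Review / Log-in Monitoring). The CSV column names, the log line format and all sample data are assumptions; a real EMR or billing system will export something different and the parsers would need adjusting.

```python
"""Reconcile HR separations against application accounts and log-ins.

Added illustration of two HIPAA Administrative Safeguard implementation
specifications: Termination Procedures and Information System Activity
Review. Every data set below is constructed and the column layout is
assumed; adapt the loaders to the export format of the system reviewed.
"""
import csv
import io
from datetime import date, datetime
from typing import Dict, List, NamedTuple

# Constructed HR feed: workforce members who left or changed roles, with
# the date on which their access to ePHI systems should have ended.
HR_SEPARATIONS = """\
user,separated_on
jsmith,2024-03-01
mlee,2024-03-15
rpatel,2024-04-02
"""

# Constructed account export from the application (EMR, billing, ...).
ACCOUNTS = """\
user,enabled
jsmith,true
mlee,false
rpatel,true
kbrown,true
"""

# Constructed authentication log, one event per line (assumed format).
AUTH_LOG = """\
2024-02-28T09:15:00 user=jsmith result=success
2024-03-04T08:02:11 user=jsmith result=success
2024-03-16T07:55:30 user=mlee result=failure
2024-04-01T17:40:00 user=rpatel result=success
2024-04-03T06:12:45 user=rpatel result=success
2024-04-03T06:13:10 user=kbrown result=success
"""


class Finding(NamedTuple):
    user: str
    issue: str    # "still_enabled" or "login_after_separation"
    detail: str


def load_separations(text: str) -> Dict[str, date]:
    """Map user -> separation date from the HR CSV."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["user"]: date.fromisoformat(r["separated_on"]) for r in rows}


def load_enabled_accounts(text: str) -> Dict[str, bool]:
    """Map user -> True if the application account is still enabled."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["user"]: r["enabled"].strip().lower() == "true" for r in rows}


def parse_auth_log(text: str) -> List[dict]:
    """Parse 'timestamp key=value ...' lines into dicts with a 'ts' datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def find_termination_gaps(hr_csv: str, accounts_csv: str, auth_log: str) -> List[Finding]:
    """Return findings for separated users with live access or post-separation log-ins."""
    separations = load_separations(hr_csv)
    enabled = load_enabled_accounts(accounts_csv)
    findings: List[Finding] = []

    # Check 1: separated user whose account was never disabled.
    for user, sep_date in separations.items():
        if enabled.get(user, False):
            findings.append(Finding(user, "still_enabled",
                                    f"separated {sep_date}, account still enabled"))

    # Check 2: successful log-in on or after the separation date.
    # Failed attempts are not flagged here; they belong in a separate
    # brute-force review, which this script does not attempt.
    for ev in parse_auth_log(auth_log):
        user = ev.get("user")
        if (user in separations and ev.get("result") == "success"
                and ev["ts"].date() >= separations[user]):
            findings.append(Finding(user, "login_after_separation",
                                    f"successful log-in at {ev['ts'].isoformat()}"))
    return sorted(findings)


if __name__ == "__main__":
    for f in find_termination_gaps(HR_SEPARATIONS, ACCOUNTS, AUTH_LOG):
        print(f"{f.user:8} {f.issue:24} {f.detail}")
```

On the constructed data the script reports jsmith and rpatel twice each (account still enabled, and a log-in after separation) and nothing for mlee, whose account was disabled and whose only later attempt failed. Each finding is exactly the kind of evidence, or gap, an investigator asks for when reviewing the Termination Procedures and the activity review.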


As with the Physical and Technical Safeguards, the Administrative Safeguards need to be reviewed for each covered entity through a HIPAA Security Risk Assessment. The rule requires the risk analysis and a periodic evaluation without fixing an interval; an annual assessment, repeated sooner after a major change such as a new EHR or a new office, is the accepted practice. These assessments are not only mandatory but essential for finding the risks that can lead to a data breach.

In closing, the HIPAA Security Rule covers a wide range of standards and implementation specifications that covered entities must employ to ensure HIPAA compliance. Failure to adhere to them can lead to OCR (Office for Civil Rights) sanctions in the form of audits and even severe civil penalties.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


HIPAA regulatory actions on failure to comply with breach rules


Caps on HIPAA penalties restrict OCR's ability to enforce proportionately

OCR Director Roger Severino said at the 2018 NIST/OCR HIPAA conference that it may be necessary for OCR to revisit the caps on HIPAA enforcement actions. When asked about the inconsistency among federal agencies in the penalties levied for data breaches, Director Severino said that achieving consistency or a common standard among agencies may not be easy. On the HIPAA side, there are caps on the penalties that can be levied. He acknowledged that it may be necessary to take another look at these caps to ensure fairness and proportionality in judgments. If a company is so large that a multi-million dollar fine has little impact on it, the caps may actually be hindering OCR’s ability to impose an appropriate enforcement action.

HIPAA enforcement highlights

The OCR Director summarized recent HIPAA enforcement actions and gave some details behind those cases. Among the cases he discussed: a covered entity that left unprotected medical records on an open truck, an entity that named a patient in a press release, insufficient monitoring of logs to detect incidents, and a medical center that allowed film crews in without prior patient authorization.

$45,360,383 is the total amount collected by OCR in HIPAA enforcement actions from January 1, 2017, to October 15, 2018. Total collections since 2008 exceed $100 million.

Regulatory actions against entities that fail to report breaches

When asked about the future of the desk audit program, Director Severino indicated that while they are pleased with the number of entities coming forward to report their breaches, OCR may now focus some energy on entities who have not reported their breaches in accordance with the breach notification rule. They may look into taking regulatory action against entities who do not report breaches as required.  

A note to all healthcare entities – If you suffer from a reportable breach, make sure you adhere to breach notification rules and procedures in a timely manner as dictated by law.


Healthcare information is a precious resource

Director Severino closed his address by saying that healthcare information is like a bar of gold. There are bad people who want access to it.

  • Store it in a safe place.
  • Put up a perimeter of defenses.
  • Train your personnel.
  • Monitor your logs.
  • Do your risk analysis.

Do Dentists need to comply with HIPAA?


In April 2018, a dental office in New Jersey, Michael Gruber, DMD, PA, reported that its computers were hacked and 4,624 patient records were stolen. The incident now appears on the Department of Health and Human Services breach portal, commonly called the “Wall of Shame”. Yes, it can happen to anybody.


Many dentists seem to think either that they do not need to comply with HIPAA (the Health Insurance Portability and Accountability Act) or that they are already compliant because they have taken HIPAA training provided by their EHR vendor or a consultant. While workforce training is indeed one of the requirements of HIPAA, and is normally repeated annually, it is certainly not the only requirement.


A breach like the one reported by Michael Gruber, DMD, PA, affected 500 or more individuals, so it had to be reported to HHS without unreasonable delay and no later than 60 days after discovery, rather than in the annual log used for smaller breaches. Dentists, like any other covered entity, must comply with the HIPAA Breach Notification Rule, which requires notifying the affected patients, OCR (the Office for Civil Rights) and, when more than 500 residents of a state or jurisdiction are affected, prominent media outlets. This can become an expensive proposition, as legal fees, penalties, media costs, postage, forensic investigation and other related expenses are incurred during the notification and investigation phase.


Once a covered entity suffers a breach, OCR opens an investigation and, more often than not, reviews the practice's compliance program. One of the first documents requested is a copy of the office's HIPAA risk assessment or analysis, which should be kept current and repeated at least annually.


They will typically also ask to see your HIPAA policies and procedures. Depending on the outcome of the investigation, OCR, as the enforcement arm of the Department of Health and Human Services, may also impose monetary fines for HIPAA violations. In severe cases of criminal negligence or impropriety, federal agencies such as the FBI, the Department of Homeland Security or the Department of Justice become involved, and there have been cases where a healthcare provider or an employee has been jailed.

Basic requirements for HIPAA compliance for a dental office:

  • Risk Assessment or Analysis:

    Conduct a risk analysis or risk assessment every year.

  • HIPAA Training:

    Train all your employees (including dentists, hygienists, assistants and all administrative/office staff) every year on the HIPAA Privacy, Security and Breach Notification Rules.

  • Policies and Procedures:

    Create and maintain HIPAA policies and procedures and ensure that employees are familiar with them and follow them regularly.


Why a HIPAA Manual Won’t Protect You from Audits


When the regulation was first released, HIPAA manuals were an effective way for health care professionals to address the law.

However, in the 21 years since HIPAA was first enacted, the regulatory requirements have changed significantly. These days, with all the new rules and guidance that the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released, a simple HIPAA manual is not considered an effective compliance solution for your behavioral health practice.

Protecting your practice in the 21st century takes more than a dusty HIPAA policy binder. To stay clear of the $17.1 million in fines levied since the start of 2017 alone, health care professionals need to ensure that they have a HIPAA compliance program in place that addresses the full extent of the law.

Why Isn’t a HIPAA Manual Enough?

The HIPAA Security Rule requires policies and procedures to be reviewed periodically and updated whenever environmental or operational changes affect the security of ePHI; an annual review is the accepted minimum. Your practice goes through changes all year long: employees are hired and fired, you might open a new office, or maybe you've adopted a new EHR platform.

Policies and procedures must be tailored to the unique needs of your practice, so these yearly changes need to be reflected in your organization’s HIPAA policies and procedures.

A HIPAA manual doesn't have the functionality you need to review and update your policies and procedures effectively; instead, policy binders must be replaced every year to keep your organization's documentation current. HIPAA also requires that workforce members be trained on the policies and procedures that apply to them and receive periodic security updates, so staff must be retrained whenever those policies change, and in practice at least annually.

A HIPAA Compliance Program that Changes with Your Practice

HIPAA compliance solutions that automatically track the status of your organization’s compliance are a key way to ensure that you are keeping up with the regulatory requirements of the law.

When looking for a HIPAA compliance solution that suits the needs of your behavioral health practice, be sure to check if policies and procedures are included. These policies and procedures should be directly tied to HIPAA audits that you conduct within your own practice to expose areas where you aren’t in compliance with the law. These ‘gaps’ in compliance feed directly into your remediation plans, which then inform the extent of the policies and procedures you need to adopt in your practice.

Your potential HIPAA compliance solution should also include an employee training module based on the policies and procedures that you’ve customized and adopted in your practice. Again, make sure that the solution you’re considering sets these tasks up on an ongoing annual basis.

And of course, when it comes to HIPAA, documentation is king. The solution you’re looking at should include full documentation–preferably automated–so that you can pull yearly reports to demonstrate the status of your organization’s HIPAA compliance.
