HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Understanding the HIPAA Security Rule: Administrative Safeguards


The Administrative Safeguards are the most comprehensive standards, as they cover over half of the HIPAA Security Rule. These standards encompass many of the oversight aspects of managing a covered entity. The other two posts in this blog series covered Technical Safeguards and Physical Safeguards.


The Department of Health and Human Services defines these safeguards as “administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”


Administrative Safeguards are broken down into the following standards:

  • Security Management Process: A covered entity must implement policies and procedures to prevent, detect, contain, and correct security violations. There are four required implementations for this standard:
    • Risk Analysis
    • Risk Management
    • Sanction Policy
    • Information System Activity Review
  • Assigned Security Responsibility: This standard requires the designation of a security official who is responsible for the development and implementation of policies and procedures.
  • Workforce Security: Under this standard, a covered entity must implement policies and procedures to ensure that all staff members have appropriate access to ePHI, and to prevent workforce members who do not have permission from accessing it. There are three addressable implementations under this standard:
    • Authorization and/or Supervision
    • Workforce Clearance Procedure
    • Termination Procedures
  • Information Access Management: This standard relates to the implementation of policies and procedures regarding the authorization of access to ePHI. There are three addressable implementations under this standard:
    • Isolating Healthcare Clearinghouse Functions
    • Access Authorization
    • Access Establishment and Authorization
  • Security Awareness and Training: Under this standard, a covered entity must have a security awareness and training program for all members of its workforce, including physicians and management. There are four implementations for this standard:
    • Security Reminders
    • Protection of Malicious Software
    • Log-in Monitoring
    • Password Management
  • Security Incident Procedures: Covered entities must have policies and procedures in place to address security incidents. There is one implementation:
    • Response and Reporting
  • Contingency Plan: The purpose of this standard is for covered entities to establish policies and procedures for responding to emergencies or other occurrences (fire, vandalism, natural disasters, etc.) that may damage systems containing ePHI. There are five implementations for this standard:
    • Data Backup Plan
    • Disaster Recovery Plan
    • Emergency Mode Operation Plan
    • Testing and Revision Procedures
    • Applications and Data Criticality Analysis
  • Evaluation: This standard requires covered entities to perform periodic technical and nontechnical evaluations in response to environmental and operational changes affecting the security of ePHI.
  • Business Associate Contracts and Other Arrangements: The final standard relates to the relationship between a covered entity and the vendors it uses. It states that the covered entity may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity’s behalf, only if the covered entity obtains the correct assurances. There is one implementation under this standard:
    • Written Contract or Other Arrangement

The HIPAA Administrative standards cover a broad scope of administrative functions that a covered entity must implement regarding the security of ePHI. Here are some basic practices that a covered entity can put into place:


  • Perform a regular risk analysis of systems used by the office to determine any new vulnerabilities or weaknesses.
  • Appoint a HIPAA Security Officer who oversees the implementation of these standards and maintains all policies and procedures related to security measures.
  • Ensure that all staff members adhere to a policy of creating strong passwords to access workstations/software programs that access ePHI. These passwords should not be common words or phrases and should not be shared among employees.
  • Create regular backups of any servers or systems that process ePHI. This can be done via a cloud-based system or an encrypted backup tape/hard drive.
  • Immediately remove access to any programs that process ePHI (EMR, billing/scheduling software, etc.) for any employee who is no longer associated with the covered entity (through termination or a job change). This will help prevent improper access to patient data.
  • Obtain and maintain Business Associate Agreements (BAAs) with any third-party vendors that store or process PHI. These agreements must ensure that the vendor will appropriately safeguard patient information.
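The Security Management Process standard above requires an Information System Activity Review, and the termination practice just described only works if someone checks that access was actually removed. The script below is an added example, not code from this post or from Technical Dr. Inc.: it reviews constructed audit-log lines against a constructed workforce roster and flags successful logins by unknown accounts, by terminated staff, or to a system the person's role does not cover. The log format, the roster fields (`systems`, `terminated`) and the system names `emr` and `billing` are all assumptions made for the example.

```python
"""Information system activity review for ePHI systems.

Added example, not the post's own tooling. The audit-log format, roster
fields and system names are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed workforce roster: which ePHI systems each account is authorized
# for, and the date the person left the covered entity (None = still employed).
ROSTER = {
    "jsmith": {"systems": {"emr", "billing"}, "terminated": None},
    "mlee":   {"systems": {"emr"},            "terminated": date(2019, 3, 1)},
    "rpatel": {"systems": {"billing"},        "terminated": None},
}

# Constructed audit-log lines (hypothetical format): timestamp user system event
LOG_LINES = """\
2019-03-04T08:02:11 jsmith emr LOGIN_OK
2019-03-04T08:15:40 mlee emr LOGIN_OK
2019-03-04T09:01:03 rpatel emr LOGIN_OK
2019-03-04T09:30:00 ghost billing LOGIN_OK
2019-02-27T17:45:12 mlee emr LOGIN_OK
"""


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    when: datetime
    reason: str


def parse_line(line):
    """Split one constructed log line into (timestamp, user, system, event)."""
    ts, user, system, event = line.split()
    return datetime.fromisoformat(ts), user, system, event


def review_activity(log_text, roster):
    """Return a Finding for every successful login the roster does not authorize.

    Checks, in order: the account exists in the roster; the login did not occur
    on or after the person's termination date (same-day access is flagged, so
    offboarding is expected to happen before the person's last login); and the
    system is one the person's role is authorized to use.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, system, event = parse_line(line)
        if event != "LOGIN_OK":
            continue  # only successful access is reviewed in this example
        entry = roster.get(user)
        if entry is None:
            findings.append(Finding(user, system, when, "unknown account"))
        elif entry["terminated"] is not None and when.date() >= entry["terminated"]:
            days = (when.date() - entry["terminated"]).days
            findings.append(Finding(user, system, when,
                                    f"access {days} day(s) after termination"))
        elif system not in entry["systems"]:
            findings.append(Finding(user, system, when,
                                    "system not authorized for this role"))
    return findings


if __name__ == "__main__":
    for f in review_activity(LOG_LINES, ROSTER):
        print(f"{f.when.isoformat()} {f.user:8} {f.system:8} {f.reason}")
```

Run against the constructed input, the review produces three findings: the terminated user `mlee` logging in three days after the termination date, `rpatel` reaching the EMR without being authorized for it, and an account (`ghost`) that the roster does not know at all. A real review would read the roster from the HR system of record and the log from each ePHI application, and the findings would feed the sanction policy and the termination-procedure checklist rather than just being printed.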


As with the Physical and Technical Standards, the Administrative Standards need to be reviewed for each covered entity through an annual HIPAA Security Risk Assessment. These assessments are not only mandatory but also essential for identifying any risks that could lead to a data breach.


In closing, the HIPAA Security Rule covers a wide range of standards and implementations that covered entities must employ to ensure HIPAA compliance. Failure to adhere to these policies can lead to OCR (Office for Civil Rights) sanctions in the form of audits and even severe civil penalties.

Technical Dr. Inc.'s insight:
Contact Details:

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


What you should know about HIPAA PRIVACY RULE


Does the HIPAA Privacy Rule affect you?

You should be familiar with the Health Insurance Portability and Accountability Act, also known as HIPAA, but do you know how the Privacy Rule affects you? The U.S. Department of Health and Human Services (HHS) has worked diligently since establishing HIPAA law to regulate privacy standards in the healthcare industry. When you think of the word privacy, many things may come to mind, such as closing the door during a patient’s consultation or ensuring confidentiality while discussing patient treatments with fellow staff members. As a covered entity, it is your responsibility to protect the privacy of your patients.


6 ways in which you can implement a Culture of Privacy:

During your day-to-day operations, you need to be aware of how to implement a culture of privacy in your practice and comply with the law. Across all roles, every employee in your practice needs to comply with HIPAA. Here are six ways in which you can implement a culture of privacy.

  • Provide HIPAA training to all your employees and maintain documentation that your entire staff has completed HIPAA training.
  • Ensure that your entire staff knows what patient information can and cannot be shared, both inside and outside the workplace.
  • Have your patients sign consent forms before sharing any form of PHI for any purpose, including your own marketing purposes.
  • Stay up to date on changes in the law that introduce new disclosure restrictions, and update your patient authorization forms regularly to reflect them.
  • Educate your patients and give them a clear outline of how they can request or obtain a copy of their medical records.
  • Ensure that you are giving your staff only the minimum necessary access to PHI to deliver quality healthcare.


It is your responsibility to maintain professional, top-quality healthcare for all parties involved while maintaining compliance with the law. Practicing a culture of privacy is how your practice stays current and minimizes the potential for a data breach. As a covered entity, you need to be aware of the potential consequences that come with non-compliance. Consequences range from significant monetary fines to criminal penalties such as jail time, along with a damaged reputation. In addition, there are strict breach notification requirements outlined in the law.


In the event of a breach, you may be investigated by the appropriate federal agency, such as the Office for Civil Rights (OCR), the Department of Homeland Security, the Department of Justice, or other federal agencies that may be involved. Depending on the results of the investigation, you may face penalties. Here are some penalties for data breaches that may apply.


  • $100 per record per day under HIPAA law, with a maximum annual penalty of $1.5 million per violation.
  • Loss of patient trust and repeat business due to damage to your reputation.


Millions of dollars in fines could cause you to lose your livelihood and your business. A bad reputation would stop repeat business and keep new customers from coming. These penalties and consequences are avoidable, and quality healthcare is attainable, if you comply with the law and practice the culture of privacy every day. Remember to instill a culture of privacy in your office and follow the Five Steps to HIPAA Compliance every year.


8 HIPAA Compliance Steps for Your Medical Practice


Complying with the 1996 Health Insurance Portability and Accountability Act (HIPAA) regulations is vital to keeping your patients’ protected health information (PHI) private, confidential, and secure. What is HIPAA? It is the set of safety standards for all entities handling sensitive electronic patient data. The guidelines apply to everyone in your hospital, medical, or dental practice who saves, accesses, or shares patients’ computerized health and financial records.


Proper precautions will help you gain the best patient rapport and standing. You’ll also avoid breach-related complaints, reputational damage, hefty monetary fines, civil lawsuits, criminal charges, medical license loss, and/or imprisonment. E-Complish excels at compliance with both Payment Card Industry (PCI) and HIPAA protocols. With us you can be sure client payment information and PHI remain safeguarded, but follow the eight steps below to ensure that your medical or dental facility is compliant.

Run Thorough Risk Assessments

Did your medical practice adopt an electronic health record (EHR) system before clear directions specified everything it should contain? Then your office might be using a system that fails to meet HIPAA standards. Using the latest guidelines, run a thorough risk assessment on your current system. That will highlight any noncompliant areas that you need to update to fulfill your obligations. In addition, you or a HIPAA specialist must complete mandatory security risk assessments annually. Then develop detailed action plans and timelines that address all evaluated issues requiring remediation or follow-ups.

Prepare for Disasters Before They Occur

Keeping all customer data that your medical or dental facility handles safe from corruption and loss is key. Installing antivirus programs on all business computers will protect them from viruses that could corrupt or destroy files. To prevent losses due to mishaps, back up all health records frequently. Using off-site locations will stop destructive events like office fires and floods from making valuable backups irretrievable.

Develop a Policy and Procedure Manual

Create written instructions that detail how your staff should address and maintain patient privacy, confidentiality, and security. Include a HIPAA compliance overview with specific processes for patient notifications, disclosures, and relevant forms. Distribute this manual to all existing employees and new hires. Requiring them to sign and return statements that they read and understand your policies and procedures can increase conformity. Review, update, and redistribute your handbook as regulations expand and change.

Establish an Ongoing Staff Training Program

Your weakest links determine your EHR’s strength. In medical and dental offices, untrained employees make the most errors unintentionally. Staffers who fail to follow safety protocols when accessing files and records can render even a very dependable encryption system useless. That might allow unauthorized parties to gain access illegally.

Guiding new hires is just the beginning. Re-educating your entire team annually to adhere to vital safeguards will ensure data security and integrity. Everyone must recognize that protecting health information is essential. Gather staffers’ signatures acknowledging awareness of HIPAA principles and practices. Document all employees’ names with initial and refresher course dates to verify that you’re fulfilling your ongoing commitment. Also evaluate and revise your training program as regulations expand and change.

Add Compatible and Compliant Office Equipment

All new equipment you buy for your medical or dental facility must work well with your existing system while providing sufficient security. Make sure that every purchase meets both of these crucial requirements; either one alone is not enough.

Collaborate With All Affected Internal Parties

The changes you must make to become HIPAA compliant will affect various internal personnel. Inform all involved supervisors and departments about necessary modifications to their routines. Preventing violations requires everyone’s ongoing and diligent participation.


Demonstrate Privacy throughout Your Facility

Treat your patients with the discretion they deserve everywhere, from your lobby to the examination rooms. Minimize personal references to specific patients by announcing only their given name or surname when calling them to the reception desk, payment windows, and doctor consultations. Providing private, quiet spaces for discussions with individuals will stop uninvolved parties from overhearing sensitive information. Always knock on closed doors before entering patients’ rooms. Never leave their files and documents visible or unsecured where unauthorized people could view them.

Post HIPAA Notices

Print notices explaining your HIPAA practices. Place them in easily noticeable common office areas. Your patients can review applicable privacy laws with information about how you’re striving to protect their health care’s confidentiality.


Do Dentists need to comply with HIPAA?


In April 2018, a dental office in New Jersey, Michael Gruber, DMD, PA, reported that their computers were hacked and 4624 patient records were stolen. This incident now appears on the “Wall of Shame” at the Department of Health and Human Services website. Yes, it can happen to anybody.


Many dentists seem to think that either they do not need to comply with HIPAA (Health Insurance Portability and Accountability Act) or that they are already compliant as they have taken HIPAA training provided by their EHR or by a consultant. While HIPAA training is indeed one of the annual requirements to be compliant with HIPAA law, it certainly is not the only requirement.


Because the breach reported by Michael Gruber, DMD, PA involved the loss or theft of more than 500 patient records, it was a reportable breach. Dentists, like any other covered entity, are required to comply with the HIPAA breach notification rules, which involve notifying OCR (Office for Civil Rights), the patients, and in some cases the media. This can become an expensive proposition, as legal fees, penalties, media costs, postage costs, forensic investigation costs, and other related expenses are incurred during the breach notification and investigation phase.


Once a covered entity becomes the victim of a breach, OCR puts the case under investigation and, more likely than not, conducts an audit of the practice. One of the first documents requested in this case is a copy of the office’s HIPAA risk assessment or analysis, which should be done annually.


OCR would typically also ask to see your HIPAA policies and procedures. Depending on the outcome of the investigation, OCR, as the enforcement arm of the Department of Health and Human Services, might also decide to impose monetary fines for HIPAA violations. In severe cases of criminal negligence or impropriety, federal agencies such as the FBI, the Department of Homeland Security, or the Department of Justice get involved, and there have been cases where a healthcare provider or an employee has been jailed.

Basic requirements for HIPAA compliance for a dental office:

  • Risk Assessment or Analysis:

    Conduct a risk analysis or risk assessment every year.

  • HIPAA Training:

    Train all your employees (including dentists, hygienists, assistants, and all administrative/office staff) every year on the HIPAA privacy, security, and breach notification rules.

  • Policies and Procedures:

    Create and maintain HIPAA policies and procedures and ensure that employees are familiar with them and follow them regularly.


Proposed HIPAA Law Changes


Upcoming proposed changes to HIPAA law from the Office for Civil Rights (OCR)

Roger Severino, Director of the Office for Civil Rights (OCR), in his keynote address at the 11th Annual OCR/NIST conference “Safeguarding Health Information: Building Assurance through HIPAA Security”, described some proposed policy changes to HIPAA law that OCR is in the process of working through. Be on the lookout for upcoming policy enhancements.


These proposed changes to legislation are prompted by input from covered entities, business associates, and experts on the issues they currently face under HIPAA regulations.

Here are some of the proposed changes that Director Roger Severino talked about.

Good faith disclosures by health care providers

Often people say “I didn’t know” when it comes to either their own health records or those of their loved ones.  Sometimes, especially regarding public health emergencies like the opioid crisis, parents don’t know what is happening with the health of their children until it is too late. In those cases, good faith disclosures may be the right way to go.   Should OCR pursue action against a provider who disclosed patient health information when the patient’s or someone else’s life was at risk?  There should also be a provision for providers to inform the patient’s emergency contacts listed on the consent form when there is a true emergency. 

Improving care coordination and reducing regulatory burden

Notice of Privacy Practices

  • Providers make the Notice of Privacy Practices available to patients and often ask patients to sign the notice as part of the patient package of documents. Patients sometimes do not know what this is for or what the notice provides them. It raises several questions, such as “Is this a contract?”, “What exactly am I signing here?”, and “Am I giving up my privacy?”. OCR is looking into the Notice of Privacy Practices to see how the process can be improved.

Required Provider to Provider Information Sharing

  • When patients go from doctor to doctor, the patient’s information should follow seamlessly to provide the best possible coordinated care to the patient. Providers are allowed to share information about patients with each other as part of the treatment process.
  • However, today there is no guarantee that information requested by one provider from another will be received. OCR is looking at the possibility of changing the law to make this provider-to-provider information sharing mandatory upon request.

Accounting of Disclosures

  • Another area of review is the Accounting of Disclosures. Should the TPO (Treatment, Payment, and Operations) provision be revoked or modified?
  • Today, TPO allows for the sharing of protected health information among entities for the purposes of treatment, payment, or operations related to a patient.

OCR is keen on reducing the burden in the healthcare process. Director Severino stated that we definitely do not want a situation where a doctor is treating a computer screen instead of the patient in front of the doctor.

Civil Monetary Penalties or Monetary Settlements to harmed individuals

  • OCR is also looking at the patient compensation process.  Congress wants OCR to compensate patients for breach of privacy. 
  • This can be very complicated as the gravity of breaches could differ greatly from one breach to another.  For instance, the risks vary depending on if patient name and address are stolen, or if a name, address and social security number are stolen, or worse, if sensitive health or disease information is stolen. What level of privacy breach should be compensated?

HIPAA/ FERPA

There is joint guidance available between HIPAA and FERPA for educational institutions.  FERPA is all-encompassing for educational institutions.  However, after a string of recent school shootings, some rules may have to change in terms of communication to psychologists to handle the trauma related to these incidents.


HIPAA Risk Assessment Requirements


Understanding your need for a HIPAA risk assessment is one of the best ways that behavioral health practices can defend against HIPAA fines.

In order to be HIPAA compliant you must address all elements of the law, but one of the most essential places to start is by fulfilling your mandatory HIPAA risk assessments. But how do you know what your HIPAA risk assessment requirements are under the law?

What’s a HIPAA Risk Assessment?

Let’s start with a simple explanation of the risk assessments required for HIPAA compliance.

A HIPAA risk assessment is an audit of your practice to assess the status of your compliance. HIPAA risk assessments give you a better understanding of the gaps that you currently have in your compliance program, so that you can build remediation plans to fix them.

HIPAA regulation outlines that you must conduct Physical, Administrative, and Technical risk assessments within your practice in order to be HIPAA compliant. These risk assessments will measure your practice against HIPAA regulatory standards.

Beyond HIPAA Risk Assessments

Once you’ve completed your risk assessments, you’ll have a clear understanding of which HIPAA standards you need to address.

Remediation plans help organize your compliance program so that you can understand where to focus your efforts to become HIPAA compliant. By completing your remediation plans with HIPAA policies and procedures, you help protect your behavioral health practice from liability in the event of a HIPAA violation in the future.

HIPAA risk assessments are only the first step among many that you need to take to become compliant with the law. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has an online HIPAA risk assessment tool that health care providers across the industry can access.

However, HHS does not have a tool for following up on these risk assessments with remediation plans, policies and procedures, employee training, documentation, business associate management, and breach management. Finding a HIPAA compliance solution to address the remainder of the federally mandated HIPAA standards should be your next step for protecting your practice from breaches and fines.
