HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

What Happens if a Nurse Violates HIPAA?

What happens if a nurse violates HIPAA Rules? How are HIPAA violations dealt with and what are the penalties for individuals that accidentally or deliberately violate HIPAA and access, disclose, or share protected health information (PHI) without authorization?  

 

The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules must be followed by all covered entities and their business associates. The failure to comply with HIPAA Rules can result in significant penalties for HIPAA covered entities. Business associates of covered entities can also be fined directly for HIPAA violations, but what about individual healthcare workers such as nurses? What happens if a nurse violates HIPAA Rules?

What are the Penalties if a Nurse Violates HIPAA?

Accidental HIPAA violations by nurses happen, even when care is taken to follow HIPAA Rules. While all HIPAA violations can potentially result in disciplinary action, most employers would accept that accidental violations are bound to occur from time to time. In many cases, minor violations of HIPAA Rules may not have negative consequences and can be dealt with internally. Employers may decide to provide additional training in some cases to ensure the requirements of HIPAA are fully understood.

 

If a nurse violates HIPAA by accident, it is vital that the incident is reported to the person responsible for HIPAA compliance in your organization – the Privacy Officer, if your organization has appointed one – or your supervisor. The failure to report a minor violation could have major consequences. You can read more about accidental HIPAA violations here.

 

Serious violations of HIPAA Rules, even when committed without malicious intent, are likely to result in disciplinary action, including termination and punishment by the board of nursing. Termination for a HIPAA violation does not just mean loss of current employment and benefits. It can make it very hard for a nurse to find alternative employment. HIPAA-covered entities are unlikely to recruit a nurse that has previously been fired for violating HIPAA Rules.

 

Willful violations of HIPAA Rules, including theft of PHI for personal gain or use of PHI with intent to cause harm, can result in criminal penalties. HIPAA-covered entities are likely to report such incidents to law enforcement, and investigations will be launched. Complaints about HIPAA violations submitted to the Office for Civil Rights can be referred to the Department of Justice to pursue criminal penalties, including fines and imprisonment. Criminal prosecutions are rare, but theft of PHI for financial gain can carry a prison sentence of up to 10 years.

 

There is no private cause of action in HIPAA. If a nurse violates HIPAA, a patient cannot sue the nurse for a HIPAA violation. There may be a viable claim, in some cases, under state laws.

Further information on the penalties for HIPAA violations is detailed here.

Examples of HIPAA Violations by Nurses

The list of possible HIPAA violations by nurses is long; the most common nurse HIPAA violations are listed below.

  • Accessing the PHI of patients you are not required to treat
  • Gossiping – Talking about specific patients and disclosing their health information to family, friends & colleagues
  • Disclosing PHI to anyone not authorized to receive the information
  • Taking PHI to a new employer
  • Theft of PHI for personal gain
  • Use of PHI to cause harm
  • Improper disposal of PHI – Discarding protected health information with regular trash
  • Leaving PHI in a location where it can be accessed by unauthorized individuals
  • Disclosing excessive PHI and violating the HIPAA minimum necessary standard
  • Using another employee's credentials to access EMRs, or sharing login credentials
  • Sharing PHI on social media networks (See below)

Nurses Who Violate HIPAA with Social Media

Sharing protected health information on social media websites deserves further explanation. There have been several instances in recent years of nurses violating HIPAA through social media.

 

Posting any protected health information on social media websites, even in closed Facebook groups, is a serious HIPAA violation. The same applies to sharing PHI including photographs and videos of patients via messaging apps such as WhatsApp, Skype, and Facebook Messenger. Unless prior authorization has been received from a patient, in writing, nurses should avoid sharing photographs and videos of patients (or any PHI) on social media sites. The National Council of State Boards of Nursing (NCSBN) has released a useful guide for nurses on the use of social media (on this link).

 

There have been several recent cases of nurses taking photographs and videos of patients in compromising positions, recording abuse of patients in nursing homes, and taking embarrassing or degrading photographs and sharing them with friends via social media networks.

 

There has been considerable publicity surrounding the practice following the publication of a ProPublica report on the extent to which it is occurring (summarized here). The report involved the sharing of photographs of patients on Snapchat; 35 separate cases were uncovered.

 

In January, a nursing assistant was fired for sharing videos and photos of abuse of a patient with Alzheimer’s on Snapchat. A criminal complaint was filed and the nursing assistant faces up to three and a half years in jail if convicted.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


Closing the gaps in HIPAA compliance

It's been more than ten years since Congress passed the Health Insurance Portability and Accountability Act (HIPAA). Healthcare organizations have worked ever since to consistently maintain the privacy and security of patient health information. HIPAA requirements are vast and deep, requiring considerable effort for organizations to keep up with. Many--especially physician practices and smaller hospitals--do not have the bandwidth to keep on top of all the different HIPAA nuances.


Compounding this lack of resources is a widespread belief that HIPAA violations or security breaches only occur in other organizations. As such, practice leaders may think there is low risk in noncompliance and not prioritize the work. In addition, staff may not realize whose responsibility compliance is, leaving an important task open-ended and potentially incomplete.  


All that said, organizations that make a commitment to HIPAA compliance can protect themselves and their patients. HIPAA compliance, or lack thereof, has both financial and cultural implications, so identifying common HIPAA compliance gaps is a great way to start down the path to compliance. This article will discuss two major gaps that many organizations encounter: the prevailing "it won't happen to us" attitude and a lack of concentrated resources to maintain compliance.


The ever-mounting risk


There has never been a more important time to enhance a HIPAA compliance program. With the increasing prevalence of laptops and portable devices that house electronic health records and other patient information, the risk that a technology device will be stolen and its data compromised is growing. Hackers are also becoming more sophisticated--the news is full of organizations that have experienced attacks on their secure information.


Evolving technology is not the only risk factor. In fact, many compliance breaches stem from human error. For instance, staff might inadvertently leave a patient record open on a computer screen or a paper file in a public place. Perhaps a physician forgets his or her laptop in the car or shares his or her private security code with non-authorized personnel in an effort to make life easier. While seemingly minor, all of these examples showcase how HIPAA breaches can occur. Luckily, being proactive in identifying risk can help organizations better prepare.


Position for HIPAA Success


While getting a handle on HIPAA compliance may seem overwhelming, it is achievable for organizations that take a well-considered approach. A key first step is laying the cultural groundwork, which includes addressing attitudes toward HIPAA and making sure proper resources are allocated and effectively concentrated. Here are a few strategies for getting started.


Address the attitude toward compliance. For HIPAA compliance to gain attention, organization leaders must acknowledge and emphasize the importance of preserving data privacy and security. Moreover, they need to communicate that keeping information safe is every staff person's responsibility. This requires more than lip service: a concerted effort to uncover and resolve possible issues, which effectively dispels the "a breach won't happen to us" attitude.


One effective way to bring HIPAA compliance to the forefront is to conduct an informal analysis of the current state of compliance in the organization. Leaders should walk through the organization, using a critical eye to spot red flags. For example, do staff respond quickly to patient medical record requests and follow a consistent and well-defined process? How does the organization secure portable technology? What are the facility's rules about security passwords? Do staff know not to discuss a patient's care in common areas? An organization should consider documenting this assessment and sharing it with staff, so that everyone gains an appreciation of how compliance works and how the organization can improve. Within this document, leaders may also want to outline the potential consequences of a breach, citing similar organizations that experienced a problem and the financial and cultural ramifications.

Another way to underscore the importance of an organization's commitment to HIPAA compliance is to be open about improvement. Leaders should encourage staff to report any gaps they notice, particularly workarounds that could place the organization at risk. For example, if a staff member sees that his peers are constantly rushing and leaving electronic medical records open, there should be a method for safely sharing that information with leadership. The response should be encouraging, not punitive, emphasizing the need for improvement not disciplinary action. Also, when making changes, leaders should gain staff feedback to make sure that new processes and technology fit within workflow and do not place an undue burden on staff.


Critically assess, and allocate, resources. To keep on top of HIPAA, organizations should have at least one staff person dedicated to compliance as part of his or her job. This individual should perform regular audits, review and update policies, provide training, conduct risk assessments and so on. Organizations must closely look at whether they can earmark the necessary resources. If they can't, they may have to consider seeking outside assistance in the form of technology, consultants or outsourcing. Leaving compliance to chance or placing it as an ad hoc responsibility will not be sufficient to protect patient data.


Making the Commitment


Ultimately, an organization will be successful in complying with HIPAA if it is honest with itself about the risks it faces, the resources it can allocate and what gaps exist. Facilities that take a hard look at these gaps and work to mitigate them will go a long way in keeping information safe, protecting patients and themselves.


5 keys to managing a data breach

Unfortunately, data breaches have become an extremely common occurrence. Not all of them have the high profile of the Target, Ashley Madison, Home Depot or Anthem breaches, but the damage to a company and its reputation is very real.


While companies can purchase cyber insurance to help manage the risks associated with a breach, there are also steps a business can take to maximize the relationship with their breach team and minimize the fallout following the cyber event.


Here are five factors to consider when it comes to managing a company’s cyber attack or data breach.


1. Assess the risk

So how does a company prepare for such an eventuality and what steps should be taken after a breach occurs?


“Start with what you will face if a breach occurs,” advises Anthony Roman, president of Roman & Associates, a global investigation, risk management and computer security consultation firm. “Corporations of all sizes that hold any information that can be deemed private or personal are going to face a number of very serious hurdles in a breach that will encourage them to have a breach plan.”


Roman says this includes class action suits for the “undue release or allowing the release of personal and private information. The average class action suit is settling for $2.9 to $3 million.” He estimates the legal costs to defend a company in a class action suit will range anywhere from several hundred thousand dollars to well over one million.


“You may face government sanctions for local, state, federal or legal violations, some of which are criminal in nature and some which are civil in nature,” he explains. Criminal violations can pierce the corporate veil and involve specific individuals within the corporation.


There could also be regulatory sanctions if the company violated any Federal Communications Commission (FCC) regulations or any other regulatory agency’s regulations regarding cyber security. “That should be a wonderful motivator for anyone to have a robust and compliant breach program,” he adds.


Roman recommends that companies work with their brokers to craft coverage that will reduce their risk, review the policy exclusions, and ensure that they are insured to cover the types of information that will be affected and the resulting exposures from a breach.


2. Avoid these mistakes

The saying goes, “Fail to plan and plan to fail,” and nowhere is that more true than with cyberattacks and breaches. “Not having a well thought out and documented roadmap for the ‘what, when, where, who and how’ of responding to a suspected data breach is a recipe for disaster,” says Paul Nikhinson, Esq., privacy breach response services manager for Beazley.


“Most post-incident mistakes could be avoided or mitigated by implementing appropriate pre-incident prevention and response plans,” adds Kevin Kalinich at Aon. He says that some of the major mistakes companies make include:


  • Internal company denial regarding the potential magnitude of the incident. Appropriate resources and attention must be allocated immediately to determine the magnitude of the incident. The financial impact of cyber incidents is not always directly correlated with the size of the incident, but the financial statement impact is often correlated to the effectiveness of the response.
  • Automatically characterizing an “incident” (no immediate legal liability connotations) as a “breach” (immediate legal liability connotations under various laws, regulations and insurance policies).
  • Passing the buck rather than developing a comprehensive coordinated response.
  • Defensive reaction to regulators rather than an open and frank dialogue.
  • Failure to timely notify any and all potentially applicable insurance carriers.


Overreacting or underreacting to the event can also be a problem says Nikhinson. “Where there’s smoke, there’s fire; however, not every bit of smoke necessarily means a five-alarm fire. Going too quickly to the media and clients without an adequate command of the facts often causes far more harm than good.”


He also says that a company can’t just put its “head in the sand and hope for the best. This isn’t just an ‘IT’ problem. It’s something that could result in catastrophic financial and reputational damage to the company.”


Other problems include not having a plan at all, not following the established plan, not engaging a breach coach or team, and having poor communication between breach team members.


3. Working effectively with your breach team

After a company experiences a breach is not the time to be pulling together a team to address the problem. Assuming that a company already has a highly qualified team in place involving legal, IT, security, human resources, risk management and public relations professionals, experts recommend notifying legal counsel as soon as a cyber incident is discovered. “Counsel should handle retaining outside experts to maintain privilege, which puts the company in the best defensible position possible,” counsels Bob Parisi, Marsh’s cyber product leader.

Kalinich concurs. “Legal counsel should be involved as soon as a cyber incident is identified for a variety of risk mitigation, contractual liability, privacy liability, legal compliance and financial statement impact reduction reasons. Thereafter, depending upon the nature of the incident, the chief information security officer (CISO), IT security, privacy officer and management responsible for cyber incident response should be simultaneously notified. Outside parties such as customers, partners, vendors, suppliers, etc. need not be notified until the entity understands what happened (subject to notification laws, of course).”


Roman recommends activating the company’s internal breach team as soon as a breach is revealed since most breaches occur way before they are discovered. “As you’re noticing it happened, it probably occurred earlier and they are sucking you dry of confidential information, client information, individuals’ personal information, corporate secrets and information that may be sensitive from a public relations perspective.”


There should also be a designated team leader and decision-maker, says Roman: “Someone who can take all of the advice and say this is what we will do and has the authority to do it.” He also recommends that executives resist the urge to micromanage the problem. “They should assess the decisions made by the professionals and act accordingly.”


Communication between team members is critical to successfully managing the breach. “Do your best to break down internal information silos,” recommends Beazley’s Nikhinson. “Does legal know what IT/IS is investigating and how it is being documented? Does IS know that risk purchased a cyber-insurance policy and that it has certain reporting requirements? At what point do you bring in corporate communications? Coordination between all of the internal stakeholders is essential, and having someone akin to a project manager to facilitate that coordination can make all the difference in the world.”


4. Experience matters

Insurance brokers, legal counsel, public relations professionals and other vendors on the breach team should have extensive experience in cyber attacks and breaches. An experienced insurance broker can help a client find a cyber policy that best matches their needs and risks says Parisi. “The broker should have assisted the client in fully understanding coverage as well as the value-added services that are part of today’s cyber coverage. By doing that the client will be able to fully utilize the benefits of the coverage when a breach or event happens.”


Clients should report a breach to their broker or agent as soon as it occurs. According to Aon’s Kalinich, an experienced cyber broker will be able to:


  • Identify the applicable insurance policies.
  • Provide the insured with the required insurance notice requirements.
  • Detail any specific insurance policy requirements (e.g., third-party forensic experts must be selected from the insurance company panel in order to be covered by the insurance policy).
  • Arrange a call between the insurance broker's legal cyber incident claims specialist and the insured.
  • Determine whether, and in what manner, notice is required to insurers.
  • Describe past cyber incident best practices that reduce the total cost of risk.
  • Maintain consistent and timely communications between the insured and the insurers.


5. Practice makes perfect

Roman recommends that companies hold periodic breach rehearsals, which can be conducted by a firm outside of the business. “Surprise your team. Tell them this is a drill and there is a breach,” he advises. This gives executives an opportunity to see how quickly the breach team can be pulled together and how they will react to a real breach. It also gives them an opportunity to role play some of the critical elements of the plan.


Brokers can assist their clients by ensuring they have the right coverage for their business exposures as well as “a proactive relationship with their carrier’s breach response team so their first meeting doesn’t occur in the middle of a firefight,” adds Nikhinson.

Waiting until after a cyber breach occurs is too late to begin managing its effects, and can have dire consequences to a company’s reputation and its bottom line. Being proactive will help mitigate some of the damage and give the company a roadmap for successfully managing the breach.


Healthcare Faces Massive Cybersecurity Risks | EMR and HIPAA

When a consumer publication like The Washington Post — hardly an insider journal of computing — picks out your industry and slams it for having poor cybersecurity, you know something’s amiss.

The newspaper has just published a report, following a year-long cybersecurity investigation, arguing that healthcare is one of the most vulnerable industries in the U.S., making it a tasty target for terrorists, black-hat hackers and criminals.

It’s rather embarrassing, but it’s hard to argue with the Post’s conclusion that healthcare data security isn’t what it could be. A few data points:

* Researchers are finding that healthcare institutions routinely fail to fix known bugs in aging software, something other industries have largely overcome.

* Providers are making careless use of publicly available online tools; the paper cites the example of the University of Chicago medical center, which at one point operated an unsecured Dropbox site for new residents managing care through their iPads (with a single user name and password published online, no less).

* According to Post research, open source system OpenEMR “has scores of security flaws that make it easy prey for hackers”

* In perhaps the scariest example, the paper notes that clinicians routinely work around cybersecurity measures to get their job done.

Another factor contributing to cybersecurity holes is confusion about the FDA’s position on security. While the agency actually wants vendors to update FDA-approved device interfaces and systems, vendors often believe that the FDA bars them from updating device software, the Post found.

That leaves devices, especially defibrillators and insulin pumps, open to attacks. Researchers have been able to find these devices, linked to the web in the clear, simply by using a specialized search engine.

As wireless medical devices and smartphones, iPads and Android devices creep into the mix, cybersecurity vulnerabilities are likely to get worse, not better.  I wonder whether we’ll need to see a cybersecurity disaster take place before the industry catches up to, say, financial services?
