HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

4 Tips: HIPAA Compliance for Small Practices


When determining what HIPAA safeguards are appropriate for your organization it is important to address the following:


    1. Policies and Procedures. HIPAA compliance for small practices requires you to create customized policies and procedures. This ensures that the policies and procedures that you implement apply directly to the way your practice operates. To be HIPAA compliant, policies and procedures must be written and must be reviewed annually to account for any changes in business operations. Policies and procedures dictate privacy and security protocols for your organization, as well as the proper uses and disclosures of protected health information (PHI).
    2. Self-audits. Self-audits measure your practice’s administrative, physical, and technical safeguards against HIPAA standards. Conducting self-audits allows you to identify the gaps in your safeguards so that you may create remediation plans to bolster your safeguards.
    3. Notice of Privacy Practices. A Notice of Privacy Practices (NPP) is a written notice that covered entities are required to provide to their patients. The Notice provides patients with information regarding how their PHI will be used and disclosed by the covered entity. It also dictates the patient’s rights in regards to their PHI.
    4. Business Associate Agreements. Business associate agreements (BAAs) are legally binding contracts signed between a covered entity and their business associates. A business associate is any entity that creates, maintains, stores, receives, or transmits PHI on your behalf. A BAA mandates the protections that the business associate must have in place before PHI can be shared with them.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


Health Insurer Reaches Settlements Over HIPAA Violations


Health insurer Aetna has reached settlements with a number of state attorneys general over HIPAA violations resulting from mailings to HIV/AIDS and cardiac patients, the New Jersey attorney general announced.


The three states and the district involved in the Aetna settlements are Connecticut, the District of Columbia (DC), New Jersey, and Washington. Aetna agreed to pay Connecticut around $100,000, DC around $175,000, and New Jersey $365,000. Washington has not yet disclosed how much it will receive from Aetna.


As part of the settlements, Aetna has agreed to implement policy, protocol, and training reforms designed to safeguard individuals’ PHI and ensure the confidentiality of mailings containing that information. The company has also agreed to hire an independent consultant to evaluate and report on its privacy protection practices and to monitor its compliance with the settlements’ terms.



“Companies entrusted with individuals’ protected health information have a duty to avoid improper disclosures,” said NJ Attorney General Gurbir Grewal. “Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status. I am pleased that our investigation has led Aetna to adopt measures to prevent this from happening again.”


The investigation revealed that Aetna disclosed HIV/AIDS-related information on about 12,000 individuals through a third-party mailing on July 28, 2017. The envelopes used in the mailing had a transparent address window, which revealed recipients’ names, addresses, and text that included the words “HIV medications.”


The second breach occurred in September 2017 and involved a mailing sent to 1,600 individuals about a study of patients with atrial fibrillation (AFib). The envelopes for the mailing included the name and logo for the study, IMPACT AFib, which could have been interpreted as indicating that the addressee had an AFib diagnosis.


DC Attorney General Karl Racine said in a statement: “Aetna failed to protect the health information of District residents and illegally disclosed their HIV status. Every patient should feel confident that their insurance company or health provider will safeguard their confidential medical information. Today’s action will prevent further disclosures and warns other insurance companies that they are responsible for protecting consumers’ private information.”


The three states and DC alleged that Aetna not only violated HIPAA but also state laws pertaining to the PHI of individuals in general and of persons with AIDS or HIV infection in particular.


In January 2018, Aetna settled a class action lawsuit that required it to pay $17 million in relief to the 12,000 individuals regarding the HIV mailing.


Lead plaintiff Andrew Beckett (a pseudonym) alleged in his original complaint that PHI and confidential HIV-related information “was disclosed improperly by Aetna and/or Aetna-related or affiliated entities, or on their behalf, to third parties, including, without limitation, Aetna’s legal counsel and a settlement administrator, and through a subsequent mailing of written notices that were required to be sent as part of a settlement of legal claims that had been filed against certain Aetna-related entities or affiliates.”


The letters from Aetna had originally been sent in response to a settlement over previous data privacy concerns. The healthcare company had been sued in two separate class-action lawsuits in 2014 and 2015.


“Those lawsuits alleged that Aetna jeopardized the privacy of people taking HIV medications by requiring its insureds to receive their HIV medications through mail and not allowing them to pick up their medications in person at the pharmacy,” according to the 2017 lawsuit.


In response to the January 2018 lawsuit settlement, Aetna said that it is “implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”


“Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident,” Aetna said in a statement.



The HIPAA Privacy Rule and Provider to Provider Communications


The HIPAA Privacy Rule allows provider to provider communications: providers that are part of a patient’s care team may exchange clinical information, including protected health information (PHI), with each other.


Circumstances under which provider to provider communications involving use and disclosure of PHI are addressed below.

When Are Provider to Provider Communications Permitted Under the HIPAA Privacy Rule?

Generally, under the HIPAA Privacy Rule, which imposes restrictions on the use and disclosure of PHI by covered entities (including healthcare providers), any pertinent clinical care information, including mental health treatment information, can be disclosed and discussed between a patient’s current treatment providers (that is, can be the subject of provider to provider communications) without written authorization by the patient, representative, or guardian, except for the content of written psychotherapy notes.

What Constitutes Psychotherapy Note Information?

The HIPAA Privacy Rule definition of a “psychotherapy note” is quite restrictive. Under HIPAA, psychotherapy notes consist of:

  • A mental health professional’s written analysis, of
  • A conversation that occurred, during
  • A private counseling session

The written analysis must be maintained separately from the medical record to qualify as “psychotherapy notes.”


Generally, patients do not have the right to obtain a copy of these under HIPAA. When a psychologist denies a patient access to these notes, generally, the denial is not subject to appeal or review.


A provider may, in the exercise of his or her discretion, choose to provide a copy of the patient’s psychotherapy notes to the patient, consistent with applicable state law.

The Privacy Rule does permit psychotherapy notes to be disclosed under very limited circumstances:

  1. A covered entity may disclose protected health information contained in psychotherapy notes to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. 
  2. A covered entity may use or disclose protected health information in psychotherapy notes to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
  3. A covered entity may use or disclose psychotherapy notes for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling.
  4. A covered entity may use or disclose psychotherapy notes to defend itself in a legal action or other proceeding brought by the patient.
  5. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose psychotherapy notes, if the covered entity, in good faith, believes the use or disclosure:
    • Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
    • Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.


A covered entity MUST disclose psychotherapy notes, when disclosure is required by the Secretary of Health and Human Services, to determine whether the entity is HIPAA compliant.



HIPAA: Secure Your Borders


As an Iraq war veteran, I served as a physician with an infantry unit on the streets of Fallujah.


During the seizure of the city, we always were reminded by our commanding officers of the importance of protecting our borders.


As physicians, I believe we need to be aware of and vigilant about protecting our privacy borders.


The Health Insurance Portability and Accountability Act, better known as HIPAA, was passed by Congress in 1996. From that time forward, protecting the borders and not leaking confidential protected health information became a physician’s priority.


As a medical student back then, I was warned never to discuss a patient in an elevator or the hospital cafeteria.


Easy enough, I presumed.


I soon learned, however, that just as in Iraq, protecting borders is never an easy task.


Since 2009, there have been more than 800 patient data breaches and 29 million patient records affected by HIPAA violations, according to the 2013 Redspin Breach Report.


These data breaches can also strain the wallet. Depending on the scale of the breach, fines for HIPAA violations can start at $100 and can go as high as $50,000, capping at $1.5 million annually. Fines aren’t the only consequence practitioners face – a HIPAA violation can break the trust that patients have with their physicians.


Smaller practices are at as much risk as large organizations. It becomes harder to keep track of electronic communication within the practice when patients and staff have mobile devices and may be unaware of how easily HIPAA rules can be violated.


For example, an employee may think it is harmless to use his smartphone to post a picture or video of a patient. Well-intentioned employees may post or text an interesting physical exam finding. Even something as harmless as taking a picture of food may violate HIPAA when the employee does not realize the lunch is sitting on a patient chart.


As a doctor working to protect my patients and myself, here are some useful tips to protect your borders and remain HIPAA compliant:


  • Physical borders: set up security alarms, lock offices when unattended, and as a rule shield protected health information from secondary viewers.
  • Administrative borders: designate security responsibilities, train staff to know the consequences of HIPAA breaches, conduct a monthly review of user activity, and enforce policy stringently across all roles.
  • Technical borders: secure passwords (no writing them on post-it notes), back up data, run regular virus checks, and encrypt anything sent electronically. Use secure technology such as liveClinic to stay HIPAA compliant while still communicating with your patients virtually.
  • Secure borders with policies: written protocols for authorizing users, documentation of security measures, policies for breach notifications, and appropriate retention of HIPAA records.


