HIPAA Compliance for Medical Practices
82.6K views | +33 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

The HIPAA Privacy Rule and Provider to Provider Communications

The HIPAA Privacy Rule and Provider to Provider Communications | HIPAA Compliance for Medical Practices | Scoop.it

The HIPAA Privacy Rule allows for provider to provider communications – for providers that are part of a patient’s care team – to exchange clinical information, including protected health information (PHI) among each other. 

 

Circumstances under which provider to provider communications involving use and disclosure of PHI are addressed below.

When Are Provider to Provider Communications Permitted Under the HIPAA Privacy Rule?

Generally, under the HIPAA Privacy Rule, which imposes restrictions on the use and disclosure of PHI by covered entities (including healthcare providers), any pertinent clinical care information, including mental health treatment information, can be disclosed and discussed between a patient’s current treatment providers (that is, can be the subject of provider to provider communications) without written authorization by the patient, representative, or guardian, except for the content of written psychotherapy notes.

What Constitutes Psychotherapy Note Information?

The HIPAA Privacy Rule definition of a “psychotherapy note” is quite restrictive. Under HIPAA, psychotherapy notes consist of:

  • A mental health professional’s written analysis, of
  • A conversation that occurred, during
  • A private counseling session

The written analysis must be maintained separately from the medical record to qualify as “psychotherapy notes.”

 

Generally, patients do not have the right to obtain a copy of these under HIPAA. When a psychologist denies a patient access to these notes, generally, the denial is not subject to appeal or review.

 

A provider may, in the exercise of his or her discretion, choose to provide a copy of the patient’s psychotherapy notes to the patient, consistent with applicable state law.

The Privacy Rule does permit psychotherapy notes to be disclosed under very limited circumstances:

  1. A covered entity may disclose protected health information contained in psychotherapy notes to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. 
  2. A covered entity may use or disclose protected health information in psychotherapy notes to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
  3. A covered entity may use or disclose psychotherapy notes for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling.
  4. A covered entity may use or disclose psychotherapy notes to defend itself in a legal action or other proceeding brought by the patient.
  5. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose psychotherapy notes, if the covered entity, in good faith, believes the use or disclosure:
    • Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
    • Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

 

A covered entity MUST disclose psychotherapy notes, when disclosure is required by the Secretary of Health and Human Services, to determine whether the entity is HIPAA compliant.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

Scoop.it!

PHI Protection: How to Secure Healthcare Data

PHI Protection: How to Secure Healthcare Data | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare data breaches have been highlighted recently, with several large breaches occurring over the last few months. Hackers target the healthcare industry as they hold a wealth of sensitive information on their patients, and often have less secure data than in other industries.

 

Ransomware attacks continue to rise as healthcare organizations often need to pay the ransom to get their data back.

 

A ransomware attack occurs when a hacker gains access to data, often encrypting the data until a sum of money is paid.

 

A healthcare organization losing access to their data can mean a matter of life or death, so they often pay the hackers.

 

As protected health information (PHI) is ten times more valuable than financial information on the darkweb, it is important to know how to implement PHI protection. 

How to Implement PHI Protection

PHI protection is an essential part of preventing or mitigating a healthcare breach. The first step to implementing PHI protection is to know where the sensitive data is stored, how it is transmitted, and how it is used.

 

Identifying these will allows an organization to determine what protections should be in place for each device, enabling more thorough security measures to be implemented. 

In addition organizations should:

  • Complete a security risk assessment (SRA) to determine where security measures may be lacking. Once gaps are identified, organizations should create remediation plans to ensure PHI protection. To be HIPAA compliant, covered entities and business associates must conduct thorough SRAs annually.
  • Encrypt data to reduce the risk of healthcare breaches. Encrypted data cannot be viewed without a decryption key, making it the most effective for PHI protection. Although not explicitly mandated by the Department of Health and Human Services (HHS), it is recommended.
  • Train employees on organization policies and procedures as well as HIPAA requirements. The majority of healthcare breaches occur as a result of human error. Employees must be trained on what constitutes PHI, and how to properly handle it. Additionally, employees should be able to recognize phishing emails and what to do if they suspect an email is malicious.
  • Vet vendors by sending them an SRA to complete. Covered entities have an obligation to ensure that the vendors that they are working with have the proper measures in place for PHI protection. If the vendor lacks security measures, they must implement adequate safeguards before they are permitted to receive PHI.
  • Sign business associate agreements (BAAs) with all vendors before PHI is shared. BAAs limit the liability for both parties in the event of a breach as they state that each party has agreed to be HIPAA compliant, and they are responsible for their own compliance.

PHI protection should be a top priority for anyone working in healthcare. Healthcare organizations that have the proper security measures surrounding PHI will limit the risk of experiencing a breach.

 

If a breach should occur, an organization that has proper PHI protection will be better prepared to respond to the breach. 

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

Scoop.it!

Making The Most Out Of HIPAA/HITECH Compliance Consulting

Making The Most Out Of HIPAA/HITECH Compliance Consulting | HIPAA Compliance for Medical Practices | Scoop.it

Times are changing, and as new laws affect the health care sector, you can’t afford any future issues due to non-compliance. Planning is essential to avoid unnecessary costs and save time.

 

Though a federal mandate, at iHealthOne we believe this proactive measure will enhance the privacy and security of your electronic health records.

 

If customers establish you are HIPAA/HITECH non-compliant, you risk affecting their willingness to disclose essential health information to you.

 

Thanks to HIPAA/HITECH compliance consultancy, you have no reason for any concerns. In this article, we’ll walk you through this essential regulatory process.

 

IS HIPAA/HITECH COMPLIANCE CONSULTANCY ESSENTIAL?

 

Whether a seasoned or new practice, it helps to accept guidance from a consultancy on all phases of compliance.

 

A consultancy does extra research on the necessary and up-to-date information your staff require for implementation. It can provide further training for stress-free self-administration and subsequent compliance.

 

Consultant professionals conduct a risk analysis and advise on setting up safeguards to avoid HIPAA/HITECH violations. They provide detailed reports on risk exposure, as well as checklists and customized forms that suit your company.

 

This includes breach notifications, disaster recovery, and risk management solutions. Consequently, this can play an important role in improving your health strategy plans for smooth operation.

 

WHO SHOULD CONSIDER HIPAA/HITECH COMPLIANCE CONSULTING?

 

If you’re an entity that covers or provides healthcare payments and treatments, and you have access to patient information, HIPAA/HITECH compliance consultancy is vital. This also includes subcontractors and healthcare business associates.

 

EXTRA TIPS ON COMPLIANCE

 

Ensure you always comply on time. This will pave the way for effective management of patient data security and assessment services. Also, it will save you unneeded lawsuits or hefty fines for non-compliance.

 

EHR1 has a compliance department that can help you recognize potential gaps while guaranteeing 100 percent client data security and confidentiality.

 

You gain the most out of our quality technical safeguards. With the EHR1 certified cloud-based dental software, we counsel you on corrective measures to adopt before a compliance review or OCR audit. You also have access to our:

• Vulnerability scans
• Network penetration testing
• Electronic health records software upgrades
• Effective incident response planning
• Implementation of an information security program
• Improved customer trust and organizational reputation services, among others.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

Achieving HIPAA Compliance: Guide to Properly Disposing of PHI Hardware

Achieving HIPAA Compliance: Guide to Properly Disposing of PHI Hardware | HIPAA Compliance for Medical Practices | Scoop.it

What is HIPAA Compliance?

HIPAA, or The Health Insurance Portability and Accountability Act, sets the standard for PHI protection.

 

Any company or organization that handles PHI must have security measures in place and adhere to them. There are two main categories of organizations covered by HIPAA:  ·

         

Covered Entities (CEs): This includes anyone that provides treatment, payment, or operations (commonly known as TPO) within a healthcare setting.

 

Business Associates: This includes anyone outside of the covered entity who may have access to patient information or provides any kind of support in treatment, payment, or operations of the organization.

Devices That May Contain PHI

It’s important to understand what types of hardware you may have in your office that could contain PHI; these include but are not limited to:

  • Laptops
  • Desktops
  • Smartphones
  • Printers
  • Copiers
  • USB Drives
  • Servers
  • Tablets
  • Fax Machines
  • X-Ray Machines
  • Pacemakers
  • Defibrillators
  • CT and MRI Scan Machines

Essentially, almost any connected device within a healthcare organization is vulnerable and may contain PHI that needs to be protected and disposed of properly when the time comes.

 

Under HIPAA law, your organization is required to document its disposal policy in your Security Policies and Procedures. Your organization should maintain an inventory of all your equipment, whether each device can store or access PHI, serial number and other relevant information. 

How to Securely Dispose of Hardware With PHI

The US Department of Health and Human Services (HHS) recommends the following three techniques for properly removing any sensitive information from workplace hardware. Before you can get rid of the physical device, you must delete any and all PHI related information from the device.

The procedures for securely disposing of PHI include:

 

1. Clearing 

Clearing, also referred to as overwriting, is the process of replacing PHI on a device with non-sensitive data. This method should be performed, at a minimum, of seven times so that the PHI is completely irretrievable.

 

2. Purging 

You can purge your organization’s hardware through a method called degaussing. This refers to the process of clearing a device through the use of magnets.

 

Hard drives rely on magnetic fields to store information; therefore, you can disrupt the equipment’s function and render its data unreadable by using a strong magnetic field.  

 

3. Physical Destruction 

Physical destruction is the only surefire way to prevent a leak of PHI data. Destruction of PHI hardware requires pulverizing, burning/melting, disintegrating or shredding.

 

This method, however, is not always viable. If you have equipment that you would like to clear and re-use, or if your equipment is rented, destroying it may not be feasible.

Conventional Methods of “Wiping” Your Hard Drive Won’t Cut It 

If your organization is selling or discarding any hardware, you may be tempted to simply erase the hard drive components. Deleting files will not permanently delete PHI. Although the information will no longer be visible to you, it is still there and can be retrieved.

 

You need secure data destruction that permanently eliminates PHI data from every piece of hardware so that your patients’ information is not put in jeopardy.

 

There are companies who specialize in the proper disposal of PHI hardware. These companies should offer a HIPAA Certificate of Destruction as validation that the equipment was disposed of properly, and within HIPAA guidelines.

Training Employees on PHI Disposal

HIPAA law regarding disposal of protected health information dictates that you train your employees on how to properly dispose of PHI.

 

According to HIPAA law, any workforce member who is involved in disposing of PHI or who supervises others who dispose of PHI, must receive proper PHI training.

 

PHI should be maintained in a secure area, such as a locked depository bin, and disposed of through a qualified vendor. 

Requirements for Keeping PHI Hardware

HIPAA requires businesses to store PHI for six years, sometimes seven years, depending on the state in which you operate.

 

It is important to keep this in mind when you are preparing to dispose of hardware that may have PHI on it that still needs to be retained. Make sure you have a backup plan in place for PHI before disposing of hardware.

 

Your business reputation depends on your ability to serve your clients or patients. This includes making sure that the personal information they trusted you with is never compromised by improper or careless disposal of hardware. 

 

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

mark's curator insight, May 3, 10:56 AM
Oxy Best Pharmacy, ship and do home delivery World Wide

BUY VYVANSE ONLINE, can be a smart move. It saves you money many times, as you remove the cost of a physical retailer. Online prices for medications are almost always lower, and when it comes to medications you require, any savings you can get can really help. You’ll often have to buy these medications regularly, and those costs can really add up. So buying online gives you an opportunity to save a little time for you to buy will add up to substantial savings in time as you buy from home you need not take a drive to a pharmacy. If you want to buy Vyvanse online, then you’ve come to the right place visit Our Shop Page. To buy this medication from us you do not need a prescription and also it will be good if you have one as it will be way easy to make delivery without doing much on security. We’ll get the drug to you quickly, safely and you will pay online prices that easily beat out what you would pay at a physical pharmacy.

Why Us?

Payment methods: We take Western Union Money Gram, Bitcoin, Cashapp, and Zelle Payments. Order your medications from the best online pharmacy in the USA Here.

WE OFFER MONEY BACK GUARANTEE TO EVERYONE PURCHASING MEDICINES FROM US YOU CAN LOOK AT SOME FEW QUESTIONS THAT HAVE BEEN ANSWERED TO BACK THIS POINT HERE

If your package is not delivered to you because of our error, we will offer you a reshipment. We will ship a similar request for nothing out of your pocket. Inform us quickly in that regard so we solve the issue.

Buy Vyvanse Online HERE Now and have it delivered right at your doorsteps. Oxy Best Pharmacy is the best and secure place to order painkillers online. Customer satisfaction is our highest priority, and we never fail to exceed the customer’s expectations! Contact Oxy Best Pharmacy today for all of your meds. Order Vyvanse and other highly controlled pills like BOTOXMORPHINECODEINEDIAZEPAM DILAUDIDSUBUTEXFENTANYL PATCHESXANAXNEUROBLOCOXYCODONEOXYCONTINOPANAROXICODONESUBOXONEOXYNORM AND RITALIN Online without Prescription. You are always welcome to our pharmacy at any time to enjoy from our best online services feel free to contact our pharmacy HERE

 

 

Scoop.it!

How to protect your organization against a HIPAA breach

How to protect your organization against a HIPAA breach | HIPAA Compliance for Medical Practices | Scoop.it

Here’s the sad truth about information systems: Very few of them are safe from hackers. If cyber criminals can read President Obama's unclassified email, if foreign hackers can affect the screening of a major motion picture, and if an international ring of hackers can steal $1 billion from more 100 banks by—in part—causing ATMs to spew money onto sidewalks, then few IT systems are completely secure. 

 

 

The question, then, is: What steps should we take now to prepare? Having adequate insurance coverage is a good place to start, for a couple of reasons.

 

First,  adequate coverage that is tailored to fit a healthcare organization and that has appropriate liability limits makes sense for any business today. Read: Agency seeks to strengthen cyber defenses for insurers Second, all healthcare companies regardless of size need to be prepared to respond quickly.

 

A data breach makes all consumers, including patients and health plan members, extremely vulnerable. Once a breach occurs, consumers whose financial data and personal health information (PHI) are in the hands of criminals could lose thousands or even millions of dollars.

 

But also they could lose something of much more value: peace of mind. In addition, healthcare organizations have become prime targets because patient data has an even higher street value than other personal information. Last year, experts estimated that data from one patient was worth about $10 to a criminal, an amount that was 10 to 20 times higher than what one credit card number would fetch. 

 

Next: Why healthcare is more vulnerable to breaches     For all these reasons, it’s vital for those responsible for storing and securing patients’ and health plan members’ financial and health information respond quickly. Given that many healthcare providers maintain all three types of protected data—personal credit information personal identification information , and PHI—the opportunity for hackers to access all three types, and especially PHI, makes all healthcare providers and insurers attractive targets.

 

The longer we wait to inform patients and members, the more time criminals have to wreak havoc on bank accounts, credit cards, and to use medical information to their advantage. Retail breaches usually are limited to the theft of credit card or bank card data. In healthcare, we are more vulnerable to cyber crime because there are so many enterprises of various sizes, from small physician groups to the largest health insurers, and each one is a target. Each physician group and each healthcare organization regardless of size is linked to larger companies, such as hospitals and insurers, and to smaller companies, including systems vendors and other healthcare providers.

 

At each location in the chain, from a small three-member doctor group to a major national corporation, we’ve made IT systems easier to hack by allowing access to as many providers as possible so that physicians can see patients’ data from last week, last month, and last year. Also, we’ve granted patients wider access to their data through online portals that let them view their electronic health records easily from any device, including handheld tablets and smartphones. Improving access for patients and connecting more devices to networks makes it easier for criminals to gain access too. What’s more, providers have been converting millions of patients’ paper records to electronic data over the past few years.

 

While those paper records were inconvenient and easy to lose, they were at least more secure than electronic medical charts, a factor that might make physician groups the most vulnerable of all entities in healthcare. Not only is the data in today’s EHRs accessible to hackers, but many physician offices are in various stages of upgrading their EHR systems to comply with federal meaningful use regulations.

 

While they’re putting these systems in place, few physicians are worrying about installing comprehensive data-security systems. Next: How healthcare executives should prepare for potential breaches     Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), physician groups and healthcare organizations of all sizes are responsible for ensuring that all business associates have secured their information systems. Keep in mind that third-party business-associate vendors cause a large percentage of data breaches.

 

So, for many reasons, it’s a dangerous time for anyone running a physician’s office. Having adequate cyber coverage will go a long way toward mitigating the damage of a breach.  Some policies automatically add cyber coverage o their typical malpractice insurance policies that often include services to take over the response function for the insured.

 

Such offerings are important because they allow any healthcare organization to deliver a fast, thorough, and appropriate response as soon as possible after a cyber hack of any kind. A quick response is vital to retaining the respect of your customers and vendors In addition, your coverage should allow you to offer all of your patients and employees credit monitoring for at least six months if not longer.

 

And the coverage should help patients and employees notify all of their credit card issuers. Your current cyber coverage might already include the services of a breach consultant who can advise you and—more importantly advise your patients or health plan members—about the steps to take to protect their data after a breach. Just having someone to consult with on such a treacherous issue could be enough to calm your nerves and those of your patients or plan members as well.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

Gabe Maxwell's comment, September 26, 2019 7:14 PM
<a href="https://getmedicalmarijuanaonline.com/product/buy-gushers-online/">Buy Gushers</a>
<a href="https://getmedicalmarijuanaonline.com/product/special-blend-10g-oral-applicator-3-pack/">Buy 10g Oral Applicator</a>
<a href="https://getmedicalmarijuanaonline.com/product/green-label-15g-oral-applicator-6-pack/">Buy 15g Oral Applicator</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-moonrocks-now/">Buy Moonrocks</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-nyc-diesel/">Buy Nyc Diesel</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-lemon-kush/">Buy Lemon Kush</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-zkittlez/">Buy Zkittlez</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-purple-kush/">Buy Purple Kush</a>

<a href="https://getmedicalmarijuanaonline.com/product/buy-gelato-33/
">Buy Gelato</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-mango-kush/
">Buy Mango Kush</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-fire-og-kush/
">Buy Fire Og</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-death-star/
">Buy Death Star</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-green-crack-buy-green-crack-online/
">Buy Green Crack</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-grapefruit-kush/
">Buy Grapefruit kush</a>
<a href="https://getmedicalmarijuanaonline.com/product/ghost-train-haze/
">Buy Ghost Train Haze</a>

<a href="https://getmedicalmarijuanaonline.com/product/chocolope/
">Buy Chocolope</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-banana-kush/
">Buy Banana Kush</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-headband/
">Buy Headband</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-golden-goat/
">Buy Golden Goat</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-orange-kush/
">Buy Orange Kush</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-northern-lights-2/
">Buy Northern Lights</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-grape-ape/
">Buy Grape Ape</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-agent-orange-buy-agent-orange-online/
">Buy Agent Orange</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-blueberry-kush-online/">Buy Blueberry Kush</a>
Scoop.it!

Protecting PHI: Managing HIPAA Risk with Outside Consultants 

Protecting PHI: Managing HIPAA Risk with Outside Consultants  | HIPAA Compliance for Medical Practices | Scoop.it

The rising complexity of healthcare, particularly as it relates to providers’ growing technical needs, is increasingly prompting healthcare organizations to seek the help of outside consultants. In engagements with healthcare entities, thought IT consultants try to minimize interaction with patient data, they often have access to protected health information (PHI). When working with HIPAA Covered Entities, consultants are treated as “business associates” and are required to comply with Privacy Rules designed to protect PHI.

 

Managing HIPAA compliance when engaging outside consultants requires that consultants enter into a Business Associate Agreement (BAA). The BAA must:

  • Describe the permitted and required uses of PHI by the business associate in the context of their role
  • Provide that the business associate will not use or further disclose the PHI, other than as permitted or required by the contract or by law
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI, other than as provided for by the contract

Here are several best practices to follow to ensure the protection of PHI in consulting arrangements.

 

FTE Mentality

During the contract period, the expectation is that consultants act as if they were an employee of the hospital or provider organization and therefore treat PHI in this manner. It is important to know that consultant business associates could be held liable or equally responsible for a PHI data breach in the same way a full-time employee could be.

 

Role-Based Access Rules

Limit access to PHI based on role to ensure that only the parties that need PHI have access to it. An IT strategist, for example, does not need to see live patient data. Associates leading implementation projects, on the other hand, may need access to live PHI. Typically, this occurs late in the implementation process, when the time comes to test a system with live, identifiable patient data.

 

Safeguard Access Points

If a hospital wants a consultant to have regular access to PHI, it would be preferable that the hospital provides the consultant with a computer or device with appropriate access authorizations and restrictions in place. Avoid the use of personal devices whenever possible. Make sure that only approved and authorized devices can be used inside the firewall and require multi-factor authentication during log-in. Avoid inappropriate access to PHI by way of shared or public data access points. Don’t allow private access to PHI where others could intervene.

 

Keep it Local

Don’t take PHI away from the source of use. Consultants should avoid storing PHI on personal devices, including smart phones, which are particularly susceptible to theft and loss. Devices used to store or access PHI must be registered. Best practices often include controls giving IT staff advance permission to remotely wipe or lock a stolen registered device. Avoid leaving registered devices in cars or unprotected areas.

 

Paper-based reports also pose threat of PHI leak. Documents you take home over the weekend, for example, could be accessed by family members, lost, or stolen. Electronic, paper, verbal and image-based PHI should all be confidently secured. Of course the regulations also relate to visual and verbal protections. When accessing PHI avoid allowing others to view your screen over your shoulder. When discussing PHI make sure only those who need to know and have appropriate authority can hear the conversation.

 

The healthcare industry is making great strides in establishing digital infrastructure, much of which is cloud-based, putting new onus on providers and their business partners to ensure the security of that information. No one wants to make headlines for the latest data breach, least of all the IT consultants hired by providers to help guide their data management efforts. Rigorous attention to HIPAA Privacy Rule guidelines is not only required – it’s imperative to maintaining trust in the healthcare ecosystem.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

How Do I Become HIPAA Compliant?

How Do I Become HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

For healthcare providers, HIPAA compliance is a must. HIPAA guidelines protect patients’ health information, ensuring that it is stored securely, and used correctly.

 

Sensitive data that can reveal a patient’s identity must be kept confidential to adhere to HIPAA rules. These rules work on multiple levels and require a specific organizational method to implement comprehensive privacy and security policies to achieve compliance.

 

Most organizations find this to be a daunting task. We have put together a HIPAA compliance checklist to make the process easier.

 

The first is to understand how HIPAA applies to your organization. The second is to learn how to implement an active process, technology, and training to prevent a HIPAA-related data breach or accidental disclosure. Finally, the third is to put physical and technical safeguards in place to protect patient data.

By the time you’re done with our list, you will know what you need to consider to have a better conversation with your compliance advisors.

What is HIPAA?

Before talking about compliance, let’s recap the basics of HIPAA.

Signed into law by President Bill Clinton in 1996, the Health Insurance Portability and Accountability Act provides rules and regulations for medical data protection.

HIPAA does several important things. It reduces health care abuse and fraud and sets security standards for electronic billing of healthcare. It also does the same for the storage of patients’ healthcare information. The Act mandates the protection and handling of medical data, ensuring that healthcare data is kept private.

The part of HIPAA we are concerned with relates to healthcare cybersecurity. To be compliant, you must protect patients’ confidential records.

HIPAA rules have evolved. When the law was first enacted, it did not mention specific technology. As the HIPAA compliant cloud has become commonplace, it has inspired additional solutions. For example, our Data Security Cloud (DSC) is being developed to create a base infrastructure for a HIPAA compliant solution. Providing a secure infrastructure platform to ride on top of, DSC makes creating a HIPAA-compliant environment easier.

Secure infrastructure handles things at the lowest technical level that creates data, providing the key features to keep data safe. These features include separation/segmentation, encryption at rest, a secure facility at the SOC2 level of compliance, and strict admin controls among other required security capabilities.

 
 

Why Is HIPAA Compliance Important?

HIPAA compliance guidelines are incredibly essential. Failure to comply can put patients’ health information at risk. Breaches can have a disastrous impact on a company’s reputation, and you could be subject to disciplinary action and strict violation fines and penalties by CMS/OCR.

Last year’s Wannacry ransomware attack affected more than 200,000 computers worldwide, including many healthcare organizations. Most notably, it affected Britain’s National Health Service, causing serious disruptions in the delivery of health services across the country.

To gain access to the systems, hackers exploited vulnerabilities in outdated versions of Windows that are still commonly used in many healthcare organizations. With medical software providers offering inadequate support for new OS’s and with medical devices such as MRIs lacking security controls, the attack was easy to carry out.

The attack demonstrated the strength of today’s hackers, highlighting the extent to which outdated technologies can pose a problem in modern organizations. This is precisely why HIPAA also regulates some aspects of technology systems used to store, manage, and transfer healthcare information.

The institutions that fail to implement adequate systems can suffer significant damage. If a breach takes place, the law requires affected organizations to submit various disclosure documents, which can include sending every subject a mailed letter. They may also be required to offer patients a year of identity protection services.  This can add up to significant dollars, even before confirming the extent of the breach.

 

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule creates national standards. Their goal is to protect medical records and other personally identifiable health information (PHI).

It applies to three types of companies: providers, supply chain (contractors, vendors, etc.) and now service providers (such as data centers and cloud services providers). All health plans and healthcare clearinghouses must be HIPAA compliant.

The rules also apply to healthcare providers who conduct electronic health-related transactions.

The Privacy Rule requires that providers put safeguards in place to protect their patients’ privacy. The safeguards must shield their PHI. The HIPAA Privacy Rule also sets limits on the disclosure of ePHI.

It’s because of the Privacy Rule that patients have legal rights over their health information.

These include three fundamental rights.

    • First, the right to authorize disclosure of their health information and records.
    • Second, the right to request and examine a copy of their health records at any time.
    • Third, patients have the right to request corrections to their records as needed.

The HIPAA Privacy Act requires providers to protect patients’ information. It also provides patients with rights regarding their health information.

 

What Is The HIPAA Security Rule

The HIPAA Security Rule is a subset of the HIPAA Privacy Rule. It applies to electronic protected health information (ePHI), which should be protected if it is created, maintained, received, or used by a covered entity.

The safeguards of the HIPAA Security Rule are broken down into three main sections. These include technical, physical, and administrative safeguards.

Entities affected by HIPAA must adhere to all safeguards to be compliant.

Technical Safeguards

The technical safeguards included in the HIPAA Security Rule break down into four categories.

    • First is access control. These controls are designed to limit access to ePHI. Only authorized persons may access confidential information.
    • Second is audit control. Covered entities must use hardware, software, and procedures to record ePHI. Audit controls also ensure that they are monitoring access and activity in all systems that use ePHI.
    • Third are integrity controls. Entities must have procedures in place to make sure that ePHI is not destroyed or altered improperly. These must include electronic measures to confirm compliance.
    • Finally, there must be transmission security. Covered entities must protect ePHI whenever they transmit or receive it over an electronic network.

The technical safeguards require HIPAA-compliant entities to put policies and procedures in place to make sure that ePHI is secure. They apply whether the ePHI is being stored, used, or transmitted.

Physical Safeguards

Covered entities must also implement physical safeguards to protect ePHI. The physical safeguards cover the facilities where data is stored, and the devices used to access them.

Facility access must be limited to authorized personnel. Many companies already have security measures in place. If you don’t, you’ll be required to add them. Anybody who is not considered an authorized will be prohibited from entry.

Workstation and device security are also essential. Only authorized personnel should have access to and use of electronic media and workstations.

Security of electronic media must also include policies for the disposal of these items. The removal, transfer, destruction, or re-use of such devices must be processed in a way that protects ePHI.

Administrative Safeguards

The third type of required safeguard is administrative. These include five different specifics.

    • First, there must be a security management process. The covered entity must identify all potential security risks to ePHI. It must analyze them. Then, it must implement security measures to reduce the risks to an appropriate level.
    • Second, there must be security personnel in place. Covered entities must have a designated security official. The official’s job is to develop and implement HIPAA-related security policies and procedures.
    • Third, covered entities must have an information access management system. The Privacy Rule limits the uses and disclosures of ePHI. Covered entities must put procedures in place that restrict access to ePHI to when it is appropriate based on the user’s role.
    • Fourth, covered entities must provide workforce training and management. They must authorize and supervise any employees who work with ePHI. These employees must get training in the entity’s security policies. Likewise, the entity must sanction employees who violate these policies.
    • Fifth, there must be an evaluation system in place. Covered entities must periodically assess their security policies and procedures.

Who Must Be HIPAA complaint?

There are four classes of business that must adhere to HIPAA rules. If your company fits one of them, you must take steps to comply.

The first class is health plans. These include HMOs, employer health plans, and health maintenance companies. This class contains schools who handle PHI for students and teachers. It also covers both Medicare and Medicaid.

The second class is healthcare clearinghouses. These include healthcare billing services and community, health management information systems. Also included are any entities that collect information from healthcare entities and process it into an industry-standard format.

The third class is healthcare providers. That means any individual or organization that treats patients. Examples include doctors, surgeons, dentists, podiatrists, and optometrists. It also includes lab technicians, hospitals, group practices, pharmacies, and clinics.

The final class is for business associates of the other three levels. It covers any company that handles ePHI such as contractors, and infrastructure services providers. Most companies’ HR departments also fall into this category because they handle ePHI of their employees. Additional examples include data processing firms and data transmission providers. This class also includes companies that store or shred documents. Medical equipment companies, transcription services, accountants, and auditors must also comply.

If your entity fits one of these descriptions, then you must take steps to comply with HIPAA rules.

What is the HIPAA Breach Notification Rule?

Even when security measures are in place, it’s possible that a breach may occur. If it does, the HIPAA Breach Notification Rule specifies how covered entities should deal with it.

The first thing you need to know is how to define a breach. A breach is a use or disclosure of PHI forbidden by the Privacy Rule.

The covered entity must assess the risk using these criteria:

    1. The nature of the PHI involved, including identifying information and the likelihood of re-identification;
    2. The identity of the unauthorized person who received or used the PHI;
    3. Whether the PHI was viewed or acquired; and
    4. The extent to which the risk to the PHI has been mitigated.

Sometimes, PHI may be acquired or disclosed without a breach.

The HIPAA rules specify three examples.

  • The first is when PHI is unintentionally acquired by an employee or person who acted in good faith and within the scope of their authority.
  • The second is inadvertent disclosure of PHI by one authorized person to another. The information must not be further disclosed or used in a way not covered by the Privacy Rule.
  • The third occurs if the covered entity determines that the unauthorized person who received the disclosure would not be able to retain the PHI.

 

If there is a breach as defined above, the entity must disclose it. The disclosures advise individuals and HHS that the breach has occurred.

 

Personal disclosures must be mailed or emailed to those affected by the breach. A media disclosure must be made in some circumstances. If more than 500 people in one area are affected, the media must be notified.

 

Finally, there must also be a disclosure to the HHS Secretary.

The HIPAA Breach Notification Rule protects PHI by holding covered entities accountable. It also ensures that patients are notified if their personal health information has been compromised.

 

What Are The HIPAA Requirements for Compliance

The common question is, how to become HIPAA compliant?

The key to HIPAA compliance certification is to take a systematic approach. If your entity is covered by HIPAA rules, you must be compliant. You must also perform regular audits and updates as needed.

 

With that in mind, we’ve compiled a comprehensive checklist for use in creating your HIPAA compliance policy.

HIPAA Compliance Checklist

These questions cover the components to make you are HIPAA-compliant. You can use the checklist to mark each task as you accomplish it. The list is intended to be used for self-evaluation.

Have you conducted the necessary audits and assessments according to National Institutes of Standards and Technology (NIST) Guidelines?

 

The audits in question involve security risk assessments, privacy assessments, and administrative assessments.

Have you identified all the deficiencies and issues discovered during the three audits?

 

There are several things to consider before doing the self-audit checklist. You need to ensure that all security, privacy, and administrative deficiencies and issues are appropriately addressed.

 

Have you created thorough remediation plans to address the deficiencies you have identified?

After covering the deficiencies and issues mentioned above, you need to provide remediation for each group.

Do you have policies and procedures in place that are relevant to the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule?

 

You must be aware of these three critical aspects of a HIPAA compliance program and ensure each is adequately addressed.

    • Have you distributed the policies and procedures specified to all staff members?
      • Have all staff members read and attested to the HIPAA policies and procedures you have put in place?
      • Have you documented their attestation, so you can prove that you have distributed the rules?
      • Do you have documentation for annual reviews of your HIPAA policies and procedures?
    • Have all your staff members gone through basic HIPAA compliance training?
      • Have all staff members completed HIPAA training for employees?
      • Do you have documentation of their training?
      • Have you designated a staff member as the HIPAA Compliance, Privacy, or Security Officer as required by law?
    • Have you identified all business associates as defined under HIPAA rules?
      • Have you identified all associates who may receive, transmit, maintain, process, or have access to ePHI?
      • Do you have a Business Associate Agreement (Business Associate Contract) in place with each identify you have identified as a Business Associate?
      • Have you audited your Business Associates to make sure they are compliant with HIPAA rules?
      • Do you have written reports to prove your due diligence regarding your Business Associates?
    • Do you have a management system in place to handle security incidents or breaches?
      • Do you have systems in place to allow you to track and manage investigations of any incidents that impact the security of PHI?
      • Can you demonstrate that you have investigated each incident?
      • Can you provide reporting of all breaches and incidents, whether they are minor or meaningful?
      • Is there a system in place so staff members may anonymously report an incident if the need arises?

As you work your way through this checklist, remember to be thorough. You must be able to provide proper documentation of your audits, procedures, policies, training, and breaches.

As a final addition to our checklist, here is a review of the general instructions regarding a HIPAA compliance audit.

    • If a document refers to an entity, it means both the covered entity and all business associates unless otherwise specified
    • Management refers to the appropriate officials designated by the covered entity to implement policies, procedures, and standards under HIPAA rules.
    • The covered entity must provide all specified documents to the auditor. A compendium of all entity policies is not acceptable. It is not the auditor’s job to search for the requested information.
    • Any documents provided must be the versions in use as of the audit notification and document request unless otherwise specified.
    • Covered entities or business associates must submit all documents via OCR’s secure online web portal in PDF, MS Word, or MS Excel.
    • If the appropriate documentation of implementation is not available, the covered entity must provide examples from “equivalent previous time periods” to complete the sample. If no such documentation is available, a written statement must be provided.
    • Workforce members include:
      • Entity employees
      • On-site contractors
      • Students
      • Volunteers
    • Information systems include:
      • Hardware
      • Software
      • Information
      • Data
      • Applications
      • Communications
      • People

Proper adherence to audit rules is necessary. A lack of compliance will impact your ability to do business.

In Closing, HIPAA Questions and Answers

HIPAA rules are designed to ensure that any entity that collects, maintains, or uses confidential patient information handles it appropriately. It may be time-consuming to work your way through this free HIPAA self-audit checklist. However, it is essential that you cover every single aspect of it. Your compliance is mandated by law and is also the right thing to do to ensure that patients can trust you with their personal health information.

One thing to understand is that it is an incredible challenge to try to do this by yourself. You need professional help such as a HIPAA technology consultant. Gone are the days you can have a server in your closet at the office, along with your office supplies. The cleaning personnel seeing a print out of a patient’s file constitutes a ‘disclosable’ event.

Screen servers, privacy screens, and professionally-managed technology solutions are a must. Just because you use a SAS-based MR (Medical Records) solution, does not mean you are no longer responsible for the privacy of that data. If they have lax security, it is still the providers’ responsibility to protect that data. Therefore the burden of due diligence is still on the provider.

Phoenix NAP’s HIPAA compliant hosting solutions have safeguards in place, as audited in its SOC2 certifications. We provide 100% uptime guarantees and compliance-ready platform that you can use to build secure healthcare infrastructure.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

mark's curator insight, May 3, 1:22 PM
Oxy Best Pharmacy, ship and do home delivery World Wide

BUY VYVANSE ONLINE, can be a smart move. It saves you money many times, as you remove the cost of a physical retailer. Online prices for medications are almost always lower, and when it comes to medications you require, any savings you can get can really help. You’ll often have to buy these medications regularly, and those costs can really add up. So buy drugs online gives you an opportunity to save a little time for you to buy will add up to substantial savings in time as you buy from home you need not take a drive to a pharmacy. If you want to buy Vyvanse online, then you’ve come to the right place visit Our Shop Page. To buy this medication from us you do not need a prescription and also it will be good if you have one as it will be way easy to make delivery without doing much on security. We’ll get the drug to you quickly, safely and you will pay online prices that easily beat out what you would pay at a physical pharmacy.

Why Us?

Payment methods: We take Western Union Money Gram, Bitcoin, Cashapp, and Zelle Payments. Order medications online from the best online pharmacy in the USA Here.

WE OFFER MONEY BACK GUARANTEE TO EVERYONE PURCHASING MEDICINES FROM US YOU CAN LOOK AT SOME FEW QUESTIONS THAT HAVE BEEN ANSWERED TO BACK THIS POINT HERE

If your package is not delivered to you because of our error, we will offer you a reshipment. We will ship a similar request for nothing out of your pocket. Inform us quickly in that regard so we solve the issue.

Buy Vyvanse Online HERE Now and have it delivered right at your doorsteps. Oxy Best Pharmacy is the best and secure place to order painkillers online. Customer satisfaction is our highest priority, and we never fail to exceed the customer’s expectations! Contact Oxy Best Pharmacy today for all of your meds. Order Vyvanse online and other highly controlled pills like BOTOX, MORPHINE, CODEINE, DIAZEPAM DILAUDID, SUBUTEX, FENTANYL PATCHES, XANAX, NEUROBLOC, OXYCODONE, OXYCONTIN, OPANA, ROXICODONE, SUBOXONE, OXYNORM AND RITALIN Online without Prescription. You are always welcome to our pharmacy at any time to enjoy from our best online services feel free to contact our pharmacy HERE

 

 

Scoop.it!

HIPAA liability protections: business associate agreements are must for effective risk management

HIPAA liability protections: business associate agreements are must for effective risk management | HIPAA Compliance for Medical Practices | Scoop.it

The first step for a physician, known under the language of HIPAA as a “covered entity,” is to determine the need for a BAA with a vendor. A vendor is considered a “business associate” under HIPAA if the vendor creates, receives, maintains, or transmits patient health information (PHI) on the provider’s behalf.

 

Common services performed by a business associate (BA) include claims processing, data analysis, quality assurance, billing and collection, practice management, legal, accounting, and consulting.

 

Entities that only serve as conduits, such as the post office or Internet service providers, are not considered BAs even though they handle patient information.

 

What BAs must include

If a business associate is providing services to a covered entity, the parties must enter into a written BAA that:

 

  • establishes the permitted uses/disclosures of PHI,
  • stipulates that the BA must use appropriate safeguards to prevent unauthorized PHI uses and disclosures,
  • spells out that the BA reports to the covered entity any unauthorized uses and disclosures,
  • extends the terms of the BAA to its subcontracts, and
  • establishes that upon termination of the BAA, the vendor must either return or destroy all PHI.

 

The consequences of not having a written BAA can be severe. The Office of Civil Rights (OCR) could request a copy of a covered entity’s BAA if there is a complaint registered over a covered entity or if a breach occurs.

 

Violations under HIPAA can be penalized at anywhere between $100 to $50,000 per violation, up to a calendar year maximum penalty of $1,500,000 for a single violation. The OCR could take the position that every day that the BA and covered entity did not have a business associate agreement is a violation, and multiply the fine by the number of days no BAA penalty was in place, so the penalties can be steep.

 

Liability of agents

Under HIPAA, a covered entity is liable for the acts of its agents, which can include a BA.

 

Whether an agency relationship exists is determined case by case, with the essential factor being whether the provider has the right or authority to control the BA’s conduct. The authority of a provider to give instructions or directions is the control that can result in an agency relationship.

 

The language in the BAA will be considered in determining whether an agency relationship is present. If a covered entity is controlling the performance of its BA, the covered entity should closely monitor the BA’s performance since the covered entity will be held accountable for its performance.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

Strategies for Measuring HIPAA Compliance Efforts

Strategies for Measuring HIPAA Compliance Efforts | HIPAA Compliance for Medical Practices | Scoop.it

About 40% of large health care organizations do not take the time to measure how well their HIPAA compliance measures are working, according to Brian Wells, Chief Technology Officer of the cybersecurity firm Merlin International, headquartered in Vienna, Virginia. Most are unaware if they have thwarted cyberattacks, blocked malicious emails or kept staff from releasing inappropriate information.

 

“If they can't report that to the board, then they may stop giving them money to do more,” Wells said.

 

Measuring an organization's HIPAA strategy can be challenging. It is difficult to know if efforts to thwart cyberattacks have actually prevented breaches. “When ransomware like WannaCry comes out, it may be possible to say you protected yourselves,” he said. “If nothing bad has happened in a while, you can assume you are either doing a good job or just haven't been a target.”

 

How are providers supposed to measure HIPAA compliance effectiveness? Here are a few strategies for determining if an organization is on the right path using both internal and external resources.

 

A human touch
Wells works with hospitals now, but when he was on the medical practice side, his group performed annual testing on HIPAA regulations. The test was not hard, but everyone in the practice had to pass it. This not only lets a provider know where education is slipping through the cracks, but also provides a paper trail to point to should a practice get audited.

 

Adam Greene, a partner with Seattle-based Davis Wright Tremaine, also recommends informal testing to make sure people

 

understand their obligations under HIPAA. For example, the person in charge of HIPAA security can make a checklist to ask staff that includes questions like: “If someone wants to see something in their medical record, how would you respond?” Staff should know the patient has a right to records and the process involved in turning them over, be it filling out a form or directing the patient to the staff member who handles requests.

 

Another option is to assign an individual who would be accountable for walking around an office to ensure protected health information is secured properly. A few points to include would be ensuring computers are not facing toward patients; locked cabinets do not have the key hanging next to them; and people are logging out when they leave their computers.

“There could be a 10- to 20-question checklist and they can use it to see how they are doing and compare it over time,” said Marti Arvin, Vice President of Audit Strategy for CynergisTek, which is headquartered in Mission Viejo, California.

 

Arvin said an internal audit can be used to make sure staff members know where privacy policies are and that they are understood; whether all patients at their initial visit are provided with notices of privacy procedures; and if all of the staff members are receiving HIPAA training as they should.

 

Technology testing
Because health IT is constantly under attack, it would be difficult, expensive, and “voluminous” to show all of the attacks an organization has defended against, Greene said.

One option instead is to perform vulnerability scanning on a regular basis to examine if a system has unpatched software or other vulnerabilities. Another good practice is a phishing test. Here, an organization generates its own malware link and sends it to staff to see if anyone clicks.

 

Wells said an IT department can put in place a program that will check to see that people are only doing what they are supposed to be doing with their devices. It can also detect unmanaged devices that appear in the system. Electronic audit logs can be monitored to ensure people are not abusing their access.

 

Encryption is a must-have under HIPAA, and Greene said the best way to look at it is demonstrating that laptops are encrypted and will remain that way. For instance, someone with administrative rights can turn off encryption if they choose. But technical measures can be used to limit someone's ability to turn it off and to maintain compliance.

 

“Those things are really more to let you know how compliant you think you are,” Wells said. “For a full security audit, you are typically going to have to hire out.”

Keep it simple


Most physician practices are “dramatically under-resourced” in HIPAA staffing, Greene said. “The office administrator might be the privacy officer and maybe the security officer, too,” he said. “That is a lot of responsibilities, so providers need to give it some thought … and be careful about laying [extra responsibilities] on an office administrator who doesn't have enough time to do their regular job.”

 

Some of these auditing duties may need to be spread throughout an organization or hired out, but practices need to have an individual who is held accountable for auditing HIPAA policies. “There should be some oversight,” Arvin said. “Lots of practices give the title of security officer, but don't give resources or educate them on the responsibilities of overseeing the program.”

Greene also recommends making this a long-term endeavor. Instead of trying to look at all areas of compliance at once, he recommends starting with places where an office has had problems, where similar practices have had settlements, or where the Office for Civil Rights offers guidance.

 

For example, an individual responsible for HIPAA compliance might first spend some time ensuring staff members are providing patients with access to their records and if they are charging the right amount for them. Then he or she could move to other areas, such as disclosure of privacy practice guidelines.

“You can ultimately look at different regulatory requirements and create a master plan for how you are going to audit them,” he said. “Prioritize some immediately and others next year or the year after because they are seemingly lower risk.”

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

mark's curator insight, May 5, 5:28 PM
Oxy Best Pharmacy, ship and do home delivery World Wide

BUY VYVANSE ONLINE, can be a smart move. It saves you money many times, as you remove the cost of a physical retailer. Online prices for medications are almost always lower, and when it comes to medications you require, any savings you can get can really help. You’ll often have to buy these medications regularly, and those costs can really add up. So buy drugs online gives you an opportunity to save a little time for you to buy will add up to substantial savings in time as you buy from home you need not take a drive to a pharmacy. If you want to buy Vyvanse online, then you’ve come to the right place visit Our Shop Page. To buy this medication from us you do not need a prescription and also it will be good if you have one as it will be way easy to make delivery without doing much on security. We’ll get the drug to you quickly, safely and you will pay online prices that easily beat out what you would pay at a physical pharmacy.

Why Us?

Payment methods: We take Western Union Money Gram, Bitcoin, Cashapp, and Zelle Payments. Order medications online from the best online pharmacy in the USA Here.

WE OFFER MONEY BACK GUARANTEE TO EVERYONE PURCHASING MEDICINES FROM US YOU CAN LOOK AT SOME FEW QUESTIONS THAT HAVE BEEN ANSWERED TO BACK THIS POINT HERE

If your package is not delivered to you because of our error, we will offer you a reshipment. We will ship a similar request for nothing out of your pocket. Inform us quickly in that regard so we solve the issue.

Buy Vyvanse Online HERE Now and have it delivered right at your doorsteps. Oxy Best Pharmacy is the best and secure place to order painkillers online. Customer satisfaction is our highest priority, and we never fail to exceed the customer’s expectations! Contact Oxy Best Pharmacy today for all of your meds. Order Vyvanse online and other highly controlled pills like BOTOX, MORPHINE, CODEINE, DIAZEPAM DILAUDID, SUBUTEX, FENTANYL PATCHES, XANAX, NEUROBLOC, OXYCODONE, OXYCONTIN, OPANA, ROXICODONE, SUBOXONE, OXYNORM AND RITALIN Online without Prescription. You are always welcome to our pharmacy at any time to enjoy from our best online services feel free to contact our pharmacy HERE

 

 

Scoop.it!

Hospitals Fail at HIPAA Compliance Re Medical Records Requests

Hospitals Fail at HIPAA Compliance Re Medical Records Requests | HIPAA Compliance for Medical Practices | Scoop.it

Many hospitals failed at HIPAA compliance in response to simulated patients’ requests for medical records, according to a study by Yale researchers published in the JAMA Network Open.

 

The researchers surveyed 83 top-ranked US hospitals with independent medical records request processes and medical records departments reachable by telephone.

 

According to HIPAA, patient requests for medical record must be fulfilled within 30 days of receipt in the format requested by the patient if the records are readily producible in that format. OCR guidance says that hospitals can charge a cost-based fee to provide those records.

 

The researchers conducted scripted interviews with medical records departments in a simulated patient experience and also collected medical records release authorization forms. There was wide variation in the information provided on the authorization forms and from the telephone calls in terms of what data could be requested, release formats, costs, and processing times.

 

On the authorization forms, only 44 hospitals (53%) provided patients the option to acquire the entire medical record. On telephone calls, all 83 hospitals stated that they were able to release entire medical records to patients.

 

There were discrepancies in information given in telephone calls versus authorization forms among the formats hospitals said that they could use to release information: 69 versus 40 for pick up in person, 20 versus 14 for fax, 39 versus 27 for email, 55 versus 35 for CD, and 21 versus 33 for online patient portals. These results demonstrated noncompliance with HIPAA in refusing to provide records in the format requested by the patient, the study noted.

 

There were 48 hospitals that had costs of release above the federal recommendation of $6.50 for electronically maintained records. In one case, a hospital charged $541.50 for a 200-page medical record. At least seven of the hospitals were noncompliant with state requirements for processing times.

 

“Discrepancies in information provided to patients regarding medical records request processes and noncompliance with regulations appear to indicate the need for stricter enforcement of policies relating to patients’ access to their protected health information,” the researchers concluded.

 

The study is timely because the Trump administration has launched the MyHealthEData initiative, which is designed to improve EHR patient data access and use. MyHealthEData is intended to break down the barriers that prevent patients from having electronic access and control over their own health records from the device or application of their choice.

 

In 2017, President Donald Trump issued an executive order in which he directed government agencies to “improve access to and the quality of information that Americans need to make informed healthcare decisions, including data about healthcare prices and outcomes, while minimizing reporting burdens on affected plans, providers, or payers.” The order was part of a broader effort to increase market competition in the healthcare market.

 

“The MyHealthEData initiative will work to make clear that patients deserve to not only electronically receive a copy of their entire health record, but also be able to share their data with whomever they want, making the patient the center of the healthcare system. Patients can use their information to actively seek out providers and services that meet their unique healthcare needs, have a better understanding of their overall health, prevent disease, and make more informed decisions about their care,” explained a March 2018 CMS press release.

 

While the goals of MyHealthEData are lofty, the results of this Yale study call into question the ability of private healthcare organizations to fulfill the Trump administration’s initiative, never mind comply with existing HIPAA patient access requirements.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

4 Steps to Assess a Possible HIPAA Data Breach

4 Steps to Assess a Possible HIPAA Data Breach | HIPAA Compliance for Medical Practices | Scoop.it


The HIPAA Omnibus Rules dramatically elevated your risk of data breaches. From lowering the breach standard to requiring documentation on why you think that you didn’t commit a breach, your practice needs to diligently work to avoid problems and properly handle a breach. An event that compromises the security or privacy of Protected Health Information (PHI) is considered an impermissible use or disclosure of PHI. Impermissible use or disclosure is a breach unless you can show that there was a low probability that the PHI was compromised. This is not an academic discussion since you are required to properly notify patients and the Department of Health and Human Services (HHS) about breaches, and you are subject to fines for breaches. For example, mailing patient information to the wrong party, and unauthorised access to your electronically stored patient records are breaches unless you can show that there is low probability that PHI was compromised.

There are three exceptions to the breach trigger: unintentional acquisition, access, or use of PHI while employees are performing their jobs, inadvertent disclosure to someone authorised to access PHI, and situations where you have a good faith belief that the recipient will not be able to retain the information. For example, a fleeting view of some PHI on a computer screen may not be considered a relevant incident. Using a “good faith evaluation” and “reasonable conclusion”, you evaluate the incident based on four factors:

  1. PHI Nature and Extent: The sensitivity of the information and ability to identify the patient as well as presentation options are factors in determining the probability. Deidentifying PHI is not easy or straightforward. In addition to name and phone numbers, a picture of a face or a free form text note about the patient could easily lead to identifying the patient. For example, a list of dated deidentified lab results with a separate list of patient appointments for the day of the lab would not present a low probability of compromise. On the other hand, loss of electronically stored diagnostic data that requires special software from the device manufacturer may present a low probability of compromise. This answer would be different if the lost information was PHI contained in an unsecured PDF file.
  2. Unauthorised Person Received or Used PHI: The status of the recipient of the PHI may offer a reasonable way to avoid a breach. For example, sending the patient report to the wrong doctor may lead to a low probability of compromise since the receiving doctor has been properly trained in HIPAA Privacy and Security.
  3. Actual Acquisition or Viewing of PHI: If your organization quickly uncovered the incident, you may be able to prevent the viewing or even possession of the PHI. For example, contacting the receiving party and recovering the information before the other people open the information may present a low probability of compromise. Similarly, if an envelope with PHI was lost, but upon recovery, you determine that the envelope was never opened, you may have a low probability of disclosure or use.
  4. Mitigation Factors: In the final step of your evaluation, you can determine if there were mitigating issues that lead you to a good faith and reasonable conclusion that the information was not disclosed. For example, a thumb drive containing PHI on a patient lost in a healthcare facility but recovered in a nonpublic area may present a mitigating factor.

If you determine that the probability of compromised PHI is low, you do not have a problem. Otherwise, you have a breach and have to respond according to the breach notification requirements. If you have encountered a breach, within 60 days of discovery of the breach, you have to:

  • Contact the Patients: You have to mail a letter to the last known address of the affected patients. If you cannot contact more than 10 patients, your website or public media with an 800 number should be publically presented for 90 days.
  • Inform HHS: You have to maintain a log of breaches to send to HHS annually. If a breach involves over 500 patients, you have to directly contact the Office of Civil Rights.
Technical Dr. Inc.'s insight:
Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

No comment yet.
Scoop.it!

Make Sure Business Associates Don’t Violate HIPAA

Make Sure Business Associates Don’t Violate HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

A violation of HIPAA by a practice’s business associate underscores the importance for conducting adequate due diligence, having business associate agreements (BAAs) in place, and ensuring that the level of encryption is adequate.


The U.S. Federal Trade Commission (FTC) recently released a statement indicating that a business associate, Henry Schein Practice Solutions, Inc. (“Schein”), a dental practice software company, will pay the government $250,000 for false advertising associated with what was relayed to the public and what was actually used in its products in relation to the level of encryption. While the fine is not considered large by any means, the implications for medical professionals, business associates, and subcontractors alike, are significant. 


The ramifications to the company, in relation to the issuance of the administrative complaint and the consent agreement are:


• Pay a $250,000 fine;

• Prohibition on “misleading customers about the extent to which its products use industry-standard encryption or how its products are used to ensure regulatory compliance”;

• Prohibition on claims that patient data was protected; and

• Schein needs notify all of its clients who purchased during the period when the material misstatements were made; and

• That the consent agreement will be published in the Federal Register.


Of equal or greater significance is the “NOTE” on the FTC’s press release, which states:


NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions for twenty years. Each violation of such an order may result in a civil penalty of up to $16,000.


The takeaways for providers and business associates alike are significant. All government agencies are taking a hard look at material misrepresentations related to HIPAA compliance. The potential implications are significant and underscore the importance of not cutting corners in relation to risk assessments and compliance.

No comment yet.
Scoop.it!

HIPAA Compliance is a Business Risk

HIPAA Compliance is a Business Risk | HIPAA Compliance for Medical Practices | Scoop.it

Medicine is Risky


The practice of medicine is a risky business. There is always the risk that a certain treatment will fail to help a patient. There is a risk of being accused of malpractice. There is a risk of being accused of incorrectly billing a patient, insurance company or government agency. There is a risk of being sued by an employee or ex-employee for HR related issues. The list of risks goes on and on.


Healthcare is not unique when it comes to risk. Lawyers, accountants, architects and engineers all have associated business risk. In fact, it can be argued that every business has associated risk. The risk of a business failing is with every business no matter what vertical that business operates in. Just ask Enron and RadioShack and Joe’s pizza.


Manage Risk


The key to business risk is how an organization manages the risk. Healthcare organizations have malpractice insurance which usually comes with a malpractice risk management program. The program identifies areas of risk, provides steps to reduce risk and defines steps to minimize impact of losses when they occur 


Risk management refers to strategies that reduce and minimize the possibility of an adverse outcome, harm, or a loss. The systematic gathering and utilization of data are essential to loss prevention. Good risk management techniques improve the quality of patient care and reduce the probability of an adverse outcome or a medical malpractice claim. This core curriculum outlines the attitudes, knowledge, and skills currently recommended for residents in the area of risk management. The primary goal of a successful risk management is to reduce untoward events to patients. Risk management programs are designed to reduce the risk to patients and resulting liability to the health care provider. Standard of care is the foundation for risk management. The main factors in risk management include the following.


Nonmedical and medical risk management is a three-step process which involves: 1) identifying risk; 2) avoiding or minimizing the risk of loss; and 3) reducing the impact of losses when they occur. Medical risk management focuses on risk reduction through improvement of patient care.


Patient Data Risk


The practice of creating, storing and accessing electronic patient data brings with it new risks to healthcare organizations. Sure in the past there was a risk of someone breaking into an office and stealing patients’ paper charts but the risk exponentially increases now that a majority of new patient data is electronic. All this data is spread across electronic health records (EHRs), patient portals, digital x-ray machines, email, desktops, laptops, USB drives, smartphones and tablets. There are risks of an employee mistake like losing a laptop with patient information or falling for a fake email that tricks them into giving up information that thieves can use to access and steal patient data.


Like any other business risk, the risk to patient data needs to be properly managed. Just like with a malpractice risk management program, the risk to patient data needs to be addresses with 3 steps:


  1. Identifying Risk – it is critical that organizations understand what risks are associated with electronic patient data. Where is the data stored or accessed? As mentioned previously, the data could be stored on servers in an office, in a cloud-based EHR, on laptops or mobile devices. It is critical to get a thorough inventory of all patient data that is created, stored or accessed. The next step is understanding the risk to all of this patient data. The risk to data stored on a digital ultrasound machine is much different than data stored on laptops that leave an office.
  2. Minimize Risk – once the various risks are identified to patient data, it is critical to take steps to reduce the risk. Implementing the proper safeguards such as security policies and procedures and employee training can go a long way to lower the risk to patient data.
  3. Reduce the Impact – unfortunately it is very difficult to eliminate the risk to patient data. Steps can be taken to lower the risk but the amount of patient data is increasing every day and the risk of employee mistakes or criminals stealing the data increases as well. Organizations need to have a plan in place to respond to a patient data breach. That plan may include a breach response program that defines the steps the organization will take if there is a breach, or ensuring that an organization’s IT department or company is prepared to respond and/or stop a suspected data breach. Reducing the impact of a patient data breach might include cyber insurance that will provide financial resources to help the organization in the event of a data breach.


Don’t Hate HIPAA


Many people I talk to tell me they hate HIPAA regulations. I don’t blame them. Most people don’t like forced government regulations that have the threat of audits and fines. But HIPAA regulations are really just a risk management program for patient data. HIPAA calls for organizations to take inventory of where patient information is created, stored or accessed. It requires organizations to identify and manage associated risk to patient data. And it calls for organizations to be prepared to respond and lower the impact if patient data is lost, stolen or breached. When compared to a malpractice risk management program, the HIPAA risk management program is very similar.


When I talk to people about HIPAA I make it clear that the risk of a random HIPAA audit is very low. But the risk that patient data is lost, stolen or breached is increasing every day. Patient data needs to be thought of as a business risk that needs to be properly managed.

AACS Atlanta's comment, October 18, 2019 2:19 AM
If you have been charged with a DUI, or if the DUI charge was reduced to reckless driving, the state of Georgia will most likely require you to attend a 20-hour Risk Reduction Program. For detail https://www.aacsatlanta.com/dui-school/ for directions https://g.page/aacs-dui-school?share
DUI SCHOOL Marietta, Decatur and Atlanta-GA's comment, November 28, 2019 2:51 AM
What Is DUI School? How Can It Help With My DUI Case?
https://goo.gl/maps/mxmuM8Vm1Drwxj9BA
A DUI School is something that is required as a condition of probation by the court when you're convicted of a DUI. There are different levels of school… Helpline Number: 404-594-1770
Scoop.it!

Is Google Forms HIPAA Compliant?

Is Google Forms HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

Google Forms is a cloud-based form that can be used to conduct surveys or fill out questionnaires.

 

A provider may use Google Forms to get feedback from patients about recent appointments, or to inquire if they would be interested in a particular service, should the provider choose to add it to their services.

 

However, before a provider may use Google Forms for this type of communication, it is important to determine whether or not Google Forms is HIPAA compliant. Google Forms HIPAA compliance is discussed below. 

Google Forms HIPAA Business Associate Agreement

A key factor when determining a software’s HIPAA compliance is the willingness to sign a business associate agreement (BAA). Google Forms is part of Google’s G Suite offerings, and as such is covered under the G Suite business associate agreement. Before a user is permitted to use Google Forms in conjunction with protected health information (PHI), the user must sign Google’s BAA.

 

For more information on how to get your Google Forms HIPAA BAA, please click here.

Google Forms HIPAA Safeguards

In addition to its willingness to sign a BAA, HIPAA compliant software must include safeguards to ensure the confidentiality, integrity, and availability of PHI: 

  • Access controls. Allows administrators to designate different access levels to information based on an employee’s job function.
  • Audit controls. Tracks access to information to ensure that protected health information is accessed in accordance with the HIPAA Privacy Rule minimum necessary standard.
  • User authentication. Utilizes unique login credentials to ensure that users are who they appear to be.
  • Encryption. Masks sensitive data so that it can only be accessed by authorized users.

For more information on Google Forms HIPAA compliant configuration, please click here.

Google Forms HIPAA Training

No software is fully HIPAA compliant, it is up to the end user to ensure that it is being used in a HIPAA compliant manner. Google Forms HIPAA training is essential for all users to understand how to use the platform in a HIPAA compliant manner. All employees that will be using Google Forms should be trained on proper use before they are permitted to use the platform. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

Scoop.it!

What Is HIPAA And How To Comply With The HIPAA Security Rule

What Is HIPAA And How To Comply With The HIPAA Security Rule | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US legalization that requires healthcare professionals and institutions to secure health information from deletions and data breaches.

 

This law has become relevant in today’s dental practice due to increased data breaches caused by ransomware and cyber attacks.

 

The law’s requirements on HIPAA can be demanding and challenging to understand, but we’ve made it easy for you below. There are three areas you need to be compliant with HIPAA.

 

• PHYSICAL – these are measures that prevent loss of devices and physical theft on medical information e.g. keeping workstations away from the public eye and limiting physical access to computers.

 

• ADMINISTRATIVE – measures that make sure patient data is accessible to authorized personnel and is correct. For example, identifying which employees have access to medical information.

 

• TECHNICAL – these are measures that protect your devices and networks from unauthorized access and data breaches e.g. encrypting files that you upload to a cloud or send via email.

 

The components above represent every aspect of your dental practice from your record-keeping and policies to your building safety and technology.

 

HIPAA also requires all your staff members to work together to protect patient data and be on the same page.

 

HIPAA COMPLIANCE

 

The administrative, physical, and technical requirements for HIPAA security may be a lot of information for you to take in. Additionally, it can be overwhelming for you to handle its compliance in your dental practice solely.

 

To make it easier, HIPAA compliance is an organization-wide issue. This means all your employees will have to understand and know their role in securing dental information.

 

Alternatively, you can outsource your HIPAA compliance to consultants, web services, and IT contractors.

 

This ensures your dental practice meets the required standards and makes your life easier. However, outsourcing your HIPAA responsibilities doesn’t mean you ignore your legal obligations.

 

Your company should always stay on top of any HIPAA changes in recommendations and adopt advanced practices to improve medical information security.

 

Ultimately, ensure your dental practice upgrades all its old technology for better and efficient systems that contribute to medical information security.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

mark's curator insight, May 3, 10:54 AM
Oxy Best Pharmacy, ship and do home delivery World Wide

BUY VYVANSE ONLINE, can be a smart move. It saves you money many times, as you remove the cost of a physical retailer. Online prices for medications are almost always lower, and when it comes to medications you require, any savings you can get can really help. You’ll often have to buy these medications regularly, and those costs can really add up. So buying online gives you an opportunity to save a little time for you to buy will add up to substantial savings in time as you buy from home you need not take a drive to a pharmacy. If you want to buy Vyvanse online, then you’ve come to the right place visit Our Shop Page. To buy this medication from us you do not need a prescription and also it will be good if you have one as it will be way easy to make delivery without doing much on security. We’ll get the drug to you quickly, safely and you will pay online prices that easily beat out what you would pay at a physical pharmacy.

Why Us?

Payment methods: We take Western Union Money Gram, Bitcoin, Cashapp, and Zelle Payments. Order your medications from the best online pharmacy in the USA Here.

WE OFFER MONEY BACK GUARANTEE TO EVERYONE PURCHASING MEDICINES FROM US YOU CAN LOOK AT SOME FEW QUESTIONS THAT HAVE BEEN ANSWERED TO BACK THIS POINT HERE

If your package is not delivered to you because of our error, we will offer you a reshipment. We will ship a similar request for nothing out of your pocket. Inform us quickly in that regard so we solve the issue.

Buy Vyvanse Online HERE Now and have it delivered right at your doorsteps. Oxy Best Pharmacy is the best and secure place to order painkillers online. Customer satisfaction is our highest priority, and we never fail to exceed the customer’s expectations! Contact Oxy Best Pharmacy today for all of your meds. Order Vyvanse and other highly controlled pills like BOTOXMORPHINECODEINEDIAZEPAM DILAUDIDSUBUTEXFENTANYL PATCHESXANAXNEUROBLOCOXYCODONEOXYCONTINOPANAROXICODONESUBOXONEOXYNORM AND RITALIN Online without Prescription. You are always welcome to our pharmacy at any time to enjoy from our best online services feel free to contact our pharmacy HERE

 

 

Scoop.it!

3 Ways To Prioritize Compliance In Your Dental Practice

3 Ways To Prioritize Compliance In Your Dental Practice | HIPAA Compliance for Medical Practices | Scoop.it

Dental Practice compliance has become increasingly important as more and more practices embrace different administrative roles.

 

Every team needs to understand the importance of maintaining compliance from staying up-to-date with HIPAA, labor, and OSHA regulations to documentation standards and other compliance-related issues.

 

However, it can be hard to keep up with all the dental practice compliance issues, especially if you are using a personal approach instead of an organizational one.

 

Here are three ways you can create a culture of compliance without losing clients or money in your dental practice.

 

1. ASSIGN A COMPLIANCE OFFICER

 

One person can’t be an expert in all areas of dental practice compliance. Thus, it’s essential to dedicate a team member that is responsible for maintaining compliance in an assigned area. For example, you can have a compliance officer that is in charge of HIPAA and another in charge of OSHA.

 

Breaking down roles like this ensures your practice is in line with all the laws, and in case of any issues, they can be addressed before its’ too late. Additionally, your compliance officer should have documentation and organization skills to maintain documentation effectively.

 

Compliance officers are also responsible for training new team members and annual team retraining.

 

2. PURCHASE COMPLIANCE SOFTWARE

 

Due to advancements in technology, there are various resources and products that you can use for compliance in multiple areas. For example;

• OperaDDS, DDS Rescue and OperaDDS can be helpful in HIPAA compliance
• AutoSDS is essential for OSHA compliance
• DentalPost can assist you in hiring and recruiting team members

Unfortunately, many organizations forgo buying these resources to save on costs. However, not having appropriate software and resources can cost you more than the prices of these products if an issue arises in the future.

 

3. ENCOURAGE PATIENT COMPLIANCE

 

It’s common to find patients giving a false acceptance of services to avoid voicing their concerns about your treatment or services.

 

To prevent such patients from leaving your practice, ensure you use patient-friendly terminology and a friendly, approachable manner when conversing and clearly explain the importance of recommended treatment and care.

 

Not keeping up with dental practice compliance is a multifaceted problem that practices need to stay on top of to avoid future issues.

 

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

HIPAA Social Media Rules

HIPAA Social Media Rules | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA was enacted several years before social media networks such as Facebook were launched, so there are no specific HIPAA social media rules; however, there are HIPAA laws and standards that apply to social media use by healthcare organizations and their employees. Healthcare organizations must therefore implement a HIPAA social media policy to reduce the risk of privacy violations.

 

There are many benefits to be gained from using social media. Social media channels allow healthcare organizations to interact with patients and get them more involved in their own healthcare. Healthcare organizations can quickly and easily communicate important messages or provide information about new services. Healthcare providers can attract new patients via social media websites. However, there is also considerable potential for HIPAA Rules and patient privacy to be violated on social media networks. So how can healthcare organizations and their employees use social media without violating HIPAA Rules?

HIPAA and Social Media

The first rule of using social media in healthcare is to never disclose protected health information on social media channels. The second rule is to never disclose protected health information on social media. (see the definition of protected health information for further information).

 

The HIPAA Privacy Rule prohibits the use of PHI on social media networks. That includes any text about specific patients as well as images or videos that could result in a patient being identified. PHI can only be included in social media posts if a patient has given their consent, in writing, to allow their PHI to be used and then only for the purpose specifically mentioned in the consent form.

Social media channels can be used for posting health tips, details of events, new medical research, bios of staff, and for marketing messages, provided no PHI is included in the posts.

Employees Must be Trained on HIPAA Social Media Rules

In 2017, 71% of all Internet users visited social media websites. The popularity of social media networks combined with the ease of sharing information means HIPAA training should include the use of social media. If employees are not specifically trained on HIPAA social media rules it is highly likely that violations will occur.

Training on HIPAA should be provided before an employee starts working for the company or as soon as is possible following appointment. Refresher training should also be provided at least once a year to ensure HIPAA social media rules are not forgotten.

HIPAA Violations on Social Media

In 2015, ProPublica published the results of an investigation into HIPAA social media violations by nurses and care home workers. The investigation primarily centered on photographs and videos of patients in compromising positions and patients being abused.

 

In some cases, images and videos were widely shared, in others photographs and videos were shared in private groups. ProPublica uncovered 47 HIPAA violations on social media since 2012, although there were undoubtedly many more that were not discovered and were never reported.

 

In most cases, the HIPAA violations on social media resulted in disciplinary action against the employees concerned, there were several terminations for violations of patient privacy, and in some cases, the violations resulted in criminal charges. A nursing assistant who shared a video of a patient in underwear on Snapchat was fired and served 30 days in jail.

 

It is not only employees that can be punished for violating HIPAA Rules. There are also severe penalties for HIPAA violations for healthcare providers.

Common Social Media HIPAA Violations

  • Posting of images and videos of patients without written consent
  • Posting of gossip about patients
  • Posting of any information that could allow an individual to be identified
  • Sharing of photographs or images taken inside a healthcare facility in which patients or PHI are visible
  • Sharing of photos, videos, or text on social media platforms within a private group

HIPAA Social Media Guidelines

Listed below are some basic HIPAA social media guidelines to follow in your organization, together with links to further information to help ensure compliance with HIPAA Rules.

  • Develop clear policies covering social media use and ensure all employees are aware of how HIPAA relates to social media platforms
  • Train all staff on acceptable social media use as part of HIPAA training and conduct refresher training sessions annually
  • Provide examples to staff on what is acceptable – and what is not – to improve understanding
  • Communicate the possible penalties for social media HIPAA violations – termination, loss of license, and criminal penalties
  • Ensure all new uses of social media sites are approved by your compliance department
  • Review and update your policies on social media annually
  • Develop policies and procedures on use of social media for marketing, including standardizing how marketing takes place on social media accounts
  • Develop a policy that requires personal and corporate accounts to be totally separated
  • Create a policy that requires all social media posts to be approved by your legal or compliance department prior to posting
  • Monitor your organization’s social media accounts and communications and implement controls that can flag potential HIPAA violations
  • Maintain a record of social media posts using your organization’s official accounts that preserves posts, edits, and the format of social media messages
  • Do not enter into social media discussions with patients who have disclosed PHI on social media.
  • Encourage staff to report any potential HIPAA violations
  • Ensure social media accounts are included in your organization’s risk assessments
  • Ensure appropriate access controls are in place to prevent unauthorized use of corporate social media accounts
  • Moderate all comments on social media platforms

 

The Department of Health and Human Services’ Office for Civil Rights has issued guidance on HIPAA social media regulations, detailing the specific aspects of HIPAA that apply to social media networks. A HIPAA compliance checklist for social media can be viewed on the HHS website.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

Gabe Maxwell's comment, September 26, 2019 6:56 PM
<a href="https://getmedicalmarijuanaonline.com/product/buy-gushers-online/">Buy Gushers</a>
<a href="https://getmedicalmarijuanaonline.com/product/special-blend-10g-oral-applicator-3-pack/">Buy 10g Oral Applicator</a>
<a href="https://getmedicalmarijuanaonline.com/product/green-label-15g-oral-applicator-6-pack/">Buy 15g Oral Applicator</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-moonrocks-now/">Buy Moonrocks</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-nyc-diesel/">Buy Nyc Diesel</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-lemon-kush/">Buy Lemon Kush</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-zkittlez/">Buy Zkittlez</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-purple-kush/">Buy Purple Kush</a>

<a href="https://getmedicalmarijuanaonline.com/product/buy-gelato-33/
">Buy Gelato</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-mango-kush/
">Buy Mango Kush</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-fire-og-kush/
">Buy Fire Og</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-death-star/
">Buy Death Star</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-green-crack-buy-green-crack-online/
">Buy Green Crack</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-grapefruit-kush/
">Buy Grapefruit kush</a>
<a href="https://getmedicalmarijuanaonline.com/product/ghost-train-haze/
">Buy Ghost Train Haze</a>

<a href="https://getmedicalmarijuanaonline.com/product/chocolope/
">Buy Chocolope</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-banana-kush/
">Buy Banana Kush</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-headband/
">Buy Headband</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-golden-goat/
">Buy Golden Goat</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-orange-kush/
">Buy Orange Kush</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-northern-lights-2/
">Buy Northern Lights</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-grape-ape/
">Buy Grape Ape</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-agent-orange-buy-agent-orange-online/
">Buy Agent Orange</a>
<a href="https://getmedicalmarijuanaonline.com/product/buy-blueberry-kush-online/">Buy Blueberry Kush</a>
Scoop.it!

The HIPAA Password Requirements

The HIPAA Password Requirements | HIPAA Compliance for Medical Practices | Scoop.it

The HIPAA password requirements stipulate procedures must be put in place for creating, changing and safeguarding passwords unless an alternative, equally-effective security measure is implemented. We suggest the best way to comply with the HIPAA password requirements is with two factor authentication.

 

The HIPAA password requirements can be found in the Administrative Safeguards of the HIPAA Security Rule. Under the section relating to Security Awareness and Training, §164.308(a)(5) stipulates Covered Entities must implement “procedures for creating, changing and safeguarding passwords”.

Experts Disagree on Best HIPAA Compliance Password Policy

Although all security experts agree the need for a strong password (the longest possible, including numbers, special characters, and a mixture of upper and lower case letters), many disagree on the best HIPAA compliance password policy, the frequency at which passwords should be changed (if at all) and the best way of safeguarding them.

 

Whereas some experts claim the best HIPAA compliance password policy involves changing passwords every sixty or ninety days, other experts say the effort is a waste of time. A competent hacker should be able to crack any user-generated password within ten minutes using a combination of technical, sociological, or subversive methods (i.e. social engineering).

 

There is more agreement between experts when it comes to safeguarding passwords. In respect of a best practice for a HIPAA compliance password policy, a large majority recommend the use of password management tools. Although these tools can also be hacked, the software saves passwords in encrypted format, making them unusable by hackers.

The HIPAA Password Requirements are Addressable Requirements

One important point to mention when discussing the HIPAA password requirements is that they are “addressable” requirements. This does not mean they can be put off to another date. It means Covered Entities can “implement one or more alternative security measures to accomplish the same purpose.”

In the context of the Administrative Safeguards, the purpose of the HIPAA password requirements is to “limit unnecessary or inappropriate access to and disclosure of Protected Health Information”. Therefore, if an alternative security measure can be implemented that accomplishes the same purpose as creating, changing and safeguarding passwords, the Covered Entity is in compliance with HIPAA.

 

Two-factor authentication fulfills this requirement perfectly. Whether by SMS notification or push notification, a person using a username and password to log into a database containing PHI also has to insert a PIN code to confirm their identity. As a unique PIN code is issued with each log in attempt, a compromised password alone will not give a hacker access to the secure database.

Two Factor Authentication is Already Used by Many Medical Facilities

Interestingly, two factor authentication is already used by many medical facilities, but not to safeguard the confidentiality, integrity and security of PHI. Instead it is used by medical facilities accepting credit card payments to comply with the Payment Card Industry Data Security Standard (PCI DSS) and by others to comply with the DEA´s Electronic Prescription for Controlled Substances Rules.

 

Healthcare IT professionals will be quick to stress that two factor authentication can slow workflows, but recent advances in the software allow for LDAP integration and Single Sign-On between healthcare technologies. As two factor authentication software only transmits PIN codes (and not PHI) the software does not need to be HIPAA compliant, and it is a far easier solution for compliance with the HIPAA Password requirements than frequent changes of passwords and password management tools.

 

Effectively, Covered Entities never need change a password again.

The only thing Covered Entities have to remember before implementing two factor authentication to protect PHI is that, because the HIPAA Password requirements are addressable safeguards, the reasons for implementing the alternative solution have to be documented. This will satisfy the HIPAA requirements for conducting a risk analysis and also satisfy auditors if the Covered Entity is chosen to be investigated as part of HHS´ HIPAA Audit Program.

Why an Alternative to the HIPAA Password Requirements should be Considered

It was mentioned above that most user-generated passwords can be cracked within ten minutes. That may seem an outrageous claim to some IT professionals, but this tool on the ramdom-ize password generating website will give you an idea of how long it could take a determined hacker to crack any password by brute force alone. Social engineering and phishing will likely accelerate the speed at which the hacker succeeds.

 

Randomized passwords containing numbers, symbols and a mixture of upper and lower case letters obviously take a longer to crack – but they are still crackable. They are also much harder for users to remember; and although secure password management tools exist to store passwords securely, if a user wants to access a password-protected account from another device, password management tools are ineffective. The only way for the user to access the account is to have the password written down or saved on another device – such as an unsecured smartphone.

 

Accessing password-protected accounts from secondary devices increases the risk of a data breach due to keylogging malware. This type of malware runs undetected on computers and mobile devices, secretly recording every keystroke in a file for later retrieval by a hacker. As this is a foreseeable risk to the security of Protected Health Information, Covered Entities must either introduce policies to limit users to the devices from which they can access password-protected accounts, or find an alternative to the HIPAA password requirements.  

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

HIPAA Training is not HIPAA Compliance

HIPAA Training is not HIPAA Compliance | HIPAA Compliance for Medical Practices | Scoop.it

We hear from so many doctors’ and dentists’ offices that they are “HIPAA-compliant” because they have completed the required annual HIPAA training for their staff.   FALSE! HIPAA Training is not HIPAA Compliance. HIPAA Training is only one of the components of HIPAA Compliance – thinking otherwise could lead to a false sense of security.

 

HIPAA law consists of various requirements in the areas of security and privacy, use and disclosure of PHI (protected health information) and in breach notification rules.

Minimum steps needed for HIPAA Compliance:

At the very minimum, a doctor’s or dentist’s office must do the following for HIPAA Compliance:

  1. Exercise privacy in the office everywhere.   Be careful about accidental disclosure of patient information.
  2. Display the Notice of Privacy Practices prominently in your office lobby and on your website.
  3. Exercise caution in the use and disclosure of PHI (Protected Health Information).     Patients have the right to review and obtain their PHI.   The onus falls on the medical practice to secure and protect PHI from unauthorized disclosure of any kind.
  4. Conduct the mandatory annual risk assessment, or hire an expert to conduct it for you.   The assessor must take into consideration all the security and privacy-related criteria while conducting the assessment, including all your administrative, physical and technical safeguards.   A detailed list of recommendations and action items should follow as a result of the risk assessment.
  5. Prepare and follow security and privacy policies and procedures.   Your risk assessment should highlight the minimum required policies and procedures that you would need to prepare or obtain.   Physicians and staff members should be familiar with and should follow these policies and procedures on a daily basis.
  6. Provide annual HIPAA Training to your staff and physicians.

Breach notification:

Breaches have unfortunately become only too common these days in an environment where medical records are extremely valuable in the black market.   HIPAA law also specifies strict breach notification requirements in the event of a breach.   The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) requires the practice to inform all individuals whose data might have been lost or stolen.  

 

A breach of more than 500 records is considered a reportable breach, that is, the practice must notify HHS.   This could result in an audit of the practice by federal agencies, and the first thing they are going to ask you for is a copy of your last annual risk assessment.

Small practices may be targets of breaches too:

Many small practices think that they are too small to be targeted.   False again!   If you look at the HHS "Wall of Shame" which lists reported breaches of more than 500 patient records, you will see several small practices listed there who have undergone breaches.   The reality is that smaller practices are likely to be even more affected by a breach considering the high expenses and workload that follow.    The Ponemon Institute has calculated the average healthcare data breach cost to be $380 per record - for 500 records, that comes to approximately $190,000, which can be highly damaging for a small healthcare practice.

 

We often hear from dentists that they do not believe they need to comply.   Also False!  In fact, just recently, on January 2018, Steven Yang, DDS of California and Zachary Adkins, DDS of New Mexico had breaches of 3000+ patient records each due to the theft of a laptop and other portable electronic devices respectively.   

 

Robert Smith, DMD of Tennessee reported 1500 records breached after a hack.  Several other providers such as physicians, hospitals, pharmacies, health plans, and business associates have experienced breaches in the recent past.   It can and will happen to anyone regardless of size - please do not think that it won't happen to you!

Culture of Security and Privacy:

HIPAA Training is not HIPAA Compliance.   Practices should take these requirements seriously as they are here to protect patients and medical professionals.   Protect yourself and your patients by incorporating a culture of security and privacy compliance in your medical practice.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

HIPAA Audits of Covered Entities and Business Associates

HIPAA Audits of Covered Entities and Business Associates | HIPAA Compliance for Medical Practices | Scoop.it

In August, Advocate Health Care Network agreed to pay a $5.55 million settlement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), for multiple HIPAA violations. In addition, HHS also recently announced a $650,000 resolution settlement against the Catholic Health Care Services of the Archdiocese of Philadelphia.

 

These multi-million dollar penalties should be a warning for all covered entities or business associates.  Especially, with the next phase of audits now underway. During this phase, OCR is reviewing the policies and procedures utilized by covered entities and their business associates to ensure they meet the standards and specifications of the Privacy, Security, and Breach Notification Rules. These will mostly be desk audits. However, there will be some on-site audits conducted as well.

 

The audit process began in May 2016 when OCR audit sent emails to verify entity’s address and contact information. The next step was a pre-audit questionnaire that was used to gather information about the size, type, and operations of the facilities. Those who participate in the desk audits are required to provide a list of their business associates and their contact information. Emails will go out to the chosen business associates, who are expected to respond promptly. The audits are expected to focus heavily on breach responses. If a business associate does not respond within the timeframe, they will be scheduled in January 2017 for the comprehensive audits.

 

Some frequently asked questions regarding audits include:

Who Will Be Audited?

 

Every covered entity and business associate are eligible for an audit, including covered individual and organizational providers of health services; health plans, health care clearinghouses; and a range of business associates of these entities.

 

What is a Business Associate?

Business associates are considered any third-party contractor that performs work or activities on behalf of a healthcare organization or covered entity that involve the use or disclosure of protected health information.  A few examples may include:

  • Example of business associates: lawyer’s working on a case, a medical transcription or medical billing companies, document storage or disposal companies, answering services, software vendors, and consultants, patient safety and accreditation organizations, health information exchanges, etc.)
  • Examples NOT typically considered business associates: an employee, maintenance or repair personnel, a financial or banking institution that only performs payment activities or a janitorial service. 

 

What are Business Associate Agreements?

HIPAA and HITECH require practices to sign a business associate agreement (BA) with business associates that ensures they will protect all patient's PHI. The contract protects personal health information (PHI) by HIPAA guidelines. Business associates can be held accountable for any data breach and penalized for noncompliance.

 

Why are Business Associates Agreements important?

Business associate contracts are not only necessary for staying in compliance; they are crucial for the adequate protection of patient PHI.  The following are HIPAA requirements for business associate agreements:

  1. Establish the permitted and required uses and disclosures of protected health information by the business associate.
  2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule about electronic protected health information.
  4. Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information.
  5. Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings.
  6. To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation.
  7. Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule.
  8. At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity.
  9. Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.
  10. Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.  Contracts between business associates and business associates that are subcontractors are subject to these same requirements. (1)

 

How Will Auditees Be Selected?

OCR is identifying groups of covered entities and business associates that represent a broad range of health care providers, health plans, health care clearinghouses and business associates.  According to HHS, the sampling criteria for selection will include the size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

 

What If an Entity Doesn’t Respond to OCR’s Requests for Information?

If an entity does not respond to requests for information from OCR, they will utilize publicly available information about the entity to create its audit pool.  An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

No Exception to HIPAA Privacy Rules, Nurse Learns

No Exception to HIPAA Privacy Rules, Nurse Learns | HIPAA Compliance for Medical Practices | Scoop.it

Ms. P, 45, was a nurse working in the cardiology department of a large hospital. Her duties were varied, and included, among other things, accessing patient medical records to review lab values and other diagnostic tests ordered by physicians, and writing progress notes in patients' charts.

When she was originally hired by the hospital, she was given a lecture from human resources about the importance of patient confidentiality. Ms. P was required to sign an agreement stating that she would protect patient confidentiality by only seeking or obtaining information regarding a patient that was required to perform her duties.

Later, when the U.S. Health Insurance Portability and Accountability Act (HIPAA) went into effect, Ms. P was required to go to another human resources seminar and sign a revised confidentiality agreement.

 

The revised agreement stated that she would not access or view information other than what was required to do her job, and that she would immediately ask her supervisor for clarification if she had any questions about whether information was required for her job.

 

Finally, the agreement contained a section saying that Ms. P acknowledged that violation of the facility's confidentially policy could result in disciplinary action up to and including termination.

Ms. P understood the importance of patient confidentiality and would never look in the records of patients that weren't hers—with two exceptions. Ms. P's mother and sister both had serious chronic conditions that frequently resulted in hospital visits over the years.

 

Ms. P's mother had Parkinson's disease, was on numerous medications, and was prone to falls. Ms. P's older sister, who lived with her, had Down syndrome. Ms. P would periodically look up her mother's and sister's health records on the hospital computer to get information or to access their treatment plans. She didn't see anything wrong with this because it was her own family.

 

One of her colleagues, however, had noticed Ms. P looking at the records on more than one occasion, and anonymously reported her. The hospital's HIPAA compliance officer began an investigation that revealed that Ms. P had accessed her mother's charts on 44 separate occasions and her sister's charts on 28 occasions.

 

When the human resources director confronted her with the results of the investigation, Ms. P admitted that she had accessed the records, but that they were the records of her family members and therefore she didn't see anything wrong with it.

 

“Did you need to access information from their medical records in order to do your job as a clinical affiliate in the cardiology department?” the human resources director asked sternly.

“No,” Ms. P replied. “They were not cardiology patients.”

She was fired that day. Angered by the loss of her job, Ms. P sought the advice of an attorney to see if she could sue the hospital for wrongful termination. The attorney was skeptical.

“HIPAA violations are taken very seriously,” he said. “Did they give you training about patient privacy?”

 

Ms. P admitted that she'd had training.

“Were you asked to sign anything?” the attorney inquired.

“Well, yes,” Ms. P said. “I did sign a confidentiality agreement, and the hospital does have a policy that you could lose your job for violating it. But this was my mother and sister! They don't mind that I looked at their records!”

 

“That's irrelevant,” the attorney said. “It doesn't matter if they are family or not. You still didn't have the right to look at the records. I don't think we have a leg to stand on, unless…” the attorney trailed off, thinking.

 

“How old are you?” he suddenly asked.

When she told him, he smiled. “I think we may have an angle. We can try suing the hospital for age discrimination. We can claim that the privacy violation was merely a pretext to get rid of you – a higher paid experienced nurse – and replace you with a less expensive junior person.”

 

The attorney filed the papers against the hospital. The hospital's attorney promptly filed a motion to dismiss. The court, after reviewing all the facts, dismissed Ms. P's case.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

Health insurer Reaches Settlements Over HIPAA Violations 

Health insurer Reaches Settlements Over HIPAA Violations  | HIPAA Compliance for Medical Practices | Scoop.it

Health insurer Aetna has reached settlements with a number of state attorney generals over HIPAA violations resulting from mailings to HIV/AIDS and cardiac patients, the New Jersey attorney general announced

 

The three states and district involved in the Aetna settlements are Connecticut, the District of Columbia (DC), New Jersey, and Washington. Aetna agreed to pay Connecticut around $100,000, DC around $175,000, and New Jersey $365,000. Washington has not yet disclosed how much it will receive from Aetna.

 

As part of the settlements, Aetna has agreed to implement policy, protocol, and training reforms designed to safeguard individuals’ PHI and ensure the confidentiality of mailings containing that information. The company has also agreed to hire an independent consultant to evaluate and report on its privacy protection practices and to monitor its compliance with the settlements’ terms.

 

 

“Companies entrusted with individuals’ protected health information have a duty to avoid improper disclosures,” said NJ Attorney General Gurbir Grewal. “Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status. I am pleased that our investigation has led Aetna to adopt measures to prevent this from happening again.”

 

The investigation revealed that Aetna disclosed HIV/AIDS-related information on about 12,000 individuals through a third-party mailing on July 28, 2017. The envelopes used in the mailing had a transparent address window, which revealed recipients’ names, addresses, and text that included the words “HIV medications.”

 

The second breach occurred in September 2017 and involved a mailing sent to 1,600 individuals about a study of patients with atrial fibrilation (AFib). The envelopes for the mailing included the name and logo for the study, IMPACT AFib, which could have been interpreted as indicating that the addressee had an AFib diagnosis.

 

DC Attorney General Karl Racine said in a statement: “Aetna failed to protect the health information of District residents and illegally disclosed their HIV status. Every patient should feel confident that their insurance company or health provider will safeguard their confidential medical information. Today’s action will prevent further disclosures and warns other insurance companies that they are responsible for protecting consumers’ private information.”

 

The three states and DC alleged that Aetna not only violated HIPAA but also state laws pertaining to the PHI of individuals in general and of persons with AIDS or HIV infection in particular.

 

In January 2018, Aetna settled a class action lawsuit that required it to pay $17 million in relief to the 12,000 individuals regarding the HIV mailing.

 

Lead plaintiff Andrew Beckett, which is a pseudonym, alleged in his original complaint that PHI and confidential HIV-related information “was disclosed improperly by Aetna and/or Aetna-related or affiliated entities, or on their behalf, to third parties, including, without limitation, Aetna’s legal counsel and a settlement administrator, and through a subsequent mailing of written notices that were required to be sent as part of a settlement of legal claims that had been filed against certain Aetna-related entities or affiliates.”

 

The letters from Aetna had originally been sent in response to a settlement over previous data privacy violation worry. The healthcare company had been sued in two separate class-action lawsuits in 2014 and 2015.

 

“Those lawsuits alleged that Aetna jeopardized the privacy of people taking HIV medications by requiring its insureds to receive their HIV medications through mail and not allowing them to pick up their medications in person at the pharmacy,” according to the 2017 lawsuit.

 

In response to the January 2018 lawsuit settlement, Aetna said that it is “implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

 

“Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident,” Aetna said in a statement.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

OCR Releases New HIPAA Breach Reporting Tool for “Wall of Shame”

OCR Releases New HIPAA Breach Reporting Tool for “Wall of Shame” | HIPAA Compliance for Medical Practices | Scoop.it

Earlier this week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a redesigned HIPAA Breach Reporting Tool on their site.

The HIPAA Breach Reporting Tool is commonly called the “Wall of Shame” because it lists all organizations that have had health care data breaches affecting more than 500 individuals that have occurred since enforcement began. The Wall of Shame is a searchable, permanent database of HIPAA violations maintained by OCR.

The new Breach Reporting Tool allows you to search the full archive of breaches, and gives access to an “Under Investigation” tab. The tool has been redesigned to make it easier than ever before to look through OCR’s investigation history. This makes the consequences of a data breach or HIPAA violation a permanent reputational issue for your organization–especially now that prospective patients are doing more and more research into behavioral health specialists they’re looking to work with.

Protecting your practice with a HIPAA compliance program is an essential way to keep your name off the Wall of Shame. Below, we take a look at exactly what the regulation requires so you know what to look for in a HIPAA compliance program for your practice.

The HIPAA Breach Notification Rule

HIPAA breach reporting and breach notification are essential parts of any organization’s HIPAA compliance. HIPAA breach reporting is regulated by the HIPAA Breach Notification Rule, which was first enacted in 2009 along with the HITECH Act.

The HIPAA Breach Notification Rule categorizes data breaches into two categories with specific requirements for follow-through on each. The two kinds of breaches that the Breach Notification Rule identifies are:

  • Minor Breach: any breach of protected health information that affects fewer than 500 individuals. Individuals must be notified of the breach within 60 days of discovery of the breach. ALL minor breaches that have occurred over the course of the year must be reported to OCR NO LATER than 60 days after the end of the calendar year. This date usually falls on March 1st or February 29th.
  • Meaningful Breach: any breach of protected health information that affects more than 500 individuals. Individuals must be notified within 30 days of the discovery of the breach, and local media must also be notified of the breach. Meaningful breaches must be reported to OCR immediately, within 60 days of the discovery of the breach itself.

Trends in HIPAA Enforcement

In January of 2017, OCR levied its first fine for a violation of the HIPAA Breach Notification Rule in the history of HIPAA enforcement.

The fine was levied against Presence Health, one of the largest health care networks in Illinois. The organization was fined $475,000 after more than 500 individuals were implicated in a meaningful breach. Over the course of its investigation, OCR found that Presence failed to notify the individuals within the 60 days mandated by the Breach Notification Rule.

This is just one example of the recent trend in unconventional HIPAA enforcement efforts that have been targeting health care professionals of all kind across the country.

The best way to mitigate your risk of being targeted by these breaches is to adopt a total HIPAA compliance program in your organization that addresses the full extent of the law. Don’t get caught unprepared!

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

No comment yet.
Scoop.it!

HIPAA Survey Reveals A Reportable Benchmarking Breaches

HIPAA Survey Reveals A Reportable Benchmarking Breaches | HIPAA Compliance for Medical Practices | Scoop.it

In early, HCPro’s Medical Records Briefing (MRB)newsletter conducted a HIPAA benchmarking survey to gauge compliance with the HIPAA Omnibus Rule shortly after its September 23, implementation date. This year, MRBasked healthcare professionals to give us an update on their HIPAA compliance more than one year after implementation.

 

With the March 1 deadline for reporting breaches of PHI to HHS just around the corner, it seemed appropriate to ask respondents about breach notification. The percentage of respondents that said their organizations experienced a HIPAA breach in the past two years remained at 55% .However, more than half of respondents (54%) said their organizations have not experienced an increase in reportable breaches and do not anticipate an increase.

 

Some of this may be related to how organizations define a breach. In fact, one respondent said that his or her facility struggled most with determining whether an incident is a reportable breach.

 

The HIPAA Omnibus Rule eliminated the harm threshold and expanded the definition of a breach to include all PHI that is compromised, which some industry experts predicted would lead to an increase in reportable breaches.

 

The expansion of the definition of a breach may explain why some respondents say they have not experienced a breach in the last two years, says Chris Simons, MS, RHIA, HIM director and privacy officer at Cheshire Medical Center in Keene, New Hampshire. “I suspect they are not using the Omnibus standard for determining a breach, but instead relying on the old assessment of potential harm,” Simons says.

 

This year, 42% of respondents were HIM directors or managers, 30% were privacy officers, and 19% were compliance officers or managers. Based on this data, an increased number of HIM directors or managers appear to be serving as privacy officers at their facility. More specifically, 65% of HIM directors and managers responding to the survey also serve as the privacy officer.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

No comment yet.
Scoop.it!

Did Doctor Violate HIPAA for Political Campaign?

Did Doctor Violate HIPAA for Political Campaign? | HIPAA Compliance for Medical Practices | Scoop.it

Federal regulators are reportedly investigating whether a physician in Richmond, Va., violatedHIPAA privacy regulations by using patient information to help her campaign for the state senate.


The Philadelphia office of the Department of Health and Human Services' Office for Civil Rights is investigating potential HIPAA violations by Siobhan Dunnavant, M.D., a Republican state senate candidate, after a complaint alleged the obstetrician-gynecologist used her patients' protected health information - including names and addresses - to solicit contributions, volunteers and votes, according to an NBC news report.


Conservative blogger Thomas White tells Information Security Media Group that he reported to HHS earlier this year that letters and emails about Dunnavant's candidacy were sent to her patients prior to the June primary race in the state's 12th district, which includes western Hanover County. White says he notified HHS after receiving a copy of a letter from a Dunnavant patient who was annoyed at receiving the campaign-related communications from her doctor.


"I would love for you to be involved," Dunnavant wrote to patients, also reassuring them that their care would not be impacted if she's elected, according to a copy of a campaign letter posted on the NBC website."You can connect and get information on my website. There you can sign up to get information, a bumper sticker or yard sign and volunteer," the posted letter states. Other campaign-related material included emails sent to patients that were signed by "Friends of Siobhan Dunnavant," NBC reports and White confirmed, citing reports from patients.


The physician is one of three candidates seeking the state senate seat in the Nov. 3 election.

Patient Confidentiality

A spokeswoman for Dunnavant's medical practice declined to confirm to Information Security Media Group whether OCR is investigating Dunnavant for alleged HIPAA privacyviolations. However, in a statement, the spokeswoman said, "We are aware of concerns regarding patient communication, and we are reviewing the issue with the highest rigor and diligence. Please be assured we hold confidentiality of patient information of paramount importance, and thank patients for entrusting us with their care."


A spokeswoman in OCR's Washington headquarters also declined to comment on the situation. "As a matter of policy, the Office for Civil Rights does not release information about current or potential investigations, nor can we opine on this case," she says.


White, editor of varight.com, says he first received a copy of one of Dunnavant's campaign letters in May, and that he was the first to report on the issues raised by the letters. He tells ISMG he filed a complaint with the federal government after he confirmed that the use of patient information for campaign purposes was a potential violation of privacy laws.


Nearly four months later, an investigator in OCR's regional office in Philadelphia, which is responsible for Virginia, on Sept. 29 responded to White's complaint, indicating the doctor's actions would be examined. White says he also confirmed again in a call to OCR on Oct. 28 that the case is still under investigation.


"You allege that Dr. Dunnavant impermissibly used the protected health information of her patients. We have carefully reviewed your allegation and are initiating an investigation to determine if there has been a failure to comply with the requirements of the applicable regulation," OCR wrote to White, according to a copy of the OCR letter that appears on White's website.

HIPAA Regulations

Privacy attorney Adam Greene of the law firm Davis Wright Tremaine says Dunnavant's alleged use of patient information raises several HIPAA compliance concerns.


"HHS interprets HIPAA to cover demographic information held by a HIPAA-covered healthcare provider if it is in a context that indicates that the individuals are patients of the provider," he notes. "Healthcare providers must be careful when using patient contact information to mail anything to the patient - even if no specific diagnostic or payment information is used. If a patient's address is used to send marketing communications or other communications unrelated to treatment, payment, or healthcare operations without the patient's authorization, then this may be an impermissible use of protected health information under HIPAA."


If patient contact information is shared with someone else, such as a political campaign, that also could be a HIPAA violation, Greene adds. "The same information that can be found in a phone book - to the extent anyone uses phone books - may be restricted in the hands of healthcare providers."


Privacy attorney David Holtzman, vice president of compliance at the security consulting firm CynergisTek, notes that the HIPAA Privacy Rule has "a blanket prohibition" on a HIPAA covered entity disclosing the protected health information of their patients without first seeking authorization of the individual - except where specifically permitted or required by the rule.


"There is no provision in the privacy rule where a healthcare provider who is a HIPAA covered entity can disclose patient information to a political campaign," he points out.


Because of those restrictions, federal regulators will carefully scrutinize the case, Holtzman predicts. "It is likely that OCR will look closely at the doctor's correspondence for its communication about her candidacy for political office, how to contact the campaign or obtain campaign products as well as the statement that the letter was paid for and authorized by the campaign organization."


An OCR investigation into the alleged violations of the HIPAA Privacy Rule could result in HHS imposing a civil monetary penalty, Holtzman notes. "There are criminal penalties under the HIPAA statute for 'knowingly obtaining or disclosing identifiable health information in violation of the HIPAA statute,'" he adds.

Potential Penalties

Offenses committed with the intent to view, transfer or use individually identifiable health information for commercial advantage, personal gain or malicious harm are punishable by a fine of up to $250,000 and imprisonment for up to 10 years, Holtzman notes.


"The Department of Justice is responsible for investigating and prosecuting criminal violations of the HIPAA statute," he says. "And changes in the HITECH Act clarified that a covered entity can face both civil penalties for violations of the privacy rule and criminal prosecution for the same incident involving the prohibited disclosure of patient health information."


The U.S. Department of Justice did not respond to ISMG's request for comment on whether it's planning to investigate the Dunnavant case.

No comment yet.