HIPAA Compliance for Medical Practices
72.1K views | +16 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA liability protections: business associate agreements are must for effective risk management

HIPAA liability protections: business associate agreements are must for effective risk management | HIPAA Compliance for Medical Practices | Scoop.it

The first step for a physician, known under the language of HIPAA as a “covered entity,” is to determine the need for a BAA with a vendor. A vendor is considered a “business associate” under HIPAA if the vendor creates, receives, maintains, or transmits patient health information (PHI) on the provider’s behalf.

 

Common services performed by a business associate (BA) include claims processing, data analysis, quality assurance, billing and collection, practice management, legal, accounting, and consulting.

 

Entities that only serve as conduits, such as the post office or Internet service providers, are not considered BAs even though they handle patient information.

 

What BAs must include

If a business associate is providing services to a covered entity, the parties must enter into a written BAA that:

 

  • establishes the permitted uses/disclosures of PHI,
  • stipulates that the BA must use appropriate safeguards to prevent unauthorized PHI uses and disclosures,
  • spells out that the BA reports to the covered entity any unauthorized uses and disclosures,
  • extends the terms of the BAA to its subcontracts, and
  • establishes that upon termination of the BAA, the vendor must either return or destroy all PHI.

 

The consequences of not having a written BAA can be severe. The Office of Civil Rights (OCR) could request a copy of a covered entity’s BAA if there is a complaint registered over a covered entity or if a breach occurs.

 

Violations under HIPAA can be penalized at anywhere between $100 to $50,000 per violation, up to a calendar year maximum penalty of $1,500,000 for a single violation. The OCR could take the position that every day that the BA and covered entity did not have a business associate agreement is a violation, and multiply the fine by the number of days no BAA penalty was in place, so the penalties can be steep.

 

Liability of agents

Under HIPAA, a covered entity is liable for the acts of its agents, which can include a BA.

 

Whether an agency relationship exists is determined case by case, with the essential factor being whether the provider has the right or authority to control the BA’s conduct. The authority of a provider to give instructions or directions is the control that can result in an agency relationship.

 

The language in the BAA will be considered in determining whether an agency relationship is present. If a covered entity is controlling the performance of its BA, the covered entity should closely monitor the BA’s performance since the covered entity will be held accountable for its performance.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time | HIPAA Compliance for Medical Practices | Scoop.it

For the first time, a HIPAA privacy complaint filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in federal criminal prosecution.

 

A complaint was filed with OCR over an impermissible disclosure of a patient’s protected health information by a doctor. The doctor, Richard Alan Kaye of Suffolk, Va., was alleged to have shared PHI with the patient’s employer without consent from the patient – A violation of the HIPAA Privacy Rule.

 

The case against Kaye has been referred to the Department of Justice, which has pressed charges. While OCR has referred more than 500 HIPAA violation cases in the past, this if the first time that an investigation of a privacy complaint has resulted in criminal prosecution.

 

Kaye had previously worked at Sentara Obici Hospital in Suffolk, Va., as Medical Director of its Psychiatric Care Center. The patient had been enrolled in a mental health treatment program at the hospital and Kaye treated and subsequently discharged the patient. On discharge, Kaye stated that the patient was not a threat to the public.

 

Federal prosecutors allege Kaye shared PHI with the patient’s employer “under the false pretenses that the patient was a serious and imminent threat to the safety of the public, when in fact he knew that the patient was not such a threat.”

 

While it was previously possible for egregious HIPAA violations to result in criminal prosecutions for HIPAA covered entities, filing charges against individuals was problematic. When individuals were discovered to have violated the privacy of patients, and the violations warranted criminal prosecution, it was necessary to file charges under the aiding and abetting theory – The abuse of an individual’s position to violate HIPAA Rules.

 

However, the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) provided further clarification on criminal prosecutions for HIPAA violations, and made the process of prosecuting individuals for HIPAA privacy violations more straightforward.

 

If cases are investigated and OCR determines HIPAA Rules have been violated by covered entities, the cases are typically resolved by OCR, often via settlements. However, if individuals are alleged to have violated HIPAA Rules, criminal penalties may be appropriate. In such cases, OCR can refer the cases to the Department of Justice, the federal attorney general, and/or state attorneys general to pursue criminal charges against those individuals.

 

While criminal cases have been filed against individuals who violated HIPAA Rules and impermissibly disclosed PHI, the uncertainty of pursuing cases against individuals prior to the passing of the HITECH Act dissuaded federal prosecutors from pursuing cases. Since the HITECH Act was passed, there have been referrals of cases, although this is understood to be the first time that the Department of Justice has actively pursued criminal charges against an individual following the referral of a privacy complaint by OCR.

 

There is no private cause of action in HIPAA. While private citizens can file complaints with the OCR over alleged violations of HIPAA Rules, they are not permitted to file lawsuits against covered entities for HIPAA violations. The lack of criminal penalties for HIPAA violations may have dissuaded patients from filing complaints. Now the Department of Justice is taking action against an individual for an egregious HIPAA privacy violation, it may encourage more patients to file complaints with OCR.

 

This DOJ case shows federal authorities are now taking HIPAA Privacy Rule violations much more seriously. OCR is also training state attorneys general on HIPAA enforcement. After state attorney generals have received training, it is expected they too will take a more aggressive stance against covered entities that have violated the privacy of state residents.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Sees Meritus Medical Center Stop Media Announcements

HIPAA Sees Meritus Medical Center Stop Media Announcements | HIPAA Compliance for Medical Practices | Scoop.it

Meritus Medical Center is one of a number of hospitals that has stopped issuing information about patient conditions to the media. The hospital announced on September 22 that this courtesy would be stopped.

 

The Health Insurance Portability and Accountability Act places certain restrictions on the disclosure of Protected Health Information to third parties, including the media. Just a few years ago, reporters would be able to call a healthcare provider to make an enquiry about the health status of a patient.

 

The hospital staff would provide general information about a particular patient’s condition if they were asked about a patient by name. The information disclosed would be restricted, so reporters would be advised for instance, that a patient was good, fair, stable or in critical condition.

 

Under HIPAA Rules this information may be disclosed to the media; however it is not mandatory for a hospital or healthcare provider to give out any information, except when it is in the public health interest to do so or if required by law enforcement officers to assist with an investigation.

 

HIPAA Rules See Patient Privacy Improved
Since the HIPAA Privacy Rule is now being enforced, and covered entities can face considerable fines for violations of the Rules covering the disclosure of PHI, many hospitals have now taken the decision to stop releasing any information on patients. They see it as a measure that will improve privacy and help avoid any inadvertent HIPAA violations.

 

In the case of Meritus Medical Center it was not only the risk of HIPAA violations, but the policy was changed to improve privacy standards for patients. Meritus Communications Manager, Nicole Jovel, said in a media announcement “In conversations with clinicians and administrators, we determined we needed to really increase the level of privacy we were providing.”

 

A Patient’s Status can Rapidly Change
There are also problems with such a simple classification of status and providing information when it is likely to change. Patients may slip from serious to critical, or may improve from one day to the next. It would not be fair to report a condition, if that information may be incorrect just a few hours later. In the case of newspapers which are printed the following day, they may contain inaccurate information before they even hit consumers’ doorsteps.

 

Patient Safety is a Major Consideration
Then there is the issue of confirming the identity of the caller, which in often impossible. The hospital treats numerous victims of domestic violence, and Jovel pointed out that the staff cannot be sure if they are giving information to an abusing partner.

The problem faced by Meritus is typical. There are too many variables to consider, and in a busy healthcare setting it is too easy for mistakes to be made. Ultimately those mistakes could prove detrimental to patients and the decision is made to stop issuing all reports to the media.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
Scoop.it!

How to Comply with HIPAA

How to Comply with HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 to protect patients' health information. Since its inception, health care providers have struggled with the need to protect patient privacy, share information, and keep paper work under control.


“When HIPAA came out, everyone was so afraid of penalties … but a lot of it was a reasonable recognition of patients' privacy that was already occurring in 99.9% of the cases,” said L. Lee Hamm, MD, Professor of Medicine and Executive Vice Dean at Tulane University School of Medicine in New Orleans.

 

“It added a lot of administrative burden and … it introduced a few things to make certain that people didn't inadvertently do something they shouldn't do.”

 

Electronic information


A part of HIPAA with which specialists in particular are concerned is sharing information among other health care providers. Entities covered under HIPAA are allowed to share private information with other health care professionals for the purposes of treatment, payment, and operations.

 

But Heinold said there are often delays during this process that can negatively impact quality of care and increase liability. This can occur when providers unnecessarily request patients' consent.

 

One of the most efficient ways to communicate among providers is via electronic communication. HIPAA was amended in 2009 to encompass the use of electronic health records with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

 

Fresenius staff is increasingly receiving communication about patients electronically through mediums such as text and instant messaging, Heinold said. While this can facilitate exchange of records, it also comes with inherent risks. Fresenius trains staff to provide the minimum necessary information when texting about patients.

 

Louis Liou, MD, Chief of Urology at Cambridge Health Alliance, said his organization's biggest HIPAA concerns relate to electronic information. To comply, Cambridge ensures that all physicians with smart phones have them password protected and that their e-mail is secure.

 

Cambridge physicians try to avoid texting patient information when possible, but if they must, they do not use any patient identifiers in the text messages.

 

“There are a lot of pitfalls that could potentially happen,” Dr. Liou said. “Thumb drives have given way to Cloud issues. I think potentially there can always be problems – no matter how failsafe you make the system, there is always human error.”

 

Dialysis settings


Another concern is the communal open-floor nature of some clinical settings, as is often the case in dialysis centers, which may make it difficult to protect patient privacy. Still, training staff and implementing privacy procedures can go a long way to meeting HIPAA requirements.

 

Rosemary Heinold, Director of Communications for Fresenius Medical Care North America, a dialysis services provider and manufacturer of peritoneal and hemodialysis machines and equipment, said their organization has a handful of practices that help them comply with HIPAA.

 

Although patients are examined on the dialysis floor, Fresenius clinics also offer private examination rooms. Patients are never required to be examined in an open setting and may request a private room for physician consultations.

 

Like most providers, Fresenius staff gives patients a notice of privacy rights, which individuals must sign. They also post a notice of their privacy practices at all treatment sites.

 

Fresenius providers also work by the “minimum necessary” rule. The staff only shares the least amount of information necessary with patients on the clinic floor, particularly when others are within earshot.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

No Exception to HIPAA Privacy Rules, Nurse Learns

No Exception to HIPAA Privacy Rules, Nurse Learns | HIPAA Compliance for Medical Practices | Scoop.it

Ms. P, 45, was a nurse working in the cardiology department of a large hospital. Her duties were varied, and included, among other things, accessing patient medical records to review lab values and other diagnostic tests ordered by physicians, and writing progress notes in patients' charts.

When she was originally hired by the hospital, she was given a lecture from human resources about the importance of patient confidentiality. Ms. P was required to sign an agreement stating that she would protect patient confidentiality by only seeking or obtaining information regarding a patient that was required to perform her duties.

Later, when the U.S. Health Insurance Portability and Accountability Act (HIPAA) went into effect, Ms. P was required to go to another human resources seminar and sign a revised confidentiality agreement.

 

The revised agreement stated that she would not access or view information other than what was required to do her job, and that she would immediately ask her supervisor for clarification if she had any questions about whether information was required for her job.

 

Finally, the agreement contained a section saying that Ms. P acknowledged that violation of the facility's confidentially policy could result in disciplinary action up to and including termination.

Ms. P understood the importance of patient confidentiality and would never look in the records of patients that weren't hers—with two exceptions. Ms. P's mother and sister both had serious chronic conditions that frequently resulted in hospital visits over the years.

 

Ms. P's mother had Parkinson's disease, was on numerous medications, and was prone to falls. Ms. P's older sister, who lived with her, had Down syndrome. Ms. P would periodically look up her mother's and sister's health records on the hospital computer to get information or to access their treatment plans. She didn't see anything wrong with this because it was her own family.

 

One of her colleagues, however, had noticed Ms. P looking at the records on more than one occasion, and anonymously reported her. The hospital's HIPAA compliance officer began an investigation that revealed that Ms. P had accessed her mother's charts on 44 separate occasions and her sister's charts on 28 occasions.

 

When the human resources director confronted her with the results of the investigation, Ms. P admitted that she had accessed the records, but that they were the records of her family members and therefore she didn't see anything wrong with it.

 

“Did you need to access information from their medical records in order to do your job as a clinical affiliate in the cardiology department?” the human resources director asked sternly.

“No,” Ms. P replied. “They were not cardiology patients.”

She was fired that day. Angered by the loss of her job, Ms. P sought the advice of an attorney to see if she could sue the hospital for wrongful termination. The attorney was skeptical.

“HIPAA violations are taken very seriously,” he said. “Did they give you training about patient privacy?”

 

Ms. P admitted that she'd had training.

“Were you asked to sign anything?” the attorney inquired.

“Well, yes,” Ms. P said. “I did sign a confidentiality agreement, and the hospital does have a policy that you could lose your job for violating it. But this was my mother and sister! They don't mind that I looked at their records!”

 

“That's irrelevant,” the attorney said. “It doesn't matter if they are family or not. You still didn't have the right to look at the records. I don't think we have a leg to stand on, unless…” the attorney trailed off, thinking.

 

“How old are you?” he suddenly asked.

When she told him, he smiled. “I think we may have an angle. We can try suing the hospital for age discrimination. We can claim that the privacy violation was merely a pretext to get rid of you – a higher paid experienced nurse – and replace you with a less expensive junior person.”

 

The attorney filed the papers against the hospital. The hospital's attorney promptly filed a motion to dismiss. The court, after reviewing all the facts, dismissed Ms. P's case.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Strategies for Measuring HIPAA Compliance Efforts

Strategies for Measuring HIPAA Compliance Efforts | HIPAA Compliance for Medical Practices | Scoop.it

About 40% of large health care organizations do not take the time to measure how well their HIPAA compliance measures are working, according to Brian Wells, Chief Technology Officer of the cybersecurity firm Merlin International, headquartered in Vienna, Virginia. Most are unaware if they have thwarted cyberattacks, blocked malicious emails or kept staff from releasing inappropriate information.

 

“If they can't report that to the board, then they may stop giving them money to do more,” Wells said.

 

Measuring an organization's HIPAA strategy can be challenging. It is difficult to know if efforts to thwart cyberattacks have actually prevented breaches. “When ransomware like WannaCry comes out, it may be possible to say you protected yourselves,” he said. “If nothing bad has happened in a while, you can assume you are either doing a good job or just haven't been a target.”

 

How are providers supposed to measure HIPAA compliance effectiveness? Here are a few strategies for determining if an organization is on the right path using both internal and external resources.

 

A human touch
Wells works with hospitals now, but when he was on the medical practice side, his group performed annual testing on HIPAA regulations. The test was not hard, but everyone in the practice had to pass it. This not only lets a provider know where education is slipping through the cracks, but also provides a paper trail to point to should a practice get audited.

 

Adam Greene, a partner with Seattle-based Davis Wright Tremaine, also recommends informal testing to make sure people

 

understand their obligations under HIPAA. For example, the person in charge of HIPAA security can make a checklist to ask staff that includes questions like: “If someone wants to see something in their medical record, how would you respond?” Staff should know the patient has a right to records and the process involved in turning them over, be it filling out a form or directing the patient to the staff member who handles requests.

 

Another option is to assign an individual who would be accountable for walking around an office to ensure protected health information is secured properly. A few points to include would be ensuring computers are not facing toward patients; locked cabinets do not have the key hanging next to them; and people are logging out when they leave their computers.

“There could be a 10- to 20-question checklist and they can use it to see how they are doing and compare it over time,” said Marti Arvin, Vice President of Audit Strategy for CynergisTek, which is headquartered in Mission Viejo, California.

 

Arvin said an internal audit can be used to make sure staff members know where privacy policies are and that they are understood; whether all patients at their initial visit are provided with notices of privacy procedures; and if all of the staff members are receiving HIPAA training as they should.

 

Technology testing
Because health IT is constantly under attack, it would be difficult, expensive, and “voluminous” to show all of the attacks an organization has defended against, Greene said.

One option instead is to perform vulnerability scanning on a regular basis to examine if a system has unpatched software or other vulnerabilities. Another good practice is a phishing test. Here, an organization generates its own malware link and sends it to staff to see if anyone clicks.

 

Wells said an IT department can put in place a program that will check to see that people are only doing what they are supposed to be doing with their devices. It can also detect unmanaged devices that appear in the system. Electronic audit logs can be monitored to ensure people are not abusing their access.

 

Encryption is a must-have under HIPAA, and Greene said the best way to look at it is demonstrating that laptops are encrypted and will remain that way. For instance, someone with administrative rights can turn off encryption if they choose. But technical measures can be used to limit someone's ability to turn it off and to maintain compliance.

 

“Those things are really more to let you know how compliant you think you are,” Wells said. “For a full security audit, you are typically going to have to hire out.”

Keep it simple


Most physician practices are “dramatically under-resourced” in HIPAA staffing, Greene said. “The office administrator might be the privacy officer and maybe the security officer, too,” he said. “That is a lot of responsibilities, so providers need to give it some thought … and be careful about laying [extra responsibilities] on an office administrator who doesn't have enough time to do their regular job.”

 

Some of these auditing duties may need to be spread throughout an organization or hired out, but practices need to have an individual who is held accountable for auditing HIPAA policies. “There should be some oversight,” Arvin said. “Lots of practices give the title of security officer, but don't give resources or educate them on the responsibilities of overseeing the program.”

Greene also recommends making this a long-term endeavor. Instead of trying to look at all areas of compliance at once, he recommends starting with places where an office has had problems, where similar practices have had settlements, or where the Office for Civil Rights offers guidance.

 

For example, an individual responsible for HIPAA compliance might first spend some time ensuring staff members are providing patients with access to their records and if they are charging the right amount for them. Then he or she could move to other areas, such as disclosure of privacy practice guidelines.

“You can ultimately look at different regulatory requirements and create a master plan for how you are going to audit them,” he said. “Prioritize some immediately and others next year or the year after because they are seemingly lower risk.”

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Important HIPAA Compliance Issues in 2018

Important HIPAA Compliance Issues in 2018 | HIPAA Compliance for Medical Practices | Scoop.it

As 2018 gets underway, experts offer advice on some important issues related to HIPAA compliance. One issue is patient access to medical records. Kathy Downing, vice president of information governance and standards at the American Health Information Management Association, said her organization receives many complaints from patients who have issues receiving medical information even though right of access has been in place since 2003.This area is what Downing calls “super low-hanging fruit on the HIPAA tree.” If patients request records, there is no need to make them wait 30 days. If the records are stored electronically, practices should allow patients to receive their information in that format.

 

“The reason this is important is because in a lot of the cases, patients may be seeing multiple providers for chronic conditions, and having their chart allows them to be more engaged in their care,” she said. “It's an important patient right, and important for population health and patient engagement.”

 

By giving patients their records, providers are also allowing them to do a quality review to ensure their information is correct. Electronic medical records commonly contain errors, mainly because of copying and pasting of data, Downing said.

 

If physicians are uncomfortable talking with patients about information in their charts, she recommends that practices appoint a nurse who can deal with patient queries. Portals can also be a good resource to guide patients through their information. If someone has been diagnosed with prediabetes, for instance, a portal can provide links to trusted online sources that can answer patient questions.

 

Increased enforcement?


Another HIPAA-related question facing medical practices this year is the Office for Civil Rights (OCR) approach to HIPAA enforcement. Michael Bossenbroek, a partner at Wachler & Associates, P.C. in Royal Oak, Michigan, listened to remarks at a HIPAA conference last fall from the new OCR director. OCR might be striking a different tone as a new administration takes the reins. “How they balance the objectives of education and compliance with enforcement remains to be seen,” Bossenbroek said.

 

The OCR director gave no specifics, Bossenbroek said. Whatever approach emerges from OCR, as before, providers need to ensure they have the basics completed, with a risk analysis performed and solid policies and procedures in place.

 

Chris Apgar, CEO and president of Apgar & Associates LLC, in Portland, Oregon, said OCR has made it clear there will be continued enforcement activity in the coming years. No one is immune from them, he said. He recently worked with a small entity that had their wrists slapped by OCR. He helped them prepare a response, and when they failed to follow through with their plan, he had to mediate between the organization and OCR.

 

“If you respond to OCR in an appropriate and timely manner and follow through, they go away,” he said. “If you don't, they stick around. They are not going away.”

 

Shortage of security talent


Health care organizations will continue to face a shortage of information technology (IT) security talent in 2018, Apgar said. A report released this past summer by the US Department of Health and Human Services found that 3 out of 4 hospitals do not have a designated information technology (IT) security professional.

 

Larger organizations are better able than small groups to afford hiring IT talent, which can be expensive, Apgar said. But smaller organizations, which often delegate IT security to office staff who are already busy with other tasks, have options. Apgar recommends looking for students graduating from information security programs and bringing them on board as interns. Small groups do not require the same kinds of security setup that a Cleveland Clinic or Kaiser might need, and young individuals can help build and run systems. Organizations can grow a position with them when they are new in the field, although these individuals could leave when they become seasoned and expect a higher salary.


Vendors


With OCR increasingly scrutinizing and auditing business associates, it is important for practitioners to ensure their vendors are compliant. Apgar said the vendors he works with are increasingly motivated to do this for fear of losing customers. These customers – health care practitioners – are demanding proof of compliance.

 

To better understand a vendor's compliance, providers can request policies and procedures and ask to see their risk analysis and any other pertinent documentation. Some ask that vendors fill out a security questionnaire. Others go even further. Groups like Apgar's company can act as a third party to conduct a risk assessment, then attest in writing that a vendor has either mitigated or accepted risks found in the analysis.

 

New tools


It used to cost anywhere from $75,000 to $100,000 for a tool that would automatically monitor audit logs and send alerts if an anomaly is found for a hospital or larger clinic, Apgar said. Over the past couple of years, new options have hit the market that lowered the cost to $35,000 or less, which is a game changer for HIPAA compliance, he said.

 

“As more technology becomes affordable, there is a higher likelihood that regulatory bodies will push back and say providers have to use it,” Agar said. “If a hospital is generating and not regularly reviewing audit logs, they will look negligent to regulators.”

 

Technology tends to move with the needs of the market. For instance, as cyber crime has become increasingly prevalent, tools have been developed and marketed to prevent attacks. Some tools look both internally and externally in a network to see if unusual behavior is occurring, and sends an alert if any anomaly is found.

 

Keeping track of technology as it becomes more affordable is not always simple. Apgar said providers can look at IT newsletters and check with their state associations to stay atop of new and affordable tools coming on the market.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004

more...
No comment yet.
Scoop.it!

Case Management and HIPAA information

Case Management and HIPAA information | HIPAA Compliance for Medical Practices | Scoop.it

An employee of the Iowa’s Mahaska County government alleged that another employee committed a HIPAA violation when she locked a member of the public inside a building where files containing PHI were stored unsecured, the Oskaloosa News reported.

 

Kim Newendorp, general assistant director for Mahaska County, told the Board of Supervisors this month that a fellow county employee had locked a member of the public in the Annex Building and left that person alone in the facility.

 

“This person was waiting for me, but in doing so, she left all of the case management confidential and HIPAA information unlocked and accessible to that person. This is a HIPAA violation,” Newendorp told the board.

 

Newendorp said she notified her boss, one of the board members, about the incident but received no response. She then spoke with the county’s chief privacy officer, Jim Blomgren, who passed information about the incident on to the company that handles human resources for the county. No action was taken.

 

Newendorp said that she filed an official grievance with the Board of Supervisors, who passed it onto Blomgren, who then passed it on to the HR people, again with no result.

 

“I’m disappointed this situation has not been handled,” she told the board. “Especially due to the importance of HIPAA. The state DHS official has come forward to say that this situation is an issue, and yet nothing has been done.”

 

“I understand this topic may not be as important to you as roads, 911, and the airport, but I can tell you that the people’s right to have their personal information locked and secured is important to the hundreds of past clients of Mahaska County Case Management, and their families and myself.”

 

Willie Van Weelden, chairman of the Mahaska County Board of Supervisors, said he took action at the time, but declined to say what he specifically did to address Newendorp’s concerns.

Oskaloosa News asked Blomgren to comment on Newendorp’s testimony. “Since the comments of the employee at the meeting of the Board of Supervisors involves personnel issues and alleged HIPAA infractions I do not believe I am at liberty to discuss them,” he responded.

 

“I think in most counties, the board of supervisors, you would never do an investigation into HIPAA. You would never do a human resources investigation. No county I know of would have their board do that,” Paul Greufe of PJ Greufe & Associates told Oskaloosa News.

 

Greufe said that most counties hire professional services such as his to do the HR work and would direct those people to start an investigation. “And so that was the process that was followed to the letter.”

SIMILAR INCIDENT IN BOSTON RESULTS IN OCR REPORT

The incident alleged by Newendorp is similar to one that occurred at the Boston Healthcare for the Homeless Program (BHCHP) earlier this year. In that case, someone was not let into the facililty unattended but broke in.

 

There was unsecured PHI in the facility, but no evidence that the PHI was viewed by the intruder. Still, BHCHP did notify people affected about the incident and reported it to OCR. 

 

The unsecured PHI included handwritten staff notes, printed patient lists, referral forms, and insurance/benefits applications. BHCHP told OCR that 861 individuals were affected by the breach.

BHCHP said it conducted an internal investigation that included a search of the clinic to which the intruder would have had access and interviews with clinic and shelter staff.

 

The program also ensured that the clinic door was secure and implemented additional safety measures, including an additional lock on internal doors within the clinic and secure storage of keys to internal doors, file cabinets, and storage cabinets.

 

BHCHP also updated its policies governing how staff use and store patient information.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Hospitals Fail at HIPAA Compliance Re Medical Records Requests

Hospitals Fail at HIPAA Compliance Re Medical Records Requests | HIPAA Compliance for Medical Practices | Scoop.it

Many hospitals failed at HIPAA compliance in response to simulated patients’ requests for medical records, according to a study by Yale researchers published in the JAMA Network Open.

 

The researchers surveyed 83 top-ranked US hospitals with independent medical records request processes and medical records departments reachable by telephone.

 

According to HIPAA, patient requests for medical record must be fulfilled within 30 days of receipt in the format requested by the patient if the records are readily producible in that format. OCR guidance says that hospitals can charge a cost-based fee to provide those records.

 

The researchers conducted scripted interviews with medical records departments in a simulated patient experience and also collected medical records release authorization forms. There was wide variation in the information provided on the authorization forms and from the telephone calls in terms of what data could be requested, release formats, costs, and processing times.

 

On the authorization forms, only 44 hospitals (53%) provided patients the option to acquire the entire medical record. On telephone calls, all 83 hospitals stated that they were able to release entire medical records to patients.

 

There were discrepancies in information given in telephone calls versus authorization forms among the formats hospitals said that they could use to release information: 69 versus 40 for pick up in person, 20 versus 14 for fax, 39 versus 27 for email, 55 versus 35 for CD, and 21 versus 33 for online patient portals. These results demonstrated noncompliance with HIPAA in refusing to provide records in the format requested by the patient, the study noted.

 

There were 48 hospitals that had costs of release above the federal recommendation of $6.50 for electronically maintained records. In one case, a hospital charged $541.50 for a 200-page medical record. At least seven of the hospitals were noncompliant with state requirements for processing times.

 

“Discrepancies in information provided to patients regarding medical records request processes and noncompliance with regulations appear to indicate the need for stricter enforcement of policies relating to patients’ access to their protected health information,” the researchers concluded.

 

The study is timely because the Trump administration has launched the MyHealthEData initiative, which is designed to improve EHR patient data access and use. MyHealthEData is intended to break down the barriers that prevent patients from having electronic access and control over their own health records from the device or application of their choice.

 

In 2017, President Donald Trump issued an executive order in which he directed government agencies to “improve access to and the quality of information that Americans need to make informed healthcare decisions, including data about healthcare prices and outcomes, while minimizing reporting burdens on affected plans, providers, or payers.” The order was part of a broader effort to increase market competition in the healthcare market.

 

“The MyHealthEData initiative will work to make clear that patients deserve to not only electronically receive a copy of their entire health record, but also be able to share their data with whomever they want, making the patient the center of the healthcare system. Patients can use their information to actively seek out providers and services that meet their unique healthcare needs, have a better understanding of their overall health, prevent disease, and make more informed decisions about their care,” explained a March 2018 CMS press release.

 

While the goals of MyHealthEData are lofty, the results of this Yale study call into question the ability of private healthcare organizations to fulfill the Trump administration’s initiative, never mind comply with existing HIPAA patient access requirements.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Why Your Dental or Medical Website Needs To Be HIPAA Compliant?

Why Your Dental or Medical Website Needs To Be HIPAA Compliant? | HIPAA Compliance for Medical Practices | Scoop.it

As the digital world becomes ever more entrenched in our lives, so does crime and information gathering start becoming more advanced. Patient privacy is a serious issue, and while the majority of websites can safely be hosted on the internet without special considerations regarding safety and security, healthcare has no such luxury. In fact, it is vital that all healthcare websites take extra steps to secure their site to be HIPAA compliant.

 

HIPAA And You, What Is It Exactly?

Developed some years ago, HIPAA stands for the Health Insurance Portability and Accountability Act (HIPAA) and was established to provides guidelines and regulations on the security of the personal information of patients. Two elements of this rule create conditions that must be met to be found in compliance with HIPAA rules. These rules are the Privacy Rule, outlining the protection of your patient’s private health information, and the security rule describing the requirements for data security measures.

 

How Can I Make My Website HIPAA Compliant?

It begins with going beyond basic encryption, websites that seek to be HIPAA compliant have to invest in higher level security measures. The only way you can avoid this as part of the medical industry would be if your site doesn’t do any collection or providing of personal information, and avoiding any third-party transactions of data.

 

The first step to securing your website is to utilize SSL security or Secure Sockets Layer. You’ve likely noticed sites like this when they contain the https:// prefix instead of http://. Those sites that have an SSL certificate encrypts communication between the web browser and the server. This is required to be found in compliant with HIPAA laws.

 

You can also make sure that your site is HIPAA compliant by using high security data collection forms that provide additional protection. The basic CMS (Content Management System) provided with most web hosts don’t provide that level of security, so it’s often wise to select a third party form builder that meets the requirements of HIPAA. 

 

Healthcare Website Design

HIPAA compliance is a vital element of your design for a healthcare website, especially as access to technology increases and becomes further integrated with our day to day lives. It is your responsibility as the owner of the website to ensure that your security system meets the strident requirements of this act. Whether you’re a public institution or serve the community as a private practice, your website design company can aid you in providing a secure website that will be approachable and informative for your clientele while maintaining the necessary security protocols.

 

Don’t put your practice at risk with a site that doesn’t protect your patients information appropriately,  To begin designing an attractive website that will serve your patients with the security and peace of mind they deserve. Violations of HIPAA are a serious concern and can result in costly fines and, more importantly, the compromising of your patients privacy.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

9 keys to having a HIPAA-compliant cloud

9 keys to having a HIPAA-compliant cloud | HIPAA Compliance for Medical Practices | Scoop.it

Healthcare organizations are increasingly open to the idea of using public cloud services, whether it be applications or infrastructure. But to do so requires thorough planning and vigilant execution of IT operations.

 

Chris Bowen, founder and chief privacy and security officer for ClearDATA, a company that helps healthcare organizations use public cloud services, provides nine examples of controls that can be put in place. 

 

  1. Implement audit controls: Use tools such as AWS’ Cloudtrail and S3 buckets as key components of a logging infrastructure.
  2. Review system activity: Leverage audit logs to enable the review of activity within your system.
  3. Identity and Access management control: Keep track of every user who logs into a cloud environment and what they do; alert administrators if settings are changed. 
  4. Disaster recovery: Ensure there are backups of all data to satisfy contingency plan requirements, including emergency mode operation.
  5. Evaluate your security posture: Conduct vulnerability scans, penetration tests, and code scan on systems processing Personal Health Information (PHI).
  6. Establish a proper Business Associate Agreement: Outline key responsibilities between you and your vendors. These should address responsibilities for keeping data safe, how to provide patients with access to their data, and what to do in the case of a data breach.
  7. Access Controls: Ensure users are unique and logged. Enable auto logoff features, robust authentication features, and stateful security groups.
  8. Encrypt PHI and other sensitive data: Encrypt all data in motion and in rest using a purpose-designed approach.
  9. Ensure transmission security: Effectively enable the proper encryption of data in transit using AES 256 encryption (SSL and TLS) as well as object keys where feasible.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA as an umbrella for county/municipal cybersecurity

HIPAA as an umbrella for county/municipal cybersecurity | HIPAA Compliance for Medical Practices | Scoop.it

Are you a covered entity?

Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.

 

How do you know if you have or are a CE? If some department or division within your organization is a health care provider, a health plan or a health care clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), health care clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.

Are you in compliance?

If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.

 

In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?

 

I suspect what often happens is that executives look at something like information security policy requirements and say:

This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.

 

What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.'

Trust but verify

There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances, and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.

Extend HIPAA to your enterprise

If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that level while also getting compliant with federal law.

 

Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted good practices.

Develop your policy with the HIPAA Security Rule

There are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.

The original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards; Final Rule, is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix on page 48 (8380 of the federal register).

The security standards in HIPAA are broken down into three sections, each of which has multiple layers and subcomponents:

  • Administrative Safeguards (9 components)
  • Physical Safeguards (4 components)
  • Technical Safeguards (5 components)

 

These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.

 

Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.

 

These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.

Next Steps

1. Find out where your organization stands in terms of information security policies and procedures.

2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?

3. Meet with your IG committee to discuss your findings.

4. If you don’t have an IG committee — start one!

5. Download and review the HIPAA Security Rule. Use it to build your organization’s information security policies.

6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintaining continuous improvement.

7. Begin building a culture of security in your organization.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

The Easiest Complete HIPAA Compliance Checklist You'll Ever See

The Easiest Complete HIPAA Compliance Checklist You'll Ever See | HIPAA Compliance for Medical Practices | Scoop.it
The Best HIPAA Checklist Is…HIPAA Itself?

Yes, basically. First, let’s make sure we’re on the same page about what HIPAA is exactly. HIPAA is federal legislation, as is the HITECH act that updated parts of it. Title II of that legislation relates to the privacy and security of protected health information, and this is the meat of what most physicians need to care about when “HIPAA compliance” comes up.

 

Title II of HIPAA also requires HHS to create federal regulations that implement the ideas in the rest of the act. These regulations spell out exactly what healthcare providers must do, and they are now complete and published in the Code of Federal Regulations (CFR),

 

Luckily, HHS also grouped these regulations into six sections, called “rules,” and these are really the ultimate HIPAA compliance checklist. If you can understand and comply with each of these six rules, you’ll have a good claim to HIPAA compliance. So let’s do it; let’s count down the checklist that HHS gives us:

The Six Rules of the HIPAA Compliance Checklist:

#1: Standardize Your Coding and Electronic Transmissions

This one is easy. HIPAA seeks to make sure that everybody is communicating about healthcare issues in one unified way, and regulations in its “Transactions and Code Sets” rule accomplish this.

One part of this rule specifies what code sets are allowable for describing medical data, including ICD-CM for conditions, NDC for drug names, and CPT/HCPCS for procedures. Another part then defines and mandates the specific electronic transmission formats that can be used to convey the encoded data.

 HIPAA Checklist: How to Comply with Rule 1

  1. Use a compliant electronic health record (EHR).

Simply pick a modern EHR to use in your practice. They will typically use the correct encoding and transmission formats automatically, and you can confirm this with the vendor before you buy anything.

That’s it. Done. Check.

#2: Get Unique Identifiers for You and Your Organization

In the “Identifier Standards” rule, HIPAA mandates that every individual or organization that renders healthcare have a unique 10-digit National Provider Identifier (NPI). Type 1 NPIs are for individuals, and type 2 NPIs are for organizations. NPIs are used in encoding and transmitting healthcare data, and they help enforce clarity. Two doctors may have the same name and practice in the same city, but their differing NPIs will ensure that they are not mistaken for one another.

 HIPAA Checklist: How to Comply with Rule 2

  1. Make sure that all HIPAA-covered entities in your practice have an NPI.

You probably already have an NPI. If you don’t,  you can get one through the National Plan and Provider Enumeration System (NPPES) that HHS runs.

That’s it. Done. Check.

#3: Protect Your Patients’ Privacy

The HIPAA Privacy Rule, in conjunction with the HIPAA Security Rule, constitutes the most important part of HIPAA for most providers. Fundamentally, the Privacy Rule is all about individuals’ health information, termed “protected health information (PHI).” The rule spells out how healthcare entities may use PHI, and it also delineates patients’ rights to be informed of and control those uses.

HHS has written an important summary of the Privacy Rule, and it’s worth a read. High-level points from the summary to internalize:

  • The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. The Privacy Rule calls this information “PHI.”
  • A central aspect of the Privacy Rule is the principle of “minimum necessary” use and disclosure. A [healthcare] entity must make reasonable efforts to use, disclose, and request only the minimum amount of PHI needed to accomplish [an intended purpose].
  • Except in certain circumstances, individuals have the right to review and obtain a copy of their PHI and any of its uses and disclosures. They may also demand corrections to it.
  • Each [healthcare] entity, with certain exceptions, must provide a notice of its privacy practices.

 HIPAA Checklist: How to Comply with Rule 3

  1. Designate a “privacy official” in your organization who will be tasked with developing and implementing your privacy policies and procedures and ensure that this person is available to receive requests and complaints related to the Privacy Rule.
  2. Understand the definition of PHI and identify information in your practice that is PHI.
  3. Keep a record of all uses and disclosures of PHI in your practice.
  4. Understand the things your practice must do under the Privacy Rule, especially including those things that relate to your patients’ control over their own PHI.
  5. Understand the things your practice may do under the Privacy Rule, especially including those uses and disclosures of PHI that are allowable without explicit, written patient consent. Always use the concept of “minimum necessary” to guide your uses and disclosures.
  6. Identify your “business associates,” as defined by HIPAA. If another company interacts with PHI from your practice, they are likely a business associate, and you need to have a formal “business associate contract” with them that extends the duties of HIPAA to their operations.
  7. Create a Notice of Privacy Practices. This must contain specific items, and it’s best to start with a template that HHS provides. Know when, where, and to whom this notice must be made available.
  8. Implement administrative, technical, and physical safeguards to prevent impermissible intentional or unintentional use or disclosure of PHI. These should also act to limit incidental uses or disclosures.
  9. Ensure ongoing training of your practice’s workforce on your privacy policies and procedures.
  10. Have your privacy official create and maintain a written document of the policies and procedures that you have developed to accomplish the above items.

Well, this section was a bit longer than the first two, but that’s because the Privacy Rule is so crucial to HIPAA. It is, unfortunately, also critical that you review the Privacy Rule yourself. The checklist above is a good start on minimum necessary activities, but there is no perfect, comprehensive checklist that will work for every type of practice. HIPAA is about ensuring best practices in every type of healthcare provider, and there is no substitute for figuring out what that means for you and your exact practice.

HHS states that the Privacy Rule is comprised of 45 CFR Part 160 and Subparts A and E of 45 CFR Part 164, and you can refer to these directly or, at least, to the HHS Privacy Rule summary to make sure that you are creating and following all of the privacy policies and procedures that your specific practice needs.

#4: Secure Your Electronic Medical Information

The HIPAA Security Rule is a nitty-gritty rundown of “the technical and non-technical safeguards that organizations […] must put in place to secure individuals’ electronic PHI.” That quote comes directly from a Security Rule summary that HHS has written, in which they explain that the Security Rule takes the somewhat amorphous concepts of the Privacy Rule and lays out a more exact framework to implement them.

Unlike the Privacy Rule, which applies to all PHI, the Security Rule applies only to PHI that your practice “receives, maintains or transmits in electronic form.” To comply with the Security Rule, your organization must adopt an ongoing process of risk analysis that has the following general form:

  1. Assess risks to electronic PHI in your organization, the current state of your security measures, and any gaps between the two
  2. Implement “administrative, technical, and physical safeguards” to address the gaps
  3. Document all of steps 1 and 2 and keep the records
  4. Repeat steps 1 to 3 on a periodic basis

That’s it, really. And continuing their pattern of being hugely helpful, HHS has created a seven-part educational paper series that will walk you through this. For the checklist in this section, we’ll lean on these papers heavily…since HHS literally provides checklists in them.

 HIPAA Checklist: How to Comply with Rule 4

  1. Perform a risk analysis for electronic PHI in your organization
  2. Implement safeguards to address security gaps identified by the risk analysis:
    1. Administrative
    2. Physical
    3. Technical
  3. Make sure everything is documented appropriately
  4. Repeat steps 1 to 3 on a periodic basis

Each HHS document linked above has a reproduction of Appendix A of the actual Security Rule, which is effectively a checklist of necessary items to consider for the administrative, physical, and technical safeguards that you need. Some of the documents extend this list with other items, such as the document linked in step 3 above.

As with the Privacy Rule, it’s important that you read the Security Rule yourself at least one time. HHS wrote the rules generally so that they could function for organizations of any size, from one person to thousands, and because of this, only you can decide exactly how your organization can best comply. Per HHS, “The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.” And again, they’ve also written a summary of it.

#5: Understand the Penalties for Violations

The HIPAA Enforcement Rule (codified at 45 CFR Part 160, Subparts C, D, and E) establish procedures for the investigation of possible HIPAA violations and sets civil fines for infractions. Fines can be up to $50,000 per violation per day, so it can add up quickly and is not a joke. Violations can also carry criminal penalties, including fines and jail time, but these are not covered by HHS regulation.

 HIPAA Checklist: How to Comply with Rule 5

  1. You don’t have to do anything ahead of time

If HHS investigates your practice, then this rule becomes relevant to you, but there’s nothing here that you need to do proactively.

#6: Learn How to Handle Information Breaches

The HIPAA Breach Notification Rule (codified at 45 CFR §§ 164.400-414) requires healthcare organizations to provide notification after breaches of PHI. A “breach” is, basically, an impermissible use or disclosure of PHI, as detailed in the HIPAA Privacy Rule. Depending on the type of breach, the notification might need to be made to the affected individuals, the media, or the HHS Secretary. HHS has further guidance available on the topic.

 HIPAA Checklist: How to Comply with Rule 6

  1. You don’t have to do anything ahead of time

Once again, you only need to worry about this rule if you identify a PHI breach, which you should be monitoring for as part of your compliance with the HIPAA Privacy Rule and Security Rule.

 

HIPAA compliance is all about adopting good processes in your organization, and HHS has laid out a path to compliance that is nearly a checklist. All you have to do is follow it.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

New HIPAA requirements target unsecured protected health information

New HIPAA requirements target unsecured protected health information | HIPAA Compliance for Medical Practices | Scoop.it

The American Recovery and Reinvestment Act of 2009, signed by President Barack Obama in February, modified the Health Insurance Portability and Accountability Act (HIPAA). In particular, the Health Information Technology for Economic and Clinical Health Act (HITECH) sets forth new requirements relating to business associates and notification of patients regarding breaches of unsecured protected health information. The new regulation covers breaches that occur after September 23, 2009.

 

Before HITECH, a covered entity, that is, a physician's office, hospital, clinic, etc.—only was required to mitigate the effects of an unauthorized disclosure, which may or may not have included notifying the patient Now, except for certain limited exceptions, a covered entity is required to notify a patient of an unauthorized disclosure of unsecured protected health information if a significant risk of "financial, reputational, or other" harm exists.

 

It is important to note that notification is only required for unsecured protected health information, not secured protected health information. The Department of Health and Human Services (HHS) issued guidance on what constitutes "secured" protected health information in April, stating that information is deemed secured if rendered "unusable, unreadable, or indecipherable" to unauthorized individuals.

 

To determine whether a "significant risk of harm" exists, the covered entity should consider what information was disclosed, to whom the information was disclosed, and what steps have been taken to eliminate or reduce the risk to the individual.

 

Any notification to the patient must include a brief description of what happened and the type of protected health information disclosed, any steps the patient should take to protect himself or herself, what the covered entity is doing to investigate and mitigate the breach, and information concerning who to contact for additional information. Any required notification must occur without unreasonable delay but no more than 60 days after the breach is discovered or should have been discovered with the exercise of reasonable diligence.

 

Notification must be in writing by mail (or by phone in urgent cases) or electronic means if the patient has consented to electronic notification. Also, specific rules exist regarding what to do if patients cannot be located. If a breach involves more than 500 patients—for instance, the loss of a laptop containing unsecured protected health information, then local media outlets must be notified. In addition, the HHS secretary must be notified—immediately for breaches involving more than 500 patients and annually for others.

 

With the new regulations, the knowledge of a covered entity's agents, including business associates, is imputed to the covered entity. Therefore, the clock for notifying patients could begin to run before the covered entity actually is aware of the disclosure. New agreements may be required, and education of business associates is important, to ensure that they are aware of these requirements and that they indemnify your practice if they fail to comply with the new rules and notify you promptly of any breach of protected health information.

 

The burden to disclose the breach or establish that no risk of harm to the patient exists is on the covered entity, even if the breach was the fault of one of its agents. A decision not to notify a patient because the covered entity does not believe that a significant risk of harm exists should be carefully investigated and documented.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Texas Expands HIPAA Privacy Laws to Bolster EHR Security

Texas Expands HIPAA Privacy Laws to Bolster EHR Security | HIPAA Compliance for Medical Practices | Scoop.it

Governor of Texas, Rick Perry, has signed a new law to give Texas residents even greater protection than required by the Health Insurance Portability and Accountability Act and has increased penalties for healthcare organizations that fail to implement the appropriate security measures to protect the health data of patients.

 

Under the Health Information Technology for Economic and Clinical Health Act (HITECH), covered entities have a number of responsibilities including reporting data breaches to the Office for Civil Rights (OCR). Data breaches are reportable to the OCR, either in an end of year report or after an investigation, depending on the number of individuals affected.

 

HIPAA places a number of restrictions on how ePHI is used and stored, and all covered entities are required to conduct a full risk analysis to assess systems for security vulnerabilities to allow risk to be managed. It also lays down the procedures that must be followed after a data breach, such as notifying potential victims. Covered organizations are also required to conduct an investigation into how a breach occurred as well as a risk of harm analysis.

 

One of the main aims of HIPAA has been to improve the standard of data security and protect the privacy of patients. HIPAA and HITECH can be seen as minimum standards that must be followed, and states are allowed to increase data security rules, provided that all HIPAA requirements are met.

 

Texas has now exercised the right to tighten state privacy laws to ensure electronic Protected Health Information is kept private and confidential.

 

Greater Protection for Texas Residents
The new Texas law follows HITECH, although it makes a number of amendments to further restrict the use of ePHI. The penalties have been increased for wrongful disclosure, breach notifications have been updated and healthcare organizations must provide more training to staff. A new requirement is that data privacy and security training must now be provided to employees every two years. Training courses must be documented and all attendees must sign to confirm that they have received training. A 60-day time restriction has also now applies for providing new employees with training.

 

According to the new law, “an individual’s PHI may not be disclosed without the patient’s authorization, except for purposes of treatment, payment, healthcare operations, insurance purposes, and as otherwise authorized by state or federal law”

 

Harsher Penalties for Wrongful Disclosure of ePHI
Failure to comply with the new legislation will result in increased financial penalties and possibly criminal penalties – the theft of ePHI is now considered a felony – being applied for the wrongful disclosure of ePHI. The state is also able to revoke both professional and institutional licenses. Financial penalties have been increased to a maximum of $250,000 for intentional disclosure of ePHI for financial gain, $25,000 for intentional or knowing violation and $5,000 for each individual negligent violation, although the maximum penalty for repeat offenders is $1.5 million and enforced withdrawal from Medicaid, the Children’s Health Insurance Program and other state funded healthcare initiatives is also a possibility.

 

When assessing violations, the seriousness of the data breach will be considered along with significant risk of harm, past history of the organization, certification, the efforts made to mitigate any damage caused and the amount necessary to deter the organization from allowing further violations to occur. Failure to issue breach notifications to affected individuals will also be penalized at a rate of $100 per day, per individual, up to a maximum fine of $250,000.

 

HIPAA regulations require employers to provide training on data Privacy and Security Rules, although this is only required within a short time frame of the commencement of employment and after a material change in Privacy and security policies. Under the new Texas law there is a requirement for ongoing training to be provided to staff and this must also be tailored to the employee’s position within the company. Rules have also changed on breach notifications to include all HIPAA covered entities including business associates, as well as non HIPAA-covered entities that wrongfully disclose ePHI.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Do HIPAA Rules Create Barriers That Prevent Information Sharing?

Do HIPAA Rules Create Barriers That Prevent Information Sharing? | HIPAA Compliance for Medical Practices | Scoop.it

The HHS has drafted a Request for Information (RFI) to discover how HIPAA Rules are hampering patient information sharing and are making it difficult for healthcare providers to coordinate patient care.

 

HHS wants comments from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors.

 

The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that are preventing healthcare organizations from sharing patient information while retaining protections to ensure patient and data privacy are protected.

 

The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care.

 

The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued.

 

Certain provisions of HIPAA Rules are perceived to be barriers to information sharing. The American Hospital Association has spoken out about some of these issues and has urged the HHS to take action.

 

While there are certainly elements of HIPAA Rules that would benefit from an update to improve the sharing of patient health information, in some cases, healthcare organizations are confused about the restrictions HIPAA places on information sharing and the circumstances under which PHI can be shared with other entities without the need to obtain prior authorization from patients.

 

The feedback HHS is seeking will be used to assess what aspects of HIPAA are causing problems, whether there is scope to remove certain restrictions to facilitate information sharing, and areas of misunderstanding that call for further guidance to be issued on HIPAA Rules.

 

HIPAA does permit healthcare providers to share patients’ PHI with other healthcare providers for the purposes of treatment or healthcare operations without authorization from patients. However, there is some confusion about what constitutes treatment/healthcare operations in some cases, how best to share PHI, and when it is permissible to share PHI with entities other than healthcare providers. Simplification of HIPAA Rules could help in this regard, as could the creation of a safe harbor for good faith disclosures of PHI for the purposes of case management and care co-ordination.

 

While the HHS is keen to create an environment where patients’ health information can be shared more freely, the HHS has made it clear is that there will not be any changes made to the HIPAA Security Rule. Healthcare providers, health plans, and business associates of HIPAA-covered entities will still be required to implement controls to ensure risks to the confidentiality, integrity, and availability of protected health information are managed and reduced to a reasonable and acceptable level.

 

In addition to a general request for information, the HHS will specifically be seeking information on:

 

The methods of accounting of all disclosures of a patient’s protected health information
Patients’ acknowledgment of receipt of a providers’ notice of privacy practices


Creation of a safe harbor for good faith disclosures of PHI for purposes of care coordination or case management
Disclosures of protected health information without a patient’s authorization for treatment, payment, and health care operations
The minimum necessary standard/requirement.


While the RFI is likely to be issued, there are no guarantees that any of the comments submitted will result in HIPAA rule changes.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Few Things Physicians are Not Doing to Comply with HIPAA.

Few Things Physicians are Not Doing to Comply with HIPAA. | HIPAA Compliance for Medical Practices | Scoop.it

Shortly after the Health Insurance Portability and Accountability Act (HIPAA) was implemented, David Zetter was at a doctor's office helping the group build a compliance plan. He was in the back of the practice training some of the staff when the receptionist walked in and handed him a piece of paper.

 

The note was from a patient saying she could see everyone's names and files at the front desk and she knew that was a HIPAA violation.

 

More than a decade later, HIPAA compliance has become ingrained: Files are not left out in the open, patient information is not improperly disclosed, and doctors do not leave health-related messages on answering machines. It is routine to have every patient sign a HIPAA release and go about your business.

 

But compliance is not a one-and-done activity as much as an evolution of rules and procedures. Compliance gurus bet there are at least a few things physicians are not doing to comply with HIPAA.

 

Make a plan
One main thing that practices should have is a compliance plan, but many do not, said Zetter, founder of Zetter Healthcare Management Consultants. “They buy a cheap manual off of the internet and think that works,” he said. “But it cannot be implemented that way; it wasn't set up for your practice.”

 

Even state medical societies sell how-to manuals, but Zetter said this is only a document meant to guide you through creating a compliance plan, not the plan itself.

 

Sample HIPAA compliance plans and instructions for completing one can be found online. The Massachusetts Medical Society provides a document with a checklist and tips to help doctors develop their own documents.

 

Analyzing compliance
The second thing that needs to be completed is a gap analysis. These are used to determine what the organization is doing and what they should be doing. Zetter said an office needs to take each section of the regulation, see what is required and compare it with what is being done. Detailed information on creating a gap analysis can be found at the North Carolina Department of Health and Human Services Website.

 

Once gaps are identified, it is important to find ways to mitigate the potential problem areas. Physicians can do this by performing a risk analysis, which provides the basis for developing ways to cover themselves if an information breach should occur.

 

A risk analysis can arrive at whether there is a low, medium, or high risk of a HIPAA violation occurring, Zetter said. The greater the risk, the more resources are needed for prevention. All of this should be documented.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Staff Nurse Faces Jail Time for HIPAA Violations

Staff Nurse Faces Jail Time for HIPAA Violations | HIPAA Compliance for Medical Practices | Scoop.it

Her breach of a patient's privacy jeopardized the clinic from which she was subsequently fired.

 

What began as routine file maintenance ended in arrest and possible jail time for a licensed practical nurse who shared a patient's medical information with her spouse.

 

Ms. A, 29, had been employed by a midsize regional clinic for five years. While she enjoyed her job and got on well with her supervisor, Dr. P, she was known to bemoan what she saw as low pay and the financial strain it created for herself and her husband. That strain intensified when her husband was in an auto accident and then sued by people in the other car seeking compensation for their injuries.

 

One day, as Ms. A was flipping through charts to straighten up the files, she saw the plaintiff's name. Reading the chart with great interest, she jotted some notes, stuck them in her bag, and replaced the file. That night, as her husband complained about the impending lawsuit and its potential financial consequences, Ms. A smiled and reached into her bag for the notes she'd taken earlier. “I think this will help,” she said.

 

The next day, Mr. A phoned the patient. During the conversation, he made it known that he had medical information which he believed weakened the man's case. Mr. A suggested that he consider dropping the lawsuit.

 

After hanging up with Mr. A, the patient made two phone calls. First he called the clinic where Ms. A worked. Then he called the district attorney.

 

The next morning, Ms. A was summarily fired. “You may very well have put this whole clinic in jeopardy,” Dr. P told her.

 

After Ms. A left the building, Dr. P called a meeting of all the nurses, physician assistants, and support staff and explained why Ms. A had been fired. Outlining the laws on patient privacy, he informed them that no breach of these laws would be tolerated under any circumstances.

 

Meanwhile, Ms. A's problems were just beginning. The district attorney forwarded the patient's complaint to a federal prosecutor, and within a month, both Ms. A and her husband were indicted. Ms. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering. The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. Ms. A pleaded guilty to one count of wrongful disclosure of individual health information for personal gain. In exchange for her plea, the charges against her husband were dismissed.

 

Ms. A is awaiting sentencing. She faces up to 10 years in prison, a fine of as much as $250,000, and up to three years of supervised probation. The state nursing board is seeking to revoke her license.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Massachusetts Physician Guilty in HIPAA Case

Massachusetts Physician Guilty in HIPAA Case | HIPAA Compliance for Medical Practices | Scoop.it

Recently, a gynecologist was sentenced to 1 year of probation for violating HIPAA laws and obstructing an investigation into a federal health care probe.

 

Rita Luthra, MD, who treated women in a low-income area of Springfield, Massachusetts, was convicted this past April of allowing a pharmaceutical representative from Warner Chilcott improper access to patient records. While the case is unique—providers have rarely been charged criminally under HIPAA—it is a cautionary tale about the potential implications for improper disclosure.

 

Federal charges
Dr Luthra's conviction stemmed from a larger Department of Justice (DOJ) investigation into Warner Chilcott's practices. The pharmaceutical company, which was purchased in 2015 by Allergan plc, was investigated on allegations of paying kickbacks to physicians to entice them to prescribe its medications to patients; false marketing for Actonel, a drug prescribed for treatment of osteoporosis; and manipulating prior authorizations for its other osteoporosis drug, Atelvia.

 

The DOJ reached a $125 million settlement with the company in 2015. Dr Luthra was found to be one of the physicians accused of taking part in Warner Chilcott's practices. She was originally brought up on kickback charges, with investigators claiming she received more than $23,000 for prescribing their osteoporosis medication. They claimed she was paid approximately $750 on numerous occasions to hold educational events in her office for the pharmaceutical company.

 

But those charges were dropped, and a revised indictment for HIPAA charges was filed. Prosecutors claimed she gave a sales representative patient information in order to fill out forms to get an insurer to cover the drugs. She was also convicted on an obstruction charge for allegedly lying to the DOJ about why she was paid by the pharmaceutical company.

 

Luthra could have received up to 6 years in prison and a $300,000 fine for both charges. The judge on the case, however, said that the loss of her license and probation was enough of a sentence. He reportedly considered her work for years serving patients in lower-income communities during sentencing.

 

Pandora's box
Criminal prosecutions under HIPAA are not common, but Conor Duffy, a lawyer with Robinson & Cole LLP, said it is reflective of a growing trend.

 

“Prosecutors appear to utilize criminal charges under HIPAA in part as a fall back or as leverage against a provider, because proving HIPAA violations can be easier than proving the existence of an illegal kickback arrangement,” Duffy said. “The Massachusetts case is notable in that the government ended up dropping its kickback allegations but nonetheless prosecuted the physician for a HIPAA violation.”

 

There have been a few other cases where criminal charges were applied through HIPAA, most involving providers improperly using the information or providing it to others for financial gain. In one such case, a Florida nurse used the information of more than 600 of her patients to file false tax returns with potential refunds of more than $220,000. She was sentenced to more than 3 years in prison and fined.

 

“Some people are doing it for personal benefit, and it's happening more often than would be hoped for,” said Matthew Fisher, a law partner at Mirick, O'Connell, DeMallie & Lougee LLP.

When prosecutors file criminal charges, “they will come up with every single charge they can think of so one will stick,” Fisher said. Filing multiple charges allows them not only to find one that's valid, but also allows for negotiation. And when the government begins investigating, they will likely find some issues.

 

“Once they start looking around they will find something even if it's not why they came in the door,” Fisher continued “The regulations are so complex it's difficult to be 100% compliant and as a physician, you have to live with what comes out of that.”

 

Stay in compliance
This case provides a good warning, particularly for smaller organizations, that HIPAA applies to practices of all sizes, according to Amy Joseph, senior counsel at Hooper Lundy & Bookman PC. It is a reminder to avoid disclosing information unless it is for treatment, claim payment, internal health care operations, the patient has authorized the disclosure, or another limited exception applies.

 

“Disclosure for purposes other than treatment, payment, or health care operations need to be scrutinized,” Joseph said. “Get help, talk to your counsel. Just because someone else is in health care it doesn't mean they are going to protect the information or are asking for it for legitimate purposes. It's better to be more cautious than not.”

 

Duffy said personal relationships, such as those with some pharmaceutical sales representatives, should be monitored. These salespeople are “trained to cultivate business by building such relationships.”

 

“Providers also need to be careful to not rationalize potentially illegal acts—like allowing a sales representative to use identifiable health information to facilitate prescriptions of a drug for a patient—on the basis that a patient could ultimately benefit from a drug or device, because the laws governing these interactions do not take that into account,” he said.

 

If a provider gets into a situation where a pharmaceutical representative, medical device company, or other similar health care organization is calling and asking for patient information, Fisher recommends taking a step back before providing it. Providers should look at the relationship they have with the organization. They might be using it for valid purposes such as clinical trials or reporting to the FDA.

 

Most providers will shrug and say they would never get into the kind of situation Dr Luthra did, but Fisher said it is not always such an obvious delineation between when information should and should not be given out.

 

“If they are calling out of the blue and you're not clear why the connection is being made, question it and don't just volunteer that information,” Fisher said. “It's not a defense to say, ‘They told me it was OK and I never really thought about it.' You're always responsible for your own actions; no one is forcing you to do anything.”

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Privacy Rule Can Be Tool for Health Information Exchange

HIPAA Privacy Rule Can Be Tool for Health Information Exchange | HIPAA Compliance for Medical Practices | Scoop.it

Rather than being a barrier to information sharing and interoperability, the HIPAA Privacy Rule can be seen as a tool to facilitate health information exchange and flow across the health ecosystem, argued OCR and ONC in an Aug. 30 blog post. 

 

The HIPAA Privacy Rule provides individuals with a right to access information in their medical and other health records maintained by a HIPAA covered entity, such as an individual’s healthcare provider or health plan, noted ONC Chief Privacy Officer Kathryn Marchesini and OCR Acting Deputy Director for Health Information Privacy Timothy Noonan.

 

The authors wrote that the 21st Century Cures Act, enacted in 2016, among other things called for greater individual access to information and interoperability of healthcare records. The act directed HHS to address information blocking and promote the trusted exchange of health information.

 

 

“Information blocking occurs when a person or entity – typically a health care provider, IT developer, or EHR vendor – knowingly and unreasonably interferes with the exchange and use of electronic health information,” ONC explained.

 

ONC and OCR recently began a campaign encouraging individuals to access and use copies of their healthcare records.

The two HHS offices are offering training for healthcare providers about the HIPAA right of access and have developed guidance to help consumers take more control of decisions regarding their health.

 

These guidelines include access guidance for professionals, HIPAA right of access training for healthcare providers, and the Get It. Check It. Use It. website for individuals.

The authors also noted that the HIPAA Privacy Rule supports the sharing of health information among healthcare providers, health plans, and those operating on their behalf, for treatment, payment, and healthcare operations. It also provides ways for transmitting health information to relatives involved in an individual’s care as well as for research, public health, and other important activities.

 

“To further promote the portability of health information, we encourage the development, refinement, and use of health information technology (health IT) to provide healthcare providers, health plans, and individuals and their personal representatives the ability to more rapidly access, exchange, and use health information electronically,” they commeted.

 

The Centers for Medicare & Medicaid Services (CMS) and the National Institutes for Health (NIH), along with the White House Office of American Innovation, are working to support the exchange of health information and encourage the sharing of health information electronically.

 

For example, CMS is calling on healthcare providers and health plans to share health information directly with patients, upon their request.

 

Also, NIH has established a research program to help improve healthcare for all individuals that will require the portability of health information.

 

The White House’s MyHealthEData initiative, which originated from President Donald Trump’s 2017 executive order to promote healthcare choice and competition, aims to break down the barriers preventing patients from having access to their health records.

 

The executive order directed government agencies to “improve access to and the quality of information that Americans need to make informed healthcare decisions.” The order is part of a broader effort to increase market competition in the healthcare market.

 

ONC developed a guide intended to educate individuals and caregivers about the value of online medical records as well as how to access and use their information. ONC also produced videos and fact sheets to inform individuals about their right to access their health information under HIPAA.

 

“It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” said National Coordinator for Health Information Technology Don Rucker. “This guide will help answer some of the questions that patients may have when asking for their health information.”

 

The agency said that an individual’s ability to access and use health information electronically is a cornerstone of its efforts to increase patient engagement, improve health outcomes, and advance person-centered health.

 

ONC noted that the guide supports both the 21st Century Cures Act goal of improving patient access to their electronic health information and the MyHealthEData initiative.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Health insurer Reaches Settlements Over HIPAA Violations 

Health insurer Reaches Settlements Over HIPAA Violations  | HIPAA Compliance for Medical Practices | Scoop.it

Health insurer Aetna has reached settlements with a number of state attorney generals over HIPAA violations resulting from mailings to HIV/AIDS and cardiac patients, the New Jersey attorney general announced

 

The three states and district involved in the Aetna settlements are Connecticut, the District of Columbia (DC), New Jersey, and Washington. Aetna agreed to pay Connecticut around $100,000, DC around $175,000, and New Jersey $365,000. Washington has not yet disclosed how much it will receive from Aetna.

 

As part of the settlements, Aetna has agreed to implement policy, protocol, and training reforms designed to safeguard individuals’ PHI and ensure the confidentiality of mailings containing that information. The company has also agreed to hire an independent consultant to evaluate and report on its privacy protection practices and to monitor its compliance with the settlements’ terms.

 

 

“Companies entrusted with individuals’ protected health information have a duty to avoid improper disclosures,” said NJ Attorney General Gurbir Grewal. “Aetna fell short here, potentially subjecting thousands of individuals to the stigma and discrimination that, unfortunately, still may accompany disclosure of their HIV/AIDS status. I am pleased that our investigation has led Aetna to adopt measures to prevent this from happening again.”

 

The investigation revealed that Aetna disclosed HIV/AIDS-related information on about 12,000 individuals through a third-party mailing on July 28, 2017. The envelopes used in the mailing had a transparent address window, which revealed recipients’ names, addresses, and text that included the words “HIV medications.”

 

The second breach occurred in September 2017 and involved a mailing sent to 1,600 individuals about a study of patients with atrial fibrilation (AFib). The envelopes for the mailing included the name and logo for the study, IMPACT AFib, which could have been interpreted as indicating that the addressee had an AFib diagnosis.

 

DC Attorney General Karl Racine said in a statement: “Aetna failed to protect the health information of District residents and illegally disclosed their HIV status. Every patient should feel confident that their insurance company or health provider will safeguard their confidential medical information. Today’s action will prevent further disclosures and warns other insurance companies that they are responsible for protecting consumers’ private information.”

 

The three states and DC alleged that Aetna not only violated HIPAA but also state laws pertaining to the PHI of individuals in general and of persons with AIDS or HIV infection in particular.

 

In January 2018, Aetna settled a class action lawsuit that required it to pay $17 million in relief to the 12,000 individuals regarding the HIV mailing.

 

Lead plaintiff Andrew Beckett, which is a pseudonym, alleged in his original complaint that PHI and confidential HIV-related information “was disclosed improperly by Aetna and/or Aetna-related or affiliated entities, or on their behalf, to third parties, including, without limitation, Aetna’s legal counsel and a settlement administrator, and through a subsequent mailing of written notices that were required to be sent as part of a settlement of legal claims that had been filed against certain Aetna-related entities or affiliates.”

 

The letters from Aetna had originally been sent in response to a settlement over previous data privacy violation worry. The healthcare company had been sued in two separate class-action lawsuits in 2014 and 2015.

 

“Those lawsuits alleged that Aetna jeopardized the privacy of people taking HIV medications by requiring its insureds to receive their HIV medications through mail and not allowing them to pick up their medications in person at the pharmacy,” according to the 2017 lawsuit.

 

In response to the January 2018 lawsuit settlement, Aetna said that it is “implementing measures designed to ensure something like this does not happen again as part of our commitment to best practices in protecting sensitive health information.”

 

“Through our outreach efforts, immediate relief program and this settlement we have worked to address the potential impact to members following this unfortunate incident,” Aetna said in a statement.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA Compliance Tips for Mobile Data Security 

HIPAA Compliance Tips for Mobile Data Security  | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA Compliance Tips for Mobile Data Security

Nearly 4 out of 5 healthcare providers use a mobile device for professional purposes. These numbers continue to rise as healthcare organizations place an increased focus on efficiency and productivity. (1) Although mobile devices are incredibly efficient and convenient, they also harbor measurable risks for data breach and the exposure of protected health information (PHI).

 

Mobile devices are often more susceptible to theft because they lack the appropriate security controls. In fact, mobile device malware infections have surged 96% from 2015 to 2016. (2)  To avoid hefty penalties and the risk of a data breach, healthcare organizations must develop and implement mobile device procedures and policies that will protect the patient’s health information.

 

Below are five recommendations from HHS (The Department of Health and Human Services) that organizations can take to help manage mobile devices in the healthcare setting:

 

  1. Understand the risks before allowing the use of mobile devices- Decide whether healthcare providers or medical staff will be permitted to use mobile devices to access, receive, transmit, or store patients’ health information or if they will be used as part of the organization’s internal network or systems, such as an electronic health record system.
  2. Conduct a risk analysis to identify threats and vulnerabilities- Consider the risks to your organization when permitting the use of mobile devices to transmit health information Solo providers may conduct the risk analysis on their practice, however, those working for a large provider, the organization may conduct it.
  3. Identify a mobile device risk management strategy, including privacy and security safeguards- A risk management strategy will help healthcare organizations develop and implement mobile device safeguards to reduce risks identified in the risk analysis. Include the evaluation and regular maintenance of the mobile device safeguards put in place.
  4. Develop, document, and implement mobile device policies and procedures to safeguard health information. Some topics to consider when developing mobile device policies and procedures are:
    1. Mobile device management
    2. Using your own device
    3. Restrictions on mobile device use
    4. Security or configuration settings for mobile devices
  5. Conduct mobile device privacy and security awareness and ongoing training/education for providers and professionals.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

What's in Our 2018 SecurityMetrics HIPAA Guide?

What's in Our 2018 SecurityMetrics HIPAA Guide? | HIPAA Compliance for Medical Practices | Scoop.it
 We are thrilled to announce the release of our brand-new HIPAA Guide! No matter the size of your organization, you can use this guide to understand and handle the more challenging requirements of HIPAA. In fact, it's already coming in handy for many of our partners. See what some of them have to say:

"The HIPAA Guidebook is one of the best references. It's well-organized and easy for our medical office staff and providers to understand." -Hedy Haun, Sr. Process Analyst,  SHARP Medical Group

"Words cannot express what the HIPAA Guide represents to me and all of Curis. It's like an encyclopedia for us." -George Arnau,  Curis Practice Solutions

A better way to read and utilize our HIPAA guide


Just like many of our partners report back to us, our HIPAA Guide is best utilized as "desk-side reference." In order to increase the guide's usefulness to you, we've added a new section called "How to Read This Guide." It includes a color-coded system, with reading suggestions based on your familiarity with HIPAA: beginning, intermediate, and advanced. This section discusses the skill levels likely required for policy and procedure implementation.

We understand there are many job descriptions that require HIPAA understanding, so whether you're a brand-new employee or a seasoned systems administrator--our guide is meant for you.

 We also include a "Terms and Definitions" glossary at the end of the 135-page guide. This is meant to help familiarize you with data security and tech terms you may not already know.

Ultimately, we want to help you keep your patients' and customers' data safe and secure. By helping you address the most complicated aspects of data security and HIPAA , we aim to equip you with practical knowledge you can use in meetings and trainings, while drafting policies and procedures, and when making decisions about security at your practice.

Survey Data and HIPAA industry trends

This year, we conducted four surveys and received responses from over 300 healthcare professionals. These professionals are responsible for HIPAA compliance at their organizations, and work primarily at companies with less than 500 employees. And while larger organizations tend to have better HIPAA compliance, it's important that those larger organizations still take note of compliance trends at organizations of all sizes, since they will likely share data and interact with them (for instance, when a large hospital sends patient records to a smaller specialty clinic).

We asked respondents about security habits at their organizations. Training and encryption continue to challenge HIPAA teams, while many organizations fare well in the area of risk analysis. Here are just a few of our survey results:

  • 6% of organizations do not conduct a formal risk analysis
  • 16% of organizations report they send emails with unencrypted patient data
  • 34% of organizations train employees on the HIPAA Breach Notification Rule

Top Tips for Better Data Security 

As lead SecurityMetrics HIPAA auditor Brand Barney says, "Our guide was specifically created to help covered entities and business associates address the most problematic issues within HIPAA compliance.”

So, the guide focuses on commonly challenging aspects of the HIPAA Privacy, Breach Notification, and Security Rules, including:

•   Incident response plans
•   PHI encryption
•   Business associate agreements
•   Mobile device security
•   HIPAA-compliant emails
•   Remote access
•   Vulnerability scanning
•   Penetration testing

A proactive, offense-minded approach

Even with steep penalties in place, HIPAA compliance--particularly when it comes to security--is often not as complete as is thought or hoped for. In fact, according to the Identity Theft Resource Center , 24.7% of data breaches in 2017 were healthcare-related. Education is the first line of defense, so becoming familiar with the guide is one of the best ways you can proactively protect your organization from a potentially devastating data breach.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

6 things software vendors need to know about HIPAA compliance

6 things software vendors need to know about HIPAA compliance | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance

 

Many people are loosely familiar with the Health Insurance Portability and Accountability Act (HIPAA) and usually associate it with hospitals, clinics, and health insurance companies. However, it can be less clear how HIPAA compliance standards apply to countless other software vendors, SaaS providers that work with healthcare-related businesses or handle protected health information (PHI). In recent months, the Office for Civil Rights has been coming down hard on HIPAA violators, doling out some of the large fines – upwards of $5 million. So in order to ensure your business is protected and to maintain your brand reputation, it is vital to know the ins and outs of HIPAA compliance. With this in mind,

 

How do you know if you need to be HIPAA compliant?

 

In short, HIPAA rules apply to both Covered Entities (health insurance companies, HMOs, company health plans, etc.) and their business associates (a vendor or subcontractor who has access to PHI). What this means for business associates is that even if you’re a service provider or vendor who isn’t in the healthcare industry - like an all-flash storage company - you may still need to be HIPAA compliant indirectly due to the fact that your organization stores PHI. The first step here is to determine whether your organization handles PHI. If you do, your next step is to look through the

 

Look to your current vendors for guidance

 

Once you determine that you need to be compliant, there’s no need to go on a hiring spree to ensure you have the necessary resources in-house. Many of your existing vendors may already cover key HIPAA compliance requirements. Any good service provider should be able to tell you whether they are HIPAA compliant and what controls they can cover. If so, it is important that they are also willing to sign a Business Associate Agreement (BAA) - a negotiation between Covered Entities and any third-party vendors that have access to their PHI.

 

Look for specific types of technology that can help to streamline the process

 

If none of your existing vendors can help with HIPAA compliance, turn to a managed service provider to do the heavy lifting and help your business attain and maintain compliance, so you can focus resources on driving business. Additionally, they can strengthen the security technology, processes, and controls they use to keep customer information secure. For example, if you’re looking for a secure way to continue work-from-home programs at your organization through remote desktops, HIPAA compliant Desktop-as-a-Service (DaaS) vendors are a great option to both fill specific needs for your business and drastically simplify compliance.

 

Don’t forget about maintenance

 

A key stumbling block for many organizations tends to be maintaining a constantly evolving set of compliance standards. HIPAA compliance certification is valid only at that moment – it is then up to the company to maintain compliance which is easier said than done. Some important things to keep the top of mind for maintenance include 1) completing a HIPAA Risk Analysis document and audit at least once a year, and 2) assessing employees year-round to make sure they are doing their jobs in a HIPAA compliant manner, following all stated company policies and procedures.

 

Know who is responsible for HIPAA compliance

 

Another challenge accompanying HIPAA compliance may sound simple, but is one that oftentimes goes overlooked - precisely who internally is responsible for compliance? For non-healthcare organizations, a company is unlikely to have a designated in-house role such as a Privacy and Security Officer, and therefore the responsibility often falls on security or operations departments. However, it’s likely that neither of these departments has a full understanding or stake in HIPAA compliance. Regardless of who is taking the reins, it is important that the role is clearly demarcated and that person or department knows what is expected of them. Additionally, it’s critical that they work together with other departments as needed to ensure a well-rounded HIPAA strategy. Case in point - a recent

 

Keep HIPAA compliance top of mind for staff

 

Regardless of who is in charge, it is important that all your staff be mindful of maintaining HIPAA compliance. Human error can become one of the biggest obstacles to maintaining compliance, especially when employees may not even realize their company deals with PHI. For example, the same NueMD survey also found that only 58% of respondents were providing training for their staff annually. HR teams can proactively assist with this by reminding staff of regular HIPAA training, updates on compliance standards changes and keeping visible HIPAA compliance checklists posted in work areas.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Keep Your Practice’s Communication HIPAA-Compliant

How to Keep Your Practice’s Communication HIPAA-Compliant | HIPAA Compliance for Medical Practices | Scoop.it

HIPAA compliance is a top concern for medical practices, and for good reason–violations can result in serious consequences, including large fines and potentially even jail time. To make things more complicated, the laws themselves tend to be rather vague on what actions practices need to take to become HIPAA-compliant.

Medical practices need to protect private patient data, but they also need to be able to go about the daily business of running a practice as efficiently as possible. Technology can certainly make day-to-day operations more efficient, but new technologies also bring about new concerns with HIPAA compliance. Many practices are hesitant to adopt new technology for that very reason.

When practices do decide that they want to use technology to communicate with patients and other practices, it can be difficult to figure out where to begin because HIPAA laws can be quite vague. Practices don’t want to slip up and have to pay the price (often, quite literally) for a violation.

 

So, what can you do to keep your practice’s communications on the right side of HIPAA guidelines? We highly recommend working with an expert on HIPAA laws to make sure your communication is always compliant.

 

If you’d like to learn more on what HIPAA-compliant communication entails throughout your practice, including marketing efforts, emails, appointment reminders, patient portals, and communication with other practices, we have put together this list of helpful resources to help you stay up to date on the latest recommended best practices for HIPAA-compliant communication.

Emailing Patients

Patients who are always on-the-go may prefer to communicate with you via email. If patients request email communication, you must make that option available to them, but you still need to take the proper precautions to protect your patients and your practice from HIPAA violations.

Appointment Reminders

Even appointment reminders can be considered private health information if done improperly. You may wish to use technology to automate this routine process and free up your employees’ time for other tasks, but you need to make sure that you aren’t inadvertently giving away private patient information in the process.

Patient Portals

Practices are required to implement and use a patient portal to meet Meaningful Use requirements. However, patient portals are still subject to HIPAA laws and may, in fact, pose the greatest security risk of all practice communications because of the amount of information they contain. Always do your research before choosing a vendor for your patient portal to make sure they will keep you covered.

 

Communicating with Other Practices

It’s important for your practice to be able to communicate with your patients’ other health care providers to be able to provide the most comprehensive care possible. However, it can be quite challenging to communicate with other practices in a manner that is both efficient and HIPAA-compliant. These resources include suggestions on improving your communication strategies while protecting private information.

 

The Dangers of Sharing Patient Information via Text/IM

As a healthcare provider, your days are usually very busy, and it’s likely that the doctors you need to communicate with are equally as busy. When you need to share information, whether it’s a quick update on a patient or a request for a consult, it can be tempting to just send a quick text or instant message. If texting/instant messaging is your preferred form of communication with other doctors, you need to approach with caution.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.