HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Protecting PHI: Managing HIPAA Risk with Outside Consultants 


The rising complexity of healthcare, particularly as it relates to providers’ growing technical needs, is increasingly prompting healthcare organizations to seek the help of outside consultants. In engagements with healthcare entities, though IT consultants try to minimize interaction with patient data, they often have access to protected health information (PHI). When working with HIPAA Covered Entities, consultants are treated as “business associates” and are required to comply with Privacy Rules designed to protect PHI.

 

Managing HIPAA compliance when engaging outside consultants requires that consultants enter into a Business Associate Agreement (BAA). The BAA must:

  • Describe the permitted and required uses of PHI by the business associate in the context of their role
  • Provide that the business associate will not use or further disclose the PHI, other than as permitted or required by the contract or by law
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI, other than as provided for by the contract

Here are several best practices to follow to ensure the protection of PHI in consulting arrangements.

 

FTE Mentality

During the contract period, the expectation is that consultants act as if they were an employee of the hospital or provider organization and therefore treat PHI in this manner. It is important to know that consultant business associates could be held liable or equally responsible for a PHI data breach in the same way a full-time employee could be.

 

Role-Based Access Rules

Limit access to PHI based on role to ensure that only the parties that need PHI have access to it. An IT strategist, for example, does not need to see live patient data. Associates leading implementation projects, on the other hand, may need access to live PHI. Typically, this occurs late in the implementation process, when the time comes to test a system with live, identifiable patient data.

 

Safeguard Access Points

If a hospital wants a consultant to have regular access to PHI, it would be preferable that the hospital provides the consultant with a computer or device with appropriate access authorizations and restrictions in place. Avoid the use of personal devices whenever possible. Make sure that only approved and authorized devices can be used inside the firewall and require multi-factor authentication during log-in. Avoid inappropriate access to PHI by way of shared or public data access points. Don’t allow private access to PHI where others could intervene.

 

Keep it Local

Don’t take PHI away from the source of use. Consultants should avoid storing PHI on personal devices, including smart phones, which are particularly susceptible to theft and loss. Devices used to store or access PHI must be registered. Best practices often include controls giving IT staff advance permission to remotely wipe or lock a stolen registered device. Avoid leaving registered devices in cars or unprotected areas.

 

Paper-based reports also pose a threat of PHI leaks. Documents you take home over the weekend, for example, could be accessed by family members, lost, or stolen. Electronic, paper, verbal and image-based PHI should all be confidently secured. Of course, the regulations also relate to visual and verbal protections. When accessing PHI, avoid allowing others to view your screen over your shoulder. When discussing PHI, make sure only those who need to know and have appropriate authority can hear the conversation.

 

The healthcare industry is making great strides in establishing digital infrastructure, much of which is cloud-based, putting new onus on providers and their business partners to ensure the security of that information. No one wants to make headlines for the latest data breach, least of all the IT consultants hired by providers to help guide their data management efforts. Rigorous attention to HIPAA Privacy Rule guidelines is not only required – it’s imperative to maintaining trust in the healthcare ecosystem.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


The Benefits of Performing a HIPAA Risk Assessment


The Health Insurance Portability and Accountability Act (HIPAA) Security Rule mandates that covered entities must conduct a risk assessment of their healthcare company.

 

 A wide range of organizations – from healthcare insurance providers to hospitals – fall into this covered entity group. While it may seem taxing and time-consuming to provide standardized training to your employees, there are many reasons doing so can behoove you. For one, it’s the law. Since 2009, Security Risk Assessments (SRAs) have been a required annual practice set forth by the HIPAA Security Rule.

 

Don’t wait to become a breach headline; nip breaches in the bud by detecting security issues before they wreak havoc. You can’t be secure if you are not compliant, and a HIPAA Risk Assessment will safeguard your organization in more ways than one. Technology is a timesaver that has simplified the medical filing and billing processes, but it leaves the potential for leaks and hacking.

 

A risk analysis will identify and document potential threats and liabilities that can cause a breach of sensitive data. An IT security consulting company can check all portable media (laptops), desktops, and networks to ensure they’re ironclad. IT security measures, such as encryption and two-factor authentication, will be addressed in order to make it challenging for unwanted eyes to get a glimpse of patient information.

 

Employees are the greatest threat to HIPAA compliance, so it’s important to make sure they’re well informed on how to prevent breaches. Annual HIPAA Security Awareness Training Programs provide a thorough understanding of each person’s role in preventing breaches and protecting physical and electronic information.

 

HIPAA training is a regulatory requirement, and many employee actions that go awry could easily be prevented. A consultant will offer tips and tricks for minimizing that risk; a few include never leaving work phones and laptops unattended, never sharing passwords or company credentials, choosing to shred files as opposed to trashing them, and overcoming the temptation to “snoop” on patient information without just cause.

 

While many of these suggestions seem like common sense, there are also many lesser known incidences that arise while working in the medical field. Did you know that you cannot access your own medical records using your login credentials? While it may seem innocent enough, everyone is required to submit a request to access medical materials. 

 

Don’t defer a Risk Assessment out of indolence. HIPAA Risk Assessments must be accurate and extremely thorough. Questions must be asked about all the administrative, technical, and physical safeguards an organization has in place.

 

If outsourcing your HIPAA Risk Assessment, choose a company that provides comprehensive training courses. No two companies are alike so cookie-cutter answers don’t exist for compliancy; a client-facing doctor’s office and corporate health insurance agency will require that different preventive measures be put into place.


How HIPAA Helps Strengthen Patient Trust


Trust is a vital factor that affects the success of any relationship, whether it be personal or professional. Without this foundational element, interpersonal and business relationships would be filled with suspicion and uncertainty leading to conflict and ultimately the disintegration of any bond that existed.

 

In today’s digitally-driven world, this core human value is now more critical than ever. Many of the transactions we perform daily force us to deal with entities we have never met in real life. Dealing with any organization that processes and stores our personal data requires us to trust that they will honor their commitments and keep our sensitive information secure.

 

When it comes to healthcare, patient trust is a core element of any practice. Any incident that jeopardizes patient trust can destroy the relationship and threaten the future of the organization.  As people are effectively placing their health and welfare under the direct care of a practitioner, trust is effectively the only human emotion at play in this relationship.

 

We not only trust them with our lives but with keeping our medical information private and secure. Should this data be compromised in any way, it would not only place the patient in a precarious position but would also destroy the trust relationship that existed with the practitioner.

HIPAA Strengthens Patient Trust

The Health Insurance Portability and Accountability Act (HIPAA) helps strengthen patient trust in various ways. It provides mechanisms that enhance the transparency, privacy, and security of electronic healthcare information. Not only does the Act help prevent sensitive patient data from compromise, but it also gives patients access and protects their private medical information.

 

Under HIPAA, medical organizations and practitioners that process and store patient healthcare information must implement measures that ensure compliance with the obligations stipulated under the statute.

 

Some of these measures include conducting regular security risk assessments and deploying technologies that protect access to patient information such as Multi-Factor Authentication (MFA) and encryption.

 

Complying with the provisions specified under HIPAA should not only be seen as a legal or regulatory obligation but as accreditation that the organization takes patient confidentiality and security seriously. It helps build that vital trust factor as patients know that the entity has implemented the necessary safeguards needed to protect the privacy of their sensitive medical information. Achieving HIPAA compliance should therefore not be seen as a regulatory obligation but as an essential business practice that builds patient trust.

The Healthcare Industry is Not Immune to Cybersecurity Risks

As the world has become more digital and many of the vital services that run our lives have moved online, cybersecurity is a fundamental principle that every organization needs to put into practice. No enterprise is immune from a cyberattack, and this fact is particularly true for organizations that operate in the healthcare industry.

 

According to the 2018 Verizon Protected Health Information Data Breach Report, 58% of incidents involved insiders. This statistic highlighted the fact that healthcare is the leading industry in which internal actors are the biggest threat to an organization. It’s interesting to note that the majority of these incidents involved human error.

 

Although malicious actions such as misuse of information, physical intrusion, and hacking also contributed to breaches involving the healthcare industry, human error was a leading cause of data compromise. These statistics show the vital role HIPAA can play in helping organizations reduce the risk of data breaches involving protected health information.

How to Comply with HIPAA Rules

HIPAA compliance is not a one-time exercise but an ongoing assessment that requires a synchronized effort across people, processes, and technology. As human error is the leading cause of data breaches in the healthcare industry, it is vitally important to implement the safeguards that HIPAA has created to reduce the risk of intentional or accidental compromise of patient healthcare information.

 

Under HIPAA, there are specific obligations that are required and others that are addressable. Required safeguards are mandatory for any organization that stores, processes, or transmits electronic protected health information. Addressable provisions are not mandatory, but organizations need to either implement these or provide evidence that shows that these are not relevant to their specific circumstances.

 

The HIPAA Privacy Rule deals with protected health information (PHI) in general.  The HIPAA Security Rule provides compliance regulations for electronic PHI (ePHI). Under this section of the Act, there are various administrative, physical, and technical safeguards that offer the appropriate measures healthcare organizations need to implement to ensure patient privacy and the security of their ePHI.

 

Administrative safeguards include actions such as undertaking risk analysis and performing an information system activity review. It also recommends that organizations conduct regular cybersecurity awareness training and create an incident response plan.

 

Physical safeguards include measures such as deploying facility access controls and implementing the necessary steps to securely and safely dispose of media that contain ePHI.

Finally, the technical safeguards specified under HIPAA’s security rule include legislative obligations that healthcare organizations need to implement such as ensuring unique user identification, creating an emergency access procedure, and installing technologies that provide data integrity and transmission security.


Six Common HIPAA Violations and how you can prevent them


HIPAA compliance is an ongoing process.  Do you have security and privacy policies and procedures for your organization?  Do you review your policies and procedures periodically? Is your HIPAA training planned for new employees and to update everyone as necessary?  Do you know where the gaps are in your data security and do you have a plan to address these gaps?  Do your vendors and their staff follow a culture of privacy?

 

Our Managing Director, Rema Deo, has created a list of the top 6 HIPAA violations 24By7Security staff have found, based on over 500 security risk assessments conducted by our security analysts for healthcare organizations ranging from one-doctor practices to multi-location hospitals. This list of HIPAA violations comes complete with appropriate risk mitigation recommendations that can help you in your organization.

  

1. Lack of Business Associate Agreements (BAAs) with your vendors

Often healthcare organizations, especially small to medium-sized medical practices, fail to enter into Business Associate Agreements with their vendors or business associates. These vendors could range from a small IT vendor to a large Electronic Health Record (EHR) system vendor. Sometimes, smaller practices use free, insecure email and even use it to share or communicate PHI. This puts them at unnecessary risk. Healthcare providers should also note that business associate agreements should be dated after the Omnibus Final Rule came into effect, i.e. after January 2013.

How can you mitigate this risk when it comes to Business Associate Agreements?

  1. Prevent this risk by getting HIPAA-compliant Business Associate Agreements signed with all your vendors or business associates who have access to PHI.
  2. Be sure to always use secure means of transmission of PHI, and enter into a Business Associate Agreement with the vendors who are providing this secure transmission.  For example, secure email providers, external cloud storage solutions, EHR systems, and such providers usually have HIPAA-compliant service options where they provide business associate agreements.

 

2. Loss or theft of portable devices

Many covered entities take insufficient steps to safeguard PHI, especially on thumb drives and other portable devices. The Office for Civil Rights (OCR) is clear that loss of PHI is not considered a breach if it is properly encrypted.

Mitigate your risk in case devices are lost or stolen

  1. Covered entities must ensure that their portable devices, thumb drives, laptops, computers and servers are all encrypted.
  2. Drives, storage devices and other portable devices storing PHI must be kept locked when not in use.
  3. Develop, implement and maintain an appropriate data backup policy.  Ensure that backups are encrypted as well.

 

3. Failure to complete an enterprise-wide Risk Analysis

OCR has also often found that failure to complete an enterprise-wide risk analysis is a HIPAA violation, and they have levied significant penalties and fines on entities who could not show evidence of having completed an enterprise-wide risk analysis.  The case of the large fine imposed on Anthem recently is an example of this.  We mentioned this breach and the monumental price tag that came with it in our October Newsletter.

Mitigate your risk of fines in the event of an audit

  1. All areas of the enterprise should be covered with periodic, thorough enterprise-wide security risk analysis.
  2. The risk assessment or analysis should be repeated periodically and after any major changes. We recommend doing this annually as a best practice.
  3. Review your findings from the Risk Analysis and prepare an action plan with remediation plans and target dates.

 

4. Insufficient physical safeguards or keeping PHI unlocked or easily accessible

Paper files are often kept unlocked. This practice carries a risk of penalties if your data is breached.

Mitigate your risk of unauthorized PHI access

  1. We recommend keeping paper files with PHI locked.
  2. IT closets/ network/ security/ server equipment should also be kept locked to prevent unauthorized access.

 

5. Lack of HIPAA security and privacy policies and procedures. 

Often covered entities do not maintain and implement satisfactory HIPAA security and privacy policies and procedures.  Or even if they have policies and procedures, not all of them review and update their policies and procedures periodically. 

Mitigate your risk

  1. Take the time to prepare and maintain policies and procedures.
  2. Review these policies and procedures annually or after a major change.
  3. Ensure that employees are trained on your policies and procedures, and follow them.

 

6. Delays in reporting breaches as per the breach notification rule.

Breaches affecting more than 500 patients are required to be reported to the Department of Health and Human Services (HHS) within 60 days of being discovered.  It’s bad enough to delay reporting to HHS, but covered entities may often not be aware of state-level breach notification requirements.  Some states like Florida can be very strict with breach notification delays. Florida, under the Florida Information Protection Act, has 30-day breach notification requirements and other specific rules depending on the number of records breached. The fines are also drastic, an example being $1000 per day for every day late for the first 30 days and more stringent penalties after that. All 50 states have enacted laws regarding breach notification.

Mitigate your risk of penalties for failing to report breaches in a timely manner

  1. If you suffer a breach, be sure to take legal advice in terms of all the requirements in your industry and location.
  2. Ensure that you are aware and comply with your state or location specific breach reporting requirements in addition to federal HIPAA breach notification rules.
  3. Cyber Insurance can help mitigate some of the expenses of a breach, but take a close look at what is covered and what you need to be doing in order to maintain coverage.

Don't risk making one of these costly mistakes!  Schedule your HIPAA risk assessment, HIPAA training for you and your staff, and prepare and/ or review your Policies and Procedures. 


HIPAA Audits of Covered Entities and Business Associates


In August, Advocate Health Care Network agreed to pay a $5.55 million settlement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR), for multiple HIPAA violations. In addition, HHS also recently announced a $650,000 resolution settlement against the Catholic Health Care Services of the Archdiocese of Philadelphia.

 

These multi-million dollar penalties should be a warning for all covered entities and business associates, especially with the next phase of audits now underway. During this phase, OCR is reviewing the policies and procedures utilized by covered entities and their business associates to ensure they meet the standards and specifications of the Privacy, Security, and Breach Notification Rules. These will mostly be desk audits. However, there will be some on-site audits conducted as well.

 

The audit process began in May 2016, when OCR sent emails to verify entities’ address and contact information. The next step was a pre-audit questionnaire that was used to gather information about the size, type, and operations of the facilities. Those who participate in the desk audits are required to provide a list of their business associates and their contact information. Emails will go out to the chosen business associates, who are expected to respond promptly. The audits are expected to focus heavily on breach responses. If a business associate does not respond within the timeframe, they will be scheduled in January 2017 for the comprehensive audits.

 

Some frequently asked questions regarding audits include:

Who Will Be Audited?

 

Every covered entity and business associate is eligible for an audit, including covered individual and organizational providers of health services, health plans, health care clearinghouses, and a range of business associates of these entities.

 

What is a Business Associate?

Business associates are considered any third-party contractor that performs work or activities on behalf of a healthcare organization or covered entity that involve the use or disclosure of protected health information.  A few examples may include:

  • Examples of business associates: lawyers working on a case, medical transcription or medical billing companies, document storage or disposal companies, answering services, software vendors and consultants, patient safety and accreditation organizations, health information exchanges, etc.
  • Examples NOT typically considered business associates: an employee, maintenance or repair personnel, a financial or banking institution that only performs payment activities or a janitorial service. 

 

What are Business Associate Agreements?

HIPAA and HITECH require practices to sign a business associate agreement (BAA) with business associates that ensures they will protect all patients' PHI. The contract protects protected health information (PHI) in accordance with HIPAA guidelines. Business associates can be held accountable for any data breach and penalized for noncompliance.

 

Why are Business Associates Agreements important?

Business associate contracts are not only necessary for staying in compliance; they are crucial for the adequate protection of patient PHI.  The following are HIPAA requirements for business associate agreements:

  1. Establish the permitted and required uses and disclosures of protected health information by the business associate.
  2. Provide that the business associate will not use or further disclose the information other than as permitted or required by the contract or as required by law.
  3. Require the business associate to implement appropriate safeguards to prevent unauthorized use or disclosure of the information, including implementing requirements of the HIPAA Security Rule about electronic protected health information.
  4. Require the business associate to report to the covered entity any use or disclosure of the information not provided for by its contract, including incidents that constitute breaches of unsecured protected health information.
  5. Require the business associate to disclose protected health information as specified in its contract to satisfy a covered entity’s obligation with respect to individuals' requests for copies of their protected health information, as well as make available protected health information for amendments (and incorporate any amendments, if required) and accountings.
  6. To the extent the business associate is to carry out a covered entity’s obligation under the Privacy Rule, require the business associate to comply with the requirements applicable to the obligation.
  7. Require the business associate to make available to HHS its internal practices, books, and records relating to the use and disclosure of protected health information received from, or created or received by the business associate on behalf of, the covered entity for purposes of HHS determining the covered entity’s compliance with the HIPAA Privacy Rule.
  8. At termination of the contract, if feasible, require the business associate to return or destroy all protected health information received from, or created or received by the business associate on behalf of, the covered entity.
  9. Require the business associate to ensure that any subcontractors it may engage on its behalf that will have access to protected health information agree to the same restrictions and conditions that apply to the business associate with respect to such information.
  10. Authorize termination of the contract by the covered entity if the business associate violates a material term of the contract.  Contracts between business associates and business associates that are subcontractors are subject to these same requirements. (1)

 

How Will Auditees Be Selected?

OCR is identifying groups of covered entities and business associates that represent a broad range of health care providers, health plans, health care clearinghouses and business associates.  According to HHS, the sampling criteria for selection will include the size of the entity, affiliation with other healthcare organizations, the type of entity and its relationship to individuals, whether an organization is public or private, geographic factors, and present enforcement activity with OCR. OCR will not audit entities with an open complaint investigation or that are currently undergoing a compliance review.

 

What If an Entity Doesn’t Respond to OCR’s Requests for Information?

If an entity does not respond to requests for information from OCR, OCR will use publicly available information about the entity to create its audit pool. An entity that does not respond to OCR may still be selected for an audit or subject to a compliance review.


New HIPAA requirements target unsecured protected health information


The American Recovery and Reinvestment Act of 2009, signed by President Barack Obama in February, modified the Health Insurance Portability and Accountability Act (HIPAA). In particular, the Health Information Technology for Economic and Clinical Health Act (HITECH) sets forth new requirements relating to business associates and notification of patients regarding breaches of unsecured protected health information. The new regulation covers breaches that occur after September 23, 2009.

 

Before HITECH, a covered entity (that is, a physician's office, hospital, clinic, etc.) was only required to mitigate the effects of an unauthorized disclosure, which may or may not have included notifying the patient. Now, except for certain limited exceptions, a covered entity is required to notify a patient of an unauthorized disclosure of unsecured protected health information if a significant risk of "financial, reputational, or other" harm exists.

 

It is important to note that notification is only required for unsecured protected health information, not secured protected health information. The Department of Health and Human Services (HHS) issued guidance on what constitutes "secured" protected health information in April, stating that information is deemed secured if rendered "unusable, unreadable, or indecipherable" to unauthorized individuals.

 

To determine whether a "significant risk of harm" exists, the covered entity should consider what information was disclosed, to whom the information was disclosed, and what steps have been taken to eliminate or reduce the risk to the individual.

 

Any notification to the patient must include a brief description of what happened and the type of protected health information disclosed, any steps the patient should take to protect himself or herself, what the covered entity is doing to investigate and mitigate the breach, and information concerning who to contact for additional information. Any required notification must occur without unreasonable delay but no more than 60 days after the breach is discovered or should have been discovered with the exercise of reasonable diligence.

 

Notification must be in writing by mail (or by phone in urgent cases) or electronic means if the patient has consented to electronic notification. Also, specific rules exist regarding what to do if patients cannot be located. If a breach involves more than 500 patients (for instance, the loss of a laptop containing unsecured protected health information), then local media outlets must be notified. In addition, the HHS secretary must be notified: immediately for breaches involving more than 500 patients and annually for others.

 

With the new regulations, the knowledge of a covered entity's agents, including business associates, is imputed to the covered entity. Therefore, the clock for notifying patients could begin to run before the covered entity actually is aware of the disclosure. New agreements may be required, and education of business associates is important, to ensure that they are aware of these requirements and that they indemnify your practice if they fail to comply with the new rules and notify you promptly of any breach of protected health information.

 

The burden to disclose the breach or establish that no risk of harm to the patient exists is on the covered entity, even if the breach was the fault of one of its agents. A decision not to notify a patient because the covered entity does not believe that a significant risk of harm exists should be carefully investigated and documented.


HIPAA Sees Meritus Medical Center Stop Media Announcements


Meritus Medical Center is one of a number of hospitals that has stopped issuing information about patient conditions to the media. The hospital announced on September 22 that this courtesy would be stopped.

 

The Health Insurance Portability and Accountability Act places certain restrictions on the disclosure of Protected Health Information to third parties, including the media. Just a few years ago, reporters would be able to call a healthcare provider to make an enquiry about the health status of a patient.

 

The hospital staff would provide general information about a particular patient’s condition if they were asked about a patient by name. The information disclosed would be restricted, so reporters would be advised, for instance, that a patient was in good, fair, stable or critical condition.

 

Under HIPAA Rules this information may be disclosed to the media; however, it is not mandatory for a hospital or healthcare provider to give out any information, except when it is in the public health interest to do so or if required by law enforcement officers to assist with an investigation.

 

HIPAA Rules See Patient Privacy Improved
Since the HIPAA Privacy Rule is now being enforced, and covered entities can face considerable fines for violations of the Rules covering the disclosure of PHI, many hospitals have now taken the decision to stop releasing any information on patients. They see it as a measure that will improve privacy and help avoid any inadvertent HIPAA violations.

 

In the case of Meritus Medical Center, the policy was changed not only because of the risk of HIPAA violations but also to improve privacy standards for patients. Meritus Communications Manager Nicole Jovel said in a media announcement, “In conversations with clinicians and administrators, we determined we needed to really increase the level of privacy we were providing.”

 

A Patient’s Status can Rapidly Change
There are also problems with such a simple classification of status and providing information when it is likely to change. Patients may slip from serious to critical, or may improve from one day to the next. It would not be fair to report a condition, if that information may be incorrect just a few hours later. In the case of newspapers which are printed the following day, they may contain inaccurate information before they even hit consumers’ doorsteps.

 

Patient Safety is a Major Consideration
Then there is the issue of confirming the identity of the caller, which is often impossible. The hospital treats numerous victims of domestic violence, and Jovel pointed out that the staff cannot be sure if they are giving information to an abusing partner.

The problem faced by Meritus is typical. There are too many variables to consider, and in a busy healthcare setting it is too easy for mistakes to be made. Ultimately those mistakes could prove detrimental to patients and the decision is made to stop issuing all reports to the media.


Fax Sent to Wrong Number Results in HIPAA Violation


One morning, the office manager got a call from one of the practice's patients, Mr. M, a 52-year-old, HIV-positive man who had been seeing Dr. G for a decade. Although he was happy with the treatment he had been receiving, Mr. M's company was promoting him and he was relocating to another town. He called to ask Dr. G to fax his medical records to his new urologist.

 

The office manager was juggling numerous tasks, but managed to send the fax out later that day. The office did not have personalized fax cover sheets, just sheets that the office manager printed off once a week which had spaces to fill in the “to” and “from” sections. She hurriedly filled them in and shot off the fax, one of several she had to do before checking in the next patient.

 

At the end of the day she told Dr. G that it had been done. He thought nothing of it until the following Monday when the office manager came into the back office to speak to him. She was pale and looked shaken, and the physician immediately asked if she was okay.

 

“It's Mr. M,” the office manager said. “He just called – absolutely furious. He says that we faxed his medical records to his employer rather than his new doctor, and that now his company is aware of his HIV status. He is extremely upset.”

 

“I'm so sorry,” the office manager said tearfully. “I was the one who sent that fax out. I must have accidentally grabbed the wrong number from his file. What should we do?” She looked at Dr. G for guidance.

 

Dr. G was holding his forehead, and trying to figure out how to remedy the situation. “The first thing we're going to do is to call Mr. M and apologize. Then we'll take it from there.”

 

The office manager and Dr. G called Mr. M and apologized profusely for the mix-up. Mr. M understood that it had not been done maliciously, but he was still not satisfied and reported the incident to the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR).

 

An initial investigation indicated that the incident was not criminal and so it was not referred to the Department of Justice.

 

Rather, it was handled by the OCR. OCR officials appeared at Dr. G's office to look into the matter, and after a thorough investigation, the OCR issued a letter of warning to the office manager, referred the office staff for HIPAA privacy training, and had the office revise the fax cover sheets to underscore that they contain a confidential communication for the intended recipient only.

 

Legal Background
The Health Insurance Portability and Accountability Act, commonly known as HIPAA, protects personally identifiable health information of patients, and specifies to providers how such information may be used. HIPAA has been in effect for about a decade, and in that time, the HHS has received a total of almost 80,000 complaints.

 

Of those, more than 44,000 were dismissed, 19,000 were investigated and resolved with changes to privacy practice, and 9,000 were investigated but no violations were found. According to HHS, private medical practices were the ones most often required to take corrective action as a result of enforcement.

 

The top two compliance issues most frequently investigated are impermissible use and disclosure of protected health information and lack of safeguards for protected health information.

 

When a HIPAA complaint is filed with the HHS, the first determination made is whether there was a possible privacy violation and whether it was of a criminal nature. If it was determined to be criminal, the case is referred to the Department of Justice for investigation and possible prosecution.

 

If it was determined that it was not a criminal issue (as in this case) the violation is investigated by the OCR. If it is determined that a HIPAA violation did, in fact, take place, the OCR can either obtain voluntary compliance, corrective action or some other voluntary agreement with the offender, or the OCR can issue a formal finding of violation and force the offender to change its practices.

 

In this particular case, the office manager and Dr. G recognized the mistake and immediately tried to take corrective action by apologizing to the patient. Dr. G's office also voluntarily agreed to extra compliance training for the staff and to a change in their faxing procedures to indicate that the faxed materials are confidential.

 

Protecting Yourself
This particular scenario was the result of a careless error. While a careless error can happen to anyone, one such as this could cause irreparable harm to the patient if his employer now views or treats him differently because of the new knowledge of his HIV-positive status.

 

Confidential patient records must be treated with the greatest of care as they contain information of an extremely personal nature. Many HIPAA cases have involved the unintentional divulging of the HIV or AIDS status of a patient.

 

In a similar case, a dental practice was reported for using red stickers and the word AIDS on the outside of patient folders. And in a case that took place in a hospital, a nurse and orderly lost their jobs for discussing a patient's HIV status within earshot of other patients.

 

A good rule of thumb is to treat a patient's confidential information as you would want yours to be treated, and then add a little extra security for good measure.


No Exception to HIPAA Privacy Rules, Nurse Learns


Ms. P, 45, was a nurse working in the cardiology department of a large hospital. Her duties were varied, and included, among other things, accessing patient medical records to review lab values and other diagnostic tests ordered by physicians, and writing progress notes in patients' charts.

When she was originally hired by the hospital, she was given a lecture from human resources about the importance of patient confidentiality. Ms. P was required to sign an agreement stating that she would protect patient confidentiality by only seeking or obtaining information regarding a patient that was required to perform her duties.

Later, when the U.S. Health Insurance Portability and Accountability Act (HIPAA) went into effect, Ms. P was required to go to another human resources seminar and sign a revised confidentiality agreement.

 

The revised agreement stated that she would not access or view information other than what was required to do her job, and that she would immediately ask her supervisor for clarification if she had any questions about whether information was required for her job.

 

Finally, the agreement contained a section saying that Ms. P acknowledged that violation of the facility's confidentiality policy could result in disciplinary action up to and including termination.

Ms. P understood the importance of patient confidentiality and would never look in the records of patients that weren't hers—with two exceptions. Ms. P's mother and sister both had serious chronic conditions that frequently resulted in hospital visits over the years.

 

Ms. P's mother had Parkinson's disease, was on numerous medications, and was prone to falls. Ms. P's older sister, who lived with her, had Down syndrome. Ms. P would periodically look up her mother's and sister's health records on the hospital computer to get information or to access their treatment plans. She didn't see anything wrong with this because it was her own family.

 

One of her colleagues, however, had noticed Ms. P looking at the records on more than one occasion, and anonymously reported her. The hospital's HIPAA compliance officer began an investigation that revealed that Ms. P had accessed her mother's charts on 44 separate occasions and her sister's charts on 28 occasions.

 

When the human resources director confronted her with the results of the investigation, Ms. P admitted that she had accessed the records, but that they were the records of her family members and therefore she didn't see anything wrong with it.

 

“Did you need to access information from their medical records in order to do your job as a clinical affiliate in the cardiology department?” the human resources director asked sternly.

“No,” Ms. P replied. “They were not cardiology patients.”

She was fired that day. Angered by the loss of her job, Ms. P sought the advice of an attorney to see if she could sue the hospital for wrongful termination. The attorney was skeptical.

“HIPAA violations are taken very seriously,” he said. “Did they give you training about patient privacy?”

 

Ms. P admitted that she'd had training.

“Were you asked to sign anything?” the attorney inquired.

“Well, yes,” Ms. P said. “I did sign a confidentiality agreement, and the hospital does have a policy that you could lose your job for violating it. But this was my mother and sister! They don't mind that I looked at their records!”

 

“That's irrelevant,” the attorney said. “It doesn't matter if they are family or not. You still didn't have the right to look at the records. I don't think we have a leg to stand on, unless…” the attorney trailed off, thinking.

 

“How old are you?” he suddenly asked.

When she told him, he smiled. “I think we may have an angle. We can try suing the hospital for age discrimination. We can claim that the privacy violation was merely a pretext to get rid of you – a higher paid experienced nurse – and replace you with a less expensive junior person.”

 

The attorney filed the papers against the hospital. The hospital's attorney promptly filed a motion to dismiss. The court, after reviewing all the facts, dismissed Ms. P's case.


Massachusetts Physician Guilty in HIPAA Case


Recently, a gynecologist was sentenced to 1 year of probation for violating HIPAA laws and obstructing an investigation into a federal health care probe.

 

Rita Luthra, MD, who treated women in a low-income area of Springfield, Massachusetts, was convicted this past April of allowing a pharmaceutical representative from Warner Chilcott improper access to patient records. While the case is unique—providers have rarely been charged criminally under HIPAA—it is a cautionary tale about the potential implications for improper disclosure.

 

Federal charges
Dr Luthra's conviction stemmed from a larger Department of Justice (DOJ) investigation into Warner Chilcott's practices. The pharmaceutical company, which was purchased in 2015 by Allergan plc, was investigated on allegations of paying kickbacks to physicians to entice them to prescribe its medications to patients; false marketing for Actonel, a drug prescribed for treatment of osteoporosis; and manipulating prior authorizations for its other osteoporosis drug, Atelvia.

 

The DOJ reached a $125 million settlement with the company in 2015. Dr Luthra was found to be one of the physicians accused of taking part in Warner Chilcott's practices. She was originally brought up on kickback charges, with investigators claiming she received more than $23,000 for prescribing their osteoporosis medication. They claimed she was paid approximately $750 on numerous occasions to hold educational events in her office for the pharmaceutical company.

 

But those charges were dropped, and a revised indictment for HIPAA charges was filed. Prosecutors claimed she gave a sales representative patient information in order to fill out forms to get an insurer to cover the drugs. She was also convicted on an obstruction charge for allegedly lying to the DOJ about why she was paid by the pharmaceutical company.

 

Luthra could have received up to 6 years in prison and a $300,000 fine for both charges. The judge on the case, however, said that the loss of her license and probation was enough of a sentence. He reportedly considered her work for years serving patients in lower-income communities during sentencing.

 

Pandora's box
Criminal prosecutions under HIPAA are not common, but Conor Duffy, a lawyer with Robinson & Cole LLP, said it is reflective of a growing trend.

 

“Prosecutors appear to utilize criminal charges under HIPAA in part as a fall back or as leverage against a provider, because proving HIPAA violations can be easier than proving the existence of an illegal kickback arrangement,” Duffy said. “The Massachusetts case is notable in that the government ended up dropping its kickback allegations but nonetheless prosecuted the physician for a HIPAA violation.”

 

There have been a few other cases where criminal charges were applied through HIPAA, most involving providers improperly using the information or providing it to others for financial gain. In one such case, a Florida nurse used the information of more than 600 of her patients to file false tax returns with potential refunds of more than $220,000. She was sentenced to more than 3 years in prison and fined.

 

“Some people are doing it for personal benefit, and it's happening more often than would be hoped for,” said Matthew Fisher, a law partner at Mirick, O'Connell, DeMallie & Lougee LLP.

When prosecutors file criminal charges, “they will come up with every single charge they can think of so one will stick,” Fisher said. Filing multiple charges allows them not only to find one that's valid, but also allows for negotiation. And when the government begins investigating, they will likely find some issues.

 

“Once they start looking around they will find something even if it's not why they came in the door,” Fisher continued. “The regulations are so complex it's difficult to be 100% compliant and as a physician, you have to live with what comes out of that.”

 

Stay in compliance
This case provides a good warning, particularly for smaller organizations, that HIPAA applies to practices of all sizes, according to Amy Joseph, senior counsel at Hooper Lundy & Bookman PC. It is a reminder to avoid disclosing information unless it is for treatment, claim payment, internal health care operations, the patient has authorized the disclosure, or another limited exception applies.

 

“Disclosure for purposes other than treatment, payment, or health care operations need to be scrutinized,” Joseph said. “Get help, talk to your counsel. Just because someone else is in health care it doesn't mean they are going to protect the information or are asking for it for legitimate purposes. It's better to be more cautious than not.”

 

Duffy said personal relationships, such as those with some pharmaceutical sales representatives, should be monitored. These salespeople are “trained to cultivate business by building such relationships.”

 

“Providers also need to be careful to not rationalize potentially illegal acts—like allowing a sales representative to use identifiable health information to facilitate prescriptions of a drug for a patient—on the basis that a patient could ultimately benefit from a drug or device, because the laws governing these interactions do not take that into account,” he said.

 

If a provider gets into a situation where a pharmaceutical representative, medical device company, or other similar health care organization is calling and asking for patient information, Fisher recommends taking a step back before providing it. Providers should look at the relationship they have with the organization. They might be using it for valid purposes such as clinical trials or reporting to the FDA.

 

Most providers will shrug and say they would never get into the kind of situation Dr Luthra did, but Fisher said it is not always such an obvious delineation between when information should and should not be given out.

 

“If they are calling out of the blue and you're not clear why the connection is being made, question it and don't just volunteer that information,” Fisher said. “It's not a defense to say, ‘They told me it was OK and I never really thought about it.' You're always responsible for your own actions; no one is forcing you to do anything.”


HIPAA Privacy Rule Can Be Tool for Health Information Exchange


Rather than being a barrier to information sharing and interoperability, the HIPAA Privacy Rule can be seen as a tool to facilitate health information exchange and flow across the health ecosystem, argued OCR and ONC in an Aug. 30 blog post. 

 

The HIPAA Privacy Rule provides individuals with a right to access information in their medical and other health records maintained by a HIPAA covered entity, such as an individual’s healthcare provider or health plan, noted ONC Chief Privacy Officer Kathryn Marchesini and OCR Acting Deputy Director for Health Information Privacy Timothy Noonan.

 

The authors wrote that the 21st Century Cures Act, enacted in 2016, among other things called for greater individual access to information and interoperability of healthcare records. The act directed HHS to address information blocking and promote the trusted exchange of health information.

 

 

“Information blocking occurs when a person or entity – typically a health care provider, IT developer, or EHR vendor – knowingly and unreasonably interferes with the exchange and use of electronic health information,” ONC explained.

 

ONC and OCR recently began a campaign encouraging individuals to access and use copies of their healthcare records.

The two HHS offices are offering training for healthcare providers about the HIPAA right of access and have developed guidance to help consumers take more control of decisions regarding their health.

 

These guidelines include access guidance for professionals, HIPAA right of access training for healthcare providers, and the Get It. Check It. Use It. website for individuals.

The authors also noted that the HIPAA Privacy Rule supports the sharing of health information among healthcare providers, health plans, and those operating on their behalf, for treatment, payment, and healthcare operations. It also provides ways for transmitting health information to relatives involved in an individual’s care as well as for research, public health, and other important activities.

 

“To further promote the portability of health information, we encourage the development, refinement, and use of health information technology (health IT) to provide healthcare providers, health plans, and individuals and their personal representatives the ability to more rapidly access, exchange, and use health information electronically,” they commented.

 

The Centers for Medicare & Medicaid Services (CMS) and the National Institutes of Health (NIH), along with the White House Office of American Innovation, are working to support the exchange of health information and encourage the sharing of health information electronically.

 

For example, CMS is calling on healthcare providers and health plans to share health information directly with patients, upon their request.

 

Also, NIH has established a research program to help improve healthcare for all individuals that will require the portability of health information.

 

The White House’s MyHealthEData initiative, which originated from President Donald Trump’s 2017 executive order to promote healthcare choice and competition, aims to break down the barriers preventing patients from having access to their health records.

 

The executive order directed government agencies to “improve access to and the quality of information that Americans need to make informed healthcare decisions.” The order is part of a broader effort to increase market competition in the healthcare market.

 

ONC developed a guide intended to educate individuals and caregivers about the value of online medical records as well as how to access and use their information. ONC also produced videos and fact sheets to inform individuals about their right to access their health information under HIPAA.

 

“It’s important that patients and their caregivers have access to their own health information so they can make decisions about their care and treatments,” said National Coordinator for Health Information Technology Don Rucker. “This guide will help answer some of the questions that patients may have when asking for their health information.”

 

The agency said that an individual’s ability to access and use health information electronically is a cornerstone of its efforts to increase patient engagement, improve health outcomes, and advance person-centered health.

 

ONC noted that the guide supports both the 21st Century Cures Act goal of improving patient access to their electronic health information and the MyHealthEData initiative.


Navigating Mobile Devices and HIPAA


The mobile technology revolution has impacted nearly every industry across the globe, with healthcare being no exception. Hospitals, clinics, and providers have all quickly embraced the use of smartphones and other mobile devices along with the convenience of accessing important medical information quickly.  

Many healthcare organizations are capitalizing on the benefits that mobile devices provide by permitting physicians, nurses, and other healthcare staff to bring their own personal devices (BYOD) to use at work. Other organizations choose to provide their staff with company-owned mobile devices, finding it easier to maintain control and protect their networks. 

 

Although the convenience of mobile technology provides many advantages, it also comes with risks. If mobile data security measures are inadequate, covered entities are at risk of violating HIPAA regulations, which can incur heavy fines. The HHS can issue HIPAA fines of up to $1.5 million per violation category, per year that the violation has been allowed to persist. In addition, other federal agencies can issue fines, such as the state attorneys general. There is also the considerable cost of a breach response to cover if data is potentially exposed.

 

The majority of mobile devices do not have robust security controls, which leaves them easy to compromise. For example, if an unprotected device connects to a network via public Wi-Fi, there is an increased risk of theft. Cybercriminals view mobile devices as an accessible entry point into healthcare networks, allowing them to access valuable electronic Protected Health Information.

 

As mobile devices are rapidly becoming an integral part of daily healthcare operations, it is important that organizations fully comprehend healthcare mobile security. HIPAA covered entities that choose to use mobile devices in the workplace must implement controls to protect patient health data. They must also review and address all potential mobile data security risks.

 

The HIPAA Security Rule does not require specific technology solutions when it comes to technical safeguards for mobile devices. However, HHS does require organizations to implement reasonable and appropriate security measures for standard operating procedures. 


Why Your Dental or Medical Website Needs To Be HIPAA Compliant?


As the digital world becomes ever more entrenched in our lives, crime and information gathering are becoming more advanced as well. Patient privacy is a serious issue, and while the majority of websites can safely be hosted on the internet without special considerations regarding safety and security, healthcare has no such luxury. In fact, it is vital that all healthcare websites take extra steps to secure their site to be HIPAA compliant.

 

HIPAA And You, What Is It Exactly?

HIPAA stands for the Health Insurance Portability and Accountability Act. Developed some years ago, it was established to provide guidelines and regulations on the security of patients’ personal information. Two elements of the act create conditions that must be met to be found in compliance with HIPAA rules: the Privacy Rule, outlining the protection of your patients’ private health information, and the Security Rule, describing the requirements for data security measures.

 

How Can I Make My Website HIPAA Compliant?

It begins with going beyond basic encryption: websites that seek to be HIPAA compliant have to invest in higher-level security measures. The only way you can avoid this as part of the medical industry is if your site doesn’t collect or provide any personal information and avoids any third-party transactions of data.

 

The first step to securing your website is to use SSL (Secure Sockets Layer) security, which current servers provide through its successor, TLS. You’ve likely noticed sites that use it because their addresses begin with https:// instead of http://. A site that has an SSL certificate encrypts communication between the web browser and the server. This is required to be found in compliance with HIPAA laws.

 

You can also make sure that your site is HIPAA compliant by using high-security data collection forms that provide additional protection. The basic CMS (Content Management System) provided with most web hosts doesn’t provide that level of security, so it’s often wise to select a third-party form builder that meets the requirements of HIPAA.

 

Healthcare Website Design

HIPAA compliance is a vital element of your design for a healthcare website, especially as access to technology increases and becomes further integrated with our day-to-day lives. It is your responsibility as the owner of the website to ensure that your security system meets the stringent requirements of this act. Whether you’re a public institution or serve the community as a private practice, your website design company can aid you in providing a secure website that will be approachable and informative for your clientele while maintaining the necessary security protocols.

 

Don’t put your practice at risk with a site that doesn’t protect your patients’ information appropriately. To begin designing an attractive website that will serve your patients with the security and peace of mind they deserve. Violations of HIPAA are a serious concern and can result in costly fines and, more importantly, the compromising of your patients’ privacy.


HIPAA Regulations for Radiologists 101


HIPAA regulations are a complex set of rules and regulations that are designed to promote a more patient-oriented medical system that enhances patient care. HIPAA regulations that promote the accessibility of medical records to patients and increase the security of electronic patient health information are also included in the HIPAA Omnibus Rule. Radiologists often receive patients through a referral system or send patient files to another medical doctor or facility after x-rays and other scans are interpreted. This constant sharing of sensitive patient information makes learning what HIPAA regulations are and how they affect radiologists an important task for any radiologist.

 

HIPAA Omnibus Rule

The HIPAA Omnibus Rule has changed the way that patient information is collected, stored, transmitted and created in response to the HITECH Act. The HITECH Act offers organizations incentives for using electronic patient health information while improving the security of that data. When asking what HIPAA regulations are, one of the most important things to consider is your organization’s privacy policy. New HIPAA regulations state that organizations and entities must update their privacy policies and business agreements to comply with the current standards.

 

Current HIPAA standards require that all businesses sharing patient information must be HIPAA compliant. For instance, if a radiologist receives referrals or bills insurance companies on behalf of clients, the insurance company and the organization referring clients should both be HIPAA compliant. Current business associate agreements will be allowed until late September of 2014, but after that date all business associates will need to comply with the HIPAA Security Rule to avoid penalties or fines.

 

What is Affected by HIPAA?

Nearly every aspect of creating, sharing and transmitting electronic patient health information has been affected by new HIPAA regulations. In addition to revising and updating your organization’s privacy policies and business agreements, you will also need to look at your internal records storage and the accessibility of patient records. For instance, your internal computer systems must be secure and protected from data loss or third-party access. Data encryption is required anytime that you transmit electronic patient information. If your organization is using a third-party storage system for patient health information, the company providing web-based storage services will also need to be HIPAA compliant.

 

One of the areas that will be most affected for radiologists is how patient information is disclosed. Since radiology is a field where referrals are very common, care must be taken to ensure formal, written consent is provided each time you share patient health information. For example, a radiologist sending the results of an x-ray to a general practitioner will need to have written consent by the patient to do so. In order to understand and comply with current HIPAA regulations, it is best to use a HIPAA compliance checklist and HIPAA compliance software. HIPAA compliance software will walk you through the process of meeting current HIPAA regulations and help you avoid the confusion of updating and revising your current policies and practices on your own.

Why should you care about HIPAA?


Can you afford a $50,000 fine for a HIPAA violation? The healthcare industry is extremely vulnerable to cyber-attacks and data theft. According to the HIPAA enforcement rule, penalties can reach up to $1,500,000 per year per violation depending upon the type of HIPAA violation.

Look at some of the biggest HIPAA penalties enforced by the Office for Civil Rights:

In October 2018, Anthem Insurance paid OCR $16 million in a record HIPAA settlement after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. OCR’s investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the cyber-attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.

 

A judge ruled in June 2018 that MD Anderson Cancer Center has to pay $4,348,000 in civil money penalties to OCR following an investigation of the theft of 3 unencrypted devices that resulted in a breach of ePHI (electronic Protected Health Information) of over 33,500 individuals.

 

Fresenius Medical Care North America (FMCNA) is paying 3.5 million dollars with a corrective action plan after 5 separate data breaches in 2012 because they failed to implement policies and procedures and to implement proper protection of PHI (Protected Health Information).

 

CardioNet has been fined 2.5 million with a corrective action plan after a laptop was stolen from an employee's vehicle. Further investigation revealed insufficient risk analysis and risk management at the company. Their policies and procedures were in draft status and had not been implemented.

 

One surprise inspection can expose a HIPAA violation and change your business forever.  New legislation now allows patients in Connecticut to sue healthcare providers for privacy violations or PHI disclosure as well.  You may say that your job as a healthcare provider is only to treat your patients, that you don't need to worry about Cybersecurity or technology. 

 

Bear in mind though - it is a fact that Cybersecurity issues can impact and have impacted patient care on several occasions! Protect the integrity of your business and your patients' private health information to avoid a HIPAA violation that could cost you money, respect, and patients!

 

You may understand that HIPAA violations can lead to fines, but you may also be wondering: What is a corrective action plan? Often, when the Office for Civil Rights (OCR) imposes a fine for a HIPAA violation, it also enforces a Corrective Action Plan with a strict timeline to correct underlying compliance problems and a goal to prevent breaches from recurring.


HIPAA Training is not HIPAA Compliance


We hear from so many doctors’ and dentists’ offices that they are “HIPAA-compliant” because they have completed the required annual HIPAA training for their staff.   FALSE! HIPAA Training is not HIPAA Compliance. HIPAA Training is only one of the components of HIPAA Compliance – thinking otherwise could lead to a false sense of security.

 

HIPAA law consists of various requirements in the areas of security and privacy, use and disclosure of PHI (protected health information) and in breach notification rules.

Minimum steps needed for HIPAA Compliance:

At the very minimum, a doctor’s or dentist’s office must do the following for HIPAA Compliance:

  1. Exercise privacy in the office everywhere.   Be careful about accidental disclosure of patient information.
  2. Display the Notice of Privacy Practices prominently in your office lobby and on your website.
  3. Exercise caution in the use and disclosure of PHI (Protected Health Information).     Patients have the right to review and obtain their PHI.   The onus falls on the medical practice to secure and protect PHI from unauthorized disclosure of any kind.
  4. Conduct the mandatory annual risk assessment, or hire an expert to conduct it for you.   The assessor must take into consideration all the security and privacy-related criteria while conducting the assessment, including all your administrative, physical and technical safeguards.   A detailed list of recommendations and action items should follow as a result of the risk assessment.
  5. Prepare and follow security and privacy policies and procedures.   Your risk assessment should highlight the minimum required policies and procedures that you would need to prepare or obtain.   Physicians and staff members should be familiar with and should follow these policies and procedures on a daily basis.
  6. Provide annual HIPAA Training to your staff and physicians.

Breach notification:

Breaches have unfortunately become all too common these days in an environment where medical records are extremely valuable on the black market. HIPAA law also specifies strict breach notification requirements in the event of a breach. The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) requires the practice to inform all individuals whose data might have been lost or stolen.

 

A breach of more than 500 records is considered a reportable breach, that is, the practice must notify HHS.   This could result in an audit of the practice by federal agencies, and the first thing they are going to ask you for is a copy of your last annual risk assessment.

Small practices may be targets of breaches too:

Many small practices think that they are too small to be targeted.   False again!   If you look at the HHS "Wall of Shame" which lists reported breaches of more than 500 patient records, you will see several small practices listed there who have undergone breaches.   The reality is that smaller practices are likely to be even more affected by a breach considering the high expenses and workload that follow.    The Ponemon Institute has calculated the average healthcare data breach cost to be $380 per record - for 500 records, that comes to approximately $190,000, which can be highly damaging for a small healthcare practice.

 

We often hear from dentists that they do not believe they need to comply. Also False! In fact, just recently, in January 2018, Steven Yang, DDS of California and Zachary Adkins, DDS of New Mexico had breaches of 3000+ patient records each due to the theft of a laptop and other portable electronic devices respectively.

 

Robert Smith, DMD of Tennessee reported 1500 records breached after a hack.  Several other providers such as physicians, hospitals, pharmacies, health plans, and business associates have experienced breaches in the recent past.   It can and will happen to anyone regardless of size - please do not think that it won't happen to you!

Culture of Security and Privacy:

HIPAA Training is not HIPAA Compliance.   Practices should take these requirements seriously as they are here to protect patients and medical professionals.   Protect yourself and your patients by incorporating a culture of security and privacy compliance in your medical practice.


HIPAA compliance tips for small medical practices


But data breaches don’t just affect large corporate entities, they affect small healthcare organizations as well. Take the case of Holland Eye Laser Surgery in March 2018. Their five-provider group practice saw a data breach which made available the patient records of 42,000 patients. Hackers were able to access Social Security numbers, birth records, and other sensitive protected health information (PHI).

 

In fact, some of the medical records of these patients were sold off by data hackers. Officials from the practice stated that they’re now working to strengthen their security system. But once patient trust is lost, sometimes it just cannot be restored.

 

Brief primer on HIPAA and data breaches

• The Privacy Rule protects individually identifiable health information held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal

• Each entity must analyze the risks to e-PHI in its environment and create solutions appropriate for its own situation.

• The HIPAA Breach Notification Rule requires providers to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without delay and no later than 60 days following the discovery of a breach.

 

5 tips to help you and your medical staff to avoid data breaches

1. CMS requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Conduct a detailed risk analysis to evaluate the current staff and product deficiencies and create corrective measures.

2. Designate a staff member to train employees on your practice’s HIPAA policies and procedures and spend time going over typical breaches.

3. Hire an outside expert to help your organization with compliance support. Your outside organization should set up monthly meetings with the business owners to evaluate your company compliance program and work with your organization to identify cost-effective resources to keep your company compliant.

4. Customize your internet toolbars with anti-phishing protection. These applications can run website checks and compare them to lists of known phishing sites and alert users.

5. Be suspicious of any email message that asks you to enter or verify personal information through a website or by replying to the message itself. Practice groups and staff members should never reply to or click the links in such messages.


What is required for HIPAA Compliance?


Lots of our visitors ask us “what is required for HIPAA compliance?” Because this is such an important question, we try to direct our visitors to the most trusted sources for HIPAA education. The most important point to remember is that a checklist-based “solution” is by no means effective. What we do endorse is using a checklist to understand which aspects of HIPAA you are addressing, and to recognize ones you may have overlooked or need to address in further detail. We recommend taking a look at Compliancy Group, which has two resources for your organization, whether you’re a Covered Entity or a Business Associate. First, we recommend reading and downloading their HIPAA compliance checklist. Or you can register for their HIPAA compliance checklist webinar!

 

Some of the key findings in the checklist highlight Business Associate Agreements, and also help point out the need for more than just a security risk assessment. Many are familiar with the need for HIPAA training, but we do appreciate how the checklist points out the need for documentation of training and other attestations.

 

HIPAA Compliance Checklist: What You Need to Know

The divide between what is required for compliance under HIPAA regulation and the misconceptions that healthcare professionals have about being compliant is more extensive than ever. When she was appointed in late 2015, Jocelyn Samuels, director of the Office for Civil Rights (OCR), announced her plan to start on a new wave of audits. Extensively reported upon, these Phase 2 audits are reaffirming that the over $10 million in fines levied against non-compliant Covered Entities (CEs) and Business Associates (BAs) seen in 2015 alone is set to become the norm, and perhaps even grow over the coming months.

 

Compliancy Group is here to make sure that you’re not the one being hit with these fines. We’ve compiled this HIPAA checklist to help guide you through some of the most often overlooked components of total HIPAA compliance, and to help ready you for this sweeping new series of audits that OCR has lined up.

 

The HIPAA Compliance Checklist: The Privacy Rule

The HIPAA Privacy & Security Rule is a series of national regulations concerned with safeguarding patients’ PHI and medical records from unauthorized access. It gives patients the primary rights over their own health information. The rule applies to health plans, healthcare clearinghouses, and health care providers that make certain electronic healthcare transactions. These groups are required to have appropriate limitations and conditions on the use and disclosure of PHI.

  • Implement written policies, procedures, and standards of conduct: Ensure that you have written training standards as well as written penalties that employees are informed of in the case of a violation.
  • Have BA agreements in place: When conducting business with a BA, you need to ensure that you have comprehensive, up-to-date agreements in place to protect your firm from liability in the event that a BA breaches HIPAA regulation.
  • Data safeguards: Maintain administrative, technical, and physical safeguards to monitor use or disclosure of PHI.
  • Complaints procedures: Implement procedures where patients can file a complaint to the CE about its HIPAA compliance, and patients must be informed that complaints may also be submitted to HHS.
  • Retaliation and waiver: Retaliation can’t be taken out against a patient who exercises their rights under the Privacy Rule. Patients cannot be made to waive their Privacy Rule rights as a means of obtaining treatment, payment, or enrollment.
  • Documentation and record retention: Records of all privacy policies, privacy practice notices, complaints, remediation plans, and other documentation must be stored and accessible for six years after their initial creation.
  • Privacy personnel: Ensure that an appointed privacy officer is in place to develop and implement the rest of these privacy policies.

 

The HIPAA Compliance Checklist: The Security Rule

The HIPAA Security Rule outlines specific regulations that are meant to prevent breaches in the creation, sharing, storage, and disposal of ePHI. Since its adoption, the rule has been used to manage patients’ confidentiality alongside changing technology. And now, with the growing trends of cloud computing and online and remote document sharing, the protection of ePHI is becoming more important than ever.

 

These safeguards each require different standards that need to be implemented in order to be deemed fully compliant. The legal jargon that surrounds each safeguard and standard can be confusing, so we’ve broken them down into a simple, but comprehensive list below.

 

The HIPAA Security Rule Checklist: Administrative Safeguards

Administrative safeguards should be in place to establish policies and procedures that employees can reference and follow to ensure that they’re maintaining compliance. Each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.

Standard 1. Security Management Process

 

  • Risk Analysis should be done to assess confidentiality of ePHI
  • Risk Management measures should be implemented to assess potential breaches in ePHI
  • Sanction Policies should be extended to employees who fail to comply with policies and procedures
  • Information System Activity Reviews should be in place so that system activity is regularly monitored

Standard 2. Assigned Security Responsibility

  • Security Responsibility should be assigned to an employee who can regularly monitor, develop, and maintain privacy policies and procedures

Standard 3. Workforce Security

  • Employees who are meant to deal with ePHI should undergo Authorization and Supervision
  • Workforce Clearance Procedures should govern who is and isn’t allowed access to ePHI
  • Termination Procedures should be in place so that employees who have left a practice can no longer have access to ePHI that they’ve previously had access to

Standard 4. Information Access Management

  • Clearinghouses that are part of larger organizations need to have properly Isolated Access to ePHI
  • Employees should be given Access Authorization depending on whether or not their role requires that they handle ePHI
  • Access to ePHI should be governed by strict rules for when and how it is granted, Established, or Modified

Standard 5. Security Awareness and Training

  • Security Reminders should be regularly communicated
  • Protection from Malicious Software should be a priority to prevent ePHI from being compromised
  • Log-in Monitoring should be in place to detect any unauthorized access to ePHI
  • Password Management should be implemented for creating, changing, and protecting employees’ passwords

Standard 6. Security Incident Procedures

  • Breaches and their ramifications need to have documented Response and Reporting procedures

Standard 7. Contingency Plan

  • Data Backup Plan is required to ensure that there are ways to retrieve ePHI that has been lost because of a malfunction or a breach
  • Disaster Recovery Plans should be in place to ensure that any lost ePHI can be fully restored
  • Emergency Mode Operation Plans should be established so that employees can properly access and handle ePHI, while maintaining privacy, in the event of an emergency
  • Contingency procedures should be Tested and Revised on an ongoing basis to address faults or flaws
  • Contingency procedures should go through Applications and Data Criticality Analysis to ensure that contingency plans are as streamlined as possible

Standard 8. Evaluation

  • The technical and non-technical elements of ePHI security should be regularly Evaluated, particularly when moving offices or changing operations

Standard 9. Business Associate Contracts and Other Arrangements

  • Written Contracts or Other Arrangements need to document that BAs will comply with all ePHI security measures.

 

The HIPAA Security Rule Checklist: Physical Safeguards

Physical safeguards should guide the creation of policies and procedures that focus on protecting electronic systems and ePHI from potential threats, environmental hazards, and unauthorized intrusion. And as is the case with administrative safeguards, each of these standards should be documented as a written policy, accessible to all employees so that they understand the necessary steps they should be taking to maintain patients’ confidentiality.

Standard 1. Facility Access Controls

  • Procedures should be in place to establish Contingency Operations plans that allow access to the physical office and stored data in the event of an emergency
  • Facility Security Plan needs to be well established to protect equipment that stores ePHI from unauthorized access and theft
  • Access Controls and Validation Procedures should govern when, how, and to whom access to equipment is granted
  • Maintenance Records should document modifications to the physical facility such as renovations or changing doors or locks

Standard 2. Workstation Use

  • Workstation Use policies need to specify the use, performance, and physical attributes of equipment and workstations where ePHI is accessed

Standard 3. Workstation Security

  • Workstation Security should entail physical safeguards that govern who can access workstations and equipment where ePHI is accessible

Standard 4. Device and Media Controls

  • Disposal of hardware or equipment where ePHI has been stored needs to be strictly managed
  • Policies should be in place to determine how and when ePHI should be removed from equipment or electronic media before Re-use
  • Hardware and equipment that has access to ePHI should be Accountable and, if necessary, tracked
  • Data Backup and Storage procedures should entail the creation of exact copies of ePHI

 

The HIPAA Security Rule Checklist: Technical Safeguards

Technical safeguards are the last piece of the Security Rule. They’re meant to provide written, accessible policies and procedures that monitor user access to systems that store ePHI.

Standard 1. Access Control

  • Employees should be granted Unique User Identification in the form of a username or ID number that can be used to identify and track system usage
  • Procedures should be in place that determine Emergency Access protocols and authorization
  • Systems that store ePHI should be built with an Automatic Logoff function after inactivity
  • Encryption and Decryption methods should be built into systems that store ePHI

Standard 2. Audit Controls

  • Audit Controls must regularly monitor, record, and store system usage and ePHI access

Standard 3. Integrity

  • In order to ensure that ePHI hasn’t been accessed, altered, or destroyed without authorization, a Mechanism to Authenticate ePHI should be built into the system

Standard 4. Person or Entity Authentication

  • Person or Entity Authentication needs to be in place to ensure that only authorized employees or users have access to certain data and ePHI

Standard 5. Transmission Security

  • Any ePHI that is transmitted electronically needs to be protected by Integrity Controls to ensure that it hasn’t been modified in the process
  • Any stored ePHI should be Encrypted

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time


For the first time, a HIPAA privacy complaint filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in federal criminal prosecution.

 

A complaint was filed with OCR over an impermissible disclosure of a patient’s protected health information by a doctor. The doctor, Richard Alan Kaye of Suffolk, Va., was alleged to have shared PHI with the patient’s employer without consent from the patient – a violation of the HIPAA Privacy Rule.

 

The case against Kaye has been referred to the Department of Justice, which has pressed charges. While OCR has referred more than 500 HIPAA violation cases in the past, this is the first time that an investigation of a privacy complaint has resulted in criminal prosecution.

 

Kaye had previously worked at Sentara Obici Hospital in Suffolk, Va., as Medical Director of its Psychiatric Care Center. The patient had been enrolled in a mental health treatment program at the hospital and Kaye treated and subsequently discharged the patient. On discharge, Kaye stated that the patient was not a threat to the public.

 

Federal prosecutors allege Kaye shared PHI with the patient’s employer “under the false pretenses that the patient was a serious and imminent threat to the safety of the public, when in fact he knew that the patient was not such a threat.”

 

While it was previously possible for egregious HIPAA violations to result in criminal prosecutions for HIPAA covered entities, filing charges against individuals was problematic. When individuals were discovered to have violated the privacy of patients, and the violations warranted criminal prosecution, it was necessary to file charges under the aiding and abetting theory – the abuse of an individual’s position to violate HIPAA Rules.

 

However, the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) provided further clarification on criminal prosecutions for HIPAA violations, and made the process of prosecuting individuals for HIPAA privacy violations more straightforward.

 

If cases are investigated and OCR determines HIPAA Rules have been violated by covered entities, the cases are typically resolved by OCR, often via settlements. However, if individuals are alleged to have violated HIPAA Rules, criminal penalties may be appropriate. In such cases, OCR can refer the cases to the Department of Justice, the federal attorney general, and/or state attorneys general to pursue criminal charges against those individuals.

 

While criminal cases have been filed against individuals who violated HIPAA Rules and impermissibly disclosed PHI, the uncertainty of pursuing cases against individuals prior to the passing of the HITECH Act dissuaded federal prosecutors from pursuing cases. Since the HITECH Act was passed, there have been referrals of cases, although this is understood to be the first time that the Department of Justice has actively pursued criminal charges against an individual following the referral of a privacy complaint by OCR.

 

There is no private cause of action in HIPAA. While private citizens can file complaints with the OCR over alleged violations of HIPAA Rules, they are not permitted to file lawsuits against covered entities for HIPAA violations. The lack of criminal penalties for HIPAA violations may have dissuaded patients from filing complaints. Now that the Department of Justice is taking action against an individual for an egregious HIPAA privacy violation, it may encourage more patients to file complaints with OCR.

 

This DOJ case shows federal authorities are now taking HIPAA Privacy Rule violations much more seriously. OCR is also training state attorneys general on HIPAA enforcement. After state attorneys general have received training, it is expected they too will take a more aggressive stance against covered entities that have violated the privacy of state residents.


Do HIPAA Rules Create Barriers That Prevent Information Sharing?


The HHS has drafted a Request for Information (RFI) to discover how HIPAA Rules are hampering patient information sharing and are making it difficult for healthcare providers to coordinate patient care.

 

HHS wants comments from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors.

 

The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that are preventing healthcare organizations from sharing patient information while retaining protections to ensure patient and data privacy are protected.

 

The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care.

 

The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued.

 

Certain provisions of HIPAA Rules are perceived to be barriers to information sharing. The American Hospital Association has spoken out about some of these issues and has urged the HHS to take action.

 

While there are certainly elements of HIPAA Rules that would benefit from an update to improve the sharing of patient health information, in some cases, healthcare organizations are confused about the restrictions HIPAA places on information sharing and the circumstances under which PHI can be shared with other entities without the need to obtain prior authorization from patients.

 

The feedback HHS is seeking will be used to assess what aspects of HIPAA are causing problems, whether there is scope to remove certain restrictions to facilitate information sharing, and areas of misunderstanding that call for further guidance to be issued on HIPAA Rules.

 

HIPAA does permit healthcare providers to share patients’ PHI with other healthcare providers for the purposes of treatment or healthcare operations without authorization from patients. However, there is some confusion about what constitutes treatment/healthcare operations in some cases, how best to share PHI, and when it is permissible to share PHI with entities other than healthcare providers. Simplification of HIPAA Rules could help in this regard, as could the creation of a safe harbor for good faith disclosures of PHI for the purposes of case management and care co-ordination.

 

While the HHS is keen to create an environment where patients’ health information can be shared more freely, the HHS has made it clear that there will not be any changes made to the HIPAA Security Rule. Healthcare providers, health plans, and business associates of HIPAA-covered entities will still be required to implement controls to ensure risks to the confidentiality, integrity, and availability of protected health information are managed and reduced to a reasonable and acceptable level.

 

In addition to a general request for information, the HHS will specifically be seeking information on:

 

  • The methods of accounting of all disclosures of a patient’s protected health information
  • Patients’ acknowledgment of receipt of a provider’s notice of privacy practices
  • Creation of a safe harbor for good faith disclosures of PHI for purposes of care coordination or case management
  • Disclosures of protected health information without a patient’s authorization for treatment, payment, and health care operations
  • The minimum necessary standard/requirement


While the RFI is likely to be issued, there are no guarantees that any of the comments submitted will result in HIPAA rule changes.


Few Things Physicians are Not Doing to Comply with HIPAA.


Shortly after the Health Insurance Portability and Accountability Act (HIPAA) was implemented, David Zetter was at a doctor's office helping the group build a compliance plan. He was in the back of the practice training some of the staff when the receptionist walked in and handed him a piece of paper.

 

The note was from a patient saying she could see everyone's names and files at the front desk and she knew that was a HIPAA violation.

 

More than a decade later, HIPAA compliance has become ingrained: Files are not left out in the open, patient information is not improperly disclosed, and doctors do not leave health-related messages on answering machines. It is routine to have every patient sign a HIPAA release and go about your business.

 

But compliance is not a one-and-done activity as much as an evolution of rules and procedures. Compliance gurus bet there are at least a few things physicians are not doing to comply with HIPAA.

 

Make a plan
One main thing that practices should have is a compliance plan, but many do not, said Zetter, founder of Zetter Healthcare Management Consultants. “They buy a cheap manual off of the internet and think that works,” he said. “But it cannot be implemented that way; it wasn't set up for your practice.”

 

Even state medical societies sell how-to manuals, but Zetter said this is only a document meant to guide you through creating a compliance plan, not the plan itself.

 

Sample HIPAA compliance plans and instructions for completing one can be found online. The Massachusetts Medical Society provides a document with a checklist and tips to help doctors develop their own documents.

 

Analyzing compliance
The second thing that needs to be completed is a gap analysis, which is used to determine what the organization is doing and what it should be doing. Zetter said an office needs to take each section of the regulation, see what is required and compare it with what is being done. Detailed information on creating a gap analysis can be found at the North Carolina Department of Health and Human Services website.

 

Once gaps are identified, it is important to find ways to mitigate the potential problem areas. Physicians can do this by performing a risk analysis, which provides the basis for developing ways to cover themselves if an information breach should occur.

 

A risk analysis can arrive at whether there is a low, medium, or high risk of a HIPAA violation occurring, Zetter said. The greater the risk, the more resources are needed for prevention. All of this should be documented.


Staff Nurse Faces Jail Time for HIPAA Violations


Her breach of a patient's privacy jeopardized the clinic from which she was subsequently fired.

 

What began as routine file maintenance ended in arrest and possible jail time for a licensed practical nurse who shared a patient's medical information with her spouse.

 

Ms. A, 29, had been employed by a midsize regional clinic for five years. While she enjoyed her job and got on well with her supervisor, Dr. P, she was known to bemoan what she saw as low pay and the financial strain it created for herself and her husband. That strain intensified when her husband was in an auto accident and then sued by people in the other car seeking compensation for their injuries.

 

One day, as Ms. A was flipping through charts to straighten up the files, she saw the plaintiff's name. Reading the chart with great interest, she jotted some notes, stuck them in her bag, and replaced the file. That night, as her husband complained about the impending lawsuit and its potential financial consequences, Ms. A smiled and reached into her bag for the notes she'd taken earlier. “I think this will help,” she said.

 

The next day, Mr. A phoned the patient. During the conversation, he made it known that he had medical information which he believed weakened the man's case. Mr. A suggested that he consider dropping the lawsuit.

 

After hanging up with Mr. A, the patient made two phone calls. First he called the clinic where Ms. A worked. Then he called the district attorney.

 

The next morning, Ms. A was summarily fired. “You may very well have put this whole clinic in jeopardy,” Dr. P told her.

 

After Ms. A left the building, Dr. P called a meeting of all the nurses, physician assistants, and support staff and explained why Ms. A had been fired. Outlining the laws on patient privacy, he informed them that no breach of these laws would be tolerated under any circumstances.

 

Meanwhile, Ms. A's problems were just beginning. The district attorney forwarded the patient's complaint to a federal prosecutor, and within a month, both Ms. A and her husband were indicted. Ms. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering. The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. Ms. A pleaded guilty to one count of wrongful disclosure of individual health information for personal gain. In exchange for her plea, the charges against her husband were dismissed.

 

Ms. A is awaiting sentencing. She faces up to 10 years in prison, a fine of as much as $250,000, and up to three years of supervised probation. The state nursing board is seeking to revoke her license.


Important HIPAA Compliance Issues in 2018


As 2018 gets underway, experts offer advice on some important issues related to HIPAA compliance. One issue is patient access to medical records. Kathy Downing, vice president of information governance and standards at the American Health Information Management Association, said her organization receives many complaints from patients who have issues receiving medical information even though right of access has been in place since 2003. This area is what Downing calls “super low-hanging fruit on the HIPAA tree.” If patients request records, there is no need to make them wait 30 days. If the records are stored electronically, practices should allow patients to receive their information in that format.

 

“The reason this is important is because in a lot of the cases, patients may be seeing multiple providers for chronic conditions, and having their chart allows them to be more engaged in their care,” she said. “It's an important patient right, and important for population health and patient engagement.”

 

By giving patients their records, providers are also allowing them to do a quality review to ensure their information is correct. Electronic medical records commonly contain errors, mainly because of copying and pasting of data, Downing said.

 

If physicians are uncomfortable talking with patients about information in their charts, she recommends that practices appoint a nurse who can deal with patient queries. Portals can also be a good resource to guide patients through their information. If someone has been diagnosed with prediabetes, for instance, a portal can provide links to trusted online sources that can answer patient questions.

 

Increased enforcement?


Another HIPAA-related question facing medical practices this year is the Office for Civil Rights (OCR) approach to HIPAA enforcement. Michael Bossenbroek, a partner at Wachler & Associates, P.C. in Royal Oak, Michigan, listened to remarks at a HIPAA conference last fall from the new OCR director. OCR might be striking a different tone as a new administration takes the reins. “How they balance the objectives of education and compliance with enforcement remains to be seen,” Bossenbroek said.

 

The OCR director gave no specifics, Bossenbroek said. Whatever approach emerges from OCR, as before, providers need to ensure they have the basics completed, with a risk analysis performed and solid policies and procedures in place.

 

Chris Apgar, CEO and president of Apgar & Associates LLC, in Portland, Oregon, said OCR has made it clear there will be continued enforcement activity in the coming years. No one is immune from them, he said. He recently worked with a small entity that had their wrists slapped by OCR. He helped them prepare a response, and when they failed to follow through with their plan, he had to mediate between the organization and OCR.

 

“If you respond to OCR in an appropriate and timely manner and follow through, they go away,” he said. “If you don't, they stick around. They are not going away.”

 

Shortage of security talent


Health care organizations will continue to face a shortage of information technology (IT) security talent in 2018, Apgar said. A report released this past summer by the US Department of Health and Human Services found that 3 out of 4 hospitals do not have a designated IT security professional.

 

Larger organizations are better able than small groups to afford hiring IT talent, which can be expensive, Apgar said. But smaller organizations, which often delegate IT security to office staff who are already busy with other tasks, have options. Apgar recommends looking for students graduating from information security programs and bringing them on board as interns. Small groups do not require the same kinds of security setup that a Cleveland Clinic or Kaiser might need, and young individuals can help build and run systems. Organizations can grow a position with them when they are new in the field, although these individuals could leave when they become seasoned and expect a higher salary.


Vendors


With OCR increasingly scrutinizing and auditing business associates, it is important for practitioners to ensure their vendors are compliant. Apgar said the vendors he works with are increasingly motivated to do this for fear of losing customers. These customers – health care practitioners – are demanding proof of compliance.

 

To better understand a vendor's compliance, providers can request policies and procedures and ask to see their risk analysis and any other pertinent documentation. Some ask that vendors fill out a security questionnaire. Others go even further. Groups like Apgar's company can act as a third party to conduct a risk assessment, then attest in writing that a vendor has either mitigated or accepted risks found in the analysis.

 

New tools


It used to cost anywhere from $75,000 to $100,000 for a tool that would automatically monitor audit logs and send alerts if an anomaly is found for a hospital or larger clinic, Apgar said. Over the past couple of years, new options have hit the market that lowered the cost to $35,000 or less, which is a game changer for HIPAA compliance, he said.

 

“As more technology becomes affordable, there is a higher likelihood that regulatory bodies will push back and say providers have to use it,” Apgar said. “If a hospital is generating and not regularly reviewing audit logs, they will look negligent to regulators.”

 

Technology tends to move with the needs of the market. For instance, as cyber crime has become increasingly prevalent, tools have been developed and marketed to prevent attacks. Some tools look both internally and externally in a network to see if unusual behavior is occurring, and send an alert if any anomaly is found.

 

Keeping track of technology as it becomes more affordable is not always simple. Apgar said providers can look at IT newsletters and check with their state associations to stay atop of new and affordable tools coming on the market.


Case Management and HIPAA information


An employee of Iowa’s Mahaska County government alleged that another employee committed a HIPAA violation when she locked a member of the public inside a building where files containing PHI were stored unsecured, the Oskaloosa News reported.

 

Kim Newendorp, general assistant director for Mahaska County, told the Board of Supervisors this month that a fellow county employee had locked a member of the public in the Annex Building and left that person alone in the facility.

 

“This person was waiting for me, but in doing so, she left all of the case management confidential and HIPAA information unlocked and accessible to that person. This is a HIPAA violation,” Newendorp told the board.

 

Newendorp said she notified her boss, one of the board members, about the incident but received no response. She then spoke with the county’s chief privacy officer, Jim Blomgren, who passed information about the incident on to the company that handles human resources for the county. No action was taken.

 

Newendorp said that she filed an official grievance with the Board of Supervisors, who passed it on to Blomgren, who then passed it on to the HR people, again with no result.

 

“I’m disappointed this situation has not been handled,” she told the board. “Especially due to the importance of HIPAA. The state DHS official has come forward to say that this situation is an issue, and yet nothing has been done.”

 

“I understand this topic may not be as important to you as roads, 911, and the airport, but I can tell you that the people’s right to have their personal information locked and secured is important to the hundreds of past clients of Mahaska County Case Management, and their families and myself.”

 

Willie Van Weelden, chairman of the Mahaska County Board of Supervisors, said he took action at the time, but declined to say what he specifically did to address Newendorp’s concerns.

Oskaloosa News asked Blomgren to comment on Newendorp’s testimony. “Since the comments of the employee at the meeting of the Board of Supervisors involves personnel issues and alleged HIPAA infractions I do not believe I am at liberty to discuss them,” he responded.

 

“I think in most counties, the board of supervisors, you would never do an investigation into HIPAA. You would never do a human resources investigation. No county I know of would have their board do that,” Paul Greufe of PJ Greufe & Associates told Oskaloosa News.

 

Greufe said that most counties hire professional services such as his to do the HR work and would direct those people to start an investigation. “And so that was the process that was followed to the letter.”

SIMILAR INCIDENT IN BOSTON RESULTS IN OCR REPORT

The incident alleged by Newendorp is similar to one that occurred at the Boston Healthcare for the Homeless Program (BHCHP) earlier this year. In that case, someone was not let into the facility unattended but broke in.

 

There was unsecured PHI in the facility, but no evidence that the PHI was viewed by the intruder. Still, BHCHP did notify people affected about the incident and reported it to OCR. 

 

The unsecured PHI included handwritten staff notes, printed patient lists, referral forms, and insurance/benefits applications. BHCHP told OCR that 861 individuals were affected by the breach.

BHCHP said it conducted an internal investigation that included a search of the clinic to which the intruder would have had access and interviews with clinic and shelter staff.

 

The program also ensured that the clinic door was secure and implemented additional safety measures, including an additional lock on internal doors within the clinic and secure storage of keys to internal doors, file cabinets, and storage cabinets.

 

BHCHP also updated its policies governing how staff use and store patient information.


HIPAA Compliance Tips for Mobile Data Security 


Nearly 4 out of 5 healthcare providers use a mobile device for professional purposes. These numbers continue to rise as healthcare organizations place an increased focus on efficiency and productivity. (1) Although mobile devices are incredibly efficient and convenient, they also harbor measurable risks for data breach and the exposure of protected health information (PHI).

 

Mobile devices are often more susceptible to theft because they lack the appropriate security controls. In fact, mobile device malware infections have surged 96% from 2015 to 2016. (2)  To avoid hefty penalties and the risk of a data breach, healthcare organizations must develop and implement mobile device procedures and policies that will protect the patient’s health information.

 

Below are five recommendations from HHS (The Department of Health and Human Services) that organizations can take to help manage mobile devices in the healthcare setting:

 

  1. Understand the risks before allowing the use of mobile devices. Decide whether healthcare providers or medical staff will be permitted to use mobile devices to access, receive, transmit, or store patients’ health information or if they will be used as part of the organization’s internal network or systems, such as an electronic health record system.
  2. Conduct a risk analysis to identify threats and vulnerabilities. Consider the risks to your organization when permitting the use of mobile devices to transmit health information. Solo providers may conduct the risk analysis on their own practice; for those working for a large provider, the organization may conduct it.
  3. Identify a mobile device risk management strategy, including privacy and security safeguards. A risk management strategy will help healthcare organizations develop and implement mobile device safeguards to reduce risks identified in the risk analysis. Include the evaluation and regular maintenance of the mobile device safeguards put in place.
  4. Develop, document, and implement mobile device policies and procedures to safeguard health information. Some topics to consider when developing mobile device policies and procedures are:
    1. Mobile device management
    2. Using your own device
    3. Restrictions on mobile device use
    4. Security or configuration settings for mobile devices
  5. Conduct mobile device privacy and security awareness and ongoing training/education for providers and professionals.