HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

How to Report a HIPAA Violation

How to Report a HIPAA Violation | HIPAA Compliance for Medical Practices | Scoop.it

It is important for all employees in the healthcare and healthcare insurance industries to understand what constitutes a HIPAA violation and how to report one. What constitutes a HIPAA violation should be covered in the Covered Entity's HIPAA training, as should the correct person to direct the report to – that person then has the responsibility to determine whether or not the violation should be reported to the Department of Health and Human Services' Office for Civil Rights (OCR).


Potential HIPAA violations must be investigated internally by HIPAA Covered Entities and – where applicable – their Business Associates to determine the severity of the breach, the risk to individuals impacted by the incident, and to ensure action is taken promptly to correct the violation and mitigate risk.


The sooner a potential HIPAA violation is reported, the easier it will be to limit the potential harm that may be caused and to prevent further violations of HIPAA Rules.

Reporting HIPAA Violations Internally

When healthcare or insurance professionals suspect a violation of HIPAA has occurred, the incident should be reported to a supervisor, the organization’s Privacy Officer, or to the individual responsible for HIPAA compliance in the organization.


Accidental HIPAA violations occur even when great care is taken by employees. The HIPAA complaint will have to be investigated internally and a decision made about whether it is a reportable breach under the provisions of the HIPAA Breach Notification Rule. Oftentimes, minor incidents are so inconsequential that they do not warrant notifications being issued, such as when minor errors are made in good faith or when PHI has been disclosed but there is little risk that the PHI will be retained by the recipient.


If you have made a mistake, accidentally viewed PHI of a patient that you are not authorized to view, or another individual in your organization is suspected of violating HIPAA Rules, you should report HIPAA violations promptly. The failure to do so is likely to be viewed unfavorably if it is later discovered.

How to Report a HIPAA Violation to HHS’ Office for Civil Rights

It is also permitted for employees and patients to bypass notifying the covered entity and make a HIPAA complaint directly with OCR if it is believed that a Covered Entity has violated the HIPAA Privacy, Security, or Breach Notification Rules.


In all cases, serious violations of HIPAA rules including potential criminal violations, willful/widespread neglect of HIPAA Rules, and multiple suspected HIPAA violations should be reported to the Office for Civil Rights directly.


HIPAA complaints can be submitted via the OCR’s Complaint Portal online, although OCR will also accept complaints via fax, mail, or email. Contact information for HIPAA violation reporting can be found on the above link.


In order for OCR to determine whether a violation is likely to have occurred, the reason for the HIPAA complaint should be stated in writing along with the potential violation. Information will need to be supplied about the covered entity (or business associate), the date when the HIPAA violation is suspected of occurring, the address where the violation occurred – if known – and when the complainant learned of the possible HIPAA violation.


Complaints should be submitted within 180 days of the violation being discovered, although in certain cases, an extension to the HIPAA violation reporting time limit may be granted if there is good cause.


While complaints can be submitted anonymously, it is important to bear in mind that OCR will not investigate any HIPAA complaint if a name and contact information are not supplied.


All complaints will be read and assessed, and investigations into HIPAA complaints will be launched if HIPAA Rules are suspected of being violated and the complaint is submitted inside the 180-day timeframe.


Not all HIPAA violations result in settlements or civil monetary penalties. Oftentimes, the issue is resolved through voluntary compliance, technical guidance, or an agreement by the covered entity or business associate to take corrective action.

Technical Dr. Inc.'s insight:
Contact Details:

inquiry@technicaldr.com or 877-910-0004


3 Things Everyone Should Know About The HITECH ACT


The American Recovery and Reinvestment Act passed into law on February 17th, 2009. Included in this bill is a section titled the Health Information Technology for Economic and Clinical Health Act, or HITECH for short.


This law allocates $18 billion as incentives through Medicare and Medicaid reimbursement systems, providing grants and revolving loan funds to hospitals and physicians considered meaningful users of electronic health records.


These grants and loan funds may be used to purchase EHRs and new healthcare technology. If you’re a small-to-medium-sized healthcare practice in need of a consultation regarding HITECH Act compliance, then look no further.


EHR has a compliance department that will assist you with matters such as this. Listed are three things both eligible and ineligible providers should be aware of when demonstrating meaningful use of EHR systems, thereby improving health care throughout the country.




The Department of Health and Human Services issued three final rules for the implementation of the requirements of the HITECH Act. The new rules stipulate that those who qualify for the incentive program can receive as much as $44,000 in grants and other incentives over a five-year term through Medicare, and up to $63,750 over 6 years through Medicaid.


Hospitals can earn millions of dollars in grants and revolving loans for implementing and becoming meaningful users of certified electronic health records. The third rule establishes objectives for what is considered ‘meaningful use,’ also providing metrics eligible applicants must meet in order to reap all of the benefits of the EHR incentive program.




In order to be compliant with the HITECH Act, another stipulation addressed in The Department of Health and Human Services final rules was the Temporary Certification Program for Health Information Technology.


This certification program establishes a process for businesses and professionals to test and certify for using EHR technology. If you want to take advantage of all the benefits this program has to offer, then you must certify first.




Experts estimate that over the next ten years, the Federal government will spend over $26 billion in grants to medical professionals and hospitals implementing the standards set forth in the HITECH Act.



If you are a small to midsize healthcare practice looking to save money and benefit from the outstanding economic benefits the HITECH Act’s financial EHR implementation incentives provide, contact EHR1 today for a certified EHR and expert consulting.


HIPAA Security Rule: Risk Analysis Review and Updating


The HIPAA Security Rule requires that covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA-related transaction), and business associates, implement security safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).


ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.


Performing a security risk analysis is the first step in identifying and implementing these safeguards.


A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.


Once the analysis has been completed, organizations should periodically conduct a risk analysis review.

What is the Scope of a Security Risk Analysis?

According to guidance issued by the Department of Health and Human Services (HHS), the scope of security risk analysis includes potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization:

  • Creates;
  • Receives;
  • Maintains; and
  • Transmits

Security risk analysis includes six elements:

  • Collecting Data
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk

What is a Security Rule Risk Analysis Review?

Once all of the above six elements have been addressed, all documentation should be finalized. In addition, the security risk assessment should be periodically reviewed and updated as needed.


Continuous risk analysis review allows an organization to identify when updates to risk assessment policies and procedures are needed.


The Security Rule does not specify how frequently to perform risk analysis review. According to risk analysis guidance provided by the Department of Health and Human Services (HHS), some covered entities may perform risk analysis review annually or as needed (e.g., twice a year, every 3 years), depending on the circumstances of their environment.

What Factors Influence Whether Risk Analysis Review Should be Performed?

Factors to consider include:

  • Changes in technology and business operations. When an entity implements new technologies and plans new business operations, the entity should consider performing a security risk analysis assessment. Adopting new technologies and new business operations may pose potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; a risk analysis review can identify these risks and vulnerabilities.


  • An organization has experienced a recent security incident. If a covered entity has recently experienced a security incident, such as a data breach, a risk analysis review should be conducted to determine whether and what additional security measures are needed.


  • An organization has experienced a change in ownership or turnover in key staff or management. An organization that undergoes a change in ownership, or that experiences key staff turnover, should evaluate, in light of the expertise of the departed and incoming individuals, whether existing security measures are sufficient to protect against risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. In addition, part of risk analysis consists of an assessment of current security measures. Important security measures include policies and procedures, contained in an employee handbook or similar document, that address data security and define staff obligations to protect ePHI. Before incoming workforce members begin their jobs, the policies and procedures contained in the handbook should be evaluated for sufficiency and accuracy, so that when they are distributed, new employees have the most up-to-date information required for them to protect ePHI.


  • Regulatory and legislative changes. New legislation and regulations may impose additional or modified obligations under the Security Rule. If your risk assessment references a law or regulation, you should review that assessment to make sure it still complies with any changes made to the regulation. When new legislation is passed, or when new regulations become effective, the risk assessment should be reviewed and updated to incorporate the requirements of the new legislation or regulations.


Performing risk analysis review, and then making the necessary updates to the risk analysis assessment, allows your organization to reduce the risks identified in the review to reasonable and appropriate levels.


HIPAA Privacy Rules, Mental Health, and Addiction: When can PHI be shared without consent?


HIPAA is designed to protect patient confidentiality.

What happens when patient confidentiality conflicts with a patient being able to receive the best care possible?


In cases of mental health and addiction, such as the current opioid overdose crisis, there are situations in which a covered healthcare provider may share protected health information (PHI) to help the patient. 


In this post, we’ll share guidance on sharing protected information to prevent harm in both mental health and opioid overdose situations.


While HIPAA may permit disclosure of patient information, there may be other overlapping privacy laws related to individual states or other regulations that need to be taken into consideration before the information is shared.

Mental Health and Privacy

When addressing mental health issues, HIPAA rules provide guidance on sharing patient information to ensure that the patient receives the best treatment and care possible. Disclosure of information is also acceptable when the health and safety of the patient and others are at risk. 


Communicate with a patient’s family members, friends, and others involved in the patient’s care. If a patient is present, has the capacity to make decisions, and does not object, a healthcare professional can discuss treatment or payment issues with them.


If the patient is not present or is incapacitated (intoxicated or experiencing temporary psychosis, for example), the patient’s information can be shared if the provider, in his or her professional judgment, determines that doing so is in the patient’s best interests. Section 164.510(b)(3) of the HIPAA Privacy Rule explains this permission.


Patient with mental illness not taking medication. If a patient doesn’t object, a provider can share patient information with family members.


If a patient does object, but the provider believes that the unmedicated patient poses a serious and imminent danger to herself or others, then the provider can share pertinent information, if consistent with applicable law and standards of ethical conduct.


Communications with law enforcement. The Privacy Rule permits a doctor to contact family or law enforcement if the doctor believes that such a warning is needed to prevent or at least lessen an imminent threat to the health or safety of the patient or others.


For instance, if a patient makes a credible threat to do harm to someone, a mental health professional can alert police, school administrators, family, and others who may be able to intervene.

HIPAA Privacy and Opioid Overdose

Sadly, opioid addiction continues to hold sway across much of the United States. Despite HIPAA regulations that allow healthcare providers to share PHI with family members, confusion remains.


Healthcare providers can share information related to the care and treatment of a patient in a crisis situation, such as a drug overdose.


If the provider determines that the best interests of an incapacitated or unconscious patient involve sharing information with family or close friends, they can do so.


However, while they can share information about the overdose, a healthcare provider cannot share medical information unrelated to the ongoing care and treatment of the patient. 

HIPAA and Changes to Decision-Making Capacity

Regardless of whether a patient can or cannot make a decision due to mental health or an overdose issue, the situation can change.


Because the inability to make a decision can be temporary, a healthcare provider must give the patient a chance to decide whether to continue to share information or not when the patient is once again able to make a decision.


For instance, someone intoxicated to the point of unconsciousness or incoherence will eventually become sober. The patient can then object to future information sharing. However, as already described, the provider can still share PHI if, in their professional judgment, the patient poses a serious and imminent threat to himself or others.

Healthcare Power of Attorney

A patient’s “personal representative” has authority, under applicable law, to make healthcare decisions for a patient.


They have the same rights of access to health information as the patient. A provider may refuse to share information if they believe that the personal representative has subjected the patient to violence, abuse, or neglect.

Patient Care Outweighs Patient Privacy

Simply stated, the rules around HIPAA privacy are designed to ensure the best possible healthcare outcome for the patient. For patients who are unable to make decisions for themselves, their PHI can be shared with loved ones to ensure care.


There is also a “duty to warn” in situations where the patient is a danger to him/herself or others.



The Intersection Of HIPAA & The Hitech Act


The HITECH (Health Information Technology for Economic and Clinical Health) Act, passed in 2009, was meant to enforce certain rules within the HIPAA Omnibus Rule. It’s important that those in healthcare IT understand the relationship between the two.




The HITECH Act’s stated aim was to improve the on-boarding and meaningful use of HIT. In doing so, the HITECH Act also affected the standards of Health and Human Services (HHS) used to evaluate hospitals and expanded the scope of jurisdiction.


It also bolstered the HHS OCR’s (Office for Civil Rights) tools of enforcement. Georgina Verdugo, director of the OCR, said that added vigilance would help convince consumers of the privacy and security of their health information and protected personal information (PPI).




By broadening the scope of HIPAA, the HITECH Act increased the number of participating stakeholders or business associates. Previously, HIPAA described a business associate as a person performing functions or activities for or on the behalf of a covered entity.


HITECH changed HIPAA’s definition of business associates to include:

*Health Information Organizations (HIO)
*Patient Safety Organizations (PSO)
*Gateways, portals, and e-prescribers
*Certain people providing PPI on behalf of another covered entity
*People involved in data transmission including subcontractors and delegates


HITECH also created new categories of HIPAA penalties. This was meant to distinguish violations based on nature, extent, and the harm caused to patients. Currently, there are three categories which correspond with three civil penalties outlined in the HITECH Interim Final Rule.




There are, of course, other areas where HIPAA and HITECH overlap. They are both sweeping and exhaustive pieces of legislation that often cover similar areas, especially where electronic medical records are concerned.


This includes meaningful use and PHI. HITECH incentivizes the meaningful use of electronic medical records in order to improve health care and outcomes.


Other areas covered in both HIPAA and HITECH are breach reporting requirements, patient access to PHI, and facilitation of medical research.


How to Prepare For A HIPAA Compliance Audit in 2019


1. Focus on HIPAA training for employees

Staff training is critical for an understanding of HIPAA compliance requirements. Employees who haven’t been trained or don’t have experience with compliance regulations can increase the risk of a failed audit.


Document your training to show the OCR (Office for Civil Rights) that you are dedicated to employee instruction. Create and publish policies that make training and education a priority. Make sure your team is thoroughly trained before the audit, because OCR will ask questions to ensure everyone understands HIPAA regulations and compliance rules.

2. Create a Risk Management Plan and Conduct a Risk Analysis

A risk management plan and a risk analysis are required.

A HIPAA risk analysis looks for any security risks your company might be exposed to – all risks. The risk management plan is a strategy to address those risks.


In conducting the risk assessment, you should also prepare your security documents. Compliance rules state reports should be recorded, written, and kept in an easily accessible location. Rules should be specific to all aspects of your business, and not isolated to one area.


For example, all policies regarding the HIPAA privacy and security rule should be documented. Documents that cover incident response, breach notification, IT and firewalls, and physical security should be included. These documents will not only help in the audit process but provide clear direction in the operation of the business.


3. Select a Security Assessment and Privacy Officer

HIPAA requires a security and privacy officer for each covered entity and business. This does not have to be a new hire, but you do need someone responsible for the security and privacy of PHI. They are responsible for showing the effort being made to meet regulations.


The officer should also review business associate agreements. The OCR will discuss the third-party relationships that involve electronic protected health information. Create a list of vendors and suppliers, and of the security measures and safeguards they have committed to in the business associate agreement.


This officer should schedule a regular review of security policies and conduct a risk analysis on IT systems and data security. They should also have a record of any breaches or incidents. Don’t try to hide any problems or data breaches during the audit. Be honest. Incidents happen, and the OCR wants to know how you responded to the security breach.

4. Review Policy Implementation

As important as it is to document policies and procedures, it’s also important to see how those policies are being implemented. The OCR will review how those policies and procedures apply to the daily business operation, and if they are implemented consistently.

Talk to your team to see how the policies are working.


If employees are struggling to follow policy, then take the time to analyze the problems and make adjustments as needed. Create an implementation schedule to include in the audit. The OCR wants to see the policies in action. If you are still implementing the plans, then show them the schedule, so that they know progress is being made.

5. Conduct an Internal Audit

An internal audit program is the best way to identify problems in your system before the OCR audit. Regularly conducting internal audits will not only help you solve problems before they turn into a fine, but also keep your team sharp and take pressure off during the actual review.


It’s often a good idea to work with an organization that specializes in compliance or data security to help conduct the internal audit. They can review your security and compliance standards and take a close look at your risk analysis and risk management plan. With an outside perspective, they may be able to identify problems that didn’t show up in your internal risk assessment. Partnering with an IT and data security provider will help ensure a complete and thorough internal audit.


As a best practice, review your policies and procedures as the auditor might. Consider if the policies are meeting the intent of the regulation and improving patient privacy and security. By critically analyzing these methods, you can find areas of improvement in both business operations and HIPAA compliance.

6. Create an Internal Remediation Plan

Once you’ve gone through the above steps and conducted an internal audit in preparation for your HIPAA audit, you should create a remediation plan to reduce risks and correct findings. Attach a schedule with timelines to the remediation plan and be prepared to discuss the plan with OCR during the audit.


While HIPAA sets guidelines and standards for protected health information, it’s also essential to see HIPAA as a continual process. A remediation plan and a schedule help to keep covered entities and businesses on track and compliant, even between audits.


Finally, make sure you limit your internal audit concerns to the policies and procedures of your business. While the business associate agreements are an important part of HIPAA, focusing on vendors and suppliers can leave your operations at risk. Your primary concern with the remediation plan and audit should be internal processes.


The Benefits of Performing a HIPAA Risk Assessment


The Health Insurance Portability and Accountability Act (HIPAA) Security Rule mandates that covered entities must conduct a risk assessment of their healthcare company.


A wide range of organizations – from healthcare insurance providers to hospitals – fall into this covered entity group. While it may seem taxing and time-consuming to provide standardized training to your employees, there are many reasons doing so can benefit you. For one, it’s the law. Since 2009, Security Risk Assessments (SRAs) have been a required annual practice set forth by the HIPAA Security Rule.


Don’t wait to become a breach headline; nip breaches in the bud by detecting security issues before they wreak havoc. You can’t be secure if you are not compliant, and a HIPAA Risk Assessment will safeguard your organization in more ways than one. Technology is a timesaver that has simplified the medical filing and billing processes, but it leaves the potential for leaks and hacking.


A risk analysis will identify and document potential threats and liabilities that can cause a breach of sensitive data. An IT security consulting company can check all portable media (laptops), desktops, and networks to ensure they’re ironclad. IT security measures, such as encryption and two-factor authentication, will be addressed in order to make it challenging for unwanted eyes to get a glimpse of patient information.


Employees are the greatest threat to HIPAA compliance, so it’s important to make sure they’re well informed on how to prevent breaches. Annual HIPAA Security Awareness Training Programs provide a thorough understanding of each person’s role in preventing breaches and protecting physical and electronic information.


Although HIPAA training is a regulatory requirement, many employee actions that go awry could easily be prevented. A consultant will offer tips and tricks for minimizing that risk; a few include never leaving work phones and laptops unattended, never sharing passwords or company credentials, choosing to shred files as opposed to trashing them, and overcoming the temptation to “snoop” on patient information without just cause.


While many of these suggestions seem like common sense, there are also many lesser-known situations that arise while working in the medical field. Did you know that you cannot access your own medical records using your login credentials? While it may seem innocent enough, everyone is required to submit a request to access medical materials.


Don’t defer a Risk Assessment out of indolence. HIPAA Risk Assessments must be accurate and extremely thorough. Questions must be asked about all the administrative, technical, and physical safeguards an organization has in place.


If outsourcing your HIPAA Risk Assessment, choose a company that provides comprehensive training courses. No two companies are alike, so cookie-cutter answers don’t exist for compliance; a client-facing doctor’s office and a corporate health insurance agency will require that different preventive measures be put into place.


HIPAA Training is not HIPAA Compliance


We hear from so many doctors’ and dentists’ offices that they are “HIPAA-compliant” because they have completed the required annual HIPAA training for their staff. FALSE! HIPAA Training is not HIPAA Compliance. HIPAA Training is only one of the components of HIPAA Compliance – thinking otherwise could lead to a false sense of security.


HIPAA law consists of various requirements in the areas of security and privacy, use and disclosure of PHI (protected health information) and in breach notification rules.

Minimum steps needed for HIPAA Compliance:

At the very minimum, a doctor’s or dentist’s office must do the following for HIPAA Compliance:

  1. Exercise privacy in the office everywhere. Be careful about accidental disclosure of patient information.
  2. Display the Notice of Privacy Practices prominently in your office lobby and on your website.
  3. Exercise caution in the use and disclosure of PHI (Protected Health Information). Patients have the right to review and obtain their PHI. The onus falls on the medical practice to secure and protect PHI from unauthorized disclosure of any kind.
  4. Conduct the mandatory annual risk assessment, or hire an expert to conduct it for you. The assessor must take into consideration all the security and privacy-related criteria while conducting the assessment, including all your administrative, physical and technical safeguards. A detailed list of recommendations and action items should follow as a result of the risk assessment.
  5. Prepare and follow security and privacy policies and procedures. Your risk assessment should highlight the minimum required policies and procedures that you would need to prepare or obtain. Physicians and staff members should be familiar with and should follow these policies and procedures on a daily basis.
  6. Provide annual HIPAA Training to your staff and physicians.

Breach notification:

Breaches have unfortunately become only too common these days in an environment where medical records are extremely valuable on the black market. HIPAA law also specifies strict breach notification requirements in the event of a breach. The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) requires the practice to inform all individuals whose data might have been lost or stolen.


A breach of more than 500 records is considered a reportable breach, that is, the practice must notify HHS. This could result in an audit of the practice by federal agencies, and the first thing they are going to ask you for is a copy of your last annual risk assessment.

Small practices may be targets of breaches too:

Many small practices think that they are too small to be targeted. False again! If you look at the HHS "Wall of Shame", which lists reported breaches of more than 500 patient records, you will see several small practices listed there who have undergone breaches. The reality is that smaller practices are likely to be even more affected by a breach considering the high expenses and workload that follow. The Ponemon Institute has calculated the average healthcare data breach cost to be $380 per record - for 500 records, that comes to approximately $190,000, which can be highly damaging for a small healthcare practice.


We often hear from dentists that they do not believe they need to comply. Also false! In fact, just recently, in January 2018, Steven Yang, DDS of California and Zachary Adkins, DDS of New Mexico each had breaches of 3000+ patient records, due to the theft of a laptop and of other portable electronic devices respectively.


Robert Smith, DMD of Tennessee reported 1500 records breached after a hack.  Several other providers such as physicians, hospitals, pharmacies, health plans, and business associates have experienced breaches in the recent past.   It can and will happen to anyone regardless of size - please do not think that it won't happen to you!

Culture of Security and Privacy:

HIPAA Training is not HIPAA Compliance.   Practices should take these requirements seriously as they are here to protect patients and medical professionals.   Protect yourself and your patients by incorporating a culture of security and privacy compliance in your medical practice.

Technical Dr. Inc.'s insight:
Contact details:

inquiry@technicaldr.com or 877-910-0004


Fax Sent to Wrong Number Results in HIPAA Violation


One morning, the office manager got a call from one of the practice's patients, Mr. M, a 52-year-old, HIV-positive man who had been seeing Dr. G for a decade. Although he was happy with the treatment he had been receiving, Mr. M's company was promoting him and he was relocating to another town. He called to ask Dr. G to fax his medical records to his new urologist.


The office manager was juggling numerous tasks, but managed to send the fax out later that day. The office did not have personalized fax cover sheets, just sheets that the office manager printed off once a week which had spaces to fill in the “to” and “from” sections. She hurriedly filled them in and shot off the fax, one of several she had to do before checking in the next patient.


At the end of the day she told Dr. G that it had been done. He thought nothing of it until the following Monday when the office manager came into the back office to speak to him. She was pale and looked shaken, and the physician immediately asked if she was okay.


“It's Mr. M,” the office manager said. “He just called – absolutely furious. He says that we faxed his medical records to his employer rather than his new doctor, and that now his company is aware of his HIV status. He is extremely upset.”


“I'm so sorry,” the office manager said tearfully. “I was the one who sent that fax out. I must have accidentally grabbed the wrong number from his file. What should we do?” She looked at Dr. G for guidance.


Dr. G was holding his forehead, and trying to figure out how to remedy the situation. “The first thing we're going to do is to call Mr. M and apologize. Then we'll take it from there.”


The office manager and Dr. G called Mr. M and apologized profusely for the mix-up. Mr. M understood that it had not been done maliciously, but he was still not satisfied and reported the incident to the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR).


An initial investigation indicated that the incident was not criminal and so it was not referred to the Department of Justice.


Rather, it was handled by the OCR. OCR officials appeared at Dr. G's office to look into the matter, and after a thorough investigation, the OCR issued a letter of warning to the office manager, referred the office staff for HIPAA privacy training, and had the office revise the fax cover sheets to underscore that they contain a confidential communication for the intended recipient only.


Legal Background
The Health Insurance Portability and Accountability Act, commonly known as HIPAA, protects personally identifiable health information of patients, and specifies to providers how such information may be used. HIPAA has been in effect for about a decade, and in that time, the HHS has received a total of almost 80,000 complaints.


Of those, more than 44,000 were dismissed, 19,000 were investigated and resolved with changes to privacy practice, and 9,000 were investigated but no violations were found. According to HHS, private medical practices were the ones most often required to take corrective action as a result of enforcement.


The top two compliance issues most frequently investigated are impermissible use and disclosure of protected health information and lack of safeguards for protected health information.


When a HIPAA complaint is filed with the HHS, the first determination made is whether there was a possible privacy violation and whether it was of a criminal nature. If it was determined to be criminal, the case is referred to the Department of Justice for investigation and possible prosecution.


If it was determined that it was not a criminal issue (as in this case), the violation is investigated by the OCR. If it is determined that a HIPAA violation did, in fact, take place, the OCR can either obtain voluntary compliance, corrective action or some other voluntary agreement with the offender, or the OCR can issue a formal finding of violation and force the offender to change its practices.


In this particular case, the office manager and Dr. G recognized the mistake and immediately tried to take corrective action by apologizing to the patient. Dr. G's office also voluntarily agreed to extra compliance training for the staff and to a change in their faxing procedures to indicate that the faxed materials are confidential.


Protecting Yourself
This particular scenario was the result of a careless error. While a careless error can happen to anyone, one such as this could cause irreparable harm to the patient if his employer now views or treats him differently because of the new knowledge of his HIV-positive status.


Confidential patient records must be treated with the greatest of care as they contain information of an extremely personal nature. Many HIPAA cases have involved the unintentional divulging of the HIV or AIDS status of a patient.


In a similar case, a dental practice was reported for using red stickers and the word AIDS on the outside of patient folders. And in a case that took place in a hospital, a nurse and orderly lost their jobs for discussing a patient's HIV status within earshot of other patients.


A good rule of thumb is to treat a patient's confidential information as you would want yours to be treated, and then add a little extra security for good measure.


The HIPAA Timeline


The Health Insurance Portability and Accountability Act was passed on August 21, 1996, during the re-election campaign of President Bill Clinton.


The law was the end-product of twin concerns of Congress as America entered into the 21st century. One of these twin principal concerns was, of course, a fear that as new technologies were developing, existing laws – mostly a patchwork of laws on the state level – were inadequate to protect the privacy and security of patient health information.


Regulation of this privacy and security is embodied in Title II of HIPAA. Title I of HIPAA, however, addresses an equally important concern and is an equally important part of the HIPAA timeline.


Title I was passed to ensure that a change in employment would not result in termination of health insurance coverage.

What is the Importance of Title I in the HIPAA Timeline?

Title I of HIPAA plays an important role not only in the HIPAA timeline but in the timeline of health insurance coverage developments in America generally. In 1985, a federal law, the Consolidated Omnibus Budget Reconciliation Act (COBRA), was passed.


That law required employers of a certain size to offer continuation of health plan benefits to employees after termination of their employment.


In 2010, the Patient Protection and Affordable Care Act (PPACA) passed. That law strengthens existing COBRA law. For example, under the PPACA, an insurer generally cannot refuse to sell a policy of healthcare insurance to an individual because that individual has a preexisting medical condition.


Therefore, when an individual becomes eligible for COBRA coverage, that individual cannot be denied this coverage because of a preexisting medical condition.


HIPAA Tips for Covered Entities & Employees


Covered entities' employees play an important role in keeping PHI and ePHI secure. The following HIPAA covered entity employee tips can be used by your organization as part of a broader privacy and security effort.


Five HIPAA covered entity employee tips – reminders that covered entities should give their workforce – include:


Tip 1: Employees should never share login credentials. Since login information is used to track the actions of both authorized (i.e., users who have a legitimate need to access ePHI) and non-authorized users of ePHI, login credentials should neither be shared nor written down.


Tip 2: Employees of a covered entity who have also been treated by that covered entity should not be permitted to access their own medical records using their work login credentials.


Rather, covered entities should require employees to go through the same process for obtaining access as patients go through. As a general matter, employees who are authorized to access patient PHI are authorized to access just that – the PHI of other patients, not their own.


Employees who seek a copy of their medical records should submit a request for a copy of these records via HR. In order to gain access to their health data, they must submit a request for a copy of their health information via their HIM department.


Tip 3: Employees should be reminded that medical records are the property of the covered entity; accordingly, employees should not be allowed, upon their departure from a covered entity’s employ, to take medical records containing PHI with them.


Such information can be used for a variety of purposes that constitute data theft. These purposes include using the information to “recruit” patients to a different facility, or using the information to market or sell pharmaceutical products, just to name two examples. 


Tip 4: Employees should NEVER share ePHI on social media sites or through social media channels. Covered entities that have not already developed policies prohibiting such activities should implement such policies at their earliest convenience.


The prohibition should extend to every type of social media, even to a social media platform (e.g., Twitter) that restricts the number of characters a message can contain, and even to so-called “closed” groups on sites such as Facebook. Once information is posted on social media, the information, by definition, has been made public.


In addition, ePHI that should never be shared includes not only data but also photographs or videos that could be used to identify a patient.  


Tip 5: Employees should be reminded that portable devices and documents containing ePHI or PHI should never be left unattended.


Devices can be misplaced or stolen, and the ePHI contained therein then taken by data thieves or cyber attackers.


The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has not hesitated to fine organizations that suffered a data breach as a result of devices containing ePHI being hacked because the devices were left unattended. 


Devices should be encrypted and never left unattended. In addition, care should be taken not to misplace paper documents. Such documents should not be kept in areas where they can be viewed by unauthorized individuals.


Achieving HIPAA Compliance: Guide to Properly Disposing of PHI Hardware


What is HIPAA Compliance?

HIPAA, or The Health Insurance Portability and Accountability Act, sets the standard for PHI protection.


Any company or organization that handles PHI must have security measures in place and adhere to them. There are two main categories of organizations covered by HIPAA:

  • Covered Entities (CEs): anyone that provides treatment, payment, or operations (commonly known as TPO) within a healthcare setting.
  • Business Associates: anyone outside of the covered entity who may have access to patient information or provides any kind of support in treatment, payment, or operations of the organization.

Devices That May Contain PHI

It’s important to understand what types of hardware you may have in your office that could contain PHI; these include but are not limited to:

  • Laptops
  • Desktops
  • Smartphones
  • Printers
  • Copiers
  • USB Drives
  • Servers
  • Tablets
  • Fax Machines
  • X-Ray Machines
  • Pacemakers
  • Defibrillators
  • CT and MRI Scan Machines

Essentially, almost any connected device within a healthcare organization is vulnerable and may contain PHI that needs to be protected and disposed of properly when the time comes.


Under HIPAA law, your organization is required to document its disposal policy in your Security Policies and Procedures. Your organization should maintain an inventory of all your equipment, recording whether each device can store or access PHI, its serial number, and other relevant information.

How to Securely Dispose of Hardware With PHI

The US Department of Health and Human Services (HHS) recommends the following three techniques for properly removing any sensitive information from workplace hardware. Before you can get rid of the physical device, you must delete any and all PHI related information from the device.

The procedures for securely disposing of PHI include:


1. Clearing 

Clearing, also referred to as overwriting, is the process of replacing PHI on a device with non-sensitive data. This method should be performed a minimum of seven times so that the PHI is completely irretrievable.


2. Purging 

You can purge your organization’s hardware through a method called degaussing. This refers to the process of clearing a device through the use of magnets.


Hard drives rely on magnetic fields to store information; therefore, you can disrupt the equipment’s function and render its data unreadable by using a strong magnetic field.  


3. Physical Destruction 

Physical destruction is the only surefire way to prevent a leak of PHI data. Destruction of PHI hardware requires pulverizing, burning/melting, disintegrating or shredding.


This method, however, is not always viable. If you have equipment that you would like to clear and re-use, or if your equipment is rented, destroying it may not be feasible.

Conventional Methods of “Wiping” Your Hard Drive Won’t Cut It 

If your organization is selling or discarding any hardware, you may be tempted to simply erase the hard drive components. Deleting files will not permanently delete PHI. Although the information will no longer be visible to you, it is still there and can be retrieved.


You need secure data destruction that permanently eliminates PHI data from every piece of hardware so that your patients’ information is not put in jeopardy.


There are companies who specialize in the proper disposal of PHI hardware. These companies should offer a HIPAA Certificate of Destruction as validation that the equipment was disposed of properly, and within HIPAA guidelines.
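As an added illustration of the clearing step and the verification read that should follow it (example code written for this page, not from the original article or from HHS guidance): a file-backed image stands in for a drive, a constructed sample record is planted in it, the image is overwritten seven times as the article recommends, and a raw scan confirms the record can no longer be found. It assumes a POSIX shell with dd, tr, grep and sync available; the image path, marker text and pass count are all constructed here.

```shell
#!/bin/sh
# Added example: multi-pass clearing of a file-backed "drive" image with a
# verification read. Not from the original article. The marker is constructed
# sample text, not real patient data.
set -eu

IMAGE="${TMPDIR:-/tmp}/phi-clearing-demo.img"   # stand-in for the device
MARKER='MRN-000-0000 DX:SAMPLE-CONDITION'        # constructed sample PHI record
PASSES=7                                         # minimum passes the article recommends
SIZE_KB=64                                       # size of the simulated device

# Build the image and plant the marker at an arbitrary offset, the way a
# record lingers in an unallocated block after a conventional "delete"
# (deletion removes the directory entry, not the bytes).
plant_phi() {
  dd if=/dev/zero of="$IMAGE" bs=1024 count="$SIZE_KB" 2>/dev/null
  printf '%s' "$MARKER" | dd of="$IMAGE" bs=1 seek=20480 conv=notrunc 2>/dev/null
}

# Exit 0 if the marker is still recoverable from a raw read of the image,
# 1 if it is not. NUL bytes are stripped so grep sees the text as one line.
phi_recoverable() {
  tr -d '\000' < "$IMAGE" | LC_ALL=C grep -q -- "$MARKER"
}

# Clearing: overwrite the entire image PASSES times, alternating random data
# with zeros, and sync after every pass so no pass sits only in the page cache.
# Prints the number of passes completed.
# Caveat: overwriting through the filesystem does not reach sectors a drive has
# remapped or flash blocks moved by wear levelling, which is why the article
# also lists purging and physical destruction for real media.
clear_image() {
  pass=1
  while [ "$pass" -le "$PASSES" ]; do
    if [ $((pass % 2)) -eq 1 ]; then src=/dev/urandom; else src=/dev/zero; fi
    dd if="$src" of="$IMAGE" bs=1024 count="$SIZE_KB" conv=notrunc 2>/dev/null
    sync
    pass=$((pass + 1))
  done
  echo $((pass - 1))
}

# Verification read: disposal is not finished until a raw scan of the device
# fails to find the data. Returns 1 if the marker survived.
verify_cleared() {
  if phi_recoverable; then
    echo "FAIL: marker still recoverable from $IMAGE" >&2
    return 1
  fi
  echo "OK: no trace of the marker after $PASSES passes"
}

# Demonstration run.
plant_phi
if phi_recoverable; then
  echo "Before clearing: marker found in the raw image (what a deleted file looks like to a raw read)"
fi
clear_image >/dev/null
verify_cleared
rm -f "$IMAGE"
```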

Training Employees on PHI Disposal

HIPAA law regarding disposal of protected health information dictates that you train your employees on how to properly dispose of PHI.


According to HIPAA law, any workforce member who is involved in disposing of PHI or who supervises others who dispose of PHI, must receive proper PHI training.


PHI should be maintained in a secure area, such as a locked depository bin, and disposed of through a qualified vendor. 

Requirements for Keeping PHI Hardware

HIPAA requires businesses to store PHI for six years, sometimes seven years, depending on the state in which you operate.


It is important to keep this in mind when you are preparing to dispose of hardware that may have PHI on it that still needs to be retained. Make sure you have a backup plan in place for PHI before disposing of hardware.


Your business reputation depends on your ability to serve your clients or patients. This includes making sure that the personal information they trusted you with is never compromised by improper or careless disposal of hardware. 




How to be HIPAA compliant on social media


Social media can be a minefield for any business to navigate. When it comes to the combination of patient privacy and social media, healthcare organizations and other HIPAA-covered entities need to tread carefully. 


As a HIPAA-covered entity, you should use social media (Facebook, Twitter, and Pinterest to name three examples) for the same reasons other companies do:

  • Share information about products and services to educate existing clients
  • Attract new customers
  • Branding and advertising
  • Creating connections by sharing tips and insights about health news


At the same time, your employees may also be active on social media,  sharing tweets or Facebook status updates about their workday like the tens of millions of other social media users. 

They just need to follow HIPAA rules about sharing patient information.

Be careful when sharing Protected Health Information (PHI)

Even though HIPAA was written and enacted before social media became popular and a source of education and entertainment, the rules extend to these sites as well. Fortunately, with education and training, staying within the boundaries of HIPAA to protect clients’ PHI while taking advantage of the benefits social media offers is achievable.


The HIPAA Privacy Rule says you cannot share PHI except for Treatment, Payment or Operations (TPO) without the written consent of the patient. Many doctors will share photos of various procedures to educate clients. They may post messages about patients. Unless you have explicit permission, do not share any information about a patient. 

How Healthcare Providers Can (and Should) Use Social Media

There are many ways in which social media can benefit both providers and patients. There’s no reason for healthcare providers to refrain from using social media to educate, inform, and keep in touch with patients or to attract new business. The following are a few examples of things you can share on social media as a covered entity:

  • Events that a patient might be interested in
  • Research updates, findings, and even analysis of what it means in your area of expertise
  • Staff introductions and profiles, videos, and/or bios
  • Promotions regarding your services
  • Health tips and advice
  • Advertisements for your services (pay-per-click ads on Google, Facebook ads, etc.) that don’t violate patient confidentiality and privacy

All of these things can be shared to provide better patient service without conflicting with HIPAA guidelines.

Social Media Rules for Employees on Both Professional and Personal Platforms

For employees of a covered entity, social media rules related to patient interactions need to extend to their personal use of social media as well. In a nutshell, any information about a patient is protected, from nicknames to numbers (phone, social security, age, etc.) to treatment information to biographical details (marital status, siblings, etc.). 


You cannot share any text about specific patients. Likewise, images and video that could result in a patient being identified should be avoided. For instance, if you take a photo of your dental office to use on your website, you need to be sure there are no patients in the photo. Or, if there are, ensure that you have their written permission to use the photo.


Employee interactions with patients on social media can be problematic. Employees of covered entities must be careful in their work-related posting. Here are three actions all employees should take on social media:

  • Employees who have identified themselves as an employee of a covered entity need to state that any views expressed are their own and do not represent their employer
  • If a patient posts a picture with a “tag” that makes a picture appear in your timeline, remove that tag
  • Respond to comments, for example on a business’ Facebook page, but do not mention or allude to any treatment given

Here are four things your employees should never do:

  • Talk about your workday as it relates to your job or activities interacting with patients
  • Post photos or videos of patients, even if the patient cannot be identified in the photo
  • Gossip about a patient, even if a name isn’t given
  • Post to a patient’s social media account

Texting Protected Health Information

Texting apps aren’t often considered as part of social media. In short, a texting app “could” be HIPAA-compliant if it has a number of features such as encryption and a record of the conversation. 


In general, using secure texting solutions to confirm upcoming appointments and to send reminders is fine; using standard text messages or apps like Facebook Messenger or Snapchat is discouraged, as they lack the features that would render them HIPAA compliant.


Here are three tips for staying HIPAA-compliant on social media.

Develop a Social Media Policy

Every covered entity should have a policy to guide employees on the do’s and don’ts of social media relevant to patients and PHI, including those mentioned earlier in this post.


Your social media policy and guidelines should include a definition of social media, which should aim to include future social media platforms yet to be released. 


Whatis.com defines social media as follows:

Social media is the collective of online communications channels dedicated to community-based input, interaction, content-sharing and collaboration. Websites and applications dedicated to forums, microblogging, social networking, social bookmarking, social curation, and wikis are among the different types of social media.

A best practice is to revisit this policy yearly and revise it as needed.

Train Employees

After developing a social media policy, you must train employees to follow it. Ongoing employee training is crucial to reinforce the importance of following HIPAA privacy guidelines. All employees should receive social media training before they begin their job or as quickly as possible afterward to minimize the chance of a HIPAA privacy violation. 


HIPAA violations on social media happen. Recently, a dental practice revealed PHI when responding to a patient’s Yelp review. The penalty was $10,000. You can read about the PHI disclosure here.

Use Social Media Wisely

Healthcare providers and other covered entities can use social media for the same reasons as other businesses -- educating and attracting existing and new clients for their services. 

As long as they follow the HIPAA privacy rule in their social media communications, covered entities can have a robust social media presence that does not violate HIPAA guidelines.




Do you Know the Recent Changes in HIPAA?


The recent HIPAA changes extend the scope and extent of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (HITECH). Many of the new HIPAA rules for 2013 account for changes in working practices and advances in technology since the original legislation was enacted in 1996.


Within the recent HIPAA changes, the Security Rule introduces three “safeguards” to protect the integrity of electronically stored and transmitted Protected Health Information (ePHI). These three safeguards are:

  • Administrative Safeguards – covering factors such as the assigning of an information security officer, business associate agreements, risk assessments, training and the development of appropriate policies.
  • Physical Safeguards – covering equipment specifications, controls for devices and media used to store ePHI (including flash drives), and physical access to servers and other hardware on which ePHI is stored.
  • Technical Safeguards – covering issues such as who can remotely access a database on which ePHI is stored, audit controls, transmission security and how access to and the communication of ePHI is monitored.


These safeguards are of particular significance to covered entities that have implemented BYOD policies, have storage issues with the requirement to save six years of ePHI, or who provide unfiltered Internet access.


In order to comply with the recent HIPAA changes, covered entities must implement mechanisms that ensure the end-to-end security of patient data and have processes in place to prevent a data breach.

A Revised Definition of Data Breaches

Also included among the new HIPAA rules for 2013 was a revised definition of what constitutes a data breach. A data breach will now be presumed to have occurred when there has been the unauthorized exposure of ePHI unless the healthcare organization, health insurance provider, employer or vendor/business associate can demonstrate that there is a low probability that patient data was compromised.


One of the best ways of demonstrating a low probability that patient data was compromised is through encryption. The encryption of data is an “addressable” requirement of the HIPAA Security Rule, meaning that it does not have to be implemented if a covered entity can show it is not necessary, or if a suitable alternative to the requirement is instigated.


However, by encrypting all personal identifiers and health-related data any unauthorized exposure of ePHI will be undecipherable, unreadable and unusable – resulting in a low probability that patient data was compromised.


The encryption of data in databases, on servers, on flash drives or as it moves through a network can also help covered entities avoid OCR fines for failing to comply with the recent HIPAA changes.

The Implementation of Encryption in Healthcare

The implementation of encryption in healthcare is not difficult to achieve. Many covered entities are switching their primary method of communication to secure messaging. Secure messaging complements the BYOD policies that many covered entities have introduced, and eliminates the risk of a data breach – not only through encrypted communications, but also by encapsulating communications within a private network that provides full message accountability.

Secure messaging not only helps to comply with the recent HIPAA changes, but the mechanisms intended to provide an audit trail for ePHI also accelerate the communications cycle in many areas of healthcare. Secure messaging has also been proven to foster collaboration and enhance productivity – improving the speed of diagnoses, the accuracy with which prescriptions are filled and reducing the volume of adverse events.

Whereas secure messaging resolves the issue of encryption in healthcare since the new HIPAA rules for 2013 were introduced, secure email archiving is an appropriate solution for communications sent and received prior to the recent HIPAA changes. Covered entities have to keep healthcare data for a minimum of six years, and secure email archiving not only stores emails in an encrypted format, but also indexes them and their content for easy retrieval in the event of discovery or a compliance audit.

The Cyber Threat to the Integrity of ePHI

The single largest cause of data breaches has been, to date, human error. Employees mislaying USB Flash drives, unencrypted laptops stolen from the back seat of a car and the improper disposal of ePHI have been responsible for many millions of records being exposed. Aware that employees are the weakest link in a covered entity´s cybersecurity defenses, criminals are targeting them through phishing campaigns and malware downloads.

One of the strongest defenses against cyber threats is the implementation of a web filter. With a suitably robust web filter, covered entities can prevent employees being directed to bogus websites that request their login credentials and sites that harbor malware. Web filtering solutions can also be configured to prevent the download of certain file types, making it harder for a cybercriminal to break through a covered entity´s cybersecurity defenses.

Web filters also have a productivity-enhancing benefit. With the ability to restrict access to any website, administrators can prevent employees from using social media channels, visiting shopping portals or watching live-streamed videos during working hours. Restricting access to certain areas of the Internet can also eliminate potential HR issues and create a more user-friendly working environment.


HIPAA Regulations for Radiologists 101


HIPAA regulations are a complex set of rules and regulations that are designed to promote a more patient-oriented medical system that enhances patient care. HIPAA regulations that promote the accessibility of medical records to patients and increase the security of electronic patient health information are also included in the HIPAA Omnibus Rule. Radiologists often receive patients through a referral system or send patient files to another medical doctor or facility after x-rays and other scans are interpreted. This constant sharing of sensitive patient information makes learning what HIPAA regulations are and how they affect radiologists an important task for any radiologist.


HIPAA Omnibus Rule

The HIPAA Omnibus Rule has changed the way that patient information is collected, stored, transmitted and created in response to the HITECH Act. The HITECH Act offers organizations incentives for using electronic patient health information while improving the security of that data. When asking what HIPAA regulations are, one of the most important things to consider is your organization’s privacy policy. New HIPAA regulations state that organizations and entities must update their privacy policies and business agreements to comply with the current standards.


Current HIPAA standards require that all businesses sharing patient information must be HIPAA compliant. For instance, if a radiologist receives referrals or bills insurance companies on behalf of clients, the insurance company and the organization referring clients should both be HIPAA compliant. Current business associate agreements will be allowed until late September of 2014, but after that date all business associates will need to comply with the HIPAA Security Rule to avoid penalties or fines.


What is Affected by HIPAA?

Nearly every aspect of creating, sharing and transmitting electronic patient health information has been affected by new HIPAA regulations. In addition to revising and updating your organization’s privacy policies and business agreements, you will also need to look at your internal records storage and the accessibility of patient records. For instance, your internal computer systems must be secure and protected from data loss or third-party access. Data encryption is required anytime that you transmit electronic patient information. If your organization is using a third-party storage system for patient health information, the company providing web-based storage services will also need to be HIPAA compliant.


One of the areas that will be most affected for radiologists is how patient information is disclosed. Since radiology is a field where referrals are very common, care must be taken to ensure formal, written consent is provided each time you share patient health information. For example, a radiologist sending the results of an x-ray to a general practitioner will need to have written consent by the patient to do so. In order to understand and comply with current HIPAA regulations, it is best to use a HIPAA compliance checklist and HIPAA compliance software. HIPAA compliance software will walk you through the process of meeting current HIPAA regulations and help you avoid the confusion of updating and revising your current policies and practices on your own.
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


Why should you care about HIPAA?


Can you afford a $50,000 fine for a HIPAA violation? The healthcare industry is extremely vulnerable to cyber-attacks and data theft. According to the HIPAA enforcement rule, penalties can reach up to $1,500,000 per year per violation depending upon the type of HIPAA violation.

Look at some of the biggest HIPAA penalties enforced by the Office for Civil Rights:

In October 2018, Anthem Insurance paid OCR $16 million in a record HIPAA settlement after a series of cyberattacks led to the largest U.S. health data breach in history and exposed the electronic protected health information of almost 79 million people. OCR's investigation revealed that Anthem failed to conduct an enterprise-wide risk analysis, had insufficient procedures to regularly review information system activity, failed to identify and respond to suspected or known security incidents, and failed to implement adequate minimum access controls to prevent the attackers from accessing sensitive ePHI, beginning as early as February 18, 2014.


A judge ruled in June 2018 that MD Anderson Cancer Center must pay $4,348,000 in civil money penalties to OCR following an investigation into the theft of three unencrypted devices, which resulted in a breach of the ePHI (electronic Protected Health Information) of over 33,500 individuals.


Fresenius Medical Care North America (FMCNA) is paying $3.5 million and has agreed to a corrective action plan after five separate data breaches in 2012, because it failed to implement policies and procedures and proper protection of PHI (Protected Health Information).


CardioNet was fined $2.5 million and given a corrective action plan after a laptop was stolen from an employee's vehicle. Further investigation revealed insufficient risk analysis and risk management at the company: its policies and procedures were still in draft status and had never been implemented.


One surprise inspection can expose a HIPAA violation and change your business forever. New legislation now also allows patients in Connecticut to sue healthcare providers for privacy violations or PHI disclosure. You may say that your job as a healthcare provider is only to treat your patients, and that you don't need to worry about cybersecurity or technology.


Bear in mind, though, that cybersecurity issues can affect patient care, and on several occasions have done so! Protect the integrity of your business and your patients' private health information to avoid a HIPAA violation that could cost you money, respect, and patients!


You may understand that HIPAA violations can lead to fines, but you may also be wondering: what is a corrective action plan? Often, when the Office for Civil Rights (OCR) imposes a fine for a HIPAA violation, it also imposes a Corrective Action Plan with a strict timeline for correcting the underlying compliance problems, with the goal of preventing breaches from recurring.


HIPAA compliance tips for small medical practices

But data breaches don't just affect large corporate entities; they affect small healthcare organizations as well. Take the case of Holland Eye Laser Surgery in March 2018. This five-provider group practice suffered a data breach that exposed the records of 42,000 patients. Hackers were able to access Social Security numbers, birth records, and other sensitive protected health information (PHI).


In fact, some of these patients' medical records were sold off by the hackers. Officials from the practice stated that they are now working to strengthen their security systems. But once patient trust is lost, sometimes it cannot be restored.


Brief primer on HIPAA and data breaches

• The Privacy Rule protects individually identifiable health information held or transmitted by a covered entity or its business associate, in any form, whether electronic, paper, or verbal.

• Each entity must analyze the risks to e-PHI in its environment and create solutions appropriate for its own situation.

• The HIPAA Breach Notification Rule requires providers to notify affected individuals, HHS, and in some cases, the media of a breach of unsecured PHI. Most notifications must be provided without delay and no later than 60 days following the discovery of a breach.


5 tips to help you and your medical staff to avoid data breaches

1. CMS requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Conduct a detailed risk analysis to evaluate the current staff and product deficiencies and create corrective measures.

2. Designate a staff member to train employees on your practice’s HIPAA policies and procedures and spend time going over typical breaches.

3. Hire an outside expert to help your organization with compliance support. Your outside organization should set up monthly meetings with the business owners to evaluate your company compliance program and work with your organization to identify cost-effective resources to keep your company compliant.

4. Add anti-phishing protection to your web browsers. These tools check the websites users visit against lists of known phishing sites and alert users when there is a match.

5. Be suspicious of any email message that asks you to enter or verify personal information through a website or by replying to the message itself. Practice groups and staff members should never reply to, or click the links in, such messages.


OIG to CMS: Make EHR fraud prevention efforts a priority

The Office of Inspector General is once again calling out CMS for failing to adequately address fraud vulnerabilities in electronic health records. Despite OIG submitting recommendations back in 2013, a new OIG report underscores that the agency is still dragging its feet on implementing EHR fraud safeguards.

Part of the Office of Inspector General's role is to audit and evaluate HHS processes and procedures and put forth recommendations based on the deficiencies or abuses it identifies. It turns out that many of these recommendations are ignored, disputed or left unimplemented, according to OIG's new Compendium of Unimplemented Recommendations report. EHR fraud is on that list.
"HHS must do more to ensure that all hospitals' EHRs contain safeguards and that hospitals use them to protect against electronically enabled healthcare fraud," OIG officials wrote in the report. 
Specifically, audit logs should be operational whenever an EHR is in use, and CMS should develop concrete guidelines on the use of copy-and-paste functions in electronic health records. According to OIG data, most hospitals using EHRs had RTI International audit functions in place, but they were significantly underused. What's more, only some 25 percent of hospitals even had policies in place regarding copy-and-paste functions.
These recommendations have come up repeatedly in recent OIG reports, and despite CMS officials agreeing with the outlined recommendations, the agency is still not making it enough of a priority.  
In a January 2014 report, OIG also called out CMS for failing to make EHR fraud a priority. Specifically, OIG said, CMS neglected to provide adequate guidance to the contractors tasked with identifying EHR fraud: the majority of those contractors reviewed EHRs in the same manner as paper records, disregarding the differences between them. Moreover, only three out of 18 Medicare contractors were found to have used EHR audit data in their review process.
When it came to identifying copy-and-paste usage or over-documentation, many contractors reported that they were unable to do so. Considering that some 74 to 90 percent of physicians use the copy/paste feature daily, according to a recent AHIMA report, the implications are significant.
As Diana Warner, director of HIM practice excellence at AHIMA, recounted at the October 2013 MGMA conference, copy-and-paste usage at her previous medical practice caused a patient's record to go from a family history of breast cancer to a personal history of breast cancer. The error was caught by the insurance company, which believed the patient had lied and was poised to change her healthcare coverage. "We had to work for months to get that cleared up with the insurance company so her coverage would not be dropped," Warner said. "We had to then find all the records that it got copy and pasted into" incorrectly, and then track down every location the data had been sent to.
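The OIG finding above is that reviewers could not identify copy-and-paste usage in EHR notes. As an added illustration (not from the OIG report or any EHR product), the following checks each new note for a patient against that patient's earlier notes and flags notes whose word n-grams are mostly reused; the sample notes, the 5-word shingle size and the 60% threshold are constructed for the example.

```python
"""Flag clinical notes whose text is largely reused from earlier notes.

Added example: word-shingle overlap as a simple, auditable copy-and-paste
detector. Note texts and thresholds are constructed, not real records.
"""
import re
from typing import Iterable


def shingles(text: str, n: int = 5) -> set[tuple[str, ...]]:
    """Return the set of lower-cased word n-grams ("shingles") in text."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + n]) for i in range(len(words) - n + 1)}


def reuse_fraction(new_note: str, earlier_notes: Iterable[str], n: int = 5) -> float:
    """Fraction of the new note's shingles that occur in any earlier note.

    Returns 0.0 when the new note is too short to contain a single shingle,
    so very short notes are never flagged on their own.
    """
    new = shingles(new_note, n)
    if not new:
        return 0.0
    seen: set[tuple[str, ...]] = set()
    for note in earlier_notes:
        seen |= shingles(note, n)
    return len(new & seen) / len(new)


def flag_copy_paste(notes: list[str], threshold: float = 0.6, n: int = 5) -> list[int]:
    """Indices of notes (chronological order) whose reuse fraction against all
    previous notes reaches the threshold. The first note is never flagged."""
    return [i for i in range(1, len(notes))
            if reuse_fraction(notes[i], notes[:i], n) >= threshold]


# Constructed sample: three visits for one patient. Visit 3 repeats visit 1
# almost verbatim, carrying the family-history wording forward unchanged.
SAMPLE_NOTES = [
    "Patient reports intermittent headache for two weeks. Family history of "
    "breast cancer in mother. No fever. Vitals within normal limits. Plan: "
    "hydration, follow up in two weeks if symptoms persist.",
    "Follow-up visit. Headache resolved. Discussed sleep hygiene and screen "
    "time. No new complaints. Return as needed.",
    "Patient reports intermittent headache for two weeks. Family history of "
    "breast cancer in mother. No fever. Vitals within normal limits. Plan: "
    "hydration, follow up in two weeks if symptoms persist. Labs ordered.",
]

if __name__ == "__main__":
    for i in flag_copy_paste(SAMPLE_NOTES):
        print(f"note {i}: {reuse_fraction(SAMPLE_NOTES[i], SAMPLE_NOTES[:i]):.0%} reused")
```

A flagged note is a review lead, not proof of fraud: the reviewer still has to read it alongside the EHR audit log to see who pasted what and when.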
