HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Employer HIPAA Violations and COVID-19 Testing


As more and more businesses reopen and make the transition back to the office, many employers are requiring COVID-19 testing.


This has led many to ask whether testing employees for COVID-19 is a HIPAA violation. Employer HIPAA violations and COVID-19 testing are discussed below.

What are Employer HIPAA Violations?

Does HIPAA apply to employers? HIPAA requires covered entities (health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically) and their business associates to safeguard protected health information (PHI). An employer, acting as an employer, is not a covered entity.


PHI is individually identifiable health information that relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare to the individual, or payment for that healthcare, and that is created or received by a covered entity. Employers' human resources departments often collect health information on employees (sick notes, accommodation requests, test results), but employment records held by an employer in its role as employer are expressly excluded from the definition of PHI, so HIPAA does not govern the employer's handling of that information. Other laws, such as the ADA's confidentiality requirements for employee medical information, still do.


However, an employer-sponsored group health plan, including a self-insured plan, is a covered entity, and the employees who administer it handle PHI on the plan's behalf. That PHI must be safeguarded and may not be used for employment decisions; the plan documents must restrict how the employer uses it. Failing to safeguard employees' plan PHI would be an employer HIPAA violation.

Employer HIPAA Violations and COVID-19 Testing

The Equal Employment Opportunity Commission (EEOC) released guidance on employee testing stating that testing must be consistent with business necessity, mandatory medical tests must be job related, and tests should be reliable and accurate.


“Applying this standard to the current circumstances of the COVID-19 pandemic, employers may take steps to determine if employees entering the workplace have COVID-19 because an individual with the virus will pose a direct threat to the health of others,” stated the EEOC.


Christopher Durham, an attorney with Duane Morris in Philadelphia, has made the following recommendations for employer COVID-19 testing:

◈ If employers decide to test employees for COVID-19, they must do so on a nondiscriminatory basis. This means that if an employer tests one employee, they must test all employees.

◈ Testing records must be confidential. If an employee tests positive, their identity cannot be revealed.

◈ Testing, screening, or inquiries that are not necessary to address a potential direct threat are prohibited.

◈ If an employee has a medical condition that requires alternative testing, the employer must make accommodations for such testing.

◈ If an employee refuses testing, employers will need to consider how to handle an employee’s refusal. For example, the employer could refuse access to the worksite for employees that refuse testing.

◈ If an employee cannot access the worksite while waiting to be tested, or awaiting test results, there may be an obligation to compensate the employee under wage and hour laws for time spent waiting.

◈ Employees should be required to consent in writing to the screening.

◈ Employers should consider test accuracy when selecting a test to use.

◈ There should be predetermined conditions for an employee who tests positive to be able to return to the workplace.

◈ Employers must consider the implications of a positive test result (i.e., exposure implications for employees that may have come into contact with the positive employee in the days leading up to the positive test).

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


HIPAA Now: What you Need to Know About HIPAA Compliance


HIPAA Now: Effective HIPAA Compliance Program

An effective HIPAA compliance program protects the confidentiality, integrity, and availability of PHI through administrative, physical, and technical safeguards. Such a program consists of several components.

  • Risk Assessments. The Security Rule requires covered entities and business associates to conduct an accurate and thorough risk analysis and to evaluate their safeguards periodically; in practice this is done through self-audits repeated at least annually. Self-audits measure an organization's administrative, physical, and technical safeguards against the HIPAA standards.


  • Gap Identification and Remediation. Upon completion of self-audits, gaps in safeguards are identified. To be HIPAA compliant, organizations must address gaps with remediation plans. Remediation efforts close gaps so that an organization’s safeguards are adequately securing PHI.


  • Policies and Procedures. A major component of HIPAA compliance today is demonstrating compliance through documentation. As such, organizations must have customized, written policies and procedures dictating how they adhere to the HIPAA Security, Privacy, and Breach Notification Rules.


  • Employee Training. To ensure that employees properly use and disclose PHI, every workforce member must be trained when hired and whenever policies change; annual refresher training is the accepted practice. HIPAA training should cover HIPAA basics, the organization's own policies and procedures, proper use of social media, and cybersecurity awareness (phishing in particular).


  • Business Associate Management. Before working with a vendor, it is essential to assess its safeguards. Vendors that handle PHI (business associates) are themselves required to comply with HIPAA and must be willing to sign a business associate agreement (BAA). A BAA must be signed before any PHI is shared with the business associate. It is a legal contract that spells out the safeguards the business associate must have in place and makes each party responsible for maintaining its own compliance.


  • Incident Response. Organizations that experience a breach of unsecured PHI have an obligation to report it, and the reporting requirements depend on the size of the breach. In every case, affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to HHS at the same time, and if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. Breaches affecting fewer than 500 individuals are logged and reported to HHS within 60 days after the end of the calendar year in which the breach was discovered (by March 1, or February 29 when that year is a leap year). A breach is "discovered" on the first day it is known, or by exercising reasonable diligence would have been known, to the organization.
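As an added illustration of those windows (example code written for this page, not part of the original article and not an HHS tool), the following Python helper computes the three notification deadlines from the discovery date and headcount. It encodes only the federal rule described above; many state breach laws impose shorter deadlines, so a real incident tracker would carry those too. Applying the calendar-year rule literally is what makes the small-breach HHS deadline land on February 29 in a leap year rather than March 1.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Breach Notification Rule windows (45 CFR 164.404-164.408).
NOTIFY_WINDOW = timedelta(days=60)   # "without unreasonable delay, no later than 60 days"
HHS_IMMEDIATE_THRESHOLD = 500        # 500 or more individuals: report to HHS at the same time
MEDIA_THRESHOLD = 500                # more than 500 residents of one state: notify media


@dataclass(frozen=True)
class Deadlines:
    individuals: date          # last day to notify affected individuals
    hhs: date                  # last day to report to HHS
    media: Optional[date]      # last day to notify media, or None if not required


def discovery_date(first_known: date, should_have_known: date) -> date:
    """A breach is 'discovered' on the first day it is known, or by reasonable
    diligence would have been known, to the organization: whichever is earlier."""
    return min(first_known, should_have_known)


def breach_deadlines(discovered: date, affected: int, max_in_one_state: int) -> Deadlines:
    """Compute notification deadlines for a breach of unsecured PHI.

    affected         -- total number of individuals whose PHI was involved
    max_in_one_state -- largest count of affected residents in any single state
    """
    # Individuals are always notified within 60 days of discovery, whatever the size.
    individuals = discovered + NOTIFY_WINDOW

    if affected >= HHS_IMMEDIATE_THRESHOLD:
        hhs = individuals                     # reported to HHS contemporaneously
    else:
        # Small breaches go to HHS within 60 days after the end of the calendar
        # year of discovery: 1 March, or 29 February when the next year is a leap year.
        hhs = date(discovered.year, 12, 31) + NOTIFY_WINDOW

    media = individuals if max_in_one_state > MEDIA_THRESHOLD else None
    return Deadlines(individuals, hhs, media)


def breach_deadlines_iso(discovered: str, affected: int, max_in_one_state: int) -> dict:
    """Same as breach_deadlines, but takes and returns ISO-8601 date strings,
    which is the form a ticketing system usually wants."""
    d = breach_deadlines(date.fromisoformat(discovered), affected, max_in_one_state)
    return {
        "individuals": d.individuals.isoformat(),
        "hhs": d.hhs.isoformat(),
        "media": d.media.isoformat() if d.media else None,
    }


def days_left(deadline: date, today: date) -> int:
    """Positive while time remains, zero on the deadline, negative once overdue."""
    return (deadline - today).days


if __name__ == "__main__":
    # Constructed scenarios, not real incidents.
    print("large breach:", breach_deadlines_iso("2021-07-15", affected=1200, max_in_one_state=1200))
    small = breach_deadlines(date(2023, 11, 20), affected=40, max_in_one_state=40)
    print("small breach:", small)
    print("days left for the small-breach HHS report as of 2024-02-01:",
          days_left(small.hhs, date(2024, 2, 1)))
```

The state count is tracked separately from the total because the media trigger is per state: a breach of 600 people spread across four states needs HHS notice immediately but no media notice at all.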

4 Tips: HIPAA Compliance for Small Practices


When determining what HIPAA safeguards are appropriate for your organization it is important to address the following:


    1. Policies and Procedures. HIPAA compliance for small practices requires you to create customized policies and procedures, so that the policies and procedures you implement apply directly to the way your practice operates. To be HIPAA compliant, policies and procedures must be written and must be reviewed periodically (annually is the usual practice) to account for changes in business operations. Policies and procedures dictate the privacy and security protocols for your organization, as well as the proper uses and disclosures of protected health information (PHI).
    2. Self-audits. Self-audits measure your practice's administrative, physical, and technical safeguards against HIPAA standards. Conducting self-audits allows you to identify the gaps in your safeguards so that you can create remediation plans to close them.
    3. Notice of Privacy Practices. A Notice of Privacy Practices (NPP) is a written notice that covered entities are required to provide to their patients. The Notice tells patients how their PHI will be used and disclosed by the covered entity and describes the patient's rights with regard to their PHI.
    4. Business Associate Agreements. Business associate agreements (BAAs) are legally binding contracts signed between a covered entity and its business associates. A business associate is any entity that creates, receives, maintains, or transmits PHI on your behalf. A BAA mandates the protections that the business associate must have in place before PHI can be shared with it.

Is Freshdesk HIPAA Compliant?


Under HIPAA, Freshworks, the SaaS provider offering Freshdesk, is a business associate when healthcare clients run their customer support or help desk on the service, because support tickets can contain patient information. In the past, Freshdesk HIPAA compliance was not possible, as the company was unwilling to sign a business associate agreement (BAA).


A BAA is the contract that the Health Insurance Portability and Accountability Act (HIPAA) requires between a covered entity and a business associate (BA). It obligates the BA to have safeguards in place securing electronic protected health information (ePHI) and is a precondition for sharing ePHI with the BA.


Freshworks has recently enabled Freshdesk HIPAA compliance by signing BAAs with their healthcare clients. However, the BAA ONLY covers Freshdesk, not extending to Freshworks’ other services. To use Freshdesk in accordance with HIPAA standards, there are other requirements that must be configured and enabled other than signing a BAA.

What is Required for Freshdesk HIPAA Compliance?

Freshdesk HIPAA compliance comes down to how it is configured. 

The following configurations must be implemented for Freshdesk HIPAA compliance:

  • Freshconnect: this Freshdesk collaboration feature must be disabled for HIPAA compliance.
  • Custom Mailbox: this feature lets the organization connect its own mail server to Freshdesk, so that ticket email is sent and received through infrastructure the organization controls rather than through Freshworks' default mail service.
  • IP Whitelisting: lets administrators restrict access to the support portal to IP addresses or ranges they have approved. An allowlist limits where logins can come from, not who is logging in, so it complements strong authentication rather than replacing it.
  • SAML SSO: Security Assertion Markup Language (SAML) is a standard for passing authentication assertions from an identity provider to a web application, which is what enables single sign-on (SSO). With SSO, agents sign in to Freshdesk through the organization's identity provider, so that provider's password policy, multi-factor authentication, and account deprovisioning apply to the support portal instead of a separate set of Freshdesk passwords.
  • SSL/TLS: transport encryption is enabled automatically for every support portal hosted on freshdesk.com (yourcompany.freshdesk.com). When a company uses a custom domain for its support portal (support.yourcompany.com), it must configure its own certificate so that the portal is served over HTTPS.

Other Configuration Recommendations

There are additional protections that Freshworks recommends Freshdesk users implement for Freshdesk HIPAA compliance. Although they are not required, users should consider implementing them to strengthen the security of their ePHI.

  • Secure Data Migration: Freshdesk supports migrating data in without the user's data having to be held in a Freshworks local database along the way.
  • Data Sanitization: masks sensitive data in the ticket conversation so that agents and anyone else viewing the ticket do not see the identifiers in the clear.
  • Data Encryption: although not mandated for Freshdesk HIPAA compliance, encryption converts sensitive data into a form that is unreadable to anyone without the decryption key. Freshdesk lets users add an encrypted single-line field to their forms. Default fields cannot be encrypted and therefore should not be used for ePHI; Freshworks recommends that any PHI be stored only in a custom encrypted field.

PHI Protection: How to Secure Healthcare Data


Healthcare data breaches have been in the news recently, with several large breaches occurring over the last few months. Attackers target the healthcare industry because it holds a wealth of sensitive information on patients and is often less well defended than other industries.


Ransomware attacks continue to rise, in part because healthcare organizations are seen as likely to pay to get their data back.


In a ransomware attack the attacker gains access to an organization's systems and encrypts the data, demanding payment in exchange for the decryption key.


A healthcare organization losing access to its data can be a matter of life or death, so victims often pay. Payment does not guarantee recovery, however, and it does not remove the HIPAA obligations: HHS treats ransomware encryption of ePHI as a presumed breach unless the organization can show a low probability that the PHI was compromised.


Because protected health information (PHI) is widely reported to fetch many times more than financial records on dark-web markets, it is important to know how to implement PHI protection.

How to Implement PHI Protection

PHI protection is an essential part of preventing or mitigating a healthcare breach. The first step in implementing PHI protection is to know where the sensitive data is stored, how it is transmitted, and how it is used.


Identifying these allows an organization to determine what protections should be in place for each system and device, enabling more thorough security measures to be implemented.
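The inventory step just described, and the "data sanitization" masking mentioned for Freshdesk earlier on this page, both rest on the same primitive: recognizing identifiers in free text. The following Python example (added for this page; it is not code from the original article or from any vendor) scans constructed sample records for a handful of HIPAA direct identifiers, reports where they occur, and masks them. The regular expressions and the MRN format are assumptions and will need tuning for real data, and a regex pass finds formatted identifiers only; names, addresses and free-text clinical details need dictionaries, NLP or a proper DLP tool.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Heuristic patterns for some of the HIPAA direct identifiers that appear in
# free text. Assumption: US-formatted data; the MRN format is a made-up local
# convention. These catch formatted identifiers only.
PATTERNS = {
    "ssn":   re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "dob":   re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b"),
    "mrn":   re.compile(r"\bMRN[:#]?\s*\d{6,10}\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the scanned text
    kind: str      # which pattern matched
    value: str     # the matched text (this IS the identifier; do not log it carelessly)


def scan(text: str) -> list[Finding]:
    """Return every identifier match, with its line number, in reading order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                findings.append(Finding(line_no, kind, match.group(0)))
    return findings


def inventory(text: str) -> dict[str, int]:
    """Count of identifiers by kind: the 'where is the PHI' summary for one data store."""
    return dict(Counter(f.kind for f in scan(text)))


def redact(text: str) -> str:
    """Mask every identifier so the text can go into a ticket, log or bug report."""
    masked = text
    for kind, pattern in PATTERNS.items():
        masked = pattern.sub(f"[{kind.upper()} REDACTED]", masked)
    return masked


# Constructed sample records (fictional people and numbers), e.g. an export of
# support-ticket text that should never have held PHI in the first place.
SAMPLE = """\
2021-06-03 ticket 4412: patient Jane Roe MRN: 00987654 DOB 04/12/1968 asks about a bill
contact on file: jroe@example.com, 555-123-4567
agent note: ssn 123-45-6789 pasted from the registration screen
routine follow-up, no identifiers in this line
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind}")   # report location and type, not the value
    print(inventory(SAMPLE))
    print(redact(SAMPLE))
```

Run the same scan over each data store in turn (ticket exports, shared drives, log archives) and the inventory tells you which stores hold PHI and therefore which ones the safeguards, BAAs and retention rules must cover; redact is the mask step for anything that has to leave that boundary.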

In addition organizations should:

  • Complete a security risk assessment (SRA) to determine where security measures may be lacking. Once gaps are identified, organizations should create remediation plans to ensure PHI protection. To be HIPAA compliant, covered entities and business associates must conduct an accurate and thorough SRA and repeat it periodically; annually, and after any significant change to systems or operations, is the accepted practice.
  • Encrypt data to reduce the risk of healthcare breaches. Encrypted data cannot be read without the decryption key, which makes encryption one of the most effective PHI protections. Under the Security Rule encryption is an "addressable" specification: it is not strictly mandated by the Department of Health and Human Services (HHS), but an organization that chooses not to encrypt must document why and what equivalent measure it uses instead. Encryption also matters after the fact: lost or stolen ePHI that was encrypted according to HHS guidance is not "unsecured" PHI, so its loss does not trigger breach notification.
  • Train employees on organization policies and procedures as well as HIPAA requirements. The majority of healthcare breaches occur as a result of human error. Employees must be trained on what constitutes PHI and how to handle it properly. Additionally, employees should be able to recognize phishing emails and know what to do if they suspect an email is malicious.
  • Vet vendors by sending them an SRA to complete. Covered entities have an obligation to ensure that the vendors they work with have the proper measures in place for PHI protection. If a vendor lacks security measures, it must implement adequate safeguards before it is permitted to receive PHI.
  • Sign business associate agreements (BAAs) with all vendors before PHI is shared. A BAA records that each party has agreed to comply with HIPAA and is responsible for its own compliance; since the HITECH Act, business associates are directly liable for their own violations, and a signed BAA is what shows the covered entity did its part.

PHI protection should be a top priority for anyone working in healthcare. Healthcare organizations that have the proper security measures surrounding PHI will limit the risk of experiencing a breach.


If a breach should occur, an organization that has proper PHI protection will be better prepared to respond to the breach. 



What Is HIPAA And How To Comply With The HIPAA Security Rule


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that requires healthcare providers, health plans, and their business associates to protect the privacy and security of health information, including against loss, unauthorized access, and data breaches.


This law has become especially relevant to dental practices because of the rise in data breaches caused by ransomware and other cyberattacks.


HIPAA's requirements can be demanding and hard to follow, but we have summarized them below. The Security Rule defines three categories of safeguards you need to have in place to be compliant.


• PHYSICAL – measures that prevent the loss or theft of devices and records holding medical information, e.g. keeping workstations out of public view, locking up paper records, and limiting physical access to computers and servers.


• ADMINISTRATIVE – the policies, procedures, and oversight that govern how patient data is handled: performing a risk analysis, deciding which employees may access medical information, training the workforce, and planning for incidents.


• TECHNICAL – the controls that protect your devices, networks, and data from unauthorized access and breaches, e.g. unique user accounts, access controls and audit logs, and encrypting files that you upload to a cloud service or send by email.


The components above represent every aspect of your dental practice from your record-keeping and policies to your building safety and technology.


HIPAA also requires all your staff members to work together to protect patient data and be on the same page.




The administrative, physical, and technical requirements for HIPAA security may be a lot of information for you to take in. Additionally, it can be overwhelming for you to handle its compliance in your dental practice solely.


The load is lighter when compliance is treated as an organization-wide responsibility: every employee has to understand and carry out their own role in securing dental information, rather than one person doing it all.


Alternatively, you can outsource your HIPAA compliance to consultants, web services, and IT contractors.


This can help your dental practice meet the required standards. However, outsourcing the work does not transfer the legal obligations: the practice remains the covered entity and remains liable for compliance, so it must oversee the consultants and contractors it hires and sign BAAs with any that handle PHI.


Your company should always stay on top of any HIPAA changes in recommendations and adopt advanced practices to improve medical information security.


Ultimately, ensure your dental practice upgrades all its old technology for better and efficient systems that contribute to medical information security.


3 Things Everyone Should Know About The HITECH ACT


The American Recovery and Reinvestment Act passed into law on February 17th, 2009. Included in this bill is a section titled the Health Information Technology for Economic and Clinical Health Act, or HITECH for short.


This law allocates $18 billion as incentives through Medicare and Medicaid reimbursement systems, providing grants and revolving loan funds to hospitals and physicians considered meaningful users of electronic health records.


These grants and loan funds may be used to purchase EHRs and new healthcare technology. If you’re a small to medium sized healthcare practice in need of a consultation regarding HITECH Act compliance, then look no further.


EHR has a compliance department that will assist you with matters such as this. Listed below are three things both eligible and ineligible providers should be aware of when demonstrating meaningful use of EHR systems, which is how the program aims to improve health care throughout the country.




The Department of Health and Human Services issued three final rules for implementing the requirements of the HITECH Act. The rules stipulate that eligible professionals who qualify for the incentive program can receive as much as $44,000 over a five-year term through Medicare, or up to $63,750 over six years through Medicaid.


Hospitals can earn millions of dollars in incentive payments and revolving loans for implementing, and becoming meaningful users of, certified electronic health records. The third rule establishes objectives for what counts as "meaningful use," along with the metrics eligible applicants must meet in order to receive the full benefits of the EHR incentive program.




In order to be compliant with the HITECH Act, another stipulation addressed in The Department of Health and Human Services final rules was the Temporary Certification Program for Health Information Technology.


This certification program establishes a process for businesses and professionals to test and certify for using EHR technology. If you want to take advantage of all the benefits this program has to offer, then you must certify first.




Experts estimate that over the next ten years, the Federal government will spend over $26 billion in grants to medical professionals and hospitals implementing the standards set forth in the HITECH Act.



If you are a small to midsize healthcare practice looking to save money and benefit from the outstanding economic benefits the HITECH Act’s financial EHR implementation incentives provide, contact EHR1 today for a certified EHR and expert consulting.


HIPAA Tips for Covered Entities & Employees


Covered entities’ employees play an important role in keeping PHI and ePHI secure. The following HIPAA covered entity employee tips can be used by your organization as part of broader privacy and security effort. 


Five HIPAA Covered Entity Employee Tips – reminders that covered entities should give their workforce – include:


HIPAA Covered Entity Employee Tips:


Tip 1: Employees should never share login credentials. The Security Rule requires each user to have a unique identifier, precisely so that every access to ePHI can be attributed to a specific person in the audit logs; a shared or written-down credential makes it impossible to tell authorized use from misuse. Credentials should therefore be neither shared nor written down.


Tip 2: Employees who work for a covered entity at which they have also been treated as patients should not be permitted to look up their own medical records using their workforce login.


Rather, covered entities should require employees to go through the same process for obtaining access as any other patient. As a general matter, employees who are authorized to access patient PHI are authorized only for the PHI they need to do their job: other people's records, and only for work purposes.


Employees who want a copy of their own medical records should submit the same request for access that a patient would, through the health information management (HIM) department.


Tip 3: Employees should be reminded that medical records are the property of the covered entity; accordingly, employees should not be allowed, upon their departure from a covered entity’s employ, to take medical records containing PHI with them.


Such information can be used for a variety of purposes that constitute data theft. These purposes include using the information to “recruit” patients to a different facility, or using the information to market or sell pharmaceutical products, just to name two examples. 


Tip 4: Employees should NEVER share ePHI on social media sites or through social media channels. Covered entities who have not already developed policies prohibiting such activities, should implement such policies at their earliest convenience.


The prohibition should extend to every type of social media, including platforms that limit message length (e.g., Twitter) and so-called "closed" groups on sites such as Facebook. Once information is posted on social media it has, by definition, been made public.


In addition, ePHI that should never be shared includes not only data but also photographs or videos that could be used to identify a patient.  


Tip 5: Employees should be reminded that portable devices and documents containing ePHI or PHI should never be left unattended.


Devices can be misplaced or stolen, and the ePHI contained therein then taken by data thieves or cyber attackers.


The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) has not hesitated to fine organizations that suffered a breach because an unencrypted laptop, phone, or USB drive containing ePHI was lost or stolen after being left unattended.


Devices should be encrypted and never left unattended. Paper documents need the same care: do not misplace them, and do not keep them in areas where unauthorized individuals can view them.


HIPAA Requirements for Sending PHI


Healthcare entities require a means to easily share protected health information (PHI). When sending PHI it is imperative to keep HIPAA requirements in mind. The Health Insurance Portability and Accountability Act (HIPAA) set forth industry standards for creating, storing, and maintaining of PHI, including proper procedures for sending PHI.

  • Email

The most convenient means of sending PHI is via email, however when sending PHI through email, organizations must have proper protections in place.


The best way to protect email communications is through encryption. Encryption transforms the message into ciphertext that cannot be read without the decryption key.


Most business-grade email services offer some form of encryption, but check what kind: the routine TLS between mail servers is usually opportunistic (it falls back to plaintext if the receiving server does not support it) and it does not protect a message once it is sitting in a mailbox. For PHI, use a service or add-on that enforces encryption, or send a secure link to a portal and keep the PHI out of the message body. Even then, encrypting PHI is not enough.


Before sending PHI by email, it is essential to verify the identity of the recipient and confirm that they are permitted to receive the PHI; a mistyped or auto-completed address is one of the most common ways PHI is misdirected.


In addition, there must be a means to revoke access to the PHI if the email was sent to the wrong person, or if access to the PHI is no longer necessary; portal-based secure messaging makes this possible where ordinary email does not.


  • Fax

Faxing PHI is permitted under certain circumstances. Sending PHI via fax is a similarly easy way to share patient data quickly. 


HIPAA requires that access to PHI be limited to authorized individuals who need it to perform a job function. As such, fax machines should be kept in a secured area that limits the risk of access by unauthorized individuals, and the sender should verify the recipient's fax number (pre-programmed numbers reduce misdials) and use a cover sheet that identifies the intended recipient.


Additionally, faxes should not print automatically. Faxes that print automatically risk being viewed by individuals who are not permitted to view PHI.


Faxes containing PHI should be held in the fax machine's memory until an authorized user releases them for printing.

  • U.S. Mail

When sending PHI via U.S. mail, it is not acceptable to use bulk or marketing-class mail. At a minimum, PHI should be sent First-Class.


However, under some circumstances PHI should be sent by Certified Mail. Certified Mail requires a signature on delivery, and with the Restricted Delivery option it can be delivered only to the addressee (or someone the addressee has authorized), not to anyone at the address.


Certified Mail can also be tracked, so the sender has a record of when and to whom the PHI was delivered and can act quickly if it goes astray.

Sending PHI: Business Associate Agreement

Before a healthcare organization is permitted to fax or email PHI through a third-party service, it must have a signed business associate agreement (BAA) with that service provider. An email provider or cloud fax service stores the messages on its own servers, which gives it the means to access the data, so it is a business associate even if it never looks at the content.


A BAA limits the liability for both parties as it states that each organization agrees to be HIPAA compliant, and each are responsible for their own compliance. 

Sending PHI: HIPAA Conduit Exception Rule

When sending PHI through U.S. mail, a BAA is not required. Mail carriers are conduits under HIPAA: they transport the envelope but have no means to access the PHI inside. The same exception covers telecommunications carriers and internet service providers that merely transmit data (including the phone line a traditional fax travels over), but it is narrow: a service that stores ePHI, even briefly and even without viewing it, such as an email or cloud fax provider, is a business associate, not a conduit.

HIPAA Requirements for Sending PHI

When choosing a method to send PHI, healthcare entities must look to HIPAA requirements to ensure that they are sending PHI in a HIPAA compliant manner.


Email must be encrypted, faxes must be held in the machine's memory until an authorized user prints them, and U.S. mail must go First-Class at a minimum. Lastly, there must be signed BAAs with email and fax service providers.


HIPAA Privacy Rules, Mental Health, and Addiction: When can PHI be shared without consent?


HIPAA is designed to protect patient confidentiality.

What happens when patient confidentiality conflicts with a patient being able to receive the best care possible? 


In cases of mental health and addiction, such as the current opioid overdose crisis, there are situations in which a covered healthcare provider may share protected health information (PHI) to help the patient. 


In this post, we’ll share guidance on sharing protected information to prevent harm in both mental health and opioid overdose situations.


While HIPAA may permit disclosure of patient information, there may be other overlapping privacy laws related to individual states or other regulations that need to be taken into consideration before the information is shared.

Mental Health and Privacy

When addressing mental health issues, HIPAA rules provide guidance on sharing patient information to ensure that the patient receives the best treatment and care possible. Disclosure of information is also acceptable when the health and safety of the patient and others are at risk. 


Communicate with a patient’s family members, friends, and others involved in the patient’s care. If a patient is present and has the capacity to make decisions, and does not object; a healthcare professional can discuss treatment or payment issues. 


If the patient is not present or is incapacitated (intoxicated or experiencing temporary psychosis, for example), the patient's information can be shared if the provider, in his or her professional judgment, determines that doing so is in the patient's best interests. Section 164.510(b)(3) of the HIPAA Privacy Rule sets out this permission.


Patient with mental illness not taking medication. If a patient doesn’t object, a provider can share patient information with family members.


If a patient does object, but the provider believes that the unmedicated patient poses a serious and imminent danger to herself or others, then the provider can share pertinent information, if consistent with applicable law and standards of ethical conduct. 


Communications with law enforcement. The Privacy Rule permits a doctor to contact family or law enforcement if the doctor believes that such a warning is needed to prevent or at least lessen an imminent threat to the health or safety of the patient or others.


For instance, if a patient makes a credible threat to do harm to someone, a mental health professional can alert police, school administrators, family, and others who may be able to intervene.

HIPAA Privacy and Opioid Overdose

Sadly, opioid addiction continues to hold sway across much of the United States. Despite HIPAA regulations that allow healthcare providers to share PHI with family members, confusion remains. 


Healthcare providers can share information related to the care and treatment of a patient in a crisis situation, such as a drug overdose.


If the provider determines that the best interests of an incapacitated or unconscious patient involve sharing information with family or close friends, they can do so. 


However, while they can share information about the overdose, a healthcare provider cannot share medical information unrelated to the ongoing care and treatment of the patient. 

HIPAA and Changes to Decision-Making Capacity

Regardless of whether a patient can or cannot make a decision due to mental health or an overdose issue, the situation can change. 


Because the inability to make a decision can be temporary, a healthcare provider must give the patient a chance to decide whether to continue to share information or not when the patient is once again able to make a decision.


For instance, someone intoxicated to the point of unconsciousness or incoherence will eventually become sober. The patient can then object to future information sharing. However, as already described, the provider can still share PHI if, in their professional judgment, the patient poses a serious and imminent threat to himself or others. 

Healthcare Power of Attorney

A patient’s “personal representative” has authority, under applicable law, to make healthcare decisions for a patient.


They have the same rights of access to health information as the patient. A provider may refuse to share information if they believe that the personal representative has subjected the patient to violence, abuse, or neglect. 

Patient Care Outweighs Patient Privacy

Simply stated, the rules around HIPAA privacy are designed to ensure the best possible healthcare outcome for the patient. For patients who are unable to make decisions for themselves, their PHI can be shared with loved ones to ensure care.


There is also a “duty to warn” in situations where the patient is a danger to him/herself or others. 


Technical Dr. Inc.’s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004


HIPAA Law Enforcement


The battle between individuals’ privacy rights and the needs of law enforcement has raged for centuries in one form or another. When the HIPAA Privacy Rule was implemented, its authors tried to appease, as it were, both sides.


The resulting “compromise” is that protected health information – the information the HIPAA Privacy Rule affords some protection from disclosure – can be disclosed when disclosure is needed by law enforcement.


There are limits, however, as to how, where, when, and why law enforcement may obtain this information.


The HIPAA law enforcement exception to the general rule restricting use and disclosure of PHI (unless an exception permits or requires use or disclosure) is discussed below.

What is the HIPAA Law Enforcement Exception?

The HIPAA law enforcement exception can be found in the text of the HIPAA Privacy Rule. 




The Privacy Rule provision that addresses whether PHI can be disclosed to law enforcement is 45 CFR § 164.512. This provision is entitled, “Uses and disclosures for which an authorization or opportunity to agree or object is not required.” 


The provision then lists circumstances under which PHI may be used or disclosed, despite the general rule. Circumstances allowing use of PHI without written authorization (or an opportunity to agree or object) include (among others):


  • A specific state or federal law requires the disclosure of PHI.
  • Public health activities, which include (among other things):
    • Reporting of disease or injury
    • Reporting vital events such as birth or death
    • Conducting public health surveillance
    • Conducting public health investigations
    • Conducting public health interventions
  • When a covered entity reasonably believes an individual is a victim of abuse, neglect, or domestic violence.
  • When a health oversight agency seeks to conduct health oversight activities authorized by law. These activities include:
    • Inspections
    • Licensure or disciplinary actions
    • Civil, administrative, or criminal proceedings or actions
    • Other activities necessary for appropriate oversight of the healthcare system, government benefit programs, and of:
      • Entities subject to government regulatory programs for which health information is necessary for determining compliance with program standards; or
      • Entities subject to civil rights laws for which health information is necessary for determining compliance.
  • Disclosures for judicial and administrative proceedings.
  • Law enforcement purposes.

The HIPAA Law Enforcement Exception: What Does it Cover?

Covered entities may disclose protected health information to law enforcement officials for law enforcement purposes under the following six circumstances (subject to certain conditions): 

  • As required by law (including court orders, court-ordered warrants, subpoenas) and administrative requests; 
  • To identify or locate a suspect, fugitive, material witness, or missing person; 
  • In response to a law enforcement official’s request for information about a victim or suspected victim of a crime; 
  • To alert law enforcement of a person’s death, if the covered entity suspects that criminal activity caused the death; 
  • When a covered entity believes that protected health information is evidence of a crime that occurred on its premises; and 
  • By a covered health care provider in a medical emergency not occurring on its premises, when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or crime victims, and the perpetrator of the crime.

Why You Should Follow HIPAA Compliance For The Success Of Your Dental Practice


In 2018, ten companies paid a total of $28.7 million in HIPAA fines. United States law requires all covered entities to comply with HIPAA. The term covered entities, in this case, refers to health care providers, such as hospitals, dental clinics, and pharmacies.


The American Dental Association conducted research which indicated a significant increase in dental practices, both in terms of size and number.


Statistics show that the number of US citizens with access to dental care rose to 248 million in 2016, from 170 million in 2006.


The growth of dental practices across the States makes them increasingly exposed to hacking.


This is where HIPAA comes in. For dentists, HIPAA includes:


• The Security Rule
• The Privacy Rule
• The Breach Notification Rule




HIPAA compliance refers to the process through which covered entities and business associates adhere to set rules which seek to protect Protected Health Information.


In simple terms, it seeks to ensure that a patient’s healthcare data remains private. Protected Health Information is any individual’s healthcare data. The Privacy and Security Rules control what healthcare professionals such as dentists can and cannot do with your PHI.




HIPAA was initially introduced in 1996 to address insurance coverage for people working two jobs. It also sought to prevent health care fraud and protect patients’ health information.




For your dental practice, complying with HIPAA will:

• Immensely help you transition from manual to electronic health records.
• Streamline your administrative healthcare functions.
• Protect your clients’ health information.
• Set boundaries regarding the use and release of health records.
• Boost the efficiency of your clinic.
• Hold violators accountable for violating a patient’s rights, through both criminal and civil penalties.




For your patients, HIPAA compliance will:

• Safeguard their personal and sensitive health information.
• Give them control over who gets access to their information.
• Give them the right to obtain and review their health records, and to request corrections when necessary.


How to Prepare For A HIPAA Compliance Audit in 2019


1. Focus on HIPAA training for employees

Staff training is critical for an understanding of HIPAA compliance requirements. Employees who haven’t been trained or don’t have experience with compliance regulations can increase the risk of a failed audit.


Document your training to show the OCR (Office for Civil Rights) that you are dedicated to employee instruction. Create and publish policies that make training and education a priority. Make sure your team is thoroughly trained before the audit, because OCR will ask questions to ensure everyone understands HIPAA regulations and compliance rules.

2. Create a Risk Management Plan and Conduct a Risk Analysis

A risk management plan and a risk analysis are required.

A HIPAA risk analysis looks for any security risks your company might be exposed to – all risks. The risk management plan is a strategy to address those risks.


In conducting the risk assessment, you should also prepare your security documents. Compliance rules state reports should be recorded, written, and kept in an easily accessible location. Rules should be specific to all aspects of your business, and not isolated to one area.


For example, all policies regarding the HIPAA privacy and security rule should be documented. Documents that cover incident response, breach notification, IT and firewalls, and physical security should be included. These documents will not only help in the audit process but provide clear direction in the operation of the business.


3. Select a Security and Privacy Officer

HIPAA requires a security and privacy officer for each covered entity and business. This does not have to be a new hire, but you do need someone responsible for the security and privacy of PHI. They are responsible for showing the effort being made to meet regulations.


The officer should also review business associate agreements. The OCR will discuss the third-party relationships that involve electronic protected health information. Create a list of vendors and suppliers, and of the security and safeguards they have in place through the business associate agreement.


This officer should schedule a regular review of security policies and conduct a risk analysis on IT systems and data security. They should also have a record of any breaches or incidents. Don’t try to hide any problems or data breaches during the audit. Be honest. Incidents happen, and the OCR wants to know how you responded to the security breach.

4. Review Policy Implementation

As important as it is to document policies and procedures, it’s also important to see how those policies are being implemented. The OCR will review how those policies and procedures apply to the daily business operation, and if they are implemented consistently.

Talk to your team to see how the policies are working.


If employees are struggling to follow policy, then take the time to analyze the problems and make adjustments as needed. Create an implementation schedule to include in the audit. The OCR wants to see the policies in action. If you are still implementing the plans, then show them the schedule, so that they know progress is being made.

5. Conduct an Internal Audit

An internal audit program is the best way to identify problems in your system before the OCR audit. Regularly conducting internal audits will not only help you solve problems before they turn into a fine, but also keep your team sharp and take pressure off during the actual review.


It’s often a good idea to work with an organization that specializes in compliance or data security to help conduct the internal audit. They can review your security and compliance standards and take a close look at your risk analysis and risk management plan. With an outside perspective, they may be able to identify problems that didn’t show up in your internal risk assessment. Partnering with an IT and data security provider will help ensure a complete and thorough internal audit.


As a best practice, review your policies and procedures as the auditor might. Consider if the policies are meeting the intent of the regulation and improving patient privacy and security. By critically analyzing these methods, you can find areas of improvement in both business operations and HIPAA compliance.

6. Create an Internal Remediation Plan

Once you’ve gone through the above steps and conducted an internal audit in preparation for your HIPAA audit, you should create a remediation plan to reduce risks and correct findings. Attach a schedule with timelines to the remediation plan and be prepared to discuss the plan with OCR during the audit.


While HIPAA sets guidelines and standards for protected health information, it’s also essential to see HIPAA as a continual process. A remediation plan and a schedule help to keep covered entities and businesses on track and compliant, even between audits.


Finally, make sure you limit your internal audit concerns to the policies and procedures of your business. While the business associate agreements are an important part of HIPAA, focusing on vendors and suppliers can leave your operations at risk. Your primary concern with the remediation plan and audit should be internal processes.


HIPAA and Coronavirus Privacy: Retail, Restaurants, and Theme Parks


As the spread of the coronavirus seems to be slowing, many people are preparing to get back to life as usual.


Consumers are anxiously awaiting the reopening of the country, with some states further along than others. The goal is to safely reopen retail stores, restaurants, and theme parks.


This has led some of these establishments to require proof of negative COVID-19 test results, causing many consumers to cry HIPAA violation. Is this a HIPAA violation? HIPAA and coronavirus privacy is discussed below.

HIPAA and Coronavirus Privacy

The coronavirus pandemic has caused many businesses to reevaluate how well they are protecting consumers.


Many businesses have increased cleaning protocols to prevent the spread of the virus, as well as implemented new standards for consumers entering the establishments.


Several businesses are requiring employees and consumers to wear masks, are conducting temperature checks on anyone entering the business, and requiring proof of negative COVID-19 test results. These new requirements have many consumers concerned that their privacy rights under HIPAA are being violated.


HIPAA established industry standards for the privacy of protected health information (PHI). Under HIPAA, coronavirus test results are considered PHI. As PHI, covered entities and business associates cannot disclose a patient’s coronavirus test results outside of treatment, payment, or healthcare operations. 


But what about during a global pandemic? These entities are permitted to disclose coronavirus test results to public health authorities for the purpose of public safety.


This is to notify people who may have come into contact with a coronavirus positive patient. However, disclosed information must only be the minimum necessary information to accomplish the purpose of the disclosure.

Can Consumer Businesses Ask Patrons for Test Results?

Consumer businesses such as retail stores, restaurants, and theme parks are neither covered entities nor business associates, so they do not fall under the jurisdiction of HIPAA.


As such, they can require patrons to show proof of negative COVID-19 test results before permitting entry, without fear of violating HIPAA.


Study Shows Improvement in Provider HIPAA Right of Access Compliance


The HIPAA Privacy Rule’s “Right of Access” provision requires providers to make patient medical records available for viewing, inspecting, and copying. In early 2019, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) launched a HIPAA Right of Access enforcement initiative. 


A recent study by citizen.com revealed that since the initiative was launched, provider Right of Access compliance has increased.  

How Did the Study Measure Provider Right of Access Compliance?

To measure provider right of access compliance, Citizen compiled a scorecard for 820 healthcare providers.


A wide range of healthcare providers were assessed for the study, from single physician practices to large, integrated healthcare delivery systems.


The “grade” Citizen assigned to each provider on the card reflects the provider’s responses to patient requests for access to their healthcare data during the period 2/10/19 through 2/13/20.


The patients who made the requests for access were Citizen users. Based on the feedback these users submitted to Citizen as to the timeliness of the provider’s response, Citizen developed a “compliance score” for each provider. The score ranges from a low of “1” to a high of “5.” 


A 1-star rating represents a response that was not HIPAA compliant. Two stars were awarded when requests were eventually resolved satisfactorily, but only after multiple escalations to supervisors. A 3-star rating was given when the request was satisfied with minimal intervention, and a 4-star rating was given to providers that were fully compliant and gave a seamless response.


A 5-star rating was given to those providers who, in providing access, went above and beyond the requirements of HIPAA.

What Were the Results of the Right of Access Compliance Study?

Under the scorecard, only 27% of providers received a “1”; that is, only 27% were not compliant with the HIPAA Right of Access. This figure is a significant improvement from the previous scorecard, which revealed that a majority of providers – 51% – were not compliant with the Right of Access.


In addition, the percentage of providers awarded 4 stars for their responses increased from 40% to 67%, and the percentage of providers awarded 5 stars increased from 20% to 28%.


Not only are more people being given more timely access to their records, they are paying less for that access as well.


Under the Right of Access, providers may charge patients a reasonable, cost-based fee (i.e., costs of reproduction of records, including copying costs and mailing costs) for record production. Only 6% of the 820 healthcare providers on the scorecard actually charged a fee.


In addition, the latest scorecard information reveals that providers are not subjecting patients to burdensome paperwork requirements as much as in past years.


In previous studies, many healthcare providers required patients to complete a standard form, yet this year, most providers accepted any form of written request and did not require patients to complete a particular form before the request was processed.


Citizen attributes the improvements in right of access compliance not only to the enforcement initiative, but also to new rules recently published by HHS’ Centers for Medicare and Medicaid Services and HHS’ Office of the National Coordinator for Health IT, which make it easier for patients to obtain copies of their healthcare data.


The HIPAA Privacy Rule and Facility Directories


The HIPAA Privacy Rule generally permits hospitals and other healthcare facilities to maintain facility directories that provide certain basic information about patients within the facilities.


The HIPAA Privacy Rule and facility directories are discussed below.

What are Facility Directories?

Under the HIPAA Privacy Rule, covered entities, including hospitals and other covered health care providers, may use the following protected health information (PHI) in facility directories:

  • A patient’s name;
  • A patient’s location in the covered entity’s facility;
  • A patient’s condition described in general terms, that does not communicate specific information about the individual; and
  • The individual’s religious affiliation.

Covered entities may disclose the appropriate directory information listed above – except for religious affiliation – to anyone who specifically asks for a patient by name. Religious affiliation may be disclosed to members of the clergy. 


For example, the HIPAA Privacy Rule’s facility directory provisions allow a hospital to disclose the names of Methodist patients to a Methodist minister, unless a patient has restricted such disclosure.

What Rights Do the HIPAA Privacy Rule’s Facility Directory Provisions Give Patients?

The patient must be informed about the information to be included in the directory, to whom the information may be released, and the right to restrict and to opt out. Patients must have the opportunity to restrict the information or to whom it is disclosed, and they have the right to opt out of being included in the directory altogether.


A patient may make his or her preferences about being included in the directory known either orally or in writing.

Can Directory Information be Made Available During an Emergency?

Even when, due to emergency treatment circumstances or incapacity, the patient has not been provided an opportunity to express his or her preference about how, or if, the information may be disclosed, directory information about the patient may still be made available if doing so is in the individual’s best interest.


Directory information about a patient may not be made available during an emergency, if making such information available is inconsistent with any known preference expressed by the patient.


In emergency scenarios, the covered entity, as soon as practicable, must inform the patient about the directory, and provide the patient an opportunity to express his or her preferences about how, or if, the directory information may be disclosed. 


The HIPAA Privacy Rule and Provider to Provider Communications


The HIPAA Privacy Rule allows provider to provider communications: providers that are part of a patient’s care team may exchange clinical information, including protected health information (PHI), among each other.


The circumstances under which provider to provider communications involving the use and disclosure of PHI are permitted are addressed below.

When Are Provider to Provider Communications Permitted Under the HIPAA Privacy Rule?

Generally, under the HIPAA Privacy Rule, which imposes restrictions on the use and disclosure of PHI by covered entities (including healthcare providers), any pertinent clinical care information, including mental health treatment information, can be disclosed and discussed between a patient’s current treatment providers (that is, can be the subject of provider to provider communications) without written authorization by the patient, representative, or guardian, except for the content of written psychotherapy notes.

What Constitutes Psychotherapy Note Information?

The HIPAA Privacy Rule definition of a “psychotherapy note” is quite restrictive. Under HIPAA, psychotherapy notes consist of:

  • A mental health professional’s written analysis, of
  • A conversation that occurred, during
  • A private counseling session

The written analysis must be maintained separately from the medical record to qualify as “psychotherapy notes.”


Generally, patients do not have the right to obtain a copy of these under HIPAA. When a psychologist denies a patient access to these notes, generally, the denial is not subject to appeal or review.


A provider may, in the exercise of his or her discretion, choose to provide a copy of the patient’s psychotherapy notes to the patient, consistent with applicable state law.

The Privacy Rule does permit psychotherapy notes to be disclosed under very limited circumstances:

  1. A covered entity may disclose protected health information contained in psychotherapy notes to a coroner or medical examiner for the purpose of identifying a deceased person, determining a cause of death, or other duties as authorized by law. 
  2. A covered entity may use or disclose protected health information in psychotherapy notes to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law.
  3. A covered entity may use or disclose psychotherapy notes for its own training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling.
  4. A covered entity may use or disclose psychotherapy notes to defend itself in a legal action or other proceeding brought by the patient.
  5. A covered entity may, consistent with applicable law and standards of ethical conduct, use or disclose psychotherapy notes, if the covered entity, in good faith, believes the use or disclosure:
    • Is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public; and
    • Is to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.


A covered entity MUST disclose psychotherapy notes, when disclosure is required by the Secretary of Health and Human Services, to determine whether the entity is HIPAA compliant.


Does the HIPAA Privacy Rule apply to the Novel Coronavirus (COVID-19)?


The Novel Coronavirus is spreading so rapidly that it will most likely become a pandemic.


The World Health Organization says that a pandemic is the worldwide spread of a new disease. A pandemic is when an epidemic spreads between countries, per David Jones, MD, Ph.D.


Even in times of crisis like this, HIPAA-covered entities must follow all reasonable safeguards to protect the privacy of patients who may be infected with the disease concerned, in this case the novel coronavirus.


However, the HIPAA Privacy Rule does offer some accommodation in such cases.

Special considerations in the HIPAA Privacy Rule

The HIPAA Privacy Rule provides special considerations in the event of an epidemic or pandemic. As a covered entity or business associate, you should be aware of these individual cases.


The Privacy Rule recognizes that public health authorities need some access to protected health information (PHI) to ensure public health and safety in the event of an emergency such as the one we are experiencing with the novel coronavirus.


Covered entities are authorized to disclose PHI, without a patient’s consent, if that PHI disclosure is needed to treat the patient or even to treat another patient.


Business Associates may also be able to disclose necessary information on behalf of the covered entity, as long as this disclosure is permitted within the parameters of the Business Associate Agreement.

What can you share with public health or disaster relief organizations?

The Department of Health and Human Services has stated explicitly that covered entities are permitted to disclose needed PHI to the Centers for Disease Control and Prevention (CDC) or a state or local health department when this disclosure is expected to help prevent or control a disease.


A hospital may, for instance, report periodically to the CDC about patients potentially or actually exposed to the novel coronavirus.


Similarly, covered entities may share protected health information with disaster relief organizations such as the American Red Cross that are authorized to coordinate relief efforts and to notify family members or others involved in the patient’s care.

Disclosing PHI to other individuals, family, and friends

Interestingly, covered entities are also permitted to disclose the minimum necessary PHI to persons at risk of contracting or spreading the disease, as long as another law allows the covered entity to make such a notification. 


Sharing needed PHI with family and friends is also allowed, as long as it is done in the best interests of the patient concerned.


Here the doctor or another healthcare provider must exercise his or her best professional judgment and make the decision appropriately.


What can you tell the media?

Protected health information that can identify a patient should typically not be disclosed to the media without the written authorization of the patient. There are definite exceptions for certain limited cases here, for which you may refer to the HIPAA Privacy Rule for guidance.

In conclusion

In summary: in the event of an epidemic or pandemic, such as the Novel Coronavirus is likely to become, follow the HIPAA Privacy Rule precautions carefully.


Disclose only the minimum necessary Protected Health Information (PHI) to public health organizations and friends and family of the affected patient, and only to the extent that this disclosure helps treat the patient or other patients, and is in the patient’s best interests.


Make sure that all your employees and health care workers are trained and well informed to make any decision using their best judgment.

Technical Dr. Inc.s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004

No comment yet.

The HIPAA Timeline


The Health Insurance Portability and Accountability Act was passed on August 21, 1996, during the re-election campaign of President Bill Clinton.


The law was the end product of two concerns of Congress as America entered the 21st century. The first of these was a fear that, as new technologies developed, existing laws – mostly a patchwork of state-level laws – were inadequate to protect the privacy and security of patient health information.


Regulation of this privacy and security is embodied in Title II of HIPAA. Title I of HIPAA, however, addresses an equally important concern and is an equally important part of the HIPAA timeline.


Title I was passed to ensure that a change in employment would not result in termination of health insurance coverage.

What is the Importance of Title I in the HIPAA Timeline?

Title I of HIPAA plays an important role not only in the HIPAA timeline but in the timeline of health insurance coverage developments in America generally. In 1985, a federal law, the Consolidated Omnibus Budget Reconciliation Act (COBRA) was passed.


That law required employers of a certain size to offer continuation of health plan benefits to employees after termination of their employment.


In 2010, the Patient Protection and Affordable Care Act (PPACA) passed. That law strengthens existing COBRA law. For example, under the PPACA, an insurer generally cannot refuse to sell a policy of healthcare insurance to an individual because that individual has a preexisting medical condition.


Therefore, when an individual becomes eligible for COBRA coverage, that individual cannot be denied this coverage because of a preexisting medical condition.


Making The Most Out Of HIPAA/HITECH Compliance Consulting


Times are changing, and as new laws affect the health care sector, you can’t afford any future issues due to non-compliance. Planning is essential to avoid unnecessary costs and save time.


Though a federal mandate, at iHealthOne we believe this proactive measure will enhance the privacy and security of your electronic health records.


If customers establish you are HIPAA/HITECH non-compliant, you risk affecting their willingness to disclose essential health information to you.


Thanks to HIPAA/HITECH compliance consultancy, you have no reason for any concerns. In this article, we’ll walk you through this essential regulatory process.


Whether a seasoned or new practice, it helps to accept guidance from a consultancy on all phases of compliance.


A consultancy does extra research on the necessary and up-to-date information your staff require for implementation. It can provide further training for stress-free self-administration and subsequent compliance.


Consultant professionals conduct a risk analysis and advise on setting up safeguards to avoid HIPAA/HITECH violations. They provide detailed reports on risk exposure, as well as checklists and customized forms that suit your company.


This includes breach notifications, disaster recovery, and risk management solutions. Consequently, this can play an important role in improving your health strategy plans for smooth operation.


If you’re an entity that covers or provides healthcare payments and treatments, and you have access to patient information, HIPAA/HITECH compliance consultancy is vital. This also includes subcontractors and healthcare business associates.


Ensure you always comply on time. This will pave the way for effective management of patient data security and assessment services. Also, it will save you unneeded lawsuits or hefty fines for non-compliance.


EHR1 has a compliance department that can help you recognize potential gaps while guaranteeing 100 percent client data security and confidentiality.


You gain the most out of our quality technical safeguards. With the EHR1 certified cloud-based dental software, we counsel you on corrective measures to adopt before a compliance review or OCR audit. You also have access to our:

• Vulnerability scans
• Network penetration testing
• Electronic health records software upgrades
• Effective incident response planning
• Implementation of an information security program
• Improved customer trust and organizational reputation services, among others.



HIPAA Security Rule: Risk Analysis Review and Updating


The HIPAA Security Rule requires that covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA-related transaction) and business associates implement security safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).


ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format.


Performing a security risk analysis is the first step in identifying and implementing these safeguards.


A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.


Once the analysis has been completed, organizations should periodically conduct a risk analysis review.

What is the Scope of a Security Risk Analysis?

According to guidance issued by the Department of Health and Human Services (HHS), the scope of security risk analysis includes potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization:

  • Creates;
  • Receives;
  • Maintains; and
  • Transmits

Security risk analysis includes six elements:

  • Collecting Data
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk

What is a Security Rule Risk Analysis Review?

Once all of the above six elements have been addressed, all documentation should be finalized. In addition, the security risk assessment should be periodically reviewed and updated as needed.


Continuous risk analysis review allows an organization to identify when updates to risk assessment policies and procedures are needed. 


The Security Rule does not specify how frequently to perform risk analysis review. According to risk analysis guidance provided by the Department of Health and Human Services (HHS), some covered entities may perform risk analysis review annually or as needed (e.g., twice a year, every 3 years), depending on the circumstances of their environment.

What Factors Influence Whether Risk Analysis Review Should be Performed? 

Factors to consider include:

  • Changes in technology and business operations. When an entity implements new technologies and plans new business operations, the entity should consider performing a security risk analysis assessment. Adopting new technologies and new business operations may pose potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; a risk analysis review can identify these risks and vulnerabilities.


  • An organization has experienced a recent security incident.  If a covered entity has recently experienced a security incident, such as a data breach, a risk analysis review should be conducted to determine whether and what additional security measures are needed.


  • An organization has experienced a change in ownership or turnover in key staff or management. An organization that undergoes a change in ownership or that experiences key staff turnover, should evaluate, in light of the expertise of the departed and incoming individuals, whether existing security measures are sufficient to protect against risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.  In addition, part of risk analysis consists of an assessment of current security measures. Important security measures include policies and procedures, contained in an employee handbook or similar document, that address data security and define staff obligations to protect ePHI. Before incoming workforce members begin their jobs, policies and procedures contained in the handbook should be evaluated for sufficiency and accuracy, so that when these policies and procedures are distributed, new employees have the most up-to-date information required for them to protect ePHI.


  • Regulatory and legislative changes. New legislation and regulations may impose additional or modified obligations under the Security Rule. If your risk assessment references a law or regulation, you should review that assessment to make sure it still complies with any changes made to the regulation. When new legislation is passed, or when new regulations become effective, the risk assessment should be reviewed and updated to incorporate the requirements of the new legislation or regulations.


Performing a risk analysis review, and then making the necessary updates to the risk analysis assessment, allows your organization to reduce the risks identified in the review to reasonable and appropriate levels.
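The six elements of a risk analysis and the review triggers listed above, carried through in code. This is an added illustration, not HHS guidance or tooling and not code from the article: the ordinal likelihood and impact scales, the score thresholds, the one-year age check and the sample assets and findings are all constructed for the example.

```python
"""Worked six-element security risk analysis with review triggers.

Added illustration only: the scales, thresholds, interval and sample data
below are constructed for the example and are not HHS guidance.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Ordinal scales for elements 4 and 5 (constructed; HHS leaves the scale to
# the organization).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Finding:
    """Element 2 (a threat/vulnerability pair on an asset) together with
    element 3 (current measures), element 4 (likelihood) and element 5 (impact)."""
    asset: str
    threat: str
    vulnerability: str
    current_measures: List[str]
    likelihood: str
    impact: str

    def risk_score(self) -> int:
        """Element 6: level of risk, here likelihood x impact on the scales above."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def risk_level(self) -> str:
        """Bucket the score; the thresholds are a constructed choice."""
        score = self.risk_score()
        if score >= 6:
            return "high"
        if score >= 3:
            return "medium"
        return "low"


@dataclass
class RiskAnalysis:
    """Element 1, collecting data: every asset where ePHI is created, received,
    maintained or transmitted, plus the findings recorded against those assets."""
    performed_on: date
    ephi_inventory: Dict[str, List[str]] = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)

    def prioritized(self) -> List[Finding]:
        """Highest risk first, so remediation effort follows the risk level."""
        return sorted(self.findings, key=lambda f: f.risk_score(), reverse=True)

    def review_reasons(self, events: List[str], today: date,
                       max_age_days: int = 365) -> List[str]:
        """Reasons a risk analysis review is due: the four factors the article
        lists, plus an age check.  The Security Rule sets no interval; the
        365-day default is a constructed policy choice."""
        triggers = {
            "new_technology": "changes in technology or business operations",
            "security_incident": "recent security incident",
            "ownership_or_staff_change": "change in ownership or turnover in key staff",
            "regulatory_change": "regulatory or legislative change",
        }
        reasons = [triggers[e] for e in events if e in triggers]
        if (today - self.performed_on).days > max_age_days:
            reasons.append(f"last analysis older than {max_age_days} days")
        return reasons


def sample_analysis() -> RiskAnalysis:
    """Constructed sample data for a small practice (not a real inventory)."""
    ra = RiskAnalysis(performed_on=date(2019, 3, 1))
    ra.ephi_inventory = {
        "EHR database server": ["creates", "maintains", "transmits"],
        "front-desk laptops": ["receives", "maintains"],
        "billing clearinghouse link": ["transmits"],
    }
    ra.findings = [
        Finding("front-desk laptops", "theft of device", "disk not encrypted",
                ["cable locks"], "medium", "high"),
        Finding("EHR database server", "ransomware", "operating system unpatched",
                ["nightly backups", "antivirus"], "high", "high"),
        Finding("billing clearinghouse link", "interception in transit",
                "legacy cipher suites still enabled", ["TLS required"], "low", "medium"),
    ]
    return ra


if __name__ == "__main__":
    analysis = sample_analysis()
    for f in analysis.prioritized():
        print(f"{f.risk_level():6} {f.risk_score()}  {f.asset}: {f.threat} via {f.vulnerability}")
    print("review due because:",
          analysis.review_reasons(["security_incident"], date(2020, 6, 1)))
```

Each Finding records which existing measures were assessed, so when a review is triggered the same register can be re-scored rather than rebuilt; the review reasons come out as a list so they can be written into the documentation that the article says should be finalized and kept current.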


Achieving HIPAA Compliance: Guide to Properly Disposing of PHI Hardware


What is HIPAA Compliance?

HIPAA, or The Health Insurance Portability and Accountability Act, sets the standard for PHI protection.


Any company or organization that handles PHI must have security measures in place and adhere to them. There are two main categories of organizations covered by HIPAA:


Covered Entities (CEs): This includes anyone that provides treatment, payment, or operations (commonly known as TPO) within a healthcare setting.


Business Associates: This includes anyone outside of the covered entity who may have access to patient information or provides any kind of support in treatment, payment, or operations of the organization.

Devices That May Contain PHI

It’s important to understand what types of hardware you may have in your office that could contain PHI; these include but are not limited to:

  • Laptops
  • Desktops
  • Smartphones
  • Printers
  • Copiers
  • USB Drives
  • Servers
  • Tablets
  • Fax Machines
  • X-Ray Machines
  • Pacemakers
  • Defibrillators
  • CT and MRI Scan Machines

Essentially, almost any connected device within a healthcare organization is vulnerable and may contain PHI that needs to be protected and disposed of properly when the time comes.


Under HIPAA law, your organization is required to document its disposal policy in its Security Policies and Procedures. Your organization should also maintain an inventory of all its equipment that records whether each device can store or access PHI, its serial number, and other relevant information.

How to Securely Dispose of Hardware With PHI

The US Department of Health and Human Services (HHS) recommends the following three techniques for properly removing sensitive information from workplace hardware. Before you can get rid of the physical device, you must remove any and all PHI-related information from it.

The procedures for securely disposing of PHI include:


1. Clearing 

Clearing, also referred to as overwriting, is the process of replacing PHI on a device with non-sensitive data. The overwrite should be performed a minimum of seven times so that the PHI is completely irretrievable.


2. Purging 

You can purge your organization’s hardware through a method called degaussing. This refers to the process of clearing a device through the use of magnets.


Hard drives rely on magnetic fields to store information; therefore, you can disrupt the equipment’s function and render its data unreadable by using a strong magnetic field.  


3. Physical Destruction 

Physical destruction is the only surefire way to prevent a leak of PHI data. Destruction of PHI hardware requires pulverizing, burning/melting, disintegrating or shredding.


This method, however, is not always viable. If you have equipment that you would like to clear and re-use, or if your equipment is rented, destroying it may not be feasible.

Conventional Methods of “Wiping” Your Hard Drive Won’t Cut It 

If your organization is selling or discarding any hardware, you may be tempted to simply erase the hard drive components. Deleting files will not permanently delete PHI. Although the information will no longer be visible to you, it is still there and can be retrieved.


You need secure data destruction that permanently eliminates PHI data from every piece of hardware so that your patients’ information is not put in jeopardy.


There are companies that specialize in the proper disposal of PHI hardware. These companies should offer a HIPAA Certificate of Destruction as validation that the equipment was disposed of properly and within HIPAA guidelines.
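To make concrete why deleting files is not disposal while clearing is, here is an added toy model of a block device with a directory. It is an illustration written for this page, not code from the article or from HHS, and the device model is constructed: a real filesystem and drive are far more complex, and purging (degaussing) and physical destruction are not modelled. It serves both the "Clearing" step above and this section on conventional wiping.

```python
"""Toy block device showing why a conventional delete is not disposal
and what clearing (overwriting) does.

Added illustration; the device model is constructed and far simpler than a
real filesystem or drive.  Purging (degaussing) and physical destruction
from the article are not modelled.
"""
from typing import Dict, List

BLOCK_SIZE = 16  # constructed; real devices use 512- or 4096-byte sectors


class ToyDisk:
    """Fixed-size blocks plus a directory mapping file names to block numbers.
    As on a real filesystem, 'delete' only drops the directory entry; the
    bytes stay in the blocks until something overwrites them."""

    def __init__(self, n_blocks: int = 8) -> None:
        self.blocks: List[bytearray] = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.directory: Dict[str, List[int]] = {}
        self.overwrite_passes = 0

    def _free_blocks(self) -> List[int]:
        used = {b for blocks in self.directory.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write_file(self, name: str, data: bytes) -> None:
        """Split data into blocks, store it in free blocks, record them in the directory."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise IOError("disk full")
        for idx, chunk in zip(free, chunks):
            self.blocks[idx][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = free[:len(chunks)]

    def delete_file(self, name: str) -> None:
        """Conventional delete: forget where the file was, touch no data."""
        del self.directory[name]

    def raw_scan(self, needle: bytes) -> bool:
        """What carving the raw device finds, directory entries or not."""
        return needle in b"".join(bytes(b) for b in self.blocks)

    def clear(self, passes: int = 7) -> None:
        """Clearing as described above: overwrite every block with non-sensitive
        data, alternating 0x00 and 0xFF fills.  The default of seven passes
        follows the article's stated minimum."""
        for p in range(passes):
            fill = b"\x00" if p % 2 == 0 else b"\xff"
            for block in self.blocks:
                block[:] = fill * BLOCK_SIZE
            self.overwrite_passes += 1
        self.directory.clear()


def demonstrate(phi: bytes = b"PATIENT Jane Doe MRN-4471 dx: positive",
                marker: bytes = b"MRN-4471") -> Dict[str, bool]:
    """Walk one record (constructed, not real PHI) through write, delete and
    clear, reporting whether a raw scan still finds the marker at each stage."""
    disk = ToyDisk()
    disk.write_file("visit.txt", phi)
    result = {"listed_after_write": "visit.txt" in disk.directory,
              "recoverable_after_write": disk.raw_scan(marker)}
    disk.delete_file("visit.txt")
    result["listed_after_delete"] = "visit.txt" in disk.directory
    result["recoverable_after_delete"] = disk.raw_scan(marker)  # bytes still present
    disk.clear()
    result["recoverable_after_clear"] = disk.raw_scan(marker)   # overwritten
    result["seven_passes_done"] = disk.overwrite_passes == 7
    return result


if __name__ == "__main__":
    for stage, found in demonstrate().items():
        print(f"{stage:26} {found}")
```

The `raw_scan` step stands in for what a forensic carve of a discarded drive does: it ignores the directory entirely and looks at the blocks, which is exactly why the "no longer visible to you" state described above offers no protection.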

Training Employees on PHI Disposal

HIPAA law regarding disposal of protected health information dictates that you train your employees on how to properly dispose of PHI.


According to HIPAA law, any workforce member who is involved in disposing of PHI or who supervises others who dispose of PHI, must receive proper PHI training.


PHI should be maintained in a secure area, such as a locked depository bin, and disposed of through a qualified vendor. 

Requirements for Keeping PHI Hardware

HIPAA requires businesses to store PHI for six years, sometimes seven years, depending on the state in which you operate.


It is important to keep this in mind when you are preparing to dispose of hardware that may have PHI on it that still needs to be retained. Make sure you have a backup plan in place for PHI before disposing of hardware.


Your business reputation depends on your ability to serve your clients or patients. This includes making sure that the personal information they trusted you with is never compromised by improper or careless disposal of hardware. 


How to be HIPAA compliant on social media


Social media can be a minefield for any business to navigate. When it comes to the combination of patient privacy and social media, healthcare organizations and other HIPAA-covered entities need to tread carefully. 


As a HIPAA-covered entity, you should use social media (Facebook, Twitter, and Pinterest to name three examples) for the same reason other companies do:

  • Share information about products and services to educate existing clients
  • Attract new customers
  • Branding and advertising
  • Creating connections by sharing tips and insights about health news


At the same time, your employees may also be active on social media,  sharing tweets or Facebook status updates about their workday like the tens of millions of other social media users. 

They just need to follow HIPAA rules about sharing patient information.

Be careful when sharing Protected Health Information (PHI)

Even though HIPAA was written and enacted before social media became popular as a source of education and entertainment, the rules extend to these sites as well. Fortunately, with education and training, staying within the boundaries of HIPAA to protect clients’ PHI while taking advantage of the benefits social media offers is achievable.


The HIPAA Privacy Rule says you cannot share PHI, except for Treatment, Payment or Operations (TPO), without the written consent of the patient. Many doctors share photos of various procedures to educate clients, or post messages about patients. Unless you have explicit permission, do not share any information about a patient.

How Healthcare Providers Can (and Should) Use Social Media

There are many ways in which social media can benefit both providers and patients. There’s no reason for healthcare providers to refrain from using social media to educate, inform, and keep in touch with patients or to attract new business. The following are a few examples of things you can share on social media as a covered entity:

  • Events that a patient might be interested in
  • Research updates, findings, and even analysis of what it means in your area of expertise
  • Staff introductions and profiles, videos, and/or bios
  • Promotions regarding your services
  • Health tips and advice
  • Advertisements for your services (pay-per-click ads on Google, Facebook ads, etc.) that don’t violate patient confidentiality and privacy

All of these things can be shared to provide better patient service without conflicting with HIPAA guidelines.

Social Media Rules for Employees on Both Professional and Personal Platforms

For employees of a covered entity, social media rules related to patient interactions need to extend to their personal use of social media as well. In a nutshell, any information about a patient is protected, from nicknames to numbers (phone, social security, age, etc.) to treatment information to biographical details (marital status, siblings, etc.). 


You cannot share any text about specific patients. Likewise, images and video that could result in a patient being identified should be avoided. For instance, if you take a photo of your dental office to use on your website, you need to be sure there are no patients in the photo. Or, if there are, ensure that you have their written permission to use the photo.


Employee interactions with patients on social media can be problematic. Employees of covered entities must be careful in their work-related posting. Here are three actions all employees should take on social media:

  • Employees who have identified themselves as an employee of a covered entity need to state that any views expressed are their own and do not represent their employer
  • If a patient posts a picture with a “tag” that makes a picture appear in your timeline, remove that tag
  • Respond to comments, for example on a business’ Facebook page, but do not mention or allude to any treatment given

Your employees should never do these four things:

  • Talk about your workday as it relates to your job or activities interacting with patients
  • Post photos or videos of patients, even if the patient cannot be identified in the photo
  • Gossip about a patient, even if a name isn’t given
  • Post to a patient’s social media account

Texting Protected Health Information

Texting apps aren’t often considered as part of social media. In short, a texting app “could” be HIPAA-compliant if it has a number of features such as encryption and a record of the conversation. 


In general, using secure texting solutions to confirm upcoming appointments and send reminders is fine; using ordinary text messages or messaging apps like Facebook Messenger or Snapchat is discouraged, as they lack the features that would render them HIPAA compliant.


Here are three tips for staying HIPAA-compliant on social media.

Develop a Social Media Policy

Every covered entity should have a policy to guide employees on the do’s and don’ts of social media relevant to patients and PHI, including those mentioned earlier in this post.


Your social media policy and guidelines should include a definition of social media, which should aim to include future social media platforms yet to be released. 


Whatis.com defines social media as follows:

Social media is the collective of online communications channels dedicated to community-based input, interaction, content-sharing and collaboration. Websites and applications dedicated to forums, microblogging, social networking, social bookmarking, social curation, and wikis are among the different types of social media.

A best practice is to revisit this policy yearly and revise it as needed.

Train Employees

After developing a social media policy, you must train employees to follow it. Ongoing employee training is crucial to reinforce the importance of following HIPAA privacy guidelines. All employees should receive social media training before they begin their job or as quickly as possible afterward to minimize the chance of a HIPAA privacy violation. 


HIPAA violations on social media happen. Recently, a dental practice revealed PHI when responding to a patient’s Yelp review. The penalty was $10,000.

Use Social Media Wisely

Healthcare providers and other covered entities can use social media for the same reasons as other businesses: educating existing clients and attracting new ones for their services.

As long as they follow the HIPAA privacy rule in their social media communications, covered entities can have a robust social media presence that does not violate HIPAA guidelines.


The Intersection Of HIPAA & The Hitech Act


Since it passed in 2009, the HITECH (Health Information Technology for Economic and Clinical Health) Act was meant to enforce certain rules within the HIPAA Omnibus Rule. It’s important that those in healthcare IT understand the relationship between the two.


The HITECH Act’s stated aim was to improve the adoption and meaningful use of health information technology (HIT). In doing so, the HITECH Act also affected the standards Health and Human Services (HHS) uses to evaluate hospitals and expanded the scope of its jurisdiction.


It also bolstered the HHS OCR’s (Office for Civil Rights) tools of enforcement. Georgina Verdugo, director of the OCR, said that added vigilance would help convince consumers of the privacy and security of their health information and protected personal information (PPI).


By broadening the scope of HIPAA, the HITECH Act increased the number of participating stakeholders or business associates. Previously, HIPAA described a business associate as a person performing functions or activities for or on the behalf of a covered entity.


HITECH changed HIPAA’s definition of business associates to include:

*Health Information Organizations (HIO)
*Patient Safety Organizations (PSO)
*Gateways, portals, and e-prescribers
*Certain people providing PPI on behalf of another covered entity
*People involved in data transmission including subcontractors and delegates


HITECH also created new categories of HIPAA penalties. This was meant to distinguish violations based on nature, extent, and the harm caused to patients. Currently, there are three categories which correspond with three civil penalties outlined in the HITECH Interim Final Rule.


There are, of course, other areas where HIPAA and HITECH overlap. Both are sweeping and exhaustive pieces of legislation that often cover similar ground, especially where electronic medical records are concerned.


This includes meaningful use and PHI. HITECH incentivizes the meaningful use of electronic medical records in order to improve health care and outcomes.


Other areas covered in both HIPAA and HITECH are breach reporting requirements, patient access to PHI, and facilitation of medical research.


Do you Know the Recent Changes in HIPAA?


The recent HIPAA changes extend the scope and extent of the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act (HITECH). Many of the new HIPAA rules for 2013 account for changes in working practices and advances in technology since the original legislation was enacted in 1996.


Within the recent HIPAA changes, the Security Rule introduces three “safeguards” to protect the integrity of electronically stored and transmitted Protected Health Information (ePHI). These three safeguards are:

  • Administrative Safeguards – covering factors such as the assigning of an information security officer, business associate agreements, risk assessments, training and the development of appropriate policies.
  • Physical Safeguards – covering equipment specifications, controls for devices and media used to store ePHI (including flash drives), and physical access to servers and other hardware on which ePHI is stored.
  • Technical Safeguards – covering issues such as who can remotely access a database on which ePHI is stored, audit controls, transmission security and how access to and the communication of ePHI is monitored.


These safeguards are of particular significance to covered entities that have implemented BYOD policies, have storage issues with the requirement to save six years of ePHI, or who provide unfiltered Internet access.


In order to comply with the recent HIPAA changes, covered entities must implement mechanisms that ensure the end-to-end security of patient data and have processes in place to prevent a data breach.

A Revised Definition of Data Breaches

Also included among the new HIPAA rules for 2013 was a revised definition of what constitutes a data breach. A data breach will now be presumed to have occurred when there has been the unauthorized exposure of ePHI unless the healthcare organization, health insurance provider, employer or vendor/business associate can demonstrate that there is a low probability that patient data was compromised.


One of the best ways of demonstrating a low probability that patient data was compromised is through encryption. The encryption of data is an “addressable” requirement of the HIPAA Security Rule, meaning that it does not have to be implemented if a covered entity can show it is not necessary, or if a suitable alternative to the requirement is implemented.


However, by encrypting all personal identifiers and health-related data any unauthorized exposure of ePHI will be undecipherable, unreadable and unusable – resulting in a low probability that patient data was compromised.


The encryption of data in databases, on servers, on flash drives or as it moves through a network can also help covered entities avoid OCR fines for failing to comply with the recent HIPAA changes.

The Implementation of Encryption in Healthcare

The implementation of encryption in healthcare is not difficult to achieve. Many covered entities are switching their primary method of communication to secure messaging. Secure messaging complements the BYOD policies that many covered entities have introduced, and eliminates the risk of a data breach – not only through encrypted communications, but also by encapsulating communications within a private network that provides full message accountability.

Secure messaging not only helps to comply with the recent HIPAA changes, but the mechanisms intended to provide an audit trail for ePHI also accelerate the communications cycle in many areas of healthcare. Secure messaging has also been proven to foster collaboration and enhance productivity – improving the speed of diagnoses, the accuracy with which prescriptions are filled and reducing the volume of adverse events.

Whereas secure messaging resolves the issue of encryption in healthcare since the new HIPAA rules for 2013 were introduced, secure email archiving is an appropriate solution for communications sent and received prior to the recent HIPAA changes. Covered entities have to keep healthcare data for a minimum of six years, and secure email archiving not only stores emails in an encrypted format, but also indexes them and their content for easy retrieval in the event of discovery or a compliance audit.

The Cyber Threat to the Integrity of ePHI

The single largest cause of data breaches has been, to date, human error. Employees mislaying USB flash drives, unencrypted laptops stolen from the back seat of a car, and the improper disposal of ePHI have been responsible for many millions of records being exposed. Aware that employees are the weakest link in a covered entity’s cybersecurity defenses, criminals are targeting them through phishing campaigns and malware downloads.

One of the strongest defenses against cyber threats is the implementation of a web filter. With a suitably robust web filter, covered entities can prevent employees from being directed to bogus websites that request their login credentials and to sites that harbor malware. Web filtering solutions can also be configured to prevent the download of certain file types, making it harder for a cybercriminal to break through a covered entity’s cybersecurity defenses.

Web filters also have a productivity-enhancing benefit. With the ability to restrict access to any website, administrators can prevent employees from using social media channels, visiting shopping portals or watching live-streamed videos during working hours. Restricting access to certain areas of the Internet can also eliminate potential HR issues and create a more user-friendly working environment.
