HIPAA Compliance for Medical Practices
70.8K views | +3 today
Follow
HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians
Your new post is loading...
Your new post is loading...
Scoop.it!

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time | HIPAA Compliance for Medical Practices | Scoop.it

For the first time, a HIPAA privacy complaint filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in federal criminal prosecution.

 

A complaint was filed with OCR over an impermissible disclosure of a patient’s protected health information by a doctor. The doctor, Richard Alan Kaye of Suffolk, Va., was alleged to have shared PHI with the patient’s employer without consent from the patient – A violation of the HIPAA Privacy Rule.

 

The case against Kaye has been referred to the Department of Justice, which has pressed charges. While OCR has referred more than 500 HIPAA violation cases in the past, this if the first time that an investigation of a privacy complaint has resulted in criminal prosecution.

 

Kaye had previously worked at Sentara Obici Hospital in Suffolk, Va., as Medical Director of its Psychiatric Care Center. The patient had been enrolled in a mental health treatment program at the hospital and Kaye treated and subsequently discharged the patient. On discharge, Kaye stated that the patient was not a threat to the public.

 

Federal prosecutors allege Kaye shared PHI with the patient’s employer “under the false pretenses that the patient was a serious and imminent threat to the safety of the public, when in fact he knew that the patient was not such a threat.”

 

While it was previously possible for egregious HIPAA violations to result in criminal prosecutions for HIPAA covered entities, filing charges against individuals was problematic. When individuals were discovered to have violated the privacy of patients, and the violations warranted criminal prosecution, it was necessary to file charges under the aiding and abetting theory – The abuse of an individual’s position to violate HIPAA Rules.

 

However, the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) provided further clarification on criminal prosecutions for HIPAA violations, and made the process of prosecuting individuals for HIPAA privacy violations more straightforward.

 

If cases are investigated and OCR determines HIPAA Rules have been violated by covered entities, the cases are typically resolved by OCR, often via settlements. However, if individuals are alleged to have violated HIPAA Rules, criminal penalties may be appropriate. In such cases, OCR can refer the cases to the Department of Justice, the federal attorney general, and/or state attorneys general to pursue criminal charges against those individuals.

 

While criminal cases have been filed against individuals who violated HIPAA Rules and impermissibly disclosed PHI, the uncertainty of pursuing cases against individuals prior to the passing of the HITECH Act dissuaded federal prosecutors from pursuing cases. Since the HITECH Act was passed, there have been referrals of cases, although this is understood to be the first time that the Department of Justice has actively pursued criminal charges against an individual following the referral of a privacy complaint by OCR.

 

There is no private cause of action in HIPAA. While private citizens can file complaints with the OCR over alleged violations of HIPAA Rules, they are not permitted to file lawsuits against covered entities for HIPAA violations. The lack of criminal penalties for HIPAA violations may have dissuaded patients from filing complaints. Now the Department of Justice is taking action against an individual for an egregious HIPAA privacy violation, it may encourage more patients to file complaints with OCR.

 

This DOJ case shows federal authorities are now taking HIPAA Privacy Rule violations much more seriously. OCR is also training state attorneys general on HIPAA enforcement. After state attorney generals have received training, it is expected they too will take a more aggressive stance against covered entities that have violated the privacy of state residents.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Do HIPAA Rules Create Barriers That Prevent Information Sharing?

Do HIPAA Rules Create Barriers That Prevent Information Sharing? | HIPAA Compliance for Medical Practices | Scoop.it

The HHS has drafted a Request for Information (RFI) to discover how HIPAA Rules are hampering patient information sharing and are making it difficult for healthcare providers to coordinate patient care.

 

HHS wants comments from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors.

 

The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that are preventing healthcare organizations from sharing patient information while retaining protections to ensure patient and data privacy are protected.

 

The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care.

 

The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued.

 

Certain provisions of HIPAA Rules are perceived to be barriers to information sharing. The American Hospital Association has spoken out about some of these issues and has urged the HHS to take action.

 

While there are certainly elements of HIPAA Rules that would benefit from an update to improve the sharing of patient health information, in some cases, healthcare organizations are confused about the restrictions HIPAA places on information sharing and the circumstances under which PHI can be shared with other entities without the need to obtain prior authorization from patients.

 

The feedback HHS is seeking will be used to assess what aspects of HIPAA are causing problems, whether there is scope to remove certain restrictions to facilitate information sharing, and areas of misunderstanding that call for further guidance to be issued on HIPAA Rules.

 

HIPAA does permit healthcare providers to share patients’ PHI with other healthcare providers for the purposes of treatment or healthcare operations without authorization from patients. However, there is some confusion about what constitutes treatment/healthcare operations in some cases, how best to share PHI, and when it is permissible to share PHI with entities other than healthcare providers. Simplification of HIPAA Rules could help in this regard, as could the creation of a safe harbor for good faith disclosures of PHI for the purposes of case management and care co-ordination.

 

While the HHS is keen to create an environment where patients’ health information can be shared more freely, the HHS has made it clear is that there will not be any changes made to the HIPAA Security Rule. Healthcare providers, health plans, and business associates of HIPAA-covered entities will still be required to implement controls to ensure risks to the confidentiality, integrity, and availability of protected health information are managed and reduced to a reasonable and acceptable level.

 

In addition to a general request for information, the HHS will specifically be seeking information on:

 

The methods of accounting of all disclosures of a patient’s protected health information
Patients’ acknowledgment of receipt of a providers’ notice of privacy practices


Creation of a safe harbor for good faith disclosures of PHI for purposes of care coordination or case management
Disclosures of protected health information without a patient’s authorization for treatment, payment, and health care operations
The minimum necessary standard/requirement.


While the RFI is likely to be issued, there are no guarantees that any of the comments submitted will result in HIPAA rule changes.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Staff Nurse Faces Jail Time for HIPAA Violations

Staff Nurse Faces Jail Time for HIPAA Violations | HIPAA Compliance for Medical Practices | Scoop.it

Her breach of a patient's privacy jeopardized the clinic from which she was subsequently fired.

 

What began as routine file maintenance ended in arrest and possible jail time for a licensed practical nurse who shared a patient's medical information with her spouse.

 

Ms. A, 29, had been employed by a midsize regional clinic for five years. While she enjoyed her job and got on well with her supervisor, Dr. P, she was known to bemoan what she saw as low pay and the financial strain it created for herself and her husband. That strain intensified when her husband was in an auto accident and then sued by people in the other car seeking compensation for their injuries.

 

One day, as Ms. A was flipping through charts to straighten up the files, she saw the plaintiff's name. Reading the chart with great interest, she jotted some notes, stuck them in her bag, and replaced the file. That night, as her husband complained about the impending lawsuit and its potential financial consequences, Ms. A smiled and reached into her bag for the notes she'd taken earlier. “I think this will help,” she said.

 

The next day, Mr. A phoned the patient. During the conversation, he made it known that he had medical information which he believed weakened the man's case. Mr. A suggested that he consider dropping the lawsuit.

 

After hanging up with Mr. A, the patient made two phone calls. First he called the clinic where Ms. A worked. Then he called the district attorney.

 

The next morning, Ms. A was summarily fired. “You may very well have put this whole clinic in jeopardy,” Dr. P told her.

 

After Ms. A left the building, Dr. P called a meeting of all the nurses, physician assistants, and support staff and explained why Ms. A had been fired. Outlining the laws on patient privacy, he informed them that no breach of these laws would be tolerated under any circumstances.

 

Meanwhile, Ms. A's problems were just beginning. The district attorney forwarded the patient's complaint to a federal prosecutor, and within a month, both Ms. A and her husband were indicted. Ms. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering. The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. Ms. A pleaded guilty to one count of wrongful disclosure of individual health information for personal gain. In exchange for her plea, the charges against her husband were dismissed.

 

Ms. A is awaiting sentencing. She faces up to 10 years in prison, a fine of as much as $250,000, and up to three years of supervised probation. The state nursing board is seeking to revoke her license.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Navigating Mobile Devices and HIPAA

Navigating Mobile Devices and HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

The mobile technology revolution has impacted nearly every industry across the globe, with healthcare being no exception. Hospitals, clinics, and providers have all quickly embraced the use of smartphones and other mobile devices along with the convenience of accessing important medical information quickly.  

Many healthcare organizations are capitalizing on the benefits that mobile devices provide by permitting physicians, nurses, and other healthcare staff to bring their own personal devices (BYOD) to use at work. Other organizations choose to provide their staff with company-owned mobile devices, finding it easier to maintain control and protect their networks. 

 

Although the convenience of mobile technology provides many advantages, it also comes with risks. If mobile data security measures are inadequate, covered entities are at risk of violating HIPAA regulations that can incur heavy fines. HIPAA fines of up to $1.5 million per violation category, per year that the violation has been allowed to persist can be issued by the HHS. In addition, other federal agencies can issue fines, such as the state attorneys general. There is also the considerable cost of a breach response to cover if data is potentially exposed. 

 

The majority of mobile devices do not have robust security controls which can allow devices to be easily compromised. For example, if an unprotected device connects to a network via public Wi-Fi, there is an increased risk of theft. Cybercriminals view mobile devices as an accessible entry point into healthcare networks allowing them to access valuable electronic Protected Health Information.

 

As mobile devices are rapidly becoming an integral part of daily healthcare operations, it is important that organizations fully comprehend healthcare mobile security. (1) HIPAA covered entities that choose to use mobile devices in the workplace must implement controls to protect patient health data.  (2) It is also necessary they review and address all potential mobile data security risks.

 

The HIPAA Security Rule does not require specific technology solutions when it comes to technical safeguards for mobile devices. However, HHS does require organizations to implement reasonable and appropriate security measures for standard operating procedures. 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

HIPAA as an umbrella for county/municipal cybersecurity

HIPAA as an umbrella for county/municipal cybersecurity | HIPAA Compliance for Medical Practices | Scoop.it

Are you a covered entity?

Basing a county/municipal information security (infosec) and cybersecurity framework on HIPAA is a logical choice, especially if you have one or more covered entities (CE) in your organization.

 

How do you know if you have or are a CE? If some department or division within your organization is a health care provider, a health plan or a health care clearinghouse, they are a CE. If you have clinics, doctors, psychologists, clinical social workers, chiropractors, nursing homes or pharmacies, you are a CE [i]. Moreover, many counties have divisions or departments that function as accountable care organizations (ACO), managed care organizations (MCO), health care clearinghouses or health maintenance organizations (HMO). These are all common functions, especially within large county governments.

Are you in compliance?

If anything described above applies to your county or municipal organization, one or more divisions of your organization is a CE and is required to be in compliance with both the HIPAA Security Rule and the HIPAA Privacy Rule.

 

In my experience, most county governments that have covered entities are out of compliance. Where does your organization stand?

 

I suspect what often happens is that executives look at something like information security policy requirements and say:

This has tech words in it. IT handles tech stuff. Therefore, I’ll turn it over to IT to handle.

 

What a huge mistake. An organizational policy dealing with the manner in which information is handled, regardless of whether or not HIPAA regulations apply, requires communication and coordination with legal, HR, IT, information security, risk management, archives, county clerks and other divisions within your organization. It’s not a tech issue; it’s a high-level, interdisciplinary executive function. It is an information governance (IG) issue, and it shouldn’t be handed off to your IT director or CIO to address unilaterally.'

Trust but verify

There are a number of reasons why IT should not be delegated sole responsibility for organizational information security. For one, a successful information security program requires checks, balances, and oversight. Trust but verify! A successful program also requires expert knowledge of departmental business processes that often exceeds the knowledge of the IT staff. Moreover, if your department heads have equivalent status within the organization, it is not appropriate for a CIO or IT director to unilaterally dictate policy to his or her colleagues of equal status. There are far too many IT departments that have adversarial relations with their end users because of their autocratic and often illogical decrees. Information security requires a team approach with executive and board oversight.

Extend HIPAA to your enterprise

If you have covered entities in your organization and have limited or nonexistent enterprise security policies, I would recommend that you consider building your entire enterprise information security policy on the HIPAA Security Rule in order to raise the entire organization up to that level while also getting compliant with federal law.

 

Why? It is highly probable that your organization uses shared facilities, shared IT infrastructure and shared services. Multiple information security levels create a significant management challenge and are certain to cause chaos and confusion. Multiple security stances will lead to security gaps and ultimately to breaches. Keep it simple and operate at the highest standard using generally accepted good practices.

Develop your policy with the HIPAA Security Rule

There are two major components to HIPAA, the Privacy Rule and the Security Rule. For the purpose of this discussion, only the Security Rule matters, but we’ll definitely discuss privacy another day.

The original HIPAA Security Rule document, 45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards; Final Rule, is 49 pages of small print. However, the meat of the document is contained within the final six pages and includes a handy matrix on page 48 (8380 of the federal register).

The security standards in HIPAA are broken down into three sections, each of which has multiple layers and subcomponents:

  • Administrative Safeguards (9 components)
  • Physical Safeguards (4 components)
  • Technical Safeguards (5 components)

 

These three major areas break down into at least 43 separate policy areas where your organization must build safeguards, including risk analysis, contingency planning, backup, passwords, HR sanctions and terminations, disaster recovery, encryption and many more.

 

Using the components in the matrix should enable you and your IG committee to quickly generate a suite of security policies and procedures that, when implemented and enforced, will vastly improve your current information security stance.

 

These are all policy areas that must be addressed as a matter of good practice whether or not you are a covered entity. This is why HIPAA is an excellent starting point for municipal governments that are infosec policy deficient.

Next Steps

1. Find out where your organization stands in terms of information security policies and procedures.

2. Find out whether or not you have covered entities in your organization. Must you comply with HIPAA? Are you compliant?

3. Meet with your IG committee to discuss your findings.

4. If you don’t have an IG committee — start one!

5. Download and review the HIPAA Security Rule. Use it to build your organization’s information security policies.

6. Use either the PDCA (Plan, Do, Check, Act) approach or the DMAIC (Define, Measure, Analyze, Improve, Control) approach to maintaining continuous improvement.

7. Begin building a culture of security in your organization.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Texas Expands HIPAA Privacy Laws to Bolster EHR Security

Texas Expands HIPAA Privacy Laws to Bolster EHR Security | HIPAA Compliance for Medical Practices | Scoop.it

Governor of Texas, Rick Perry, has signed a new law to give Texas residents even greater protection than required by the Health Insurance Portability and Accountability Act and has increased penalties for healthcare organizations that fail to implement the appropriate security measures to protect the health data of patients.

 

Under the Health Information Technology for Economic and Clinical Health Act (HITECH), covered entities have a number of responsibilities including reporting data breaches to the Office for Civil Rights (OCR). Data breaches are reportable to the OCR, either in an end of year report or after an investigation, depending on the number of individuals affected.

 

HIPAA places a number of restrictions on how ePHI is used and stored, and all covered entities are required to conduct a full risk analysis to assess systems for security vulnerabilities to allow risk to be managed. It also lays down the procedures that must be followed after a data breach, such as notifying potential victims. Covered organizations are also required to conduct an investigation into how a breach occurred as well as a risk of harm analysis.

 

One of the main aims of HIPAA has been to improve the standard of data security and protect the privacy of patients. HIPAA and HITECH can be seen as minimum standards that must be followed, and states are allowed to increase data security rules, provided that all HIPAA requirements are met.

 

Texas has now exercised the right to tighten state privacy laws to ensure electronic Protected Health Information is kept private and confidential.

 

Greater Protection for Texas Residents
The new Texas law follows HITECH, although it makes a number of amendments to further restrict the use of ePHI. The penalties have been increased for wrongful disclosure, breach notifications have been updated and healthcare organizations must provide more training to staff. A new requirement is that data privacy and security training must now be provided to employees every two years. Training courses must be documented and all attendees must sign to confirm that they have received training. A 60-day time restriction has also now applies for providing new employees with training.

 

According to the new law, “an individual’s PHI may not be disclosed without the patient’s authorization, except for purposes of treatment, payment, healthcare operations, insurance purposes, and as otherwise authorized by state or federal law”

 

Harsher Penalties for Wrongful Disclosure of ePHI
Failure to comply with the new legislation will result in increased financial penalties and possibly criminal penalties – the theft of ePHI is now considered a felony – being applied for the wrongful disclosure of ePHI. The state is also able to revoke both professional and institutional licenses. Financial penalties have been increased to a maximum of $250,000 for intentional disclosure of ePHI for financial gain, $25,000 for intentional or knowing violation and $5,000 for each individual negligent violation, although the maximum penalty for repeat offenders is $1.5 million and enforced withdrawal from Medicaid, the Children’s Health Insurance Program and other state funded healthcare initiatives is also a possibility.

 

When assessing violations, the seriousness of the data breach will be considered along with significant risk of harm, past history of the organization, certification, the efforts made to mitigate any damage caused and the amount necessary to deter the organization from allowing further violations to occur. Failure to issue breach notifications to affected individuals will also be penalized at a rate of $100 per day, per individual, up to a maximum fine of $250,000.

 

HIPAA regulations require employers to provide training on data Privacy and Security Rules, although this is only required within a short time frame of the commencement of employment and after a material change in Privacy and security policies. Under the new Texas law there is a requirement for ongoing training to be provided to staff and this must also be tailored to the employee’s position within the company. Rules have also changed on breach notifications to include all HIPAA covered entities including business associates, as well as non HIPAA-covered entities that wrongfully disclose ePHI.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

How to Comply with HIPAA

How to Comply with HIPAA | HIPAA Compliance for Medical Practices | Scoop.it

The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 to protect patients' health information. Since its inception, health care providers have struggled with the need to protect patient privacy, share information, and keep paper work under control.


“When HIPAA came out, everyone was so afraid of penalties … but a lot of it was a reasonable recognition of patients' privacy that was already occurring in 99.9% of the cases,” said L. Lee Hamm, MD, Professor of Medicine and Executive Vice Dean at Tulane University School of Medicine in New Orleans.

 

“It added a lot of administrative burden and … it introduced a few things to make certain that people didn't inadvertently do something they shouldn't do.”

 

Electronic information


A part of HIPAA with which specialists in particular are concerned is sharing information among other health care providers. Entities covered under HIPAA are allowed to share private information with other health care professionals for the purposes of treatment, payment, and operations.

 

But Heinold said there are often delays during this process that can negatively impact quality of care and increase liability. This can occur when providers unnecessarily request patients' consent.

 

One of the most efficient ways to communicate among providers is via electronic communication. HIPAA was amended in 2009 to encompass the use of electronic health records with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

 

Fresenius staff is increasingly receiving communication about patients electronically through mediums such as text and instant messaging, Heinold said. While this can facilitate exchange of records, it also comes with inherent risks. Fresenius trains staff to provide the minimum necessary information when texting about patients.

 

Louis Liou, MD, Chief of Urology at Cambridge Health Alliance, said his organization's biggest HIPAA concerns relate to electronic information. To comply, Cambridge ensures that all physicians with smart phones have them password protected and that their e-mail is secure.

 

Cambridge physicians try to avoid texting patient information when possible, but if they must, they do not use any patient identifiers in the text messages.

 

“There are a lot of pitfalls that could potentially happen,” Dr. Liou said. “Thumb drives have given way to Cloud issues. I think potentially there can always be problems – no matter how failsafe you make the system, there is always human error.”

 

Dialysis settings


Another concern is the communal open-floor nature of some clinical settings, as is often the case in dialysis centers, which may make it difficult to protect patient privacy. Still, training staff and implementing privacy procedures can go a long way to meeting HIPAA requirements.

 

Rosemary Heinold, Director of Communications for Fresenius Medical Care North America, a dialysis services provider and manufacturer of peritoneal and hemodialysis machines and equipment, said their organization has a handful of practices that help them comply with HIPAA.

 

Although patients are examined on the dialysis floor, Fresenius clinics also offer private examination rooms. Patients are never required to be examined in an open setting and may request a private room for physician consultations.

 

Like most providers, Fresenius staff gives patients a notice of privacy rights, which individuals must sign. They also post a notice of their privacy practices at all treatment sites.

 

Fresenius providers also work by the “minimum necessary” rule. The staff only shares the least amount of information necessary with patients on the clinic floor, particularly when others are within earshot.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Strategies for Measuring HIPAA Compliance Efforts

Strategies for Measuring HIPAA Compliance Efforts | HIPAA Compliance for Medical Practices | Scoop.it

About 40% of large health care organizations do not take the time to measure how well their HIPAA compliance measures are working, according to Brian Wells, Chief Technology Officer of the cybersecurity firm Merlin International, headquartered in Vienna, Virginia. Most are unaware if they have thwarted cyberattacks, blocked malicious emails or kept staff from releasing inappropriate information.

 

“If they can't report that to the board, then they may stop giving them money to do more,” Wells said.

 

Measuring an organization's HIPAA strategy can be challenging. It is difficult to know if efforts to thwart cyberattacks have actually prevented breaches. “When ransomware like WannaCry comes out, it may be possible to say you protected yourselves,” he said. “If nothing bad has happened in a while, you can assume you are either doing a good job or just haven't been a target.”

 

How are providers supposed to measure HIPAA compliance effectiveness? Here are a few strategies for determining if an organization is on the right path using both internal and external resources.

 

A human touch
Wells works with hospitals now, but when he was on the medical practice side, his group performed annual testing on HIPAA regulations. The test was not hard, but everyone in the practice had to pass it. This not only lets a provider know where education is slipping through the cracks, but also provides a paper trail to point to should a practice get audited.

 

Adam Greene, a partner with Seattle-based Davis Wright Tremaine, also recommends informal testing to make sure people

 

understand their obligations under HIPAA. For example, the person in charge of HIPAA security can make a checklist to ask staff that includes questions like: “If someone wants to see something in their medical record, how would you respond?” Staff should know the patient has a right to records and the process involved in turning them over, be it filling out a form or directing the patient to the staff member who handles requests.

 

Another option is to assign an individual who would be accountable for walking around an office to ensure protected health information is secured properly. A few points to include would be ensuring computers are not facing toward patients; locked cabinets do not have the key hanging next to them; and people are logging out when they leave their computers.

“There could be a 10- to 20-question checklist and they can use it to see how they are doing and compare it over time,” said Marti Arvin, Vice President of Audit Strategy for CynergisTek, which is headquartered in Mission Viejo, California.

 

Arvin said an internal audit can be used to make sure staff members know where privacy policies are and that they are understood; whether all patients at their initial visit are provided with notices of privacy procedures; and if all of the staff members are receiving HIPAA training as they should.

 

Technology testing
Because health IT is constantly under attack, it would be difficult, expensive, and “voluminous” to show all of the attacks an organization has defended against, Greene said.

One option instead is to perform vulnerability scanning on a regular basis to examine if a system has unpatched software or other vulnerabilities. Another good practice is a phishing test. Here, an organization generates its own malware link and sends it to staff to see if anyone clicks.

 

Wells said an IT department can put in place a program that will check to see that people are only doing what they are supposed to be doing with their devices. It can also detect unmanaged devices that appear in the system. Electronic audit logs can be monitored to ensure people are not abusing their access.

 

Encryption is a must-have under HIPAA, and Greene said the best way to look at it is demonstrating that laptops are encrypted and will remain that way. For instance, someone with administrative rights can turn off encryption if they choose. But technical measures can be used to limit someone's ability to turn it off and to maintain compliance.

 

“Those things are really more to let you know how compliant you think you are,” Wells said. “For a full security audit, you are typically going to have to hire out.”

Keep it simple


Most physician practices are “dramatically under-resourced” in HIPAA staffing, Greene said. “The office administrator might be the privacy officer and maybe the security officer, too,” he said. “That is a lot of responsibilities, so providers need to give it some thought … and be careful about laying [extra responsibilities] on an office administrator who doesn't have enough time to do their regular job.”

 

Some of these auditing duties may need to be spread throughout an organization or hired out, but practices need to have an individual who is held accountable for auditing HIPAA policies. “There should be some oversight,” Arvin said. “Lots of practices give the title of security officer, but don't give resources or educate them on the responsibilities of overseeing the program.”

Greene also recommends making this a long-term endeavor. Instead of trying to look at all areas of compliance at once, he recommends starting with places where an office has had problems, where similar practices have had settlements, or where the Office for Civil Rights offers guidance.

 

For example, an individual responsible for HIPAA compliance might first spend some time ensuring staff members are providing patients with access to their records and if they are charging the right amount for them. Then he or she could move to other areas, such as disclosure of privacy practice guidelines.

“You can ultimately look at different regulatory requirements and create a master plan for how you are going to audit them,” he said. “Prioritize some immediately and others next year or the year after because they are seemingly lower risk.”

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

6 things software vendors need to know about HIPAA compliance

6 things software vendors need to know about HIPAA compliance | HIPAA Compliance for Medical Practices | Scoop.it

Maintaining HIPAA compliance

 

Many people are loosely familiar with the Health Insurance Portability and Accountability Act (HIPAA) and usually associate it with hospitals, clinics, and health insurance companies. However, it can be less clear how HIPAA compliance standards apply to countless other software vendors, SaaS providers that work with healthcare-related businesses or handle protected health information (PHI). In recent months, the Office for Civil Rights has been coming down hard on HIPAA violators, doling out some of the large fines – upwards of $5 million. So in order to ensure your business is protected and to maintain your brand reputation, it is vital to know the ins and outs of HIPAA compliance. With this in mind,

 

How do you know if you need to be HIPAA compliant?

 

In short, HIPAA rules apply to both Covered Entities (health insurance companies, HMOs, company health plans, etc.) and their business associates (a vendor or subcontractor who has access to PHI). What this means for business associates is that even if you’re a service provider or vendor who isn’t in the healthcare industry - like an all-flash storage company - you may still need to be HIPAA compliant indirectly due to the fact that your organization stores PHI. The first step here is to determine whether your organization handles PHI. If you do, your next step is to look through the

 

Look to your current vendors for guidance

 

Once you determine that you need to be compliant, there’s no need to go on a hiring spree to ensure you have the necessary resources in-house. Many of your existing vendors may already cover key HIPAA compliance requirements. Any good service provider should be able to tell you whether they are HIPAA compliant and what controls they can cover. If so, it is important that they are also willing to sign a Business Associate Agreement (BAA) - a negotiation between Covered Entities and any third-party vendors that have access to their PHI.

 

Look for specific types of technology that can help to streamline the process

 

If none of your existing vendors can help with HIPAA compliance, turn to a managed service provider to do the heavy lifting and help your business attain and maintain compliance, so you can focus resources on driving business. Additionally, they can strengthen the security technology, processes, and controls they use to keep customer information secure. For example, if you’re looking for a secure way to continue work-from-home programs at your organization through remote desktops, HIPAA compliant Desktop-as-a-Service (DaaS) vendors are a great option to both fill specific needs for your business and drastically simplify compliance.

 

Don’t forget about maintenance

 

A key stumbling block for many organizations tends to be maintaining a constantly evolving set of compliance standards. HIPAA compliance certification is valid only at that moment – it is then up to the company to maintain compliance which is easier said than done. Some important things to keep the top of mind for maintenance include 1) completing a HIPAA Risk Analysis document and audit at least once a year, and 2) assessing employees year-round to make sure they are doing their jobs in a HIPAA compliant manner, following all stated company policies and procedures.

 

Know who is responsible for HIPAA compliance

 

Another challenge accompanying HIPAA compliance may sound simple, but is one that oftentimes goes overlooked - precisely who internally is responsible for compliance? For non-healthcare organizations, a company is unlikely to have a designated in-house role such as a Privacy and Security Officer, and therefore the responsibility often falls on security or operations departments. However, it’s likely that neither of these departments has a full understanding or stake in HIPAA compliance. Regardless of who is taking the reins, it is important that the role is clearly demarcated and that person or department knows what is expected of them. Additionally, it’s critical that they work together with other departments as needed to ensure a well-rounded HIPAA strategy. Case in point - a recent

 

Keep HIPAA compliance top of mind for staff

 

Regardless of who is in charge, it is important that all your staff be mindful of maintaining HIPAA compliance. Human error can become one of the biggest obstacles to maintaining compliance, especially when employees may not even realize their company deals with PHI. For example, the same NueMD survey also found that only 58% of respondents were providing training for their staff annually. HR teams can proactively assist with this by reminding staff of regular HIPAA training, updates on compliance standards changes and keeping visible HIPAA compliance checklists posted in work areas.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Our Partners at Compliancy Group Help Client Pass HIPAA Audit

Our Partners at Compliancy Group Help Client Pass HIPAA Audit | HIPAA Compliance for Medical Practices | Scoop.it

Compliancy Group announced today that it has helped a long-time client pass a HIPAA audit. The Department of Health

and Human Services (HHS) Office for Civil Rights (OCR) investigation into a potential HIPAA violation resulted in no fine for a user of their web-based compliance solution, The Guard.

HIPAA audits target hundreds of healthcare professionals a year, according to the HHS Wall of Shame.

 

Compliance Group is the only HIPAA solution on the market today that gives clients access to a HIPAA Audit Response Program (ARP). The Compliance Group HIPAA Audit Response Program gives clients the ability to formulate all the necessary reports that OCR auditors are requesting in order to illustrate their compliance efforts. Compliance Group’s team of expert Compliance Coaches gather the reports and adhere to strict audit deadlines to ensure that clients stand their best chance at emerging from an audit without being fined.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.