HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

How Do I Become HIPAA Compliant?


For healthcare providers, HIPAA compliance is a must. HIPAA guidelines protect patients’ health information, ensuring that it is stored securely, and used correctly.

 

Sensitive data that can reveal a patient’s identity must be kept confidential to adhere to HIPAA rules. These rules work on multiple levels and require a specific organizational method to implement comprehensive privacy and security policies to achieve compliance.

 

Most organizations find this to be a daunting task. We have put together a HIPAA compliance checklist to make the process easier.

 

The first is to understand how HIPAA applies to your organization. The second is to learn how to implement an active process, technology, and training to prevent a HIPAA-related data breach or accidental disclosure. Finally, the third is to put physical and technical safeguards in place to protect patient data.

By the time you’re done with our list, you will know what you need to consider to have a better conversation with your compliance advisors.

What is HIPAA?

Before talking about compliance, let’s recap the basics of HIPAA.

Signed into law by President Bill Clinton in 1996, the Health Insurance Portability and Accountability Act provides rules and regulations for medical data protection.

HIPAA does several important things. It reduces health care abuse and fraud and sets security standards for electronic billing of healthcare. It also does the same for the storage of patients’ healthcare information. The Act mandates the protection and handling of medical data, ensuring that healthcare data is kept private.

The part of HIPAA we are concerned with relates to healthcare cybersecurity. To be compliant, you must protect patients’ confidential records.

HIPAA rules have evolved. When the law was first enacted, it did not mention specific technology. As the HIPAA compliant cloud has become commonplace, it has inspired additional solutions. For example, our Data Security Cloud (DSC) is being developed to create a base infrastructure for a HIPAA compliant solution. Providing a secure infrastructure platform to ride on top of, DSC makes creating a HIPAA-compliant environment easier.

Secure infrastructure handles things at the lowest technical level that creates data, providing the key features to keep data safe. These features include separation/segmentation, encryption at rest, a secure facility at the SOC2 level of compliance, and strict admin controls among other required security capabilities.

 
 

Why Is HIPAA Compliance Important?

HIPAA compliance guidelines are essential. Failure to comply can put patients’ health information at risk. Breaches can have a disastrous impact on a company’s reputation, and you could be subject to disciplinary action and strict violation fines and penalties by CMS/OCR.

Last year’s WannaCry ransomware attack affected more than 200,000 computers worldwide, including many healthcare organizations. Most notably, it affected Britain’s National Health Service, causing serious disruptions in the delivery of health services across the country.

To gain access to the systems, hackers exploited vulnerabilities in outdated versions of Windows that are still commonly used in many healthcare organizations. With medical software providers offering inadequate support for new operating systems and with medical devices such as MRIs lacking security controls, the attack was easy to carry out.

The attack demonstrated the strength of today’s hackers, highlighting the extent to which outdated technologies can pose a problem in modern organizations. This is precisely why HIPAA also regulates some aspects of technology systems used to store, manage, and transfer healthcare information.

Institutions that fail to implement adequate systems can suffer significant damage. If a breach takes place, the law requires affected organizations to submit various disclosure documents, which can include sending every subject a mailed letter. They may also be required to offer patients a year of identity protection services. This can add up to significant dollars, even before confirming the extent of the breach.

 

What is the HIPAA Privacy Rule?

The HIPAA Privacy Rule creates national standards. Their goal is to protect medical records and other personally identifiable health information (PHI).

It applies to three types of companies: providers, supply chain (contractors, vendors, etc.) and now service providers (such as data centers and cloud services providers). All health plans and healthcare clearinghouses must be HIPAA compliant.

The rules also apply to healthcare providers who conduct electronic health-related transactions.

The Privacy Rule requires that providers put safeguards in place to protect their patients’ privacy. The safeguards must shield their PHI. The HIPAA Privacy Rule also sets limits on the disclosure of ePHI.

It’s because of the Privacy Rule that patients have legal rights over their health information.

These include three fundamental rights.

    • First, the right to authorize disclosure of their health information and records.
    • Second, the right to request and examine a copy of their health records at any time.
    • Third, patients have the right to request corrections to their records as needed.

The HIPAA Privacy Rule requires providers to protect patients’ information. It also provides patients with rights regarding their health information.

 

What Is the HIPAA Security Rule?

The HIPAA Security Rule is a subset of the HIPAA Privacy Rule. It applies to electronic protected health information (ePHI), which should be protected if it is created, maintained, received, or used by a covered entity.

The safeguards of the HIPAA Security Rule are broken down into three main sections. These include technical, physical, and administrative safeguards.

Entities affected by HIPAA must adhere to all safeguards to be compliant.

Technical Safeguards

The technical safeguards included in the HIPAA Security Rule break down into four categories.

    • First is access control. These controls are designed to limit access to ePHI. Only authorized persons may access confidential information.
    • Second is audit control. Covered entities must use hardware, software, and procedures to record ePHI. Audit controls also ensure that they are monitoring access and activity in all systems that use ePHI.
    • Third are integrity controls. Entities must have procedures in place to make sure that ePHI is not destroyed or altered improperly. These must include electronic measures to confirm compliance.
    • Finally, there must be transmission security. Covered entities must protect ePHI whenever they transmit or receive it over an electronic network.

The technical safeguards require HIPAA-compliant entities to put policies and procedures in place to make sure that ePHI is secure. They apply whether the ePHI is being stored, used, or transmitted.

Physical Safeguards

Covered entities must also implement physical safeguards to protect ePHI. The physical safeguards cover the facilities where data is stored, and the devices used to access them.

Facility access must be limited to authorized personnel. Many companies already have security measures in place. If you don’t, you’ll be required to add them. Anybody who is not considered authorized will be prohibited from entry.

Workstation and device security are also essential. Only authorized personnel should have access to and use of electronic media and workstations.

Security of electronic media must also include policies for the disposal of these items. The removal, transfer, destruction, or re-use of such devices must be processed in a way that protects ePHI.

Administrative Safeguards

The third type of required safeguard is administrative. These include five different specifics.

    • First, there must be a security management process. The covered entity must identify all potential security risks to ePHI. It must analyze them. Then, it must implement security measures to reduce the risks to an appropriate level.
    • Second, there must be security personnel in place. Covered entities must have a designated security official. The official’s job is to develop and implement HIPAA-related security policies and procedures.
    • Third, covered entities must have an information access management system. The Privacy Rule limits the uses and disclosures of ePHI. Covered entities must put procedures in place that restrict access to ePHI to when it is appropriate based on the user’s role.
    • Fourth, covered entities must provide workforce training and management. They must authorize and supervise any employees who work with ePHI. These employees must get training in the entity’s security policies. Likewise, the entity must sanction employees who violate these policies.
    • Fifth, there must be an evaluation system in place. Covered entities must periodically assess their security policies and procedures.

Who Must Be HIPAA Compliant?

There are four classes of business that must adhere to HIPAA rules. If your company fits one of them, you must take steps to comply.

The first class is health plans. These include HMOs, employer health plans, and health maintenance companies. This class contains schools that handle PHI for students and teachers. It also covers both Medicare and Medicaid.

The second class is healthcare clearinghouses. These include healthcare billing services and community health management information systems. Also included are any entities that collect information from healthcare entities and process it into an industry-standard format.

The third class is healthcare providers. That means any individual or organization that treats patients. Examples include doctors, surgeons, dentists, podiatrists, and optometrists. It also includes lab technicians, hospitals, group practices, pharmacies, and clinics.

The final class is for business associates of the other three classes. It covers any company that handles ePHI, such as contractors and infrastructure services providers. Most companies’ HR departments also fall into this category because they handle ePHI of their employees. Additional examples include data processing firms and data transmission providers. This class also includes companies that store or shred documents. Medical equipment companies, transcription services, accountants, and auditors must also comply.

If your entity fits one of these descriptions, then you must take steps to comply with HIPAA rules.

What is the HIPAA Breach Notification Rule?

Even when security measures are in place, it’s possible that a breach may occur. If it does, the HIPAA Breach Notification Rule specifies how covered entities should deal with it.

The first thing you need to know is how to define a breach. A breach is a use or disclosure of PHI forbidden by the Privacy Rule.

The covered entity must assess the risk using these criteria:

    1. The nature of the PHI involved, including identifying information and the likelihood of re-identification;
    2. The identity of the unauthorized person who received or used the PHI;
    3. Whether the PHI was viewed or acquired; and
    4. The extent to which the risk to the PHI has been mitigated.

Sometimes, PHI may be acquired or disclosed without a breach.

The HIPAA rules specify three examples.

  • The first is when PHI is unintentionally acquired by an employee or person who acted in good faith and within the scope of their authority.
  • The second is inadvertent disclosure of PHI by one authorized person to another. The information must not be further disclosed or used in a way not covered by the Privacy Rule.
  • The third occurs if the covered entity determines that the unauthorized person who received the disclosure would not be able to retain the PHI.

 

If there is a breach as defined above, the entity must disclose it. The disclosures advise individuals and HHS that the breach has occurred.

 

Personal disclosures must be mailed or emailed to those affected by the breach. A media disclosure must be made in some circumstances. If more than 500 people in one area are affected, the media must be notified.

 

Finally, there must also be a disclosure to the HHS Secretary.

The HIPAA Breach Notification Rule protects PHI by holding covered entities accountable. It also ensures that patients are notified if their personal health information has been compromised.

 

What Are the HIPAA Requirements for Compliance?

A common question is how to become HIPAA compliant.

The key to HIPAA compliance certification is to take a systematic approach. If your entity is covered by HIPAA rules, you must be compliant. You must also perform regular audits and updates as needed.

 

With that in mind, we’ve compiled a comprehensive checklist for use in creating your HIPAA compliance policy.

HIPAA Compliance Checklist

These questions cover the components needed to make you HIPAA-compliant. You can use the checklist to mark each task as you accomplish it. The list is intended to be used for self-evaluation.

Have you conducted the necessary audits and assessments according to National Institute of Standards and Technology (NIST) Guidelines?

 

The audits in question involve security risk assessments, privacy assessments, and administrative assessments.

Have you identified all the deficiencies and issues discovered during the three audits?

 

There are several things to consider before doing the self-audit checklist. You need to ensure that all security, privacy, and administrative deficiencies and issues are appropriately addressed.

 

Have you created thorough remediation plans to address the deficiencies you have identified?

After covering the deficiencies and issues mentioned above, you need to provide remediation for each group.

Do you have policies and procedures in place that are relevant to the HIPAA Privacy Rule, the HIPAA Security Rule, and the HIPAA Breach Notification Rule?

 

You must be aware of these three critical aspects of a HIPAA compliance program and ensure each is adequately addressed.

    • Have you distributed the policies and procedures specified to all staff members?
      • Have all staff members read and attested to the HIPAA policies and procedures you have put in place?
      • Have you documented their attestation, so you can prove that you have distributed the rules?
      • Do you have documentation for annual reviews of your HIPAA policies and procedures?
    • Have all your staff members gone through basic HIPAA compliance training?
      • Have all staff members completed HIPAA training for employees?
      • Do you have documentation of their training?
      • Have you designated a staff member as the HIPAA Compliance, Privacy, or Security Officer as required by law?
    • Have you identified all business associates as defined under HIPAA rules?
      • Have you identified all associates who may receive, transmit, maintain, process, or have access to ePHI?
      • Do you have a Business Associate Agreement (Business Associate Contract) in place with each entity you have identified as a Business Associate?
      • Have you audited your Business Associates to make sure they are compliant with HIPAA rules?
      • Do you have written reports to prove your due diligence regarding your Business Associates?
    • Do you have a management system in place to handle security incidents or breaches?
      • Do you have systems in place to allow you to track and manage investigations of any incidents that impact the security of PHI?
      • Can you demonstrate that you have investigated each incident?
      • Can you provide reporting of all breaches and incidents, whether they are minor or meaningful?
      • Is there a system in place so staff members may anonymously report an incident if the need arises?

As you work your way through this checklist, remember to be thorough. You must be able to provide proper documentation of your audits, procedures, policies, training, and breaches.

As a final addition to our checklist, here is a review of the general instructions regarding a HIPAA compliance audit.

    • If a document refers to an entity, it means both the covered entity and all business associates unless otherwise specified.
    • Management refers to the appropriate officials designated by the covered entity to implement policies, procedures, and standards under HIPAA rules.
    • The covered entity must provide all specified documents to the auditor. A compendium of all entity policies is not acceptable. It is not the auditor’s job to search for the requested information.
    • Any documents provided must be the versions in use as of the audit notification and document request unless otherwise specified.
    • Covered entities or business associates must submit all documents via OCR’s secure online web portal in PDF, MS Word, or MS Excel.
    • If the appropriate documentation of implementation is not available, the covered entity must provide examples from “equivalent previous time periods” to complete the sample. If no such documentation is available, a written statement must be provided.
    • Workforce members include:
      • Entity employees
      • On-site contractors
      • Students
      • Volunteers
    • Information systems include:
      • Hardware
      • Software
      • Information
      • Data
      • Applications
      • Communications
      • People

Proper adherence to audit rules is necessary. A lack of compliance will impact your ability to do business.

In Closing, HIPAA Questions and Answers

HIPAA rules are designed to ensure that any entity that collects, maintains, or uses confidential patient information handles it appropriately. It may be time-consuming to work your way through this free HIPAA self-audit checklist. However, it is essential that you cover every single aspect of it. Your compliance is mandated by law and is also the right thing to do to ensure that patients can trust you with their personal health information.

One thing to understand is that it is an incredible challenge to try to do this by yourself. You need professional help such as a HIPAA technology consultant. Gone are the days you can have a server in your closet at the office, along with your office supplies. The cleaning personnel seeing a printout of a patient’s file constitutes a ‘disclosable’ event.

Screen savers, privacy screens, and professionally-managed technology solutions are a must. Just because you use a SaaS-based MR (Medical Records) solution does not mean you are no longer responsible for the privacy of that data. If they have lax security, it is still the providers’ responsibility to protect that data. Therefore the burden of due diligence is still on the provider.

Phoenix NAP’s HIPAA compliant hosting solutions have safeguards in place, as audited in its SOC2 certifications. We provide 100% uptime guarantees and a compliance-ready platform that you can use to build secure healthcare infrastructure.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time


For the first time, a HIPAA privacy complaint filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in federal criminal prosecution.

 

A complaint was filed with OCR over an impermissible disclosure of a patient’s protected health information by a doctor. The doctor, Richard Alan Kaye of Suffolk, Va., was alleged to have shared PHI with the patient’s employer without consent from the patient – a violation of the HIPAA Privacy Rule.

 

The case against Kaye has been referred to the Department of Justice, which has pressed charges. While OCR has referred more than 500 HIPAA violation cases in the past, this is the first time that an investigation of a privacy complaint has resulted in criminal prosecution.

 

Kaye had previously worked at Sentara Obici Hospital in Suffolk, Va., as Medical Director of its Psychiatric Care Center. The patient had been enrolled in a mental health treatment program at the hospital and Kaye treated and subsequently discharged the patient. On discharge, Kaye stated that the patient was not a threat to the public.

 

Federal prosecutors allege Kaye shared PHI with the patient’s employer “under the false pretenses that the patient was a serious and imminent threat to the safety of the public, when in fact he knew that the patient was not such a threat.”

 

While it was previously possible for egregious HIPAA violations to result in criminal prosecutions for HIPAA covered entities, filing charges against individuals was problematic. When individuals were discovered to have violated the privacy of patients, and the violations warranted criminal prosecution, it was necessary to file charges under the aiding and abetting theory – the abuse of an individual’s position to violate HIPAA Rules.

 

However, the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH Act) provided further clarification on criminal prosecutions for HIPAA violations, and made the process of prosecuting individuals for HIPAA privacy violations more straightforward.

 

If cases are investigated and OCR determines HIPAA Rules have been violated by covered entities, the cases are typically resolved by OCR, often via settlements. However, if individuals are alleged to have violated HIPAA Rules, criminal penalties may be appropriate. In such cases, OCR can refer the cases to the Department of Justice, the federal attorney general, and/or state attorneys general to pursue criminal charges against those individuals.

 

While criminal cases have been filed against individuals who violated HIPAA Rules and impermissibly disclosed PHI, the uncertainty of pursuing cases against individuals prior to the passing of the HITECH Act dissuaded federal prosecutors from pursuing cases. Since the HITECH Act was passed, there have been referrals of cases, although this is understood to be the first time that the Department of Justice has actively pursued criminal charges against an individual following the referral of a privacy complaint by OCR.

 

There is no private cause of action in HIPAA. While private citizens can file complaints with the OCR over alleged violations of HIPAA Rules, they are not permitted to file lawsuits against covered entities for HIPAA violations. The lack of criminal penalties for HIPAA violations may have dissuaded patients from filing complaints. Now that the Department of Justice is taking action against an individual for an egregious HIPAA privacy violation, it may encourage more patients to file complaints with OCR.

 

This DOJ case shows federal authorities are now taking HIPAA Privacy Rule violations much more seriously. OCR is also training state attorneys general on HIPAA enforcement. After state attorneys general have received training, it is expected they too will take a more aggressive stance against covered entities that have violated the privacy of state residents.


How to Comply with HIPAA


The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 to protect patients' health information. Since its inception, health care providers have struggled with the need to protect patient privacy, share information, and keep paperwork under control.


“When HIPAA came out, everyone was so afraid of penalties … but a lot of it was a reasonable recognition of patients' privacy that was already occurring in 99.9% of the cases,” said L. Lee Hamm, MD, Professor of Medicine and Executive Vice Dean at Tulane University School of Medicine in New Orleans.

 

“It added a lot of administrative burden and … it introduced a few things to make certain that people didn't inadvertently do something they shouldn't do.”

 

Electronic information


A part of HIPAA with which specialists in particular are concerned is sharing information among other health care providers. Entities covered under HIPAA are allowed to share private information with other health care professionals for the purposes of treatment, payment, and operations.

 

But Heinold said there are often delays during this process that can negatively impact quality of care and increase liability. This can occur when providers unnecessarily request patients' consent.

 

One of the most efficient ways to communicate among providers is via electronic communication. HIPAA was amended in 2009 to encompass the use of electronic health records with the Health Information Technology for Economic and Clinical Health (HITECH) Act.

 

Fresenius staff is increasingly receiving communication about patients electronically through mediums such as text and instant messaging, Heinold said. While this can facilitate exchange of records, it also comes with inherent risks. Fresenius trains staff to provide the minimum necessary information when texting about patients.

 

Louis Liou, MD, Chief of Urology at Cambridge Health Alliance, said his organization's biggest HIPAA concerns relate to electronic information. To comply, Cambridge ensures that all physicians with smart phones have them password protected and that their e-mail is secure.

 

Cambridge physicians try to avoid texting patient information when possible, but if they must, they do not use any patient identifiers in the text messages.

 

“There are a lot of pitfalls that could potentially happen,” Dr. Liou said. “Thumb drives have given way to Cloud issues. I think potentially there can always be problems – no matter how failsafe you make the system, there is always human error.”

 

Dialysis settings


Another concern is the communal open-floor nature of some clinical settings, as is often the case in dialysis centers, which may make it difficult to protect patient privacy. Still, training staff and implementing privacy procedures can go a long way to meeting HIPAA requirements.

 

Rosemary Heinold, Director of Communications for Fresenius Medical Care North America, a dialysis services provider and manufacturer of peritoneal and hemodialysis machines and equipment, said their organization has a handful of practices that help them comply with HIPAA.

 

Although patients are examined on the dialysis floor, Fresenius clinics also offer private examination rooms. Patients are never required to be examined in an open setting and may request a private room for physician consultations.

 

Like most providers, Fresenius staff gives patients a notice of privacy rights, which individuals must sign. They also post a notice of their privacy practices at all treatment sites.

 

Fresenius providers also work by the “minimum necessary” rule. The staff only shares the least amount of information necessary with patients on the clinic floor, particularly when others are within earshot.


No Exception to HIPAA Privacy Rules, Nurse Learns


Ms. P, 45, was a nurse working in the cardiology department of a large hospital. Her duties were varied, and included, among other things, accessing patient medical records to review lab values and other diagnostic tests ordered by physicians, and writing progress notes in patients' charts.

When she was originally hired by the hospital, she was given a lecture from human resources about the importance of patient confidentiality. Ms. P was required to sign an agreement stating that she would protect patient confidentiality by only seeking or obtaining information regarding a patient that was required to perform her duties.

Later, when the U.S. Health Insurance Portability and Accountability Act (HIPAA) went into effect, Ms. P was required to go to another human resources seminar and sign a revised confidentiality agreement.

 

The revised agreement stated that she would not access or view information other than what was required to do her job, and that she would immediately ask her supervisor for clarification if she had any questions about whether information was required for her job.

 

Finally, the agreement contained a section saying that Ms. P acknowledged that violation of the facility's confidentiality policy could result in disciplinary action up to and including termination.

Ms. P understood the importance of patient confidentiality and would never look in the records of patients that weren't hers—with two exceptions. Ms. P's mother and sister both had serious chronic conditions that frequently resulted in hospital visits over the years.

 

Ms. P's mother had Parkinson's disease, was on numerous medications, and was prone to falls. Ms. P's older sister, who lived with her, had Down syndrome. Ms. P would periodically look up her mother's and sister's health records on the hospital computer to get information or to access their treatment plans. She didn't see anything wrong with this because it was her own family.

 

One of her colleagues, however, had noticed Ms. P looking at the records on more than one occasion, and anonymously reported her. The hospital's HIPAA compliance officer began an investigation that revealed that Ms. P had accessed her mother's charts on 44 separate occasions and her sister's charts on 28 occasions.

 

When the human resources director confronted her with the results of the investigation, Ms. P admitted that she had accessed the records, but that they were the records of her family members and therefore she didn't see anything wrong with it.

 

“Did you need to access information from their medical records in order to do your job as a clinical affiliate in the cardiology department?” the human resources director asked sternly.

“No,” Ms. P replied. “They were not cardiology patients.”

She was fired that day. Angered by the loss of her job, Ms. P sought the advice of an attorney to see if she could sue the hospital for wrongful termination. The attorney was skeptical.

“HIPAA violations are taken very seriously,” he said. “Did they give you training about patient privacy?”

 

Ms. P admitted that she'd had training.

“Were you asked to sign anything?” the attorney inquired.

“Well, yes,” Ms. P said. “I did sign a confidentiality agreement, and the hospital does have a policy that you could lose your job for violating it. But this was my mother and sister! They don't mind that I looked at their records!”

 

“That's irrelevant,” the attorney said. “It doesn't matter if they are family or not. You still didn't have the right to look at the records. I don't think we have a leg to stand on, unless…” the attorney trailed off, thinking.

 

“How old are you?” he suddenly asked.

When she told him, he smiled. “I think we may have an angle. We can try suing the hospital for age discrimination. We can claim that the privacy violation was merely a pretext to get rid of you – a higher paid experienced nurse – and replace you with a less expensive junior person.”

 

The attorney filed the papers against the hospital. The hospital's attorney promptly filed a motion to dismiss. The court, after reviewing all the facts, dismissed Ms. P's case.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


NueMD HIPAA Survey Results 

In 2014, NueMD, an Electronic Health Record (EHR) and billing software company, distributed a questionnaire to medical practices and billing companies to gain insights on their knowledge of HIPAA regulations, compliance measures, and communication methods.¹ There were 1197 responses, with 1037 medical practices and 160 billing companies. Two years later, in 2016, the survey was distributed again to determine how much had changed in the participants’ knowledge.² This time there were a total of 927 responses, with 799 medical practices and 58 billing companies. The respondents were clients of NueMD.

In this blog, we compare the data found in these two surveys. The results are surprising.

HIPAA Audits

2014: Only 32% of those surveyed were aware of HIPAA audits.

2016: 40% of participants reported that they knew about HIPAA audits.

Currently, audits of business associates are taking place. The first round in 2016 looked at covered entities (primarily healthcare providers). In October 2016, HIPAA audits expanded to include business associates. HHS is drawing from a list of 20,000 BAs identified in the first round of audits. Next year, OCR plans to conduct full audits for a selected group of covered entities and business associates. These audits will be more intense than previous ones because they involve auditors coming onsite for several days. HHS gives the practice 10 days to prepare. For those organizations that have not started the compliance process in advance, there is almost no way to prepare in time if you are selected for an audit.³

HIPAA Compliance Plan

2014: 58% of those surveyed stated they had a HIPAA compliance plan in place. However, there was a disconnect between managers and staff: 68% of managers claimed to have a HIPAA compliance plan, but only 43% of staff.

2016: A whopping 70% of respondents reported that they have a HIPAA compliance plan.

All organizations that come in contact with PHI should have a compliance plan in place. There are several important documents that a medical practice must complete to have a comprehensive plan. These include Privacy and Security Policies and Procedures, Business Associate Agreements and a Risk Assessment. Based on the responses to the next two questions, it is likely that fewer healthcare providers are as compliant as they indicate.

Business Associate Agreement (BAA)

2014: 60% of those surveyed were aware that the Omnibus Ruling requires BAAs with third party vendors.

2016: The number rose to 68% of participants knowing about the BAA rules.

Business Associate Agreements Reviewed and Updated

2014: 24% of respondents had “all” of their BAAs reviewed and updated since the 2013 Omnibus Rule, and 21% surveyed said “some”.

2016: There was an increase from 2014 to 2016, with 29% responding “all” BAAs are updated and reviewed, and 19% having “some” of their BAAs up to date.

Recently OCR was notified that Women and Infants Hospital (WIH) of Rhode Island lost unencrypted backup tapes of ultrasounds of over 14,000 patients. The tapes also included PHI like names and dates of birth. WIH is a covered entity member of Care New England Health Center (CNE). CNE provides centralized corporate support for its covered entities. The two organizations signed their BAA in 2005 and had not updated it since. The Omnibus Ruling in 2013 added extra requirements to Business Associate Agreements. Failure to update their BAA to incorporate these new requirements rendered their 2005 Agreement ineffective. In the end, the outdated BAA resulted in a $400,000 settlement.

Risk Assessment

2014: Only 33% said they performed a risk analysis.

2016: This question was not included in the NueMD 2016 HIPAA Survey Update.

If there is an audit, one of the first things OCR will ask to see is a Risk Assessment. This helps organizations realize their potential areas of risk in regard to the PHI they handle. Failing to assess potential areas of risk in your organization is failing to protect PHI.

In July 2016, a settlement was reached with U-Miss Medical Center after a breach that affected 10,000 people. It was found that UMMC did not take adequate risk management security measures. They settled with OCR for $2.75 million.⁵

HIPAA Training

2014: 62% of managers reported that they provided HIPAA training for their employees.

2016: This number surprisingly dropped over the 2 years. Only 58% of organizations surveyed claimed to have provided HIPAA training.

Proper HIPAA training should educate people on the law. Lack of training equals lack of knowledge and translates into more risk. On October 17, 2016, St. Joseph Health (SJH) settled potential violations with HHS following the report that files containing PHI were publicly accessible through internet search engines from 2011 until 2012. SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan. As part of the corrective action plan, with HHS’ final approval of the training materials, SJH must train all appropriate workforce members in accordance with SJH’s applicable administrative procedures and provide annual retraining.⁶

To help comply with the current compliance regulation, check out Total HIPAA’s latest service, HIPAA Prime™. HIPAA Prime is an easy-to-follow, cost-effective online solution for quickly developing and implementing your personalized HIPAA Compliance Plan. Whether you are a small or large organization, HIPAA Prime will satisfy all of your documentation and training requirements.

Legislation Changes and New HIPAA Regulations

The policy of two out for every new regulation introduced means there are likely to be few, if any, new HIPAA regulations in 2018. However, that does not mean it will be all quiet on the HIPAA front. HHS’ Office for Civil Rights (OCR) director Roger Severino has indicated there are some HIPAA changes under consideration.

 

OCR is planning on removing some of the outdated and labor-intensive elements of HIPAA that provide little benefit to patients, although before HIPAA changes are made, OCR will seek feedback from healthcare industry stakeholders.

 

As with previous updates, OCR will submit notices of proposed rulemaking and will seek comment on the proposed changes. Those comments will be carefully considered before any HIPAA changes are made.

 

The full list of proposed changes to the HIPAA Privacy Rule has not been made public, although Severino did provide some insight into what can be expected in 2018 at a recent HIPAA summit in Virginia.

Severino explained there were three possible changes to HIPAA regulations in 2018. The first relates to enforcement of HIPAA Rules by OCR.

 

Since the introduction of the Enforcement Rule, OCR has had the power to financially penalize HIPAA covered entities that are discovered to have violated HIPAA Rules or not put sufficient effort into compliance. Since the incorporation of the HITECH Act into HIPAA in 2009, OCR has been permitted to retain a proportion of the settlements and CMPs it collects through its enforcement actions. Those funds are used, in part, to cover the cost of future enforcement actions and to provide restitution to victims. To date, OCR has not done the latter.

 

OCR is considering requesting information on how a proportion of the settlements and civil monetary penalties it collects can be directed to the victims of healthcare data breaches and HIPAA violations.

 

One area of bureaucracy that OCR is considering changing is the requirement for covered entities to retain signed forms from patients confirming they have received a copy of the covered entity’s notice of privacy practices. In many cases, the forms are signed by patients who just want to see a doctor. The forms are not actually read.

 

One potential change is to remove the requirement to obtain and store signed forms and instead to inform patients of privacy practices via a notice in a prominent place within the covered entity’s facilities.

 

Severino also said OCR is considering changing HIPAA regulations in 2018 relating to good faith disclosures of PHI. OCR is considering formally clarifying that disclosing PHI in certain circumstances is permitted without first obtaining consent from patients: for instance, sharing PHI with family members and close friends when a patient is incapacitated, or in cases of opioid drug abuse.

 

While HIPAA does permit healthcare providers to disclose PHI when a patient is in imminent harm, further rulemaking is required to cover good faith disclosures.

 

While these HIPAA changes are being considered, it could take until 2019 before they are implemented.

Do HIPAA Rules Create Barriers That Prevent Information Sharing?

The HHS has drafted a Request for Information (RFI) to discover how HIPAA Rules are hampering patient information sharing and are making it difficult for healthcare providers to coordinate patient care.

 

HHS wants comments from the public and healthcare industry stakeholders on any provisions of HIPAA Rules which are discouraging or limiting coordinated care and case management among hospitals, physicians, patients, and payors.

 

The RFI is part of a new initiative, named Regulatory Sprint to Coordinated Care, the aim of which is to remove barriers that are preventing healthcare organizations from sharing patient information while retaining protections to ensure patient and data privacy are protected.

 

The comments received through the RFI will guide the HHS on how HIPAA can be improved, and which policies should be pursued in rulemaking to help the healthcare industry transition to coordinated, value-based health care.

 

The RFI was passed to the Office of Management and Budget for review on November 13, 2018. It is currently unclear when the RFI will be issued.

 

Certain provisions of HIPAA Rules are perceived to be barriers to information sharing. The American Hospital Association has spoken out about some of these issues and has urged the HHS to take action.

 

While there are certainly elements of HIPAA Rules that would benefit from an update to improve the sharing of patient health information, in some cases, healthcare organizations are confused about the restrictions HIPAA places on information sharing and the circumstances under which PHI can be shared with other entities without the need to obtain prior authorization from patients.

 

The feedback HHS is seeking will be used to assess what aspects of HIPAA are causing problems, whether there is scope to remove certain restrictions to facilitate information sharing, and areas of misunderstanding that call for further guidance to be issued on HIPAA Rules.

 

HIPAA does permit healthcare providers to share patients’ PHI with other healthcare providers for the purposes of treatment or healthcare operations without authorization from patients. However, there is some confusion about what constitutes treatment/healthcare operations in some cases, how best to share PHI, and when it is permissible to share PHI with entities other than healthcare providers. Simplification of HIPAA Rules could help in this regard, as could the creation of a safe harbor for good faith disclosures of PHI for the purposes of case management and care co-ordination.

 

While the HHS is keen to create an environment where patients’ health information can be shared more freely, the HHS has made it clear that there will not be any changes made to the HIPAA Security Rule. Healthcare providers, health plans, and business associates of HIPAA-covered entities will still be required to implement controls to ensure risks to the confidentiality, integrity, and availability of protected health information are managed and reduced to a reasonable and acceptable level.

 

In addition to a general request for information, the HHS will specifically be seeking information on:

 

The methods of accounting of all disclosures of a patient’s protected health information
Patients’ acknowledgment of receipt of a provider’s notice of privacy practices
Creation of a safe harbor for good faith disclosures of PHI for purposes of care coordination or case management
Disclosures of protected health information without a patient’s authorization for treatment, payment, and health care operations
The minimum necessary standard/requirement.


While the RFI is likely to be issued, there are no guarantees that any of the comments submitted will result in HIPAA rule changes.

Few Things Physicians are Not Doing to Comply with HIPAA.

Shortly after the Health Insurance Portability and Accountability Act (HIPAA) was implemented, David Zetter was at a doctor's office helping the group build a compliance plan. He was in the back of the practice training some of the staff when the receptionist walked in and handed him a piece of paper.

 

The note was from a patient saying she could see everyone's names and files at the front desk and she knew that was a HIPAA violation.

 

More than a decade later, HIPAA compliance has become ingrained: Files are not left out in the open, patient information is not improperly disclosed, and doctors do not leave health-related messages on answering machines. It is routine to have every patient sign a HIPAA release and go about your business.

 

But compliance is not a one-and-done activity as much as an evolution of rules and procedures. Compliance gurus bet there are at least a few things physicians are not doing to comply with HIPAA.

 

Make a plan
One main thing that practices should have is a compliance plan, but many do not, said Zetter, founder of Zetter Healthcare Management Consultants. “They buy a cheap manual off of the internet and think that works,” he said. “But it cannot be implemented that way; it wasn't set up for your practice.”

 

Even state medical societies sell how-to manuals, but Zetter said this is only a document meant to guide you through creating a compliance plan, not the plan itself.

 

Sample HIPAA compliance plans and instructions for completing one can be found online. The Massachusetts Medical Society provides a document with a checklist and tips to help doctors develop their own documents.

 

Analyzing compliance
The second thing that needs to be completed is a gap analysis. A gap analysis is used to determine what the organization is doing and what it should be doing. Zetter said an office needs to take each section of the regulation, see what is required and compare it with what is being done. Detailed information on creating a gap analysis can be found at the North Carolina Department of Health and Human Services website.

 

Once gaps are identified, it is important to find ways to mitigate the potential problem areas. Physicians can do this by performing a risk analysis, which provides the basis for developing ways to cover themselves if an information breach should occur.

 

A risk analysis can arrive at whether there is a low, medium, or high risk of a HIPAA violation occurring, Zetter said. The greater the risk, the more resources are needed for prevention. All of this should be documented.

Staff Nurse Faces Jail Time for HIPAA Violations

Her breach of a patient's privacy jeopardized the clinic from which she was subsequently fired.

 

What began as routine file maintenance ended in arrest and possible jail time for a licensed practical nurse who shared a patient's medical information with her spouse.

 

Ms. A, 29, had been employed by a midsize regional clinic for five years. While she enjoyed her job and got on well with her supervisor, Dr. P, she was known to bemoan what she saw as low pay and the financial strain it created for herself and her husband. That strain intensified when her husband was in an auto accident and then sued by people in the other car seeking compensation for their injuries.

 

One day, as Ms. A was flipping through charts to straighten up the files, she saw the plaintiff's name. Reading the chart with great interest, she jotted some notes, stuck them in her bag, and replaced the file. That night, as her husband complained about the impending lawsuit and its potential financial consequences, Ms. A smiled and reached into her bag for the notes she'd taken earlier. “I think this will help,” she said.

 

The next day, Mr. A phoned the patient. During the conversation, he made it known that he had medical information which he believed weakened the man's case. Mr. A suggested that he consider dropping the lawsuit.

 

After hanging up with Mr. A, the patient made two phone calls. First he called the clinic where Ms. A worked. Then he called the district attorney.

 

The next morning, Ms. A was summarily fired. “You may very well have put this whole clinic in jeopardy,” Dr. P told her.

 

After Ms. A left the building, Dr. P called a meeting of all the nurses, physician assistants, and support staff and explained why Ms. A had been fired. Outlining the laws on patient privacy, he informed them that no breach of these laws would be tolerated under any circumstances.

 

Meanwhile, Ms. A's problems were just beginning. The district attorney forwarded the patient's complaint to a federal prosecutor, and within a month, both Ms. A and her husband were indicted. Ms. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with “conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute.” Her husband was charged with witness tampering. The couple hired a criminal defense attorney, who negotiated a plea agreement with the federal prosecutor. Ms. A pleaded guilty to one count of wrongful disclosure of individual health information for personal gain. In exchange for her plea, the charges against her husband were dismissed.

 

Ms. A is awaiting sentencing. She faces up to 10 years in prison, a fine of as much as $250,000, and up to three years of supervised probation. The state nursing board is seeking to revoke her license.
