HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Compliance Guidelines for Email & Social Media 


HIPAA applies to both the storage and transfer of electronic protected health information, so electronic communications that may include patient data must be handled with care. This includes email communication between patients and healthcare providers, as well as social posts from healthcare companies and their employees. As more patients adopt an email communication preference and more healthcare providers succumb to the pressures of maintaining a social presence, the possibilities of HIPAA violations grow.


To ensure you’re taking the necessary steps to uphold HIPAA compliance standards in your electronic communications, follow these guidelines:

#1: Validate Your Email Security

If you’re sharing sensitive patient data via email, you must use encryption to protect patient privacy. How do you ensure your emails are encrypted and fully HIPAA compliant? Here are a few tips:

  • Adopt a HIPAA compliant email service.
  • Check your current email client for an encryption security setting and request a signed business associate agreement.
  • Set up a secure patient portal for provider-patient communications.
  • Avoid including electronic protected health information (ePHI) in the body of your emails.
  • Manually encrypt any ePHI files sent via email.
  • Include a privacy statement at the bottom of every email.

#2: Get Proper Patient Consent

Consent is an important—and necessary—part of ensuring patient privacy. If you want to engage patients in any sort of electronic communication, you must get them to accept the inherent risks and provide documented consent. Here are some scenarios where this consent is a must:

  • Before communicating with your patient via email
  • Before transmitting any sensitive patient data via email
  • Before publishing a patient testimonial on your website
  • Before sharing a patient photograph on your social channels
  • Before posting details of a patient procedure on your social channels

#3: Create Detailed Office Policies

To ensure HIPAA data privacy remains a top priority for employees during email or social media exchanges, you should develop clear office policies for these types of communication. Here are some of the guidelines your policies should include:

  • When and where to share privacy statements
  • What types of information may or may not be sent via email
  • How to avoid HIPAA pitfalls when using social media
  • Which employees may or may not transmit ePHI
  • When to obtain patient consent

#4: Err on the Side of Caution

If you want to stay on the right side of HIPAA, the best policy is to be extremely cautious about the information you share electronically. Simply avoid any electronic communication that falls into a HIPAA compliance gray area. Here are a few best practices to get you started:

  • Don’t publish a social post that includes any details about a patient’s circumstances
  • Establish appropriate electronic boundaries with patients
  • Don’t give medical advice via email or social comment
  • Allow just one or two individuals to post to social media on your office’s behalf
  • Don’t address complaints on social media
Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


How to Keep Your ePHI Protected with HIPAA Compliance? 


There has been quite a fuss lately over offering patients greater access to their health records, particularly with the introduction of Apple’s EHR app, which promises to bring electronic health records into patients’ pockets and introduce the era of bring-your-own-data in healthcare. But often that desire to bring patients into the fold gets quashed by a fear of cybersecurity and HIPAA compliance around health information.


Recently, for instance, a man was stopped from taking a photo of his own X-ray when a radiologist feared it might violate HIPAA regulations, which kicked off a discussion of similar incidents on Twitter. These incidents arise mainly because providers simply don’t understand the ramifications of HIPAA and other health IT laws — and where to draw the line with access.


Indeed, understanding the nuances of these regulations is particularly difficult now that technology affects all corners of healthcare: from telemedicine to remote patient monitoring to consumer glucose monitors to smartphones with thousands of health apps. This ubiquity has created new challenges for providers and patients, particularly when it comes to ensuring the privacy and security of patients’ protected health information (PHI) in accordance with regulations, such as HIPAA and the HITECH Act.


What Is the HITECH Act of 2009?


The Health Information Technology for Economic and Clinical Health Act, better known as the HITECH Act, was signed into law in February 2009 as part of the American Recovery and Reinvestment Act, which sought to address new needs as healthcare IT infrastructure began to expand and change exponentially. In particular, this legislation incentivized providers to adopt EHR systems, as well as expanded security and compliance requirements.


Moreover, it allowed the Health and Human Services Department to expand its enforcement of HIPAA requirements with the aim to increase provider vigilance and consumer confidence in how patient data is handled and secured. With this in mind, it can seem understandable that the waters around patients’ access to data can be quite murky.


New Data Privacy Challenges for Providers


Traditionally, healthcare providers have been held responsible for all aspects of privacy and security of patient data because they have created and controlled it. But boundaries shifted once electronic medical records came into play. The roles surrounding data privacy and ownership are now blurred.


One of the main challenges that come with this change in ownership involves the use of smartphones by patients — in particular, patients using those devices to capture elements of their own medical data. The story of the man who was stopped from taking a photo of his own X-ray is not unusual. Often providers are reluctant to grant certain types of access, claiming that it would violate HIPAA, but most of the time that’s not the case.


What Are the Medical Records Release Laws?


In September 2015, the Office for Civil Rights, a division of HHS, issued guidance for consumers regarding medical record release laws that sought to encompass both HIPAA and HITECH guidance.


Patients have the right to:


  • See and get a copy of their medical records
  • Have errors and omissions in their medical records corrected (or their disagreements documented)
  • Get a paper or electronic copy of their medical records
  • Request the provider send their medical records to another party with permission


While there is fear from a provider’s point of view, the language in this guidance is clear and specific. It broadly provides patients access to their medical data and does not specifically limit patients’ methods of acquisition.


Patients have the right to see any single element of their record or the entire set of data, except for the few exclusions HIPAA has set aside (these exclusions are minimal and not relevant in this discussion). Diagnoses, lab results, a picture of a cut or an X-ray image are all part of the medical record.


If patients are legally permitted to see and obtain a copy of their records in their preferred form and format, then it follows that the patient should be able to take a picture of that information during an office visit or consultation with their provider.


While the story of the man who was stopped from taking a photo of his X-ray garnered plenty of attention, many times doctors do allow patients to take pictures. For example, a patient in an emergency department had a gash in her hand from a dropped glass. She asked the doctor if she could take a picture of her hand while the glass was being removed. The doctor said yes. The patient posted a few of the pictures on her social media site. The photos include the physician’s hands but no identification of the provider.


Provider Concerns in the Bring-Your-Own-Data Era


While there is some hesitation around protecting ePHI, HIPAA is clear: Patients have the right to their own medical data in any form or format. Although the provider traditionally owns the systems that record and manage that data, they don’t own the data itself. A patient can use technology (including a smartphone) to copy that data, even if it’s on a computer screen in a physician’s office. Some providers will ask for a signed release, but that is not specifically required.


Patients must also understand that once they are in possession of that data, whether it’s a photocopy, electronic copy or photograph, they are solely responsible for the privacy and security of that data.


Provider concerns are twofold. First, there is a concern they will still be held accountable for the privacy and security of patient data they no longer control. Second, providers have traditionally controlled access to medical records because, as the creators of the data, they were uniquely qualified to interpret and act upon that data. With the consumerization of healthcare, many patients are taking an active and informed role in their own care. This requires access to the entire medical record, not just limited portions decided by the provider.


Studies show that engaged and informed patients have better outcomes. Providing access to medical records through viable technologies, including web portals, apps or even smartphone cameras, is the new reality of care. Patients are now included as part of the care team and are responsible for the privacy and security of the data they handle — their own. The next step may be helping patients understand the importance of protecting that health data.


What Happens If a HIPAA Breach Affects Fewer than 500 Individuals at a Healthcare Facility? 


If your healthcare practice must comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations, a breach of protected health information may require patient and government notifications.  

HIPAA provides data privacy and security provisions for safeguarding medical information, and if that information is compromised either through a breach of your information system or sheer carelessness on the part of an employee, you may be subject to heavy monetary penalties.

But what qualifies as a HIPAA breach, what happens if it affects a limited number of your patients, and what are you required to do?

Rules That Apply

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. Such impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least these factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
2. The unauthorized person who used the protected health information or to whom the disclosure was made;
3. Whether the protected health information was actually acquired or viewed; and
4. The extent to which the risk to the protected health information has been mitigated.

Those affected by this rule have discretion to provide the required breach notifications without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.” The first applies to “the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”

The second exception involves “the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.”

In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

The final exception applies “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.”

In addition to notifying affected individuals and the media (when appropriate), you must notify the Office for Civil Rights (OCR) of breaches of unsecured protected health information by visiting the Health and Human Services (HHS) web site and filling out and electronically submitting a breach report form. If the breach affects 500 or more individuals, covered entities must notify the OCR without unreasonable delay and no later than 60 days following the breach.

Deadline Approaching

If the breach affects fewer than 500 individuals, your practice must notify the OCR no later than 60 days after the end of the calendar year in which the breach is discovered. This means that if your practice has experienced a breach affecting fewer than 500 individuals and it has not been reported yet, you have until March 1, only a few days away, to file the notification.

If you experience a breach affecting more than 500 residents of your State or jurisdiction, you must provide notice to media outlets serving the State or jurisdiction, as well as notify the affected individuals. This notification will likely be in the form of a press release to the appropriate media outlets; it must be provided no later than 60 days following the discovery of the breach and must include the same information required for the individual notice.
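The rules above (presumption of breach, the three exceptions, the four-factor risk assessment, and the 500-individual thresholds with their 60-day and year-end deadlines) are easiest to apply consistently when written down as decision logic an incident-response playbook can call. The following is an added example for this page, not code from the article, from HHS or from any vendor named here. The 60-day window for notifying affected individuals is taken from the Breach Notification Rule itself, which the article does not state; every date, count and state name below is constructed.

```python
"""Decide HIPAA breach-notification obligations from the rules summarised above.

Added example, not from the article. Thresholds: 500 or more individuals for
prompt OCR notice, more than 500 residents of one state for media notice,
60-day windows, and year-end accounting for smaller breaches.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, Optional


class BreachException(Enum):
    """The three exceptions to the definition of "breach" listed in the article."""
    NONE = "none"
    GOOD_FAITH_WORKFORCE = "unintentional good-faith access by a workforce member"
    INADVERTENT_AUTHORIZED = "inadvertent disclosure between authorized persons"
    COULD_NOT_RETAIN = "recipient could not have retained the information"


@dataclass
class RiskAssessment:
    """The four factors the rule requires at a minimum; an empty string means 'not assessed'."""
    nature_and_extent: str = ""
    unauthorized_recipient: str = ""
    acquired_or_viewed: str = ""
    mitigation: str = ""
    low_probability_of_compromise: bool = False

    def is_complete(self) -> bool:
        # Only an assessment covering all four factors can rebut the presumption.
        return all((self.nature_and_extent, self.unauthorized_recipient,
                    self.acquired_or_viewed, self.mitigation))


@dataclass
class Incident:
    discovered: date                      # date the breach was discovered
    affected_total: int
    affected_by_state: Dict[str, int] = field(default_factory=dict)
    exception: BreachException = BreachException.NONE
    further_disclosed: bool = False       # defeats the first two exceptions
    assessment: Optional[RiskAssessment] = None


OCR_PROMPT_THRESHOLD = 500   # "500 or more individuals" -> prompt OCR notice
MEDIA_THRESHOLD = 500        # "more than 500 residents" of a state -> media notice
NOTICE_WINDOW = timedelta(days=60)


def is_reportable_breach(inc: Incident) -> bool:
    """Presumed a breach unless an exception applies or a complete assessment shows low probability."""
    if inc.exception in (BreachException.GOOD_FAITH_WORKFORCE,
                         BreachException.INADVERTENT_AUTHORIZED):
        # These two exceptions hold only if the information was not further
        # used or disclosed in a manner the Privacy Rule does not permit.
        if not inc.further_disclosed:
            return False
    if inc.exception is BreachException.COULD_NOT_RETAIN:
        return False
    if inc.assessment is not None and inc.assessment.is_complete():
        return not inc.assessment.low_probability_of_compromise
    return True   # incomplete or missing assessment: the presumption stands


def notification_deadlines(inc: Incident) -> Dict[str, date]:
    """Return who must be notified and by when; an empty dict means no notification duty."""
    if not is_reportable_breach(inc):
        return {}
    prompt = inc.discovered + NOTICE_WINDOW
    deadlines = {"individuals": prompt}
    if inc.affected_total >= OCR_PROMPT_THRESHOLD:
        deadlines["ocr"] = prompt
    else:
        # Smaller breaches are reported within 60 days of the end of the
        # calendar year of discovery: March 1 of the next year (Feb 29 if leap).
        deadlines["ocr"] = date(inc.discovered.year, 12, 31) + NOTICE_WINDOW
    for state, residents in inc.affected_by_state.items():
        if residents > MEDIA_THRESHOLD:
            deadlines[f"media:{state}"] = prompt
    return deadlines


if __name__ == "__main__":
    # Constructed scenario: a misdirected mailing discovered in January, 120 people affected.
    small = Incident(discovered=date(2018, 1, 15), affected_total=120,
                     affected_by_state={"ExampleState": 120})
    for party, due in notification_deadlines(small).items():
        print(f"{party}: notify by {due}")
```

Running the scenario in the block prints an individual-notice deadline of 2018-03-16 and an OCR deadline of 2019-03-01, which is the March 1 date the article refers to. Swapping in 700 affected individuals moves the OCR deadline to 60 days after discovery and, for any state with more than 500 of them, adds a media entry.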

Don’t Leave Anything to Chance

As you can see, HIPAA breach notification requirements are quite stringent and can be complex. If your practice has experienced a breach, the HIPAA compliance experts and former criminal investigators at Colington Consulting can rapidly respond on-site to assist your practice in conducting a HIPAA breach investigation. Their investigative process uses a systematic approach to quickly determine how the breach was caused.


HIPAA Compliance and the HITECH Act in 2018


HIPAA compliance is an essential part of running a medical practice. The current incarnation of the HIPAA regulations has been in place since 2003 and hasn’t changed much in the intervening years — until now, that is.


The HITECH Act (Health Information Technology for Economic and Clinical Health), which was signed into law in 2009, is expected to be fully adopted this year. What does the HITECH Act mean for HIPAA compliance, and what are the changes you need to make to your practice to ensure you’re in compliance with both HIPAA and HITECH?


Overview of the HITECH Act


The HITECH Act was designed to expand the types of businesses covered by HIPAA. It requires not only medical professionals to be HIPAA compliant, but any subcontractors, companies that cover the transmission of protected health information (PHI), electronic prescription gateways and patient safety organizations to also be in compliance with HIPAA regulations.


This doesn’t make any changes to the currently established exceptions to HIPAA’s business associate standard.


HITECH was also designed to focus more on the patient than HIPAA, allowing patients to more directly access their electronic health records (EHR). This also demands patients be informed by their provider if their health records are compromised in any way.


The act encouraged “meaningful use” of electronic health records, helping to improve communication between healthcare facilities in direct relation to patient care.


Universal Compliance


If your practice or facility has an IT security department, it’s probably entirely different than the ones that are part of other businesses surrounding you. Network security is usually managed by many different departments or even different businesses, making universal security compliance difficult to manage.


The new HIPAA/HITECH overlap mandates universal compliance. This makes security simpler and easier to maintain for workers while still ensuring the safety of patient PHI.


One solution that is being suggested is the use of “smart cards” which will act as employee identification, a security access token, and authenticator, all in one simple card. This helps to keep the system more regulated because you don’t have to worry about carrying — and potentially losing — multiple cards or remembering long identification numbers.


Know Your Compliance

How can you determine if your practice is compliant with both HIPAA and the HITECH Act? You can go over the rules yourself, but these laws are so sweeping and expansive that it’s easy to miss something that could end up costing you thousands of dollars.


If you’re still concerned about your current HIPAA and HITECH Act compliance, hiring a professional Privacy Officer can help you evaluate your current practices and ensure that you are checking all the boxes when it comes to meeting your obligations.


Changes in Fines


HIPAA fines, until now, have been standard — unfortunately, they often weren’t costly enough to discourage HIPAA violations. Before HITECH was enacted, it was impossible to impose fines of more than $100 for individual offenses or $25,000 for all offenses at the same time.


The new overlap has changed the cost of violating the HIPAA or HITECH Act. These offenses are broken into three categories, based on the intent of violation.


Violations in the Did Not Know category are the only ones that may still generate a $100 fine. The change here is that the U.S. Department of Health and Human Services now has the option to charge between $100 and $50,000 for each violation, with a total fine of $1.5 million for identical offenses in a calendar year.


Reasonable Cause violations will start at $1,000 with the same $1.5 million caps for identical violations.


Willful Neglect fines fall into two categories — corrected and not corrected. Fines for corrected Willful Neglect charges will range from $10,000 to $50,000. Fines for not corrected violations start at a minimum $50,000 each.


HIPAA and the HITECH Act are both essential tools for ensuring the security of patient health information. Take the time to verify, alone or with a professional, that you are in compliance with both acts so you can continue to serve your patients without the worry of massive fines for privacy violations.


HIPAA & Texting


In recent years, a great number of medical practices have embraced text messaging as a popular means for communicating to both patients and their internal staff members. Despite the convenience and time saving benefits, healthcare providers and staff must be aware of potential consequences when texting Electronic Protected Health Information (ePHI). Text messaging includes any communication service or application that enables the transmission of electronic written messages between two or more mobile devices. This includes both Short Message Service (“SMS”) text messaging and other service providers like iMessage, WhatsApp, etc.

The Challenges

Under HIPAA, healthcare providers must maintain the confidentiality, integrity, and availability of all ePHI created, received, maintained, or transmitted by a covered entity. Unfortunately, text messaging presents multiple threats to meeting some of those requirements, including:

  • Standard SMS messages are not encrypted
  • Sender does not have the ability to “control” if/when the message is discarded upon viewing
  • No clear path to verify the reader’s identity which opens the door to unintended recipients, AKA a HIPAA breach

Even well-intentioned providers who find ways to implement and oversee texting security measures must also think about documentation. Any exchange between providers regarding a patient’s condition must also make its way into the patient’s medical record. Unless the provider integrates text messaging with their EMR, it can be difficult to ensure appropriate documentation.

What Does HIPAA Say?

Unfortunately, the HIPAA laws and the Office for Civil Rights (OCR) do not outline anything specific regarding texting requirements. Any and all forms of communication present some level of risk, and it is the healthcare provider’s responsibility to ensure privacy and security while data is being exchanged.

Despite the lack of HIPAA specifications regarding texting, providers should keep in mind a general adherence to the HIPAA Privacy and Security Rules. Both have different objectives and controls for navigating the secure sending of ePHI:

  • HIPAA Privacy Rule – Limits provider disclosure of ePHI only to authorized individuals or entities.
  • HIPAA Security Rule – Requires that providers protect patients’ sensitive data from any threats to access or disclose PHI to unauthorized individuals or entities and, should a breach or unauthorized disclosure occur, have a remediation plan.

Best Practices

Despite the risks, a provider can take steps to reduce the likelihood of a breach or HIPAA violation while utilizing text messaging. Any sensitive ePHI that might be stored locally on a device should be encrypted, so that it remains protected in the event of loss, disposal or theft. Additionally, the text might be stored at the server level (phone carrier).

The following safeguards can help protect PHI along with establishing compliant communication:

Security Risk Analysis (SRA) – While conducting an SRA, a healthcare provider will identify where ePHI is created, received, maintained, and transmitted. For texts, ePHI will primarily be created, received, and maintained on mobile phones.

Limit PHI – Whenever possible it is best to text with limited or no PHI included in the message, examples: appointment confirmations, instructions to call the office to receive test results, etc.

Policies and Procedures – Ensure texting is included in the policies and procedures, specifically Administrative and Technical policies. It is important to outline what is acceptable to text along with an outline of steps should a text be sent to the wrong patient/incorrect recipient.

Workforce Training – A well-trained workforce is any healthcare provider’s best defense against unauthorized PHI exposure. Workforce training should cover the sharing of information, securing authorized devices and using secure third-party apps that permit sharing information in a secure way.

Waivers and Intake Forms – Ensure all patient forms are up-to-date with all the current HIPAA requirements. The forms should plainly state which methods the patient allows the provider to use to contact him/her. Additionally, forms should state who besides the patient can receive their information and what can be sent.

Notice of Privacy Practices – A Notice of Privacy Practices should be standard operating procedure for providers and distributed to all patients. If the provider has included text messaging as part of their communication model, ensure the Notice of Privacy Practices includes texting.
