HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

HIPAA Compliance Keeping Medical Records Private 


HIPAA (the Health Insurance Portability and Accountability Act) became law in 1996 and transformed the requirements and practices that protect patient rights, privacy, and security. Where earlier laws were unclear or insufficient, HIPAA introduced a federally mandated and regulated standard. However, the healthcare businesses that must comply still have to navigate complex rules and make sure the regulations are actually being followed.

Who needs to follow HIPAA?

The first question is, do you need to comply with HIPAA? A “Covered Entity” under HIPAA includes any person or company that provides medical, dental, or other healthcare services and transmits the protected health information (PHI) of patients electronically. That could mean sending prescriptions to pharmacies, bills to insurance companies, or emails to patients. It also includes any vendors that create, transmit, receive, or store PHI on behalf of a Covered Entity. These vendors are known as “Business Associates” and include services like EMR/EHR, information technology support, data analytics, health app developers, and in some cases, website hosting companies. Any organization that handles or sends PHI in electronic form must comply with HIPAA.

What steps do I need to take?

If you or your company is a covered entity or a business associate under HIPAA, it is your responsibility to keep protected health information secure by following the HIPAA Security Standards and Implementation Specifications. These include:

· Developing written privacy policies – and, before this step, becoming familiar with the law so that comprehensive privacy and security policies can be developed.

· Designating a privacy officer and a security officer – no matter how small the organization, these officers must be appointed and are responsible for HIPAA compliance.

· Conducting annual risk assessments – perform a risk assessment each year and record the findings. Assessments must be documented, accurate, and comprehensive in identifying vulnerabilities and threats to PHI.

· Developing information assurance policies for the electronic transmission of communications, including email and the use of mobile devices that have access to PHI.

· Distributing a notice of privacy practices to all new patients, if you are a covered health care provider.

· Using Business Associate Agreements with any outside company that will have access to PHI.

· Developing and implementing a breach response procedure, including how to determine the timing and extent of a data breach.

Demonstrating HIPAA compliance

Your organization must be able to provide proof that you and your employees are following the rules outlined by HIPAA. If there is a security breach and PHI is improperly handled or disclosed, the investigation may result in a penalty or in a settlement agreement that includes a required corrective action plan. It is important to understand that the burden of demonstrating compliance rests with the organization.

You will have to show that your organization has conducted a HIPAA risk assessment, has provided annual training for the whole workforce, and has written policies and procedures for protecting PHI.

Technical Dr. Inc.'s insight:
Contact details: inquiry@technicaldr.com or 877-910-0004


Make sure your HIT security system meets these 6 criteria to avoid medical identity theft


With the mandate from government across the healthcare industry to start putting all medical records online, more attention is being given to the protection of Personal Health Information (PHI). You can draw obvious conclusions about how personal and sensitive information could be misused if improperly disclosed. Some fear that it might be used to deny insurance coverage, impact employment, or lead to discrimination. The Health Insurance Portability and Accountability Act (HIPAA) establishes a baseline of protection that applies to health care providers and insurers throughout the United States. Its privacy requirements mandate the protection of sensitive personal information. However, there is another “health related” twist on the protection of sensitive information – medical identity theft.

According to the 2013 Survey on Medical Identity Theft, medical fraud increased nearly 20 percent in the past year, affecting an estimated 1.84 million American adults and costing victims $12.3 billion in out-of-pocket medical expenditures.

Medical fraud can occur in a number of ways—including medical personnel billing a health plan for fake or inflated treatment claims, falsifying information to obtain prescription drugs, and using another individual’s information to obtain free medical care. Often, these crimes are committed through the illegal purchase of Personally Identifiable Information (PII) or through the unethical actions of healthcare providers. Whether accidental or deliberate, health care fraud leads to loss of trust in providers, hefty fines, and loss of license. For example, Columbia/HCA was required to pay $1.7 billion in fines, penalties, and damages for Medicare fraud.

This is perhaps the most frightening of all forms of identity theft, although not the most widely discussed. Medical identity theft occurs when someone uses a person’s name or other parts of their identity — such as insurance information — without the person’s knowledge to obtain medical services or goods. While the thief’s intention is to obtain medications or prescriptions, or to falsely bill insurance providers, the risk to the victim may be quite serious – the false entries in the victim’s record can lead to inappropriate and improper medical treatment. While this is a critically important issue, little data on it exists and little research has been done.

In addition to the cost to each individual victim, medical identity theft creates a huge financial burden on public health systems. In May of 2009, the US Department of Justice (DOJ) and the Department of Health and Human Services (HHS) announced the creation of the Health Care Fraud Prevention and Enforcement Action Team (HEAT). Focusing primarily upon Medicaid and Medicare fraud, this program has sought to recover billions of dollars of taxpayer money improperly billed against these systems – fraud that affects not only the long-term solvency of the system, but also the vulnerable population it serves. In 2011, HEAT coordinated the largest-ever federal health care fraud takedown, involving a total of $530 million in fraudulent billing.

Health insurance and medical services organizations can help prevent medical identity fraud by implementing technology to counteract attacks and monitor their customer databases for possible data breaches. When selecting the correct technology for your organization, be sure to select a solution that can do the following:

  • Discover data across multiple information gateways in your enterprise in order to shed light on dark data and other potential sources of risk. Sensitive information may not be obvious at first glance but can open up an organization to an array of issues if leaked.
  • Scan content in motion or at rest against out-of-the-box or customized checks for a wide range of privacy, information assurance, operational security, sensitive security information, and accessibility requirements. Organizations require different levels of security based on regulations, subject matter, and size. Be sure to select a technology with a solid framework that can be customized based on your needs.
  • Drive enterprise classification and taxonomy with user-assisted and automated classification for all content.
  • Take corrective action automatically to secure, delete, move, quarantine, encrypt, or redact content that matches a defined risk. These automated actions can reduce costs by eliminating the need for additional hiring to continuously monitor information security initiatives.
  • Enhance incident tracking and management with an integrated incident management system in addition to trend reports and historical analysis to measure your organization’s improvements over time.
  • Monitor data and systems on an ongoing basis to demonstrate and report on conformance across your enterprise-wide information gateways and systems.

There is much research still to be done on this subject. It’s easy to extrapolate that if there are billions of dollars in Medicare fraud, those false claims may in fact be entered into the medical records of unsuspecting individuals. We don’t yet fully understand those consequences. So while it may seem like one of those cautionary tales that are simply outrageous and could never happen to you, the best advice is to “Never say never” and do what you can to protect your information. Always remember that an ounce of prevention is worth a pound of cure.


Social Media and HIPAA Compliance: What Medical Professionals Should Know 


Social media is fast becoming one of the most impactful marketing channels for medical professionals; however, HIPAA regulations must be taken into account.

More than ever before, medical professionals are using social media every day in both their personal and professional lives. Of course this isn’t a bad thing: physicians, nurses, and other practitioners are in a unique position to engage and educate current patients and others in search of treatment. However, when used incorrectly, social media can be a veritable minefield with regard to HIPAA regulations for patient confidentiality. So in the interest of keeping those tweets flowing, let’s run through four easy ways to maintain compliance with these regulations.

1) Don’t Talk About Patients (Even When it’s Subtle)

HIPAA regulations for patient confidentiality may seem complicated, but they all essentially boil down to one key point: don’t share your patients’ personal information. Few medical professionals would post something as obviously problematic as “John Smith from Cherry Street came in last night with such-and-such medical condition,” but that’s far from the only way to incur a violation. Rather than taking the risk of accidentally broadcasting protected information like specific appointment times and diagnoses, avoid the issue altogether by never referring to an actual case or visit.

That said, medical professionals should absolutely post interesting and relevant information on their professional social media accounts. Just be sure to always keep things in broad terms — talk about specific conditions or treatment options, not specific patients.

2) Don’t Like, Share, Retweet, or Regram Your Patients’ Posts

Even if you don’t share the information yourself, it’s still possible for a physician to breach his or her patient’s confidentiality. One way to do so is by engaging with a specific patient on any social platform. Even if your patient chooses to post his or her medical information in a public forum, sharing this post with your own network could land you in hot water.

The easiest way to avoid this issue is by doing something that’s fairly intuitive: create separate accounts for your professional and personal activities.

3) Don’t Post Pictures of Patients or Their Documentation

When it comes to HIPAA compliance, one key mistake that should always be avoided is posting pictures of real-life patients. Even if you’re celebrating something as meaningful as a patient’s recovery from a serious illness or injury, sharing a photo of their likeness still counts in HIPAA’s eyes as a forbidden personal identifier. Another thing to keep in mind when posting photos from around the office or clinic: a patient’s files can accidentally get caught in the background. Always triple-check that your image is free of any potentially confidential paperwork or other materials.

It may sound easier to rule out photos of your workplace altogether, but warm, engaging imagery bolsters patient trust in your medical brand — in some cases increasing conversion rates by as much as 95%. Just be smart about the photos you share with your network.

4) Don’t Send Confidential Information Through Direct Messages

Switching over to direct messages might seem like an easy loophole in all of the regulations outlined above, as the interface of any social media platform would have you think that such messages are private and confidential. However, doing so would risk violating another one of HIPAA’s major tenets: the Security Rule, which mandates that all electronic protected health information (ePHI) is stored in such a way that it is secure from potential data breaches, leaks, or any other form of unwanted disclosure. Most social media messaging services do not meet HIPAA’s standard for compliance with this rule, and thus they should never be used to share patient data or health records with colleagues or even the patients themselves.

Luckily, a number of medical industry apps — such as DrFirst’s Backline — offer secure messaging platforms that are in compliance with HIPAA’s Security Rule. So keep the sharing away from Twitter DMs and Facebook Messenger and stick to the software and services that guarantee both compliance and conversions.
