HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

A Doctor's Guide to HIPAA Compliance in 2017

HIPAA compliance in 2017 is a key issue that many doctors are focused on.

Since 1996, the Health Insurance Portability and Accountability Act (HIPAA) has been in place, giving physicians and their teams good reason to guard patient privacy closely.

Depending upon the type of breach, physicians can be liable for between $100 and $50,000 for each violation. The maximum penalty is $1.5 million for violations of an identical provision during a calendar year. Some HIPAA violations can lead to imprisonment in extreme circumstances. This is why HIPAA compliance in 2017 is such an important factor for doctors.

To ensure that your practice has effective HIPAA compliance in 2017, here are 5 steps to follow:

1) Correct Sharing of Patient Information

If your staff discuss patients’ names, addresses and/or insurance plans at check-in, you are technically breaching patient confidentiality. Make sure patients and office staff have a way to discuss insurance or a change of address in private. Also, create a quiet place for phone calls to take place. Even if you’re just calling a patient to set up or confirm an appointment, it is better to do this in a private area if possible.

2) Secured Paper Files

While paper charts are slowly becoming a relic, it is important that past files are stored securely. Doctors who have moved to using an EHR for all patient records may still have old patient files that need to be transferred. Once the conversion from paper documents to electronic format is complete, be sure to shred any paper patient records before you dispose of them.

If your medical practice still uses paper documents, be sure not to leave them in unsecured or unattended areas. This includes charts, paperwork and forms that patients bring in from other practices; make sure these are filed and stored securely as well.

3) Encrypted Emails

Never underestimate the importance of email encryption, even for seemingly innocent files. Using standard, non-encrypted email services such as Gmail, Outlook, Yahoo and other well-known providers puts your information at risk of unauthorized access. For this reason, you should consider an encrypted email or file-sharing service for pertinent patient information.

When sending bulk emails to patients, or many emails in a row, it is easy to overlook the address it is being sent to. You can put patients at risk and you can lose their trust, simply because you didn’t double-check your recipient address or an email attachment.

This is one of those areas where slow, steady careful checking pays off.

4) HIPAA Secured Patient Portals

If you use or are considering creating a patient portal, ensure it requires a secure login. No personal patient information should be accessible without a username and password.

If sharing information with family members of patients, be sure to get written authorization from the patient first. A good practice is to require identity verification for password reminders. You can also remind patients to access their patient portal when they have a secure internet connection (i.e. not in public places).

5) Ensure your Telemedicine platform is HIPAA compliant

Some doctors have considered using Skype or FaceTime to communicate with patients. While they are great free platforms for video chat, the reality is that they weren’t designed to be HIPAA-compliant.

The challenge is that even though a doctor can ensure their own Internet connection is secure, there is very little they can do to make sure everything is secure on the patient’s receiving end.

Another option is to ensure there is a Business Associate Agreement in place with the vendor. The same security issues arise with text messaging, so be sure to use HIPAA-compliant texting tools there as well. Ideally, the solution is to use a HIPAA-compliant application designed specifically for telemedicine.

Doctors may have several HIPAA violations without getting fined, but that doesn’t mean those violations aren’t a negative for your practice. HIPAA compliance in 2017 is as important as it has been for the past 20 years.

When doctors treat patient information with caution, they can enjoy the peace of mind that comes with being HIPAA compliant.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


HIPAA Compliance When Selling a Health Care Practice

When considering the sale of your healthcare practice (regardless of whether you are a physician, physical therapist, dentist, optometrist, etc.), you will undoubtedly be confronted by a litany of questions:

  1. Valuation – how do I ensure I get a fair price?
  2. Type of Sale – am I selling assets or majority of stock/shares/membership interest in the entity?
  3. Due Diligence – how much research and risk assessment must I do in regards to existing liabilities (for both myself and the buyer) as well as the security/financing of the buyer?
  4. Verification of State, Federal Regulatory Compliance – who is responsible for verifying compliance with Fraud and Abuse laws, Stark Law, Anti-Kickback Statute, HIPAA, Tax Exempt Status, Anti-Trust laws, etc.?
  5. Restrictive Covenant – duration? location? key employees?
  6. Assumption of risk, indemnity – how is it expressed and covered?
  7. Holdover – how long should I remain onboard and accessible to the buyer – as an employee or an independent consultant?
  8. Termination – what will trigger cancellation of the transaction?

 

All of these questions warrant consultation with an attorney with experience in structuring such transactions.

However, in addition to the traditional machinations of such a transaction, you will need advice from an attorney aware of the additional aspects of the healthcare profession that make the sale of a practice more difficult. Namely, you need to be aware of the requirements for patient consent to the transfer of files and for HIPAA compliance.


Notification Requirement to Patients

 

Pursuant to state and federal regulations, patients must be given the option to choose another health care provider and/or have a copy of their medical records sent to the physician of their choice. Specifically, medical records and other personal health information should not be transferred to another health care practitioner or practice without the patient’s informed consent. As such, when moving forward with a contemplated sale of a practice, it is important that the mechanics of informing patients of the contemplated sale and providing them the option to choose their own provider are incorporated into the timing of the transaction.

Unfortunately, this often leads to the sale of the practice taking much longer than the parties might expect.


Sharing Patient Files and Medical Records through Business Associate Agreement


As the above transition is unavoidable, buyers and sellers can and should embrace it. This can be accomplished by ensuring there is a holdover of the old practitioner within the new practice, either as an employee or as an independent contractor. Furthermore, the seller is permitted to share his or her patient files and medical records (i.e. PHI) with the buyer pursuant to a HIPAA-compliant Business Associate Agreement. This is permitted because the buyer, as a business associate, is using the PHI from the seller for “health care operations”, a permitted use under HIPAA. “Health care operations” include the business management and general administrative operations of the entity, including the sale, transfer, merger or consolidation of all or part of the covered entity with another covered entity.


The American Medical Association provides further guidance for the transfer of patient records upon the sale of a medical practice. Ethical Opinion 7.04 states, “The transfer of records of patients is subject, however, to the following: (1) All active patients should be notified that the physician (or the estate) is transferring the practice to another physician who will retain custody of their records and that at their written request, within a reasonable time specified in the notice, the records or copies will be sent to any other physician of their choice… (2) A reasonable charge may be made for the cost of duplicating records.”

 

Priming or Retaining Medical Records


Practitioners should also check state and federal regulations regarding recordkeeping and/or retention requirements. When selling or closing a practice, practitioners should review their medical records to ensure that the records contain all information and documentation required by state and federal law.

Medical record ownership is established by state law, licensing regulations, and judicial decisions. Generally, the practitioner's patient file and medical record is owned by the practitioner or corporate entity responsible for compiling and maintaining it, which also serves as the custodian of its contents. The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) expanded patients’ right to access, audit and amend their protected health information (“PHI”) pursuant to the HIPAA Privacy Standards. As custodian, the practitioner is responsible for informing the patient in writing of that role, as well as of how the patient may access the record and transfer its contents at will to third-party practitioners of their choosing. Practitioners, in this dual role as custodian and owner, must take special care regarding the destruction, retention, or transfer of medical records when their practice is sold or closed.

Practitioners who are selling or closing their practice should ensure that the control and ownership of medical records and the patient’s right to access them are specifically addressed prior to transferring or storing any medical records, in order to comply with applicable state law.


Patients willing to share health data, but only for a good reason

Patients are becoming more willing to share their health information publicly, but there is one caveat: It has to be for a good reason.

For the more than 3,000 respondents of a recent study, published in the Annals of Internal Medicine, the purpose for which their information would be used was even more important than being asked for their consent to use it.

David Grande, the study's lead researcher from the University of Pennsylvania Perelman School of Medicine in Philadelphia, called that finding "surprising," according to a Reuters article.

But, in fact, another recent study shows that a majority of patients would be willing to share their healthcare information with researchers, employers, health plans, and their doctors, FierceHealthIT previously reported.

Scenarios for how the information would be collected and used in the study varied, according to Reuters. In one instance, the respondents were asked if it is OK for drug companies to use people's health information to learn who uses their products. In another, they were asked if using patients' records to find which ones had diabetes in order to improve care would be an acceptable practice.

Many of the participants did not find the use of health information for marketing purposes acceptable, but were more approving of using the data to improve care or for research purposes.

"Although approaches to health information sharing emphasize consent, public opinion also emphasizes purpose, which suggests a need to focus more attention on the social value of information use," the study's authors concluded.

In addition, there is also an underlying current of fear about security when sharing information that could make patients think twice about the cause for which the information is being used. A recent example is the cyberattack on Sony Pictures that exposed the health information of many of the company's employees and their loved ones.




What Happens If a HIPAA Breach Affects Fewer than 500 Individuals at a Healthcare Facility? 

If your healthcare practice must comply with the Health Insurance Portability and Accountability Act (HIPAA) regulations, a breach of protected health information may require patient and government notifications.  

HIPAA provides data privacy and security provisions for safeguarding medical information, and if that information is compromised either through a breach of your information system or sheer carelessness on the part of an employee, you may be subject to heavy monetary penalties.

But what qualifies as a HIPAA breach, what happens if it affects a limited number of your patients, and what are you required to do?

Rules That Apply

The HIPAA Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third party service providers.

A breach is an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information. Such an impermissible use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate demonstrates that there is a low probability that the protected health information has been compromised, based on a risk assessment of at least these factors:

1. The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

2. The unauthorized person who used the protected health information or to whom the disclosure was made;

3. Whether the protected health information was actually acquired or viewed; and

4. The extent to which the risk to the protected health information has been mitigated.

Those affected by this rule have discretion to provide the required breach notifications without performing a risk assessment to determine the probability that the protected health information has been compromised.

There are three exceptions to the definition of “breach.” The first applies to “the unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate, if such acquisition, access, or use was made in good faith and within the scope of authority.”

The second exception involves “the inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or organized health care arrangement in which the covered entity participates.”

In both cases, the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.

The final exception applies “if the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.”

In addition to notifying affected individuals and the media (when appropriate), you must notify the Office for Civil Rights (OCR) of breaches of unsecured protected health information by visiting the Health and Human Services (HHS) web site and filling out and electronically submitting a breach report form. If the breach affects 500 or more individuals, covered entities must notify the OCR without unreasonable delay and no later than 60 days following the breach.

Deadline Approaching

If the breach affects fewer than 500 individuals, your practice must report it no later than 60 days after the end of the calendar year in which the breach is discovered. This means that if your practice has experienced a breach affecting fewer than 500 individuals and it has not been reported yet, you have until March 1, only a few days away, to file the notification.

If you experience a breach affecting more than 500 residents of your State or jurisdiction, you must provide notice to media outlets serving the State or jurisdiction, as well as notifying the affected individuals. This notification will likely take the form of a press release to the appropriate media outlets; it must be provided no later than 60 days following the discovery of the breach and must include the same information required for the individual notice.

Don’t Leave Anything to Chance

As you can see, HIPAA breach notification requirements are quite stringent and can be complex. If your practice has experienced a breach, the HIPAA compliance experts and former criminal investigators at Colington Consulting can rapidly respond on-site to assist your practice in conducting a HIPAA breach investigation. Their investigative process uses a systematic approach to quickly determine how the breach was caused.


HIPAA’s Role in Fostering Trust between Patients and Providers

The following scenario is true, but some of the details have been changed to protect the innocent, and the guilty. The setting is the cramped reception area of a small dental practice. The office manager, who also works the front desk, is on the phone there with a patient.

 

“Julie Jones? This is Dr. Burton’s office. Your lab results are in and they indicate you’ve tested positive for an STD. You’ll need to schedule an appointment as soon as possible with your primary care physician.”

 

Her voice drifts over into the nearby waiting room. A few people look up from the magazines they’ve been flipping through. One of them, who happens to be a neighbor of Ms. Jones, arches an eyebrow and softly clucks her tongue. Information that should be confidential between this office and patient is now dangerously close to public knowledge. With this particular neighbor in the know, people in Julie’s cul-de-sac will probably hear these results well before her current boyfriend.

 

Informing patients of test results is a normal and necessary part of the workday at every office that deals in healthcare. But in this case, having that conversation where it can be overheard violates Ms. Jones’ right to privacy, a right protected by the law known as HIPAA.

 

Privacy. A fundamental patient right.

 

With so much involved in running a successful healthcare practice today, it’s easy to understand how HIPAA has come to be viewed as more of a nuisance than a necessary part of good care. But at its core, HIPAA isn’t about extra logistical hassles or additional work, it’s really about best practices — and creating and maintaining a professional environment that protects every patient’s rights.

 

The relationship patients have with healthcare professionals is one that involves openness, honesty, and a deep level of trust. Patients tell their providers things about themselves that few others know, intimate details of their lives and health histories.

And they expect that their privacy will be respected – by their doctors and dentists, staff members, and other providers such as labs, X-ray services, and anyone and everyone involved in their treatment. Patients expect that outsiders will not be able to access their information, and that those who need to know will be able to view only the information that’s necessary for treatment.

 

This way of dealing with health information is more than professional courtesy, it’s a fundamental patient right – the very issue that HIPAA speaks to, ensuring that patients will know when their rights have been violated and can feel confident that the law will be enforced and violations punished.

 

If patient information isn’t protected, the effects can be far-reaching. In the wrong hands, a person’s health information can be used to tarnish his or her reputation or cause financial harm. In some cases, compromised information can even negatively impact care.

 

HIPAA helps keep patient data safe

Modern technology has facilitated the quick dispersal of information among various entities; HIPAA helps keep all that data safe. From installing firewalls in the office’s computer system to training employees in the proper protocols when contacting patients, HIPAA, in essence, is all about safeguarding every patient’s right to privacy, security and respect.

 

Ensuring a patient’s right to privacy is essential to the practice of good healthcare — and a vital part of the covenant between providers and patients. Implementing the mandates of HIPAA plays an important role in building and maintaining patient trust and a thriving practice.
