HIPAA Compliance for Medical Practices

Bring Your Own Device (BYOD) Guidance 


Bring Your Own Device, or BYOD, is the practice of employers allowing employees to use their own electronic devices (phones, computers, tablets, etc.) on the organisation's network.

BYOD has progressed from infrequent implementation to the norm. In 2015, Tech Pro Research released a study which reported that about 74% of respondents were already using or planning to use BYOD in their organization.¹

Despite its growth, few organisations are fully confident in BYOD. In a 2016 HIPAA survey by NueMD, participants were asked how confident they were that the devices used in their business are HIPAA compliant; only 20% of respondents expressed any confidence at all.

BYOD can expose an organisation to serious security problems if it is not handled correctly. Because employees own the devices, they take them home (and everywhere else), so the chance of a device being lost or stolen is much higher. When devices stayed in the office, the company controlled their physical security. With BYOD, much of that responsibility shifts to the employee, who must take extra care to keep the device safe.

BYOD also increases exposure to malware. When a device is also used for personal email and browsing, a phishing email is more likely to reach the employee if the device lacks proper security software, and malware can arrive bundled with unapproved applications the employee installs. Malware on the device can then affect everything stored on it, including work-related data, and any PHI the device can reach on your network is put at risk.

There are, of course, positives to BYOD, or it would not be as popular as it is. The main advantage is cost: if employees bring their own devices, the organisation does not have to pay to provide them. BYOD can also improve productivity, because employees use devices they already know and no time is spent training them on the hardware.

BYOD adoption has grown every year. Eventually you will need to consider BYOD and establish guidelines for implementing it on your network that also respect the privacy of the user's device: access to the device should only be requested for the security reasons set out in your policy. If you do choose to allow BYOD, define that decision clearly in your policies and procedures.

First, you should have policies and procedures in place outlining the use of devices on your network. The policies and procedures should include:

  1. Acceptable uses:
    1. What apps are employees allowed to run?
    2. What websites should and shouldn’t be accessed?
    3. Can they be used for personal use during work?
  2. Acceptable devices:
    1. Will you allow laptops, phones, and tablets?
    2. Which platforms will you allow (Apple, Android, Windows, BlackBerry, PC, etc.)?
    3. How are you encrypting devices?
  3. Policies:
    1. Is the device configuration set up by the organisation's IT department?
    2. Is connectivity supported by IT?
    3. How often will you require a password change?
    4. Do you have a remote wipe policy?

Second, decide whether or not to implement Mobile Device Management (MDM). MDM provides a single console through which IT can administer different mobile devices and operating systems, and lets the IT department remotely wipe devices, enforce encryption, require a VPN for corporate access, and locate devices.

MDM lets you selectively wipe corporate data from lost or stolen devices. Some platforms have a built-in tool for this: iPhones have Find My iPhone, and Android phones can be located and wiped with Android Device Manager. Both are fine for individuals, but they are not a good fit for an enterprise that has to track many devices. A full wipe is a heavy-handed measure that may make employees hesitant to use their device on your network, since their personal data would be erased along with the work data. A signed BYOD agreement makes the expectations explicit, including the possibility that the company will use MDM to wipe information remotely when needed.

Alternatives to consider are Mobile Application Management (MAM) and agentless BYOD. MAM is software that controls access to the mobile apps on BYOD devices. A Bitglass report found that only 14% of participants had adopted MAM; in other words, MAM never really took off, and MDM adoption has stagnated because of privacy concerns.³ Bitglass's own answer is an agentless BYOD product that, according to the vendor, protects corporate data on any device without installing an application and deploys automatically without IT intervention. Agentless BYOD is meant to be more secure and less intrusive for the employee because it can wipe selectively.⁴

Finally, a BYOD policy agreement should confirm that the user understands and agrees to the policies and procedures. The user should also understand that the organization owns the work-related information on the device and therefore has the right to revoke access to the company network at any time. The agreement should be signed by the user, a department manager, and IT.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr

HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Your Guide to Staying HIPAA Compliant When Emailing Patients 

In the age of electronic communication, there is the ever-present concern of compromised data. Data can be intercepted and accessed by third parties with their own agendas.

Naturally, the information between patients and their healthcare providers is quite sensitive. Neither party wants that data available to the public.

Partly in response to such concerns, Congress passed HIPAA, the Health Insurance Portability and Accountability Act. One of the purposes of this legislation is to protect a patient's privacy, and its Privacy and Security Rules are what make the handling of patient data a regulatory matter rather than just a reputational one.

Email is not secure

In general, email communication is not secure for two reasons:

  1. The data isn’t encrypted by default.
  2. You cannot be sure that the person reading the message is the intended recipient.

Encryption transforms data so that it is unreadable to anyone who does not hold the key, while allowing the key holder to recover the original. The transformation uses a cipher (an algorithm) together with a key; with modern schemes the cipher itself is public, and only the key has to be kept secret and shared with the intended recipient. Anyone without the key sees only gibberish.

By default, most email services do not encrypt the message itself. This includes the popular web-based services such as Outlook.com, Gmail, and Yahoo: they typically encrypt the connection between your browser and their servers, and between servers when the other side supports it, but that does not protect the message once it is stored or forwarded. However, some of these providers offer paid tiers with features (and a Business Associate Agreement) that support HIPAA compliance.

Furthermore, there’s never a foolproof way to ensure that the intended recipient is actually the one reading the email. Perhaps the patient checked his mail in a public place with wandering eyes or left his phone somewhere by mistake.

Nevertheless, modern patients expect instant communication, so you can’t avoid emailing. For many patients and practices, email is becoming the preferred method of communication.

Here’s how to stay compliant with your electronic communications.

Encrypt everything

Encrypt every piece of electronic PHI you can, including paper documents scanned to a computer. Strictly speaking, encryption is an "addressable" implementation specification under the HIPAA Security Rule rather than an absolute mandate, but it is the accepted standard of care, and the loss of PHI that was properly encrypted is generally not a reportable breach. A scanned document can be sent to your storage location over encrypted email; speak with your IT professional to set this up.

Protected health information (PHI) must be protected at rest and in transit: secured while it is transmitted across networks or the Internet, and while it is stored on drives at workstations and servers.

The party transmitting PHI is the liable one. A patient who replies to you is neither a covered entity nor a business associate and is not bound by HIPAA; you are responsible only for the security of the emails you send.

While HIPAA does not flatly require you to encrypt every device and storage location (you must either implement encryption or document why an equivalent alternative is reasonable and appropriate), it would be silly not to. Encryption is cheap and easy and can protect you from embarrassing mistakes and tedious litigation. Even if you technically followed the rules, patients will still be upset if their data is exposed.

It isn’t necessary to use a dedicated service to send HIPAA compliant emails. These services work, but with some added expense.

Some email clients can be configured in ways that support compliance. For example, the desktop client Microsoft Outlook offers S/MIME message encryption under its Security Settings: the message body and attachments are encrypted so that only a recipient holding the matching certificate and private key can read them. Be clear about what other settings do and do not achieve. Enabling IMAP and deleting messages from the server (keeping them only on your local disk) shortens how long copies sit on the provider's server, but it does nothing to protect a message in transit, and no client setting can guarantee that a message cannot be intercepted. Only encrypting the message itself does that.

While encryption is important, note that HIPAA does not specifically require you to encrypt internal email. A message to a colleague that stays on the same secure server never crosses the Internet, so the exposure is far lower. Best practice is still to encrypt everything.

If a patient is unable or unwilling to receive encrypted communications, they can ask to receive email from you unencrypted. In that case you may use the method that works for you and the patient, but explain the risk first, have them sign a consent form acknowledging it, and keep that form.

Get the patient’s consent

Consent is an important part of privacy. You can ensure you have the right contact information and protect yourself from lawsuits by getting permission in writing from your patient before you correspond through email.

On the form, explain to the patient the inherent risks of electronic communication. Offer some advice on safeguarding their computer to ensure their emails aren’t accessed by other people.

I recommend having your attorney evaluate a consent form before you send it to your patients.

Here’s a template to give you an idea of what it looks like. For best results, use an online intake form with e-signature capabilities (like ours).

Once you have the consent form, be sure to keep it safe. If the patient ever blames you for a privacy breach, you’ll want to be able to show that you had their permission.

When a patient initiates an email conversation, it is reasonable to assume they accept that form of communication (unless they have previously said otherwise). Still, you must secure these emails like any other.

If a patient hasn’t agreed to communicate electronically, never contact them through email.

Include a privacy statement with each email

Every email you send should conclude with a privacy statement. The statement should notify the receiver that the email is inherently insecure, express that the content is strictly confidential, and tell them who to report the email to if they are not the correct recipient.

The purpose of this statement is to remind the recipient every time that their correspondence isn’t 100% safe. If they choose to reply with confidential information, they are doing so at their own risk. Further, it encourages parties who shouldn’t read the email to report the miscommunication.

If your email needs are simple, this can be done by adding a signature to your emails through your client. If you work in a larger practice, speak with your IT professional to ensure that all emails include this statement.

That said, email disclaimers are not a substitute for properly encrypted PHI emails. The purpose of the disclaimer is simply to inform. It does not absolve you of responsibility in any way.

Use an email provider that signs a Business Associate Agreement

A Business Associate Agreement (BAA) is required with any email provider that stores or transmits PHI on your behalf. There are countless services that specialize in HIPAA compliant communications for healthcare providers, each with its own features. BAAs do not come standard with free email services, but many paid tiers offer one.

If a provider will not sign this agreement, you cannot use it for PHI and remain compliant. Do not assume an email service provider will sign a BAA unless it clearly says so on its website, and get the signed agreement in hand before any PHI flows through the service.

Develop an office policy

It’s important to have a clearly defined policy for your staff or colleagues regarding protected health information (PHI). A casual discussion isn’t enough. You need procedures.

In your documentation, include which types of information may and may not be transmitted electronically. You may restrict certain types of PHI (mental health issues, for instance) to in-person meetings only.

Document who may and who may not send or receive confidential patient information. For instance, you would allow a doctor, nurse, or other healthcare provider to discuss health matters with a patient, but not the receptionist, administrative assistant, or billing department. These restricted parties should only contact patients regarding administrative issues and immediately notify healthcare staff if a patient mentions medical information.

7 Tips for HIPAA Compliant Email

You can use email securely and still remain compliant with HIPAA. Here are seven tips for securely using email in a HIPAA-compliant organization.

1) Get consent

Get a patient's written consent before sending them email. A good email consent form will explain the risks of communicating via email, explain how and why you'll use email, explain how patients should safeguard their computer, and get the patient's signature. Search the internet for "email consent form" to find plenty of templates you can adapt. It also can't hurt to have your lawyer review the form before you start using it.

Do something with the patient’s consent.

Write a procedure for staff to follow when handling consent forms that patients fill out.  This is important for two reasons: (1) It’s the only way to be sure that you’re actually honoring the patient’s wishes about email communication, and (2) If you are ever audited or experience a security breach, it will be important to have a written procedure as evidence to prove that you’re handling email securely.

2) Policy: define what staff are allowed to do with email.

Your policy should define which email addresses and devices should be used to send PHI, what information should never be sent via email (e.g., mental health and substance abuse info), and who they are allowed to email (patients, other providers, etc.).

3) Have a privacy statement at the end of emails.

A privacy statement should be automatically appended to the end of every outgoing email. Your statement reminds recipients that email is inherently insecure, states that the email is privileged and confidential, and tells the recipient who to contact if they are not the right person. Speak with your email / IT provider – they should be able to set this up for you.

4) Say yes to Business Associate Agreements.

HIPAA requires a Business Associate Agreement with any vendor that handles PHI on your behalf, and that includes your email provider. Don't use an email provider who refuses to sign one for your medical practice. The paid Google and Office 365 business services will sign such an agreement; free services such as free Gmail, Yahoo Mail and Hotmail/Outlook.com won't.

5) Say no to any company that won’t sign a BAA.

Companies will give you all sorts of reasons as to why they won’t sign a Business Associate agreement. Here are a few that we’ve heard:

  • “Our lawyers say we don’t need one.”
  • “We never open your emails, so we’re not a Business Associate.”
  • “None of our thousands of customers have ever asked us to do that.”
  • “We’re a ‘conduit’, not a business associate.”

These are all nonsense. Plenty of providers are willing to sign a Business Associate Agreement. If a vendor isn't, either you're speaking to the wrong person within the company or there's a reason they won't. Walk away and find a vendor that knows how to support healthcare organizations.

6) Encrypt email with PHI or PII.

Let's say you're emailing a patient the results of a lab test. You need to be as sure as you can be that it is your patient who opens that email AND that nobody read it on the way between your computer and theirs.

A secure email service gives you that assurance: the message is encrypted when it leaves your computer and can't be read by anyone except the patient, who authenticates with a password that only he or she knows. Anyone trying to read it along the way sees only nonsense.

7) Better yet, automatically encrypt any sensitive email.

The best systems will automatically read your email on the way out, look for sensitive terms (like social security numbers, diagnoses like “diabetes,” medication names like “Zoloft,” etc.), and automatically send these encrypted and securely. These systems are great because they remove the chance of making mistakes – emails to your spouse about dinner plans are sent normally, but emails about patients, treatments, diagnoses, and lab tests are sent securely.
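
As an added illustration (not code from the article or from any vendor's product), here is the core of such an outbound classifier in Python. The term lists, the SSN validity rules and the four sample messages are constructed for the example; a real deployment would load the practice's own dictionaries and add patterns for medical record numbers and insurance IDs. What it shows beyond the paragraph is how to keep false positives down: a bare digit pattern would flag phone numbers and order numbers too, so the check validates the SSN structure before deciding that a message must be encrypted.

```python
"""Outbound-mail classifier: should this message be sent encrypted?

Added example for the article; not the article's code and not any vendor's
product. Term lists, SSN rules and sample messages are constructed assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumed dictionaries; a real deployment loads the practice's own lists.
DIAGNOSIS_TERMS = {"diabetes", "hiv", "depression", "hypertension", "bipolar"}
MEDICATION_TERMS = {"zoloft", "metformin", "insulin", "prozac", "lisinopril"}
CLINICAL_TERMS = {"lab result", "lab results", "diagnosis", "prescription", "mrn"}

# US SSN shape: 3-2-4 digits, same separator (space, hyphen or none) both times.
_SSN_RE = re.compile(r"\b(\d{3})([ -]?)(\d{2})\2(\d{4})\b")


def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """Reject 3-2-4 digit runs that cannot be a valid SSN (cuts false positives)."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:  # area numbers that are never issued
        return False
    return g != 0 and s != 0            # group and serial are never all zeros


@dataclass
class Verdict:
    encrypt: bool
    reasons: list = field(default_factory=list)


def classify(subject: str, body: str) -> Verdict:
    """Decide whether a message must go out encrypted, and record why."""
    text = f"{subject}\n{body}".lower()
    reasons = []
    for m in _SSN_RE.finditer(text):
        if looks_like_ssn(m.group(1), m.group(3), m.group(4)):
            reasons.append("ssn pattern")
            break
    for label, terms in (("diagnosis", DIAGNOSIS_TERMS),
                         ("medication", MEDICATION_TERMS),
                         ("clinical", CLINICAL_TERMS)):
        # Word boundaries on both sides so "hiv" does not fire inside "archive".
        hits = sorted(t for t in terms if re.search(rf"\b{re.escape(t)}\b", text))
        if hits:
            reasons.append(f"{label}: {', '.join(hits)}")
    return Verdict(encrypt=bool(reasons), reasons=reasons)


# Constructed sample outbound messages: (id, subject, body).
SAMPLES = [
    ("m1", "Dinner?", "Running late, meet at 7. Call 555-123-4567 if plans change."),
    ("m2", "Your lab results", "Hi Jane, your A1c came back at 7.9, consistent with "
                               "diabetes. Let's adjust the metformin dose."),
    ("m3", "Billing question", "Please confirm the SSN on file is 123-45-6789 "
                               "before we resubmit the claim."),
    ("m4", "Order confirmation", "Your order 000-12-3456 shipped today."),
]


def route(messages):
    """Map each message id to the path it should take: 'encrypt' or 'plain'."""
    return {mid: ("encrypt" if classify(subj, body).encrypt else "plain")
            for mid, subj, body in messages}


if __name__ == "__main__":
    for mid, subj, body in SAMPLES:
        v = classify(subj, body)
        print(mid, "ENCRYPT" if v.encrypt else "plain  ", v.reasons)
```

Run as a script it routes m2 (diagnosis, medication and lab terms) and m3 (a structurally valid SSN) to the encrypted path, while the dinner plans with a phone number and the order with an impossible "000" area number go out normally. A gateway would call `classify` on every outbound message and hand anything with `encrypt=True` to the secure-mail service; the `reasons` list is what you log for audit.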

HIPAA Enforcement Trends for 2017

Since the start of 2017 alone, HIPAA enforcement trends have indicated that this could be the most costly year for fines in history.

HIPAA, as a regulation, is managed by the Department of Health and Human Services (HHS). HHS designs and enacts policy and guidance about emerging trends in health care IT, patient privacy, and data security. The Office for Civil Rights (OCR) is the HHS body responsible for HIPAA enforcement and investigation.

HIPAA Fines by Year

OCR has been cracking down on HIPAA enforcement significantly in the past few years.

Compare these HIPAA fine totals by year:

  • 2015: $6,193,000
  • 2016: $23,504,800
  • 2017 (first six months): $17,093,200

So $17.1 million in the first half of 2017 alone is nearly three times 2015's full-year total. If the pace continues, 2017 is very likely to outpace 2016's record-breaking $23.5 million as well.

Why the Increase in HIPAA Enforcement?

When OCR begins a HIPAA investigation for a violation or breach, it can take 3-4 years to reach settlement with the organization under investigation.

Four years ago, in 2013, HHS released its Omnibus Rule, which made HIPAA business associates directly liable for complying with the regulation. For background: a covered entity is a health care provider, health plan or health care clearinghouse, and a business associate is a vendor that creates, receives, maintains or transmits PHI on the covered entity's behalf.

In the past year, many of the multi-million dollar fines levied by OCR have been the direct result of BA non-compliance. If a covered entity shares PHI with a BA without first executing a business associate agreement, that sharing is itself a HIPAA violation and is subject to significant fines. Where OCR finds "willful neglect" of the regulation, penalties can reach $50,000 per violation, and repeated violations of the same provision add up quickly.

With HIPAA enforcement trending toward stricter and more severe financial penalties for improper relationships with BAs, it’s no wonder why fines have been steadily increasing year after year. Now that some of the major OCR investigations involving BA non-compliance have started reaching settlement, behavioral health providers need to ensure that their relationships with their vendors are lawful under the HIPAA Omnibus Rule.

Phase 2 HIPAA Audits Will Continue in 2017

Phase 2 HIPAA Audits are targeting randomly selected health care practices and organizations around the country. Having an effective HIPAA compliance program is the easiest way to pass your audit. Read on to find out what you can do to protect your behavioral health practice!

Upcoming Phase 2 Audit Protocols

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) first announced this new round of random audits in 2016. Phase 2 is the second time in OCR’s history that it has instituted a random audit program. Phase 1 HIPAA Audits were rolled out in 2011 and affected a similar number of health care providers across the country.

OCR has designed these Phase 2 audits to target a broad selection of HIPAA-beholden health care organizations. That includes both Covered Entities (CEs) and Business Associates (BAs).

HIPAA defines a Covered Entity as a health plan, a health care clearinghouse, or a health care provider (including behavioral health specialists) that transmits health information electronically in connection with a HIPAA transaction. PHI is individually identifiable health information: health data linked to identifiers such as name, date of birth, social security number or address. HIPAA defines a Business Associate as any organization that creates, receives, maintains or transmits PHI in the course of work it performs for a covered entity (billing firms, cloud storage providers, fax, shredding, copying and IT providers, to name a few).

So how do you know if your behavioral health organization has been selected for a Phase 2 HIPAA audit?

OCR will contact your organization by email if you have been randomly selected for an audit. Look out for messages from OSOCRAudit@hhs.gov, and check your spam filter so that a genuine notice is not missed. Because an email claiming to come from federal investigators is also an obvious phishing lure, verify any such request through OCR's published contact channels before you send any documents.

Once you've been contacted for an audit, you will have 10 days to respond to OCR's request for information. If your organization does not respond for any reason, federal investigators will keep trying to reach you, including using publicly available information to call or contact you.

One of the first things federal investigators will ask for is a complete list of your organization’s business associates, with contact information for each. Identify your business associates now so that you’re prepared for these upcoming HIPAA audits.

Additionally, your organization must have a HIPAA compliance program in place with full documentation that can be provided for OCR investigators.

Desk Audits vs. Onsite Audits

Phase 2 HIPAA Audits consist of a number of different stages.

The first stage is desk audits, which are a series of remote audits. OCR investigators will contact your organization via email and you’ll be prompted to send the appropriate information. Investigators will not come to your physical location, but you’ll still be required to comply with the investigation.

Onsite audits are another means of investigation that OCR is set to pursue in 2017.  Onsite Phase 2 HIPAA Audits will require federal OCR investigators to come onsite to inspect your organization. They will be checking your level of compliance with HIPAA regulation.

OCR Releases New HIPAA Breach Reporting Tool for “Wall of Shame”

Earlier this week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a redesigned HIPAA Breach Reporting Tool on their site.

The HIPAA Breach Reporting Tool is commonly called the "Wall of Shame" because it lists every organization that has reported a breach of health care data affecting 500 or more individuals since the reporting requirement took effect in 2009. The Wall of Shame is a searchable, permanent database of reported breaches maintained by OCR.

The new Breach Reporting Tool allows you to search the full archive of breaches, and gives access to an “Under Investigation” tab. The tool has been redesigned to make it easier than ever before to look through OCR’s investigation history. This makes the consequences of a data breach or HIPAA violation a permanent reputational issue for your organization–especially now that prospective patients are doing more and more research into behavioral health specialists they’re looking to work with.

Protecting your practice with a HIPAA compliance program is an essential way to keep your name off the Wall of Shame. Below, we take a look at exactly what the regulation requires so you know what to look for in a HIPAA compliance program for your practice.

The HIPAA Breach Notification Rule

HIPAA breach reporting and breach notification are essential parts of any organization’s HIPAA compliance. HIPAA breach reporting is regulated by the HIPAA Breach Notification Rule, which was first enacted in 2009 along with the HITECH Act.

The HIPAA Breach Notification Rule categorizes data breaches into two categories with specific requirements for follow-through on each. The two kinds of breaches that the Breach Notification Rule identifies are:

  • Minor breach (fewer than 500 individuals): affected individuals must be notified without unreasonable delay and no later than 60 days after discovery of the breach. All such breaches that occurred during a calendar year must be reported to OCR no later than 60 days after the end of that year, which falls on March 1st (or February 29th in a leap year).
  • Meaningful breach (500 or more individuals): affected individuals must likewise be notified without unreasonable delay and no later than 60 days after discovery, and if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified within the same window. These breaches must be reported to OCR at the same time the individual notices go out, and in no case later than 60 days after discovery.

Trends in HIPAA Enforcement

In January of 2017, OCR levied its first fine for a violation of the HIPAA Breach Notification Rule in the history of HIPAA enforcement.

The fine was levied against Presence Health, one of the largest health care networks in Illinois. The organization was fined $475,000 after more than 500 individuals were implicated in a meaningful breach. Over the course of its investigation, OCR found that Presence failed to notify the individuals within the 60 days mandated by the Breach Notification Rule.

This is just one example of the recent trend in unconventional HIPAA enforcement efforts that have been targeting health care professionals of all kind across the country.

The best way to mitigate the risk of a breach, and of the enforcement action that follows one, is to adopt a total HIPAA compliance program in your organization that addresses the full extent of the law. Don't get caught unprepared!

Why a HIPAA Manual Won’t Protect You from Audits

When the regulation was first released, HIPAA manuals were an effective way for health care professionals to address the law.

However, in the 21 years since HIPAA was first enacted, the regulatory requirements have changed significantly. These days, with all the new rules and guidance that the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released, a simple HIPAA manual is not considered an effective compliance solution for your behavioral health practice.

Protecting your practice in the 21st century takes more than a dusty HIPAA policy binder. To stay clear of the $17.1 million in fines levied since the start of 2017 alone, health care professionals need a HIPAA compliance program in place that addresses the full extent of the law.

Why Isn’t a HIPAA Manual Enough?

HIPAA requires that policies and procedures be reviewed periodically and updated whenever your environment changes; an annual review is the baseline most practices adopt. Your practice changes all year long: employees are hired and fired, you might open a new office, or maybe you've adopted a new EHR platform.

Policies and procedures must be tailored to the unique needs of your practice, so these yearly changes need to be reflected in your organization’s HIPAA policies and procedures.

A printed HIPAA manual gives you no way to track those reviews and updates; in practice the binder has to be replaced every year to stay current. HIPAA also requires that staff be trained on your policies and retrained when the policies materially change, with periodic security awareness training on top, so every update to the binder means another round of training.

A HIPAA Compliance Program that Changes with Your Practice

HIPAA compliance solutions that automatically track the status of your organization’s compliance are a key way to ensure that you are keeping up with the regulatory requirements of the law.

When looking for a HIPAA compliance solution that suits the needs of your behavioral health practice, be sure to check if policies and procedures are included. These policies and procedures should be directly tied to HIPAA audits that you conduct within your own practice to expose areas where you aren’t in compliance with the law. These ‘gaps’ in compliance feed directly into your remediation plans, which then inform the extent of the policies and procedures you need to adopt in your practice.

Your potential HIPAA compliance solution should also include an employee training module based on the policies and procedures that you’ve customized and adopted in your practice. Again, make sure that the solution you’re considering sets these tasks up on an ongoing annual basis.

And of course, when it comes to HIPAA, documentation is king. The solution you’re looking at should include full documentation–preferably automated–so that you can pull yearly reports to demonstrate the status of your organization’s HIPAA compliance.

How To Prevent A Natural Disaster From Becoming A HIPAA Disaster

Over the past few years, many natural disasters in the United States have had a direct impact on healthcare organizations, such as the tornado that scored a direct hit on the hospital in Joplin, Missouri, or the flooding that leaked into a hospital in Duluth, Minnesota. And what about a loss of power or a bad network connection? Healthcare has also seen a drastic increase in ransomware attacks, which block an organization's access to patient data. When a disaster cuts off access to patient information, it is easy for a healthcare organization to panic and not know what to do. Treating patients requires the most current information available, so planning is essential to prepare your organization for disasters and emergencies.

The HIPAA Security Rule requires healthcare organizations to have a contingency plan to follow in the event of a disaster or other loss of access to protected health information. Under the contingency plan standard (45 CFR 164.308(a)(7)), the plan consists of the following five implementation specifications; the first three are required and the last two are addressable, meaning you must implement them or document why an equivalent alternative is reasonable and appropriate:

  1. Data backup plan (for all systems with protected health information)
    • Document the process by which your data is being backed up. Include the location of the backup, the backup process, and the backup frequency. If you are using a third-party vendor to back up data, the organization should have a process to confirm that backups succeed and a defined process for handling failed backups.
  2. Disaster recovery plan
    • Once the emergency situation is over, the disaster recovery plan defines the steps the organization must take to restore data and systems to original operating status. This will include information on what data must be added back into the system and the specific order in which data is to be restored.
  3. Emergency mode operations
    • Define a process to ensure that critical business functions continue while the emergency is happening and information is unavailable. This includes information on how data may be accessed, how data will be documented while systems are unavailable, what additional security measures will be used, whom to contact and when, and how the organization will function to provide patient care. Emergency mode operations may look different depending on the disaster.
  4. Testing and revision procedures
    • The contingency plan should be regularly tested and the appropriate updates made. The revised contingency plan should be provided to the appropriate people within the organization.
  5. Applications and data criticality analysis
    • Create a list of each of the different systems that house protected health information within the organization and rank their criticality (importance) to the organization. Your output for this step is a listing of every software application that holds PHI and its importance to the daily operations of your organization. The goal of this step is to understand the data and know which systems are more critical to get up and running before others.

The other big task with a contingency plan is to train the workforce. Your workforce should know and understand the processes to follow in the event that information becomes unavailable or your network is blocked off by a hacker. Workforce members should feel confident and comfortable working in emergency mode with minimal, if any, access to information.

A contingency plan doesn’t have to be complex, but it should be written. In a recent discussion with a Senior Underwriter for Cybersecurity Insurance, he stated that he asks for the organization’s emergency preparedness plan when assessing and processing a cybersecurity insurance quote.

Don’t assume nothing will happen to your organization. Some plan is better than no plan so start having the conversation and creating the processes now. Also, make sure you take time to test the process to ensure that it works effectively for your organization. You want to feel confident regarding your plan so that if the unthinkable happens, you are prepared.

Use the Right Tools to Protect Patient Data and HIPAA Compliance

The focus on securely storing and protecting your patients' information mandates that you use the right tools and systems to fulfill this requirement. This necessity should generate at least two questions.

  • Are you using the right tools now to protect your patient data?
  • How can you ensure that you use the best systems to securely store and protect your patient information?

Consider these suggestions to create a checklist of features your system should include to meet privacy, storage and protection guidelines. These tips will help you identify the right tools to safely protect patient data and satisfy security mandates.

How to Identify the Right Tools for Patient Data Security

A. Examine current administrative safeguards:

  • Perform a risk assessment.
  • Design a risk management procedure.
  • Create practice policies for safe and secure storage of patient data.

B. Evaluate Your Physical Security Measures:

  • Limit physical access to your systems that store patient information.
  • Password protect workstations that have access to patient health information (PHI).
  • Prohibit removal of electronic media with PHI from the workplace.

C. Analyze Your Technical Security Procedures:

  • Give access to PHI only to those that need it, on a "need to know" basis.
  • Create an internal audit procedure to examine your IT tools that contain PHI.
  • Ensure your electronic systems have high-level integrity to prevent others from altering, destroying or changing PHI.
  • Evaluate the security of your transmission of PHI over electronic networks.

Suggestions to Have the Right Tools to Meet Meaningful Use and PHI Security Requirements

  • Display leadership by emphasizing the importance of protecting patient information to ensure privacy and security.
  • Document all policies, procedures and efforts to ensure security.
  • Evaluate your security analysis results to identify risks to PHI.
  • After analysis and evaluation, create a new action plan, if necessary.
  • Be sure your action plan and tools mitigate risks, which can be lowered to manageable levels.
  • Ensure your electronic health records (EHRs) are protected by having locked server rooms, using strong passwords, performing regular backups and having disaster plans for data recovery after server crashes.
  • Give your staff thorough education and training on protecting PHI.
  • Advise your patients that their information is confidential and protected, to minimize patient privacy concerns.
  • Ensure your "business associate agreements" contain language that mandates they remain in HIPAA privacy and security compliance.
  • Register for EHR Incentive Programs only after you can attest (with confidence) that your practice meets or exceeds meaningful use requirements, including documentation that you've performed a security risk analysis and identified potential problems with PHI security.
  • Consider using a top third-party medical documentation and billing firm, such as M-Scribe Technologies, to minimize the staff burden of compliance with regulations and better ensure practice compliance.

Hopefully, you have not made a major investment in IT systems that fall short of ensuring security and protection of patient information and EHRs. However, going through this checklist will determine if your systems and procedures are sufficient to be considered the right tools and policies to securely protect your patient data.

Understand that your objectivity in evaluating your current tools is critical to installing the best systems to ensure patient privacy and information protection. Spending time analyzing the tools now in use is more efficient than needing to fix leaked or unlawfully changed patient data. Solutions are more like putting toothpaste back into its tube or unringing a bell than finding answers to problems: serious damage may already have been done.

Identifying the right tools to protect patient data--and yourself--will eliminate (or minimize) the need for costly solutions after a problem occurs. Once you take action to maintain security, if appropriate, or improve EHR safety, if necessary, be sure to document your efforts. Should HIPAA or other regulators ask for evidence, you'll have it, further protecting yourself from challenges.

A Patient’s Right to Access Medical Records

Most medical practices, healthcare organizations, and clinicians are very familiar with HIPAA rules and regulations. However, the law can be extensively complicated and is often a source of confusion and misinterpretation. According to the Office for Civil Rights (OCR), one of the most common complaints and frequently misunderstood parts of the law involves a patient’s right to access their personal medical records. Due to the recent increase in patient complaints on this subject, the OCR has published new guidance regarding the right of access. Below are a few of the highlights. (The full text can be viewed at www.hhs.gov.)

The HIPAA Privacy Rule requires all covered entities to provide individuals with access to their personal health information in “designated record sets,” upon their request. A designated record set is a group of records maintained by or for a covered entity, including: medical and billing records; enrollment, payment, claims, or medical management record systems; and other records used by a covered entity to make decisions about an individual’s health.

Information that is not included: PHI that is not part of the designated record set or is not used to make decisions about an individual's health, psychotherapy notes, and information compiled for a legal suit.

Does the HIPAA rule apply to electronic medical records? 

Yes.  Patients have the right to access both paper and electronic medical records.  

Can a patient request that another individual be given access to their information? 

Yes. A patient should sign a request that identifies the recipient, which records to send, and where to send them.

Can a covered entity charge the patient a fee for copies of their medical records?

Yes. HIPAA allows a “reasonable fee.”  The covered entity can charge a minimal fee for supplies and labor. It is important to note that state law may limit the ability to charge for records. 

What form or format must the medical records be provided?

A covered entity must provide the patient with their medical records in the form and format requested, or if not available, in a readable format as agreed to by the covered entity and individual.

What is the timeframe in which a covered entity must provide a patient their requested records? 

A covered entity has 30 days from the date of request to produce the records.  One 30-day extension is permissible with a written notice to the patient and reason for the delay with the expected date of completion.

How quickly must an entity make corrections to inaccurate medical records?

When patients access a medical record and discover information they believe is inaccurate, they must file a written request for the record to be corrected.  The covered entity must then respond to the request within 60 days.  It may take an additional 30 days but must provide a written explanation for the delay and a date of completion.

What should patients do if they have difficulty obtaining a copy of their medical records?

It may be appropriate to contact the healthcare provider’s designated privacy HIPAA compliance officer. This action will document the complaint, and show that the patient has made an effort to resolve the problem. If the provider ignores the complaint, the individual may want to proceed with an HHS complaint.

Conclusion

Providing patients with access to their medical health information empowers individuals to take control over health decisions and enables them to effectively monitor chronic conditions, adhere to treatment plans, and track their progression.  Additional benefits include increased patient engagement, improved outcomes, and a more patient-centered health care system.

HIPAA Risk Assessments – A Necessary Evil

Not only are HIPAA risk assessments a necessary evil but also a regulatory requirement. This requirement is found in the HIPAA Security Rule implementation specification, § 164.308(a)(1)(ii)(A), which states that covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the organization.

Guidance provided by the U.S. Department of Health and Human Services (HHS) states that “There are numerous methods of performing risk analysis and there is no single method or ‘best practice’ that guarantees compliance with the Security Rule.” The overall goal of the assessment process is to determine compliance with the HIPAA Security Standards and implementation specifications along with HITECH and applicable parts of the Omnibus Rule. This determination is vital to assessing whether or not an organization has the appropriate security measures in place to safeguard ePHI.

Regardless of the size of the organization or the number of patients, patient records, or how much or how little ePHI is held, a risk assessment needs to be conducted.  A checklist will not suffice.  An assessment must include a gap analysis, which is a determination of the level of risk posed by each question asked during the process.  A good risk assessment should include a mitigation plan that addresses how to fix or correct moderate to high levels of risk that were discovered.

So why are some healthcare organizations and business associates not conducting these required assessments?  My speculation is that they do not know what an accurate and thorough assessment consists of, or that they are uneasy about the process.  There may not be in-house resources to conduct the assessment, or there may be a reluctance to bring in a third-party consultant to provide this support. 

In a June 2017 HHS Office of Inspector General Report, the Centers for Medicare & Medicaid Services was audited to determine whether Medicare EHR incentive payments to eligible professionals were in accordance with federal requirements.  Although the sample size was small, it was used as a projection basis regarding the payments. What the report indicated was that some eligible professionals did not maintain or provide attestation support to meet core requirements. This included not conducting required risk assessments, which is one of those core requirements. 

In recent HIPAA violation settlements announced by the HHS Office for Civil Rights (OCR), a number of case press releases indicated the investigations into some of these organizations revealed that accurate and thorough risk assessments were not conducted.  This lack of assessments has been a constant theme for most organizations that settle with OCR in HIPAA violation cases.

What I tell potential clients who have never conducted a HIPAA risk assessment is that the first time is painful, but necessary.  Risk assessments must be done to determine vulnerabilities and threats to the ePHI that is stored, transmitted, created, and accessed.  Once we locate the weaknesses, we can work on mitigation.  A risk assessment will not be an overnight fix, but an exercise in ongoing HIPAA compliance program management.  

HIPAA Requirements – Time for a Major Regulatory Change

It is only fitting that legislation created in the mid-1990s be considered, as most HIPAA experts would agree, outdated. Even with changes brought about by HITECH and the Omnibus Act, the implementation specifications remain relatively unchanged. It is still one-size-fits-all when it comes to meeting the requirements.

Sure, you could argue what is reasonable and appropriate for one healthcare provider is not for another. Therefore, it comes down to how each implementation specification is interpreted, how you decipher what the Code of Federal Regulation (CFR) is asking for.

After spending 27 years working for the Federal government and being involved in policy and regulatory oversight, even I sometimes struggle with how to make sense of a particular CFR.

For larger healthcare providers that have regulatory and compliance staff, HIPAA compliance might be a bit easier. But for the smaller providers who are required to follow all of the same requirements, albeit what is “reasonable and appropriate,” this is a colossal struggle. I can see why some small providers just throw their hands up and say, “This is way too complex for us to figure out.”

When the HIPAA legislation was created, the healthcare system in this country was really starting to transform. Today, with more and more specialty practices and other types of healthcare service providers tapping into this growing market, updating regulatory requirements must be a priority. It cannot be a one-size-fits-all requirement anymore. The U.S. Congress needs to take into consideration how the healthcare industry has changed, in particular with the emergence of new health-related mobile apps hitting the techno-sphere. HIPAA regulatory requirements must be adaptable to meet this changing environment.

When I conduct a HIPAA risk assessment for a smaller healthcare provider and I ask a question in an attempt to adhere to the implementation specification, often I get a non-applicable response. The hard work for me is how to get that provider covered in meeting a required implementation specification if it is non-applicable. If a provider is truly making the effort with due diligence to follow the HIPAA regulations, then that should be factored into the equation.  The process must allow for more discretion when it comes to some of the implementation specifications.

All of this will require legislative fixes. The U.S. Congress can rattle a few cages and give the impression there is real concern with making sure healthcare providers are doing everything they can to safeguard patient records, but until there is movement towards making necessary legislative changes, HIPAA requirements will remain as confusing to some as the U.S. tax code.

Back in the mid-1990s, Senators Kassebaum and Kennedy, the sponsors of the insurance reform legislation that became known as HIPAA, clearly had a vision about the changing landscape of healthcare security in this country. Which current-day senators will have that vision and want to undertake the monumental task of reforming HIPAA for the next decade remains to be seen.  The time is now to start down this road.

10 Reasons to be HIPAA Compliant

Here is a reprint of a recent online article submitted by Nick McGregor and posted by CMIT Solutions. #7 on the list calls for an increase in enforcement of HIPAA compliance by HHS. More of an incentive to make this a priority if your small practice has not done so already.

Rather than asking, “What has changed for your business in the health care realm this year?” the better question might be, “What hasn’t changed?”

The Affordable Care Act, premium increases, existing policy cancellations, enrollment period confusion, continuing IT problems with the HealthCare.gov website… Each of these minor health care earthquakes has shaken the small business community to its core.

Add in constant worries about data security and IT functionality and it can be enough to drive a business owner mad. But there’s one feature of the health care landscape that represents an even more critical decision: new HIPAA rules, regulations, and compliance requirements.

If your business has any contact with electronic health records or medical information, either as a Covered Entity (CE) — health care provider, health plan, or health care clearinghouse — or a Business Associate (BA) — any vendor or subcontractor that helps a CE carry out its activities and functions — HIPAA compliance should be of the utmost importance for you.

Why? The following 10 reasons provide a good start:

  1. The HITECH Act and HIPAA Omnibus Rule have substantially increased civil penalties for non-compliance. The penalty cap for HIPAA violations was increased from $25,000/year to $1,500,000/year per violation. Willfully ignoring or failing to be compliant means mandatory investigations and penalties can be initiated by any complaint, breach, or discovered violation.
  2. New Breach Notification rules will increase the number of HIPAA violations determined to be breaches. The HIPAA Omnibus Rule expands the definition of a breach and the consequences of failure to address it properly. Providing proper notification can trigger federal investigations and eventual fines and penalties.
  3. The mandated deadline for new HIPAA compliance rules has already passed. All Covered Entities and Business Associates were required to update their HIPAA policies, procedures, forms, and Notices of Privacy Practices by September 23, 2013.
  4. All Covered Entities must have documented policies and procedures regarding HIPAA compliance. Recently, a dermatology practice in Concord, MA, learned this lesson the hard way, getting slapped with a $150,000 fine for allowing the health information of just 2,200 individuals to be compromised via a stolen thumb drive. The company also had to incur the cost of implementing a corrective action plan to address Privacy, Security, and Breach Notification rules.
  5. Business Associates are now required to be compliant with HIPAA Privacy and Security Rules. Business Associates will be held to that standard by Covered Entities, who are now responsible for ensuring their BAs are compliant.
  6. While Meaningful Use incentives for Electronic Health Records (EHR) are optional, HIPAA compliance is not. If you manage Protected Health Information (PHI), you must comply with federal regulations or face substantial civil and criminal penalties. If a Covered Entity accepts Meaningful Use funding, a Security Risk Analysis is required — and any funding may have to be returned if adequate documentation is not provided upon request.
  7. The Department of Health & Human Services’ (HHS) Office for Civil Rights (OCR) is expanding its Division of Health Information Privacy enforcement team. The federal bureau is stepping up hiring for HIPAA compliance activities, calling for professionals with experience in privacy and security compliance and enforcement.
  8. State Attorneys General are getting involved in HIPAA enforcement. HHS has even posted HIPAA Enforcement Training for State Attorneys General agendas on its www.HHSHIPAASAGTraining.com website.
  9. HIPAA compliance requires staff privacy and security training on a regular basis. All clinicians and medical staff that access PHI must be trained and re-trained on proper HIPAA procedures. Documentation of provided training is required to be kept for six years.
  10. Protecting your practice means avoiding the HIPAA “Wall of Shame.” The list of health care organizations reporting major breaches and receiving substantial penalties is growing at an alarming rate. The details of these breaches are widely available to the general public — and widely reported in the media.

Top 10 Myths of HIPAA Risk Analysis

The following is a top 10 list distinguishing fact from fiction when it comes to conducting a HIPAA Security Risk Analysis.

  1. The security risk analysis is optional for small providers. False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
  2. Simply installing a certified EHR fulfills the security risk analysis Meaningful Use requirement. False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
  3. My EHR vendor took care of everything I need to do about privacy and security. False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
  4. I have to outsource the security risk analysis. False. It is possible for small practices to do the risk analysis themselves, but it can be time-consuming. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through the services of an experienced outside professional.
  5. A checklist will suffice for the risk analysis requirement. False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
  6. There is a specific risk analysis method that I must follow. False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
  7. My security risk analysis only needs to look at my EHR. False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data.
  8. I only need to do a risk analysis once. False. To comply with HIPAA, you must continue to review, correct or modify, and update security protections.
  9. Before I attest for an EHR incentive program, I must fully mitigate all risks. False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.
  10. Each year, I’ll have to completely redo my security risk analysis. False. Perform the full security risk analysis as you adopt an EHR. Each year or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period.

HIPAA: It’s not as black and white as you first thought

2016 was a record-breaking year for healthcare data breaches affecting 500 individuals or more, with the Office for Civil Rights (OCR) reporting a 22% increase year-on-year. Compared with five years ago, this increase is more significant still at 66%. It’s too early to tell whether 2017 will be better or worse for data breaches, but it remains a fact that HIPAA compliance issues will always be high on healthcare organizations’ agendas – regardless of size or stature.

With OCR’s phase 2 audits currently in full swing, there’s no better time for healthcare professionals to reassess their organization’s HIPAA policies in accordance with its privacy and security rules. Maintaining a HIPAA compliant organization is a challenge at the best of times – particularly with the rapid growth of mobile and BYOD in recent years – but as the following points demonstrate, there’s more to HIPAA than meets the eye.

1. HIPAA goes beyond the healthcare industry

The definition of a covered entity as defined by HIPAA is somewhat ambiguous and therefore open to misinterpretation. It’s often assumed the rules only apply to businesses that directly provide health services – such as hospitals, physician practices, clearinghouses etc. – when in reality, many other industries are affected too.

Complications are likely to arise if an organization believes it doesn’t need to concern itself with HIPAA compliance, as illustrated in the 2015 Verizon Protected Health Information Data Breach Report. It linked around 20 different industries to a protected health information (PHI) data breach, including manufacturing, retail and education.

2. Business Associates and conduit exception rule

Any organization or individual that creates, receives, maintains or transmits PHI on behalf of its service delivery to a covered entity is classed as a Business Associate (BA). Covered entities should have a Business Associate Agreement (BAA) in place with each of their BAs, and if a BA uses subcontractors for their services, a BAA should be executed with them, too.

Complications emerge when a BA claims to be a “conduit for information”, citing the conduit exception rule, to get out of signing a BAA. It’s vital covered entities understand the conduit exception rule only applies to a few organizations, such as the United States Postal Service, internet service providers (ISPs) and couriers. If any organization that creates, receives, maintains or stores PHI won’t sign a BAA, questions should be asked about its commitment to HIPAA compliance.

3. When PHI isn’t PHI

In a process known as de-identification, health information that has particular identifiers removed in accordance with Section 164.514(a) of the HIPAA Privacy Rule is no longer classed as PHI and can therefore be made publicly available. The National Center for Health Statistics is one such example of a data source that publishes de-identified health information.

Complete de-identification of PHI is a mammoth task to carry out. Any organization that wishes to make health information publicly available should appoint an expert to manage the process for them, as getting it wrong would likely have grave consequences. Even if managed properly, there is an overarching risk the data in question could be found to link back to the individual it relates to.
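To make the two paragraphs above concrete, here is an added example (not code from the article or from any organization it names) of the mechanical part of de-identification under the Safe Harbor method that implements §164.514: dates reduced to the year, ZIP codes truncated to three digits (or "000" for sparsely populated areas), ages over 89 aggregated to "90+", and a refusal to emit a record whose free-text field still carries a direct identifier. The record layout, field names and the sample ZIP-prefix set are assumptions made for the example; the authoritative sparse-ZIP list comes from HHS guidance.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// PatientRecord is a constructed record layout for this example; the field
// names are hypothetical and not taken from any real system.
type PatientRecord struct {
	Name      string
	MRN       string // medical record number
	DOB       string // YYYY-MM-DD
	Age       int
	ZIP       string // five-digit US ZIP code
	AdmitDate string // YYYY-MM-DD
	Notes     string // free text, which may accidentally carry identifiers
}

// Deidentified keeps only the elements Safe Harbor permits: the year of
// dates, a three-digit ZIP prefix, an age capped at "90+", and free text.
type Deidentified struct {
	BirthYear string
	AdmitYear string
	ZIP3      string
	AgeBand   string
	Notes     string
}

// sparseZIP3 holds three-digit ZIP prefixes whose area has 20,000 or fewer
// residents and must therefore be reported as "000". The entries are a
// constructed sample; use the current list from HHS guidance in practice.
var sparseZIP3 = map[string]bool{"036": true, "059": true, "102": true}

// yearOnly reduces a YYYY-MM-DD date to its year, the only date element
// Safe Harbor allows to remain.
func yearOnly(date string) string {
	if len(date) < 4 {
		return ""
	}
	if _, err := strconv.Atoi(date[:4]); err != nil {
		return ""
	}
	return date[:4]
}

// zip3 truncates a ZIP code to its first three digits, or "000" if the
// prefix is in the sparsely populated set.
func zip3(zip string) string {
	if len(zip) < 3 {
		return "000"
	}
	if p := zip[:3]; !sparseZIP3[p] {
		return p
	}
	return "000"
}

// ageBand reports the age as-is below 90 and aggregates 90 and over into "90+".
func ageBand(age int) string {
	if age >= 90 {
		return "90+"
	}
	return strconv.Itoa(age)
}

// Deidentify applies the Safe Harbor reductions and refuses to emit a record
// whose free text still mentions a direct identifier, the kind of mistake
// the article warns about.
func Deidentify(r PatientRecord) (Deidentified, error) {
	lower := strings.ToLower(r.Notes)
	for _, id := range []string{r.Name, r.MRN} {
		if id != "" && strings.Contains(lower, strings.ToLower(id)) {
			return Deidentified{}, errors.New("free text still contains a direct identifier")
		}
	}
	d := Deidentified{
		BirthYear: yearOnly(r.DOB),
		AdmitYear: yearOnly(r.AdmitDate),
		ZIP3:      zip3(r.ZIP),
		AgeBand:   ageBand(r.Age),
		Notes:     r.Notes,
	}
	// For ages 90 and over the birth year itself reveals the age, so it is withheld.
	if r.Age >= 90 {
		d.BirthYear = ""
	}
	return d, nil
}

func main() {
	// Constructed sample record; not real patient data.
	rec := PatientRecord{Name: "Jane Doe", MRN: "MRN-00042", DOB: "1931-05-17", Age: 85,
		ZIP: "03601", AdmitDate: "2017-02-03", Notes: "Type 2 diabetes, stable"}
	d, err := Deidentify(rec)
	fmt.Printf("%+v err=%v\n", d, err)
}
```

The check on the free-text field is the part practitioners most often skip: the structured identifiers are easy to strip, but clinical notes routinely repeat a name or record number, and a single leaked mention re-identifies the whole row.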

4. Addressable isn’t the same as optional

To help ensure the confidentiality of patient information and prevent a data breach, HIPAA outlines physical, administrative and technical safeguards. The technical safeguards are broken down into six standards focused on the technology that protects and controls access to PHI. Under these six standards, there are nine key areas organizations are required to implement.

However, these standards are split into two categories: “required” and “addressable”. Any covered entity or BA that doesn’t pay attention to the addressable standards is opening itself up to fines for noncompliance and an increased risk of breaches. To confirm, addressable doesn’t mean optional.

5. HIPAA penalties

Failure to comply with HIPAA can result in both civil and criminal penalties. Civil penalties are monetary, varying from $100 to $1.5 million, and enforced by OCR. Criminal penalties can result in imprisonment for 10 years or more, as enforced by the U.S. Department of Justice.

With laws differing from state to state, there’s often confusion around the criminal charges, fines and prison sentences an individual might be up against for noncompliance. These discrepancies are heightened by the fact some, but not all state and federal laws, allow individuals to sue in court for privacy violations, which can lead to additional fines or damages awards.

For covered entities and their BAs, particularly those who operate across multiple states, understanding the rules of HIPAA is just the tip of the iceberg. The consequences of noncompliance that lie below this surface can be crippling.

6. Digital and electronic signatures

An electronic signature is the action of signing electronically during a digital transaction, while a digital signature is the underlying technology that helps verify the authenticity of the transaction.

Used correctly, the security benefits of these technologies can help organizations to maintain compliance of the Security Rule through:

  • protecting the integrity of messages throughout their entire lifecycle, through digital encryption
  • providing user authentication, helping to ensure sensitive information doesn’t end up in the wrong hands, and
  • ensuring non-repudiation (assurances that a person who signs something cannot later deny that they furnished the signature) by providing digital audit trails.

However, OCR offers very little guidance on the topic of digital and electronic signatures and their use certainly doesn’t ensure HIPAA compliance. Organizations should assess every situation with caution, and use digital signatures as an additional security measure where appropriate.
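As an added example (not code from the original article), this Go program shows the three properties listed above with an Ed25519 signature over a record: integrity comes from a hash of the document rather than from encrypting it, authentication and non-repudiation from a signature only the holder of the private key could produce, and the audit trail from binding signer identity and timestamp into what is signed. The signer names, document and timestamps are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Signer binds an Ed25519 key pair to a named workforce member. In a real
// deployment the private key lives in a hardware token or key store; it is
// generated in memory here only so the example runs stand-alone.
type Signer struct {
	ID   string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner(id string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{ID: id, pub: pub, priv: priv}, nil
}

// Public returns the verification key to publish alongside the audit trail.
func (s *Signer) Public() ed25519.PublicKey { return s.pub }

// SignedRecord is one audit-trail entry: a hash of what was signed, who
// signed and when, plus a signature covering all three fields so that none
// of them can be altered without detection.
type SignedRecord struct {
	DocHash   string // SHA-256 of the document bytes, hex encoded
	SignerID  string
	SignedAt  string // RFC 3339 timestamp
	Signature []byte
}

// canonical is the exact byte string the signature is computed over.
func (r SignedRecord) canonical() []byte {
	return []byte(r.DocHash + "|" + r.SignerID + "|" + r.SignedAt)
}

// Sign hashes the document and signs the hash together with the signer
// identity and timestamp. The document itself is never encrypted.
func (s *Signer) Sign(doc []byte, at time.Time) SignedRecord {
	sum := sha256.Sum256(doc)
	r := SignedRecord{
		DocHash:  hex.EncodeToString(sum[:]),
		SignerID: s.ID,
		SignedAt: at.UTC().Format(time.RFC3339),
	}
	r.Signature = ed25519.Sign(s.priv, r.canonical())
	return r
}

// Verify checks integrity (doc still matches the signed hash) and
// authenticity (the signature was produced with the private key matching
// pub). A signer cannot later repudiate a record that verifies under their
// published key, provided that key was only ever in their possession.
func Verify(pub ed25519.PublicKey, doc []byte, r SignedRecord) error {
	sum := sha256.Sum256(doc)
	if hex.EncodeToString(sum[:]) != r.DocHash {
		return errors.New("document altered after signing")
	}
	if !ed25519.Verify(pub, r.canonical(), r.Signature) {
		return errors.New("signature invalid: wrong signer or audit fields tampered")
	}
	return nil
}

func main() {
	dr, _ := NewSigner("dr.smith")  // constructed signer identity
	doc := []byte("Rx: 10mg daily") // constructed document
	rec := dr.Sign(doc, time.Now())
	fmt.Println("original :", Verify(dr.Public(), doc, rec))
	fmt.Println("altered  :", Verify(dr.Public(), []byte("Rx: 100mg daily"), rec))
	rec.SignedAt = "2017-01-01T00:00:00Z" // backdating the audit entry
	fmt.Println("backdated:", Verify(dr.Public(), doc, rec))
}
```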

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

10 Steps for Ensuring HIPAA Compliance 


1. Development of privacy policies. Healthcare organizations must develop, adopt and implement privacy and security policies and procedures. They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs.

2. Appointment of privacy and security officers. Healthcare organizations should appoint a privacy and security officer. This could either be the same or different individuals. This person should be conversant in all HIPAA regulations and policies.

3. Conducting regular risk assessments. Healthcare organizations should regularly conduct risk assessments to identify vulnerabilities. This will help ensure the confidentiality and integrity of protected health information. It is important to remediate any identified risks and revise policies, if necessary, to minimize risk.

4. Adoption of email policies. Healthcare organizations should adopt policies regarding the use of email. "The Office of Civil Rights does not look too kindly on organizations who haven't established policies regarding mobile devices and email communication." HIPAA does not prohibit the use of email for transmitting protected health information, and it does not require that the email be encrypted, but it is best to encrypt email if possible. If your organization can't encrypt email, make sure that your patients are aware of the risks they are facing if they ask for their health information over email.

5. Adoption of mobile device policies. Healthcare organizations should adopt strict policies regarding the storage of protected health information on portable electronic devices, and they should regulate the removal of those electronic devices from the premises. HHS has issued guidance regarding the use of mobile devices, and healthcare organizations should be familiar with it.

6. Training. Training all employees who use or disclose protected health information and documenting that training, is an essential step to ensuring HIPAA compliance. Healthcare organizations should also conduct refresher courses and train the employees in new policies and procedures.

7. Notice of Privacy Practices. A Notice of Privacy Practices should be correctly published and distributed to all patients. It should also be displayed on the organization's website, and the organization should obtain acknowledgement of receipt from all its patients. The notice should be updated whenever policies are revised, and it will need to be updated now to reflect the provisions of the Omnibus Final Rule.

8. Entering into valid agreements. Healthcare organizations should ensure that they are entering into valid business associate agreements with all business associates and subcontractors. Any existing business associate agreements will have to be updated to reflect the changes to HIPAA under the final rule, such as the expansion of liability of business associates.

9. Adoption of potential breach protocols. A protocol for investigating potential breaches of protected health information is a must. The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred. If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities.

10. Implementation of privacy policies. Privacy and security policies must be properly implemented by healthcare organizations, and they should sanction employees who violate them.

These 10 steps will help healthcare organizations ensure that they remain HIPAA compliant, but organizations are also encouraged to check the resources available on the Office of Civil Rights website, such as sample business associate agreements and audit protocols.


HIPAA Risk Assessment Requirements


Understanding your need for a HIPAA risk assessment is one of the best ways that behavioral health practices can defend against HIPAA fines.

In order to be HIPAA compliant you must address all elements of the law, but one of the most essential places to start is by fulfilling your mandatory HIPAA risk assessments. But how do you know what your HIPAA risk assessment requirements are under the law?

What’s a HIPAA Risk Assessment?

Let’s start with a simple explanation of the risk assessments required for HIPAA compliance.

A HIPAA risk assessment is an audit of your practice to assess the status of your compliance. HIPAA risk assessments give you a better understanding of the gaps that you currently have in your compliance program, so that you can build remediation plans to fix them.

HIPAA regulation outlines that you must conduct Physical, Administrative, and Technical risk assessments within your practice in order to be HIPAA compliant. These risk assessments will measure your practice against HIPAA regulatory standards.

Beyond HIPAA Risk Assessments

Once you’ve completed your risk assessments, you’ll have a clear understanding of which HIPAA standards you need to address.

Remediation plans help organize your compliance program so that you can understand where to focus your efforts to become HIPAA compliant. By completing your remediation plans with HIPAA policies and procedures, you help protect your behavioral health practice from liability in the event of a HIPAA violation in the future.

HIPAA risk assessments are only the first step among many that you need to take to become compliant with the law. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has an online HIPAA risk assessment tool that health care providers across the industry can access.

However, HHS does not have a tool for following up on these risk assessments with remediation plans, policies and procedures, employee training, documentation, business associate management, and breach management. Finding a HIPAA compliance solution to address the remainder of the federally mandated HIPAA standards should be your next step for protecting your practice from breaches and fines.


HIPAA and Ransomware: What You Need to Know


When it comes to HIPAA and ransomware, there are some key responsibilities that health care professionals have when handling an incident. Following the regulation is essential to keeping your behavioral health practice out of the headlines and mitigating the risk to patients’ sensitive health data.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has yet to release new regulation specifically in regards to HIPAA and ransomware. However, in 2016 after a string of ransomware attacks impacted hospitals and health services across North America, guidance was released about how to handle a ransomware incident should one impact your practice.

What is Ransomware?

Ransomware is a type of malware that infects your computer or network. The malicious software automatically encrypts your data, and then the hackers responsible demand a ransom in exchange for access.

Sometimes, the ransomware will even give health care providers a countdown: pay the ransom within the time allotted, or face permanently losing access to this electronic protected health information (ePHI). ePHI is any health care data that can be used to identify a patient that is stored in electronic format, such as electronic health records systems (EHRs).

How to Handle HIPAA and Ransomware

In the event of a ransomware incident, the first thing you should do is report the incident to local law enforcement. HHS guidance on the matter even goes so far as to include contacting the FBI, though this is only fully necessary for larger organizations such as hospital systems.

If you have reason to believe that ePHI has been accessed by the hackers, then you must also report the breach to OCR. If your organization already has an effective HIPAA compliance solution in place, then you should have full documentation in place that can prove to OCR investigators that you’ve done everything possible to prevent breaches.

Having a HIPAA compliance program in place can’t prevent a ransomware attack from occurring, but it’s your best defense against heavy federal fines in the event that a breach does occur. HIPAA fines have already reached $17.1 million in 2017 alone, which is set to outpace 2016’s record breaking $23.5 million.


HIPAA compliance patient engagement strategy


HIPAA compliance as a patient engagement strategy is becoming more and more appealing for health care professionals of all kinds. Behavioral health professionals in particular can capitalize on an effective HIPAA compliance program as another means of developing a patient engagement strategy: attracting new patients who care about the integrity of their health care data.

Developing a patient engagement strategy is an essential way to attract new patients to your practice. Common methods that you can capitalize on include developing a social media presence or creating a newsletter to highlight industry updates or services you offer.

But HIPAA compliance gives you a unique way to address patients’ needs for data privacy, all while satisfying the regulatory requirements put forth by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

HIPAA Compliance as a Differentiator

By implementing an effective HIPAA compliance program in your practice, you can be directly involved in ongoing national conversations about data privacy and security. With ransomware incidents in the news week after week, and new concerns about data breaches reaching unprecedented levels, HIPAA compliance is the perfect way to address these concerns for your prospective patients.

Think of it this way: in the same way that concerned buyers will shop around for the perfect laptop to meet their needs, a discerning patient will shop around for a behavioral health practice that works for them. Data security-minded individuals are a growing demographic of health care consumers, especially among millennials in today’s market.

Adopting a HIPAA compliance program can allow you to address these concerns, and give you a new way to market your business. You can make your practice stand out from others in your area, all while protecting the sensitive health data that you come into contact with daily.


You Have an EHR- But are you HIPAA Compliant?


Adopting an EHR platform is an important step into the digital age, but are you protecting your behavioral health practice with HIPAA compliance?

For many behavioral health practices, choosing an EHR (electronic health records) platform has become more pressing. National conversations about health data moving away from paper files have been growing since the HITECH Act was first passed in 2009.

Many EHR platforms advertise that their services are HIPAA compliant. This is an excellent measure that should be used to judge the safety and integrity of the data being stored in the EHR system.

However, there is a major misconception surrounding the use of HIPAA-compliant EHR systems and having a HIPAA-compliant behavioral health practice.

It’s important to remember that just because you use a HIPAA-compliant EHR vendor, it does not mean that your practice is in any way HIPAA compliant.

What Does HIPAA Compliance Require?

HIPAA compliance for behavioral health specialists includes an extensive series of privacy and security standards as outlined by federal HIPAA regulation. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has strict guidelines, which health care providers must adhere to in order to be HIPAA compliant.

Some of these requirements include:

  • Self-Audits – HIPAA requires you to conduct annual audits of your practice to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards.
  • Remediation Plans – Once you’ve identified gaps, you must implement remediation plans to reverse compliance violations.
  • Policies, Procedures, Employee Training – To avoid compliance violations in the future, you’ll need to develop Policies and Procedures corresponding to HIPAA regulatory standards. Annual staff training on these Policies and Procedures is required.
  • Documentation – Your practice must document the efforts it takes to become HIPAA compliant. This documentation is critical during a HIPAA investigation with HHS.
  • Business Associate Management – You must document all vendors with whom you share protected health information (PHI), and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability.
  • Incident Management – If your practice has a data breach, you must have a process to document the breach and notify patients that their data has been compromised.

Once again, having a HIPAA-compliant EHR system is invaluable, especially in the age of Meaningful Use incentives and federal guidance moving away from paper records. It’s essential that you adopt a complete HIPAA compliance solution in your practice in order to fully protect against the data breaches and OCR fines that are growing year by year.


5 Essential Steps to Ensure an Effective HIPAA Program


HIPAA Compliance is a term that is often thrown around the healthcare industry; however, I commonly ask myself – is the meaning of HIPAA Compliance the same throughout the industry? The answer is NO! Walking into a healthcare organization in the last month, the HIPAA Privacy Officer was excited to tell me that they are fully HIPAA compliant and don’t have any on-going concerns with meeting the regulations. A quick review of the documentation requirements and auditing practices indicated that there were many missing holes in their HIPAA Compliance Program. As I spoke with the HIPAA Privacy Officer, she provided me with the tool she used to get to their current state with HIPAA. Needless to say, the tools were missing core components of documentation requirements and didn’t have specific essentials for on-going maintenance for compliance. This left the organization at risk for a HIPAA data breach or unauthorized use or disclosure of health information!

Trying to achieve a satisfactory level of HIPAA compliance at an organization can be a frustrating and daunting task. Sitting down looking at the rule can be overwhelming. Digging through the pages of information in a HIPAA manual or diving into the Federal Register can be impossible with all the other tasks assigned within a job. In addition, it is easy to want to sit down and solve the HIPAA compliance issue you have in one day or one week; however, this often leads to failure and inability to create a program that protects your patient information.

We don’t wake up one morning, decide to run a marathon and go out and accomplish the overwhelming 26.2 miles (well, most of us). Normally if you are going to run a marathon, you find a training program that lasts 16-18 weeks, create a plan for cross training activities within your training program, and ask for support and help along the way. That concept and mindset can be transferred to HIPAA compliance as well!

One of the most effective ways to properly implement a solid HIPAA program is creating an action plan for compliance and assigning small regular tasks to get through the entire HIPAA regulation. It is very important that HIPAA is an on-going process within the organization. It is not just a ‘one and done’ type of regulation, due to the nature of the work that we do in healthcare and the vast changes within the technologies we use.

To help with HIPAA Compliance – here are 5 Essential Steps that must be taken to achieve a solid HIPAA Compliance Program.


How to Assess Practice Risk to HIPAA and the HITECH Act?


Since President Obama signed the HITECH Act (Health Information Technology for Economic and Clinical Health Act) in February 2009, the relationship between the Act and HIPAA (the Health Insurance Portability and Accountability Act), and the Act's influence on HIPAA, have drawn physician and practice manager attention to effective risk assessment.

American Health Lawyers Association Recommendation

This group recommends that practice professionals approach risk assessment regarding HIPAA and HITECH as a component of an Enterprise Risk Management (ERM) program. ERM, used by public and private corporations around the globe, is an ongoing decision-making program. In the healthcare industry, the board of directors or executive administrators typically design, install and use their plan to assess and reduce risk across all areas of patient care and compliance, and to maximize the return on investment.

The Association reminds executives and administrators that Section 6401 of the Affordable Care Act requires that medical providers establish a compliance program as a condition of enrollment in the coming affordable healthcare legislation.

Risk Assessment Parameters

The core fundamentals of risk assessment programs, common to most businesses, regardless of industry, are familiar to many veteran executives. Components include the following items.

  • Written policy and procedure manuals.
  • Designating a Compliance Officer and/or Compliance Committee.
  • Providing staff with thorough training and education.
  • Disciplinary standards that are clearly defined.
  • A workable monitoring and auditing program.
  • Written response plan to mitigate losses.

Your risk assessment and compliance program should be as specific as you can make it. While it is impossible to address every possible eventuality, noting every potential risk you can identify in your policy and procedure manuals helps your staff manage their daily responsibilities more efficiently—with less risk.

Have the Compliance Officer or Committee monitor staff to be sure they follow the procedures your program mandates. Spend the time to write a plan to respond to increased risks your Compliance Officer discovers. This encourages fast action by your Compliance Officer or Committee to lower losses and quickly solve perceived risk issues.

The CMS (Centers for Medicare & Medicaid Services) Manual outlines the risk assessment compliance program guidelines, which emphasize the following issues.

  • Prevention, detection and correction of non-compliance conditions.
  • Identifying and reducing fraud, abuse and waste.

Evaluating Risk Involving HIPAA and the HITECH Act

Compliance program guidelines specify three assessments providers should conduct. These actions also fit ERM parameters and guidelines, along with being specified by the Code of Federal Regulations (C.F.R.).

  • Security Evaluation. This is required under the Security Rule section and applies to providers, business associates or partners and subcontractors alike. All must “perform periodic technical and nontechnical evaluations . . .” when responding to environmental or operational changes affecting the security of electronic health information protected by law.
  • Risk Assessment of Specific Items. This is required under the Security Rule at 45 C.F.R. (Code of Federal Regulations) section 164.308(a)(1)(ii)(A). Highly technical, this requirement should be performed per NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments.
  • Risk of Harm Assessment. A requirement of the Breach Notification Rules, the practice must address “the implications and notification requirements” that are part of its ERM program.

The bottom line is that physicians must complete these three assessments and design an overall ERM plan that addresses as many risk issues as they can identify for their specific practices. It is vital that all medical providers create an organizational risk assessment program that encourages long-term compliance with HIPAA, the HITECH Act and all other regulations that apply.

Designing an ERM plan as described makes assessing potential practice risk, and avoiding HIPAA, HITECH Act and other regulatory violations, normal operating procedure instead of a compliance or loss crisis.


HIPAA Requirements – Still Posing a Challenge for Healthcare Organizations and Business Associates


Last fall, during the HIPAA Security Conference in Washington, DC, statistics were released by the HHS Office for Civil Rights detailing the types of security breaches that were reported. The biggest takeaway was that 80% of the reported breaches were caused by human error. That astonishing figure clearly indicates that one of the primary reasons these breaches are occurring is due to the lack of employee training in HIPAA requirements and safeguards.

The reported breaches were caused by theft, loss, unauthorized access or disclosure, and improper disposal of protected health information. Most, if not all, of these causes are preventable. The HIPAA Security Rule mandates that if your organization is a Covered Entity or a Business Associate, you must have a HIPAA Security Awareness Training Program in place.

The HIPAA Security Rule specifically states that a Covered Entity or a Business Associate must provide training that meets the requirements of the Code of Federal Regulations, as follows:

  • The training for a Covered Entity or Business Associate must cover all policies and procedures with respect to safeguards for electronic protected health information;
  • Each member of the Covered Entity's or Business Associate’s workforce must receive the training;
  • The training must occur within a reasonable period of time after the new staff member joins the Covered Entity's or Business Associate’s workforce;
  • A Covered Entity or Business Associate must document that the training was provided;
  • Training must occur on an annual basis, at minimum.

Keeping a workforce educated and aware of how to prevent HIPAA regulation breaches is critical to any compliance program. Training a workforce must be ongoing and comprehensive and not just ticket punching to meet the annual regulatory requirement. The use of periodic security reminders is vital. Discuss best practices to safeguard protected health information on a regular basis, such as during staff meetings or through email reminders.

Reinforcing an organization’s HIPAA Sanction Policy can highlight the serious repercussions, including disciplinary actions or termination, if someone in your workforce violates policy and procedures.

Protenus, an organization that advocates patient privacy protection, recently released a white paper that examined the cost of data breaches to healthcare companies. The costs reported in the paper are staggering, e.g., “Breach notification costs $560,000 on average;” and “for each data breach, healthcare organizations average $3.7 million in lost revenue.”

Among 2016’s HIPAA settlements, there were three substantial fines in the amounts of $5.5, $3.9, and $2.75 million. This year began with another large settlement of $2.2 million in a case involving the theft of an unencrypted USB drive containing the protected health information of 2209 individuals.

HIPAA training and education is cost effective and plays a critical role in reducing or even eliminating breaches caused by human error that can result in substantial fines.


Protecting PHI: Managing HIPAA Risk with Outside Consultants


The rising complexity of healthcare, particularly as it relates to providers’ growing technical needs, is increasingly prompting healthcare organizations to seek the help of outside consultants. In engagements with healthcare entities, though IT consultants try to minimize interaction with patient data, they often have access to protected health information (PHI). When working with HIPAA Covered Entities, consultants are treated as “business associates” and are required to comply with Privacy Rules designed to protect PHI.

Managing HIPAA compliance when engaging outside consultants requires that consultants enter into a Business Associate Agreement (BAA). The BAA must:

  • Describe the permitted and required uses of PHI by the business associate in the context of their role
  • Provide that the business associate will not use or further disclose the PHI, other than as permitted or required by the contract or by law
  • Require the business associate to use appropriate safeguards to prevent a use or disclosure of the PHI, other than as provided for by the contract

Here are several best practices to follow to ensure the protection of PHI in consulting arrangements.

FTE Mentality

During the contract period, the expectation is that consultants act as if they were an employee of the hospital or provider organization and therefore treat PHI in this manner. It is important to know that consultant business associates could be held liable or equally responsible for a PHI data breach in the same way a full-time employee could be.

Role-Based Access Rules

Limit access to PHI based on role to ensure that only the parties that need PHI have access to it. An IT strategist, for example, does not need to see live patient data. Associates leading implementation projects, on the other hand, may need access to live PHI. Typically, this occurs late in the implementation process, when the time comes to test a system with live, identifiable patient data.

Safeguard Access Points

If a hospital wants a consultant to have regular access to PHI, it would be preferable that the hospital provides the consultant with a computer or device with appropriate access authorizations and restrictions in place. Avoid the use of personal devices whenever possible. Make sure that only approved and authorized devices can be used inside the firewall, and require multi-factor authentication during log-in. Avoid inappropriate access to PHI by way of shared or public data access points. Don’t allow access to PHI in settings where others could observe or intercept it.

Keep it Local

Don’t take PHI away from the source of use. Consultants should avoid storing PHI on personal devices, including smart phones, which are particularly susceptible to theft and loss. Devices used to store or access PHI must be registered. Best practices often include controls giving IT staff advance permission to remotely wipe or lock a stolen registered device. Avoid leaving registered devices in cars or unprotected areas.

Paper-based reports also pose a threat of PHI leakage. Documents you take home over the weekend, for example, could be accessed by family members, lost, or stolen. Electronic, paper, verbal and image-based PHI should all be kept confidential and secured. Of course the regulations also cover visual and verbal protections. When accessing PHI, avoid allowing others to view your screen over your shoulder. When discussing PHI, make sure only those who need to know and have appropriate authority can hear the conversation.

The healthcare industry is making great strides in establishing digital infrastructure, much of which is cloud-based, putting new onus on providers and their business partners to ensure the security of that information. No one wants to make headlines for the latest data breach, least of all the IT consultants hired by providers to help guide their data management efforts. Rigorous attention to HIPAA Privacy Rule guidelines is not only required – it’s imperative to maintaining trust in the healthcare ecosystem.


4 Steps to Mitigate a HIPAA Breach and Other Tips You Need to Know


Have you been the victim of a breach? Maybe not, but perhaps you know someone who has. Either way, deciding what to do next can be challenging if you're unprepared. 

First, it's important to determine whether the incident is truly a breach or simply a false alarm, then follow these guidelines to quickly respond.

What is Considered a Breach?
The Department of Health and Human Services (HHS) defines a breach as:

“The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.”

The reason I bring this up is that the definition was updated with the latest Omnibus Rule, which no longer includes the “Harm Standard.” This means if you have a release of information of any kind, be it a fax or email to the wrong person, a malware attack, loss of an unencrypted device, etc., you have a breach. This is different from the earlier version of the law, which required you to prove the information had been compromised. Now, it’s presumed a breach unless proven otherwise.

Steps to Mitigating a Breach
When responding to a breach, HHS expects you to have your response protocol in place BEFORE a breach happens, so we highly recommend including this as part of your HIPAA Compliance Plan. This is the best way to protect yourself if and when a breach does occur. To get started, follow these four steps: 

Step 1: Perform A Risk Analysis
This first step is important and is required by HIPAA. Your Risk Analysis needs to be conducted quickly and should be as thorough as possible. Here's what to look for:

  1. When did the breach start and end?
  2. What date did you discover the breach?
  3. Approximately how many individuals are affected?
  4. What type of breach has occurred?
    • Hacking/IT Incident
    • Improper disposal of PHI
    • Loss 
    • Theft 
    • Unauthorized Access/Disclosure
  5. Where did the breach occur?
  6. What type of PHI is involved?
    • Clinical
    • Demographic
    • Financial
    • Other

As you review this information, you will have a better idea of what happened and whether or not a breach actually took place.

Step 2: Contact the Authorities
At this point, if you’ve discovered that indeed this is a breach, and if you determine a criminal act has transpired, contact your local authorities. For malware issues, you may be referred to the FBI to file an official complaint. 

Step 3: Notification of Patients
Each patient must be notified of the breach by U.S. Mail, unless you have clearly outlined in your Notice of Privacy Practices that notifications will be sent by email. However, if you determine notifications will be sent electronically, all patients must agree and sign off on this method of communication. This can save you a lot of time and money, so we highly recommend including this clause in your compliance plan. To add this clause, contact your lawyer, or the team at Total HIPAA to make sure this is properly laid out.

The Substitute Notice: This is required when you cannot reach 10 or more individuals. You now have two options: 1) You may post the Notice on your website for 90 days, or 2) You can contact local media outlets and have them post the breach notification.

What is Required to be in the Patient Notification?

  1. A brief description of what happened, the date of the breach and the date the breach was discovered.

  2. A description of the types of unsecured PHI involved in the breach (name, address, date of birth, SSN, health information, treatment codes, etc.)

  3. The steps individuals should take to protect themselves from potential harm. The action could be different for each incident.

  4. A brief description of what the covered entity involved is doing to investigate the breach, to mitigate damage, and to protect against future breaches.

  5. Contact procedures for individuals to ask questions or learn additional information: a phone number, an email address, a website, or a postal address.

Step 4: Notifying HHS of the Breach, or The Rule of 500

Under 500 Patients Affected
If you have a breach of fewer than 500 patients’ information, you are not required to notify HHS at the time the breach is discovered. You will, however, need to document all the items described above and report the breach to HHS at the end of the calendar year. Notifications must be submitted to HHS within 60 days of the last day of the year and can be filed online using OCR's notification portal.

Over 500 Patients Affected
If you have a breach affecting more than 500 patients’ information, you are required to notify HHS immediately. You should also verify the HIPAA breach notification rules for your respective state, as these may vary. In several states, such as California, you are also required to notify the Office of the Attorney General. As always, check with your attorney if you have any questions about your specific state’s notification requirements.
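As an added example that is not part of the article or Total HIPAA's material, the following Python helper turns the four steps above into a dated checklist for the incident file. It uses constructed inputs; the HHS threshold is implemented as 500 or more individuals (the Breach Notification Rule's wording), and the substitute-notice end date assumes the website posting goes up on the discovery date.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class BreachFacts:
    """Facts gathered in the Step 1 risk analysis (all values are constructed inputs)."""
    discovered: date
    individuals_affected: int
    unreachable: int = 0                  # individuals with no usable mailing address
    criminal_act_suspected: bool = False
    email_consent_on_file: bool = False   # patients signed off on e-mail notification


def hhs_deadline(discovered: date, individuals_affected: int) -> date:
    """Rule of 500: 500 or more individuals means notify HHS at once (the Breach
    Notification Rule's threshold, assumed here); fewer means log the breach and
    file it within 60 days after the end of the calendar year of discovery."""
    if individuals_affected >= 500:
        return discovered
    return date(discovered.year, 12, 31) + timedelta(days=60)


def substitute_notice_end(posted: date) -> date:
    """A website substitute notice must stay posted for 90 days."""
    return posted + timedelta(days=90)


def notification_plan(b: BreachFacts) -> list[tuple[str, date | None]]:
    """Return (action, deadline) pairs that follow the article's four steps."""
    plan = [("Step 1: document the risk analysis (dates, count, type, location, PHI)", None)]
    if b.criminal_act_suspected:
        plan.append(("Step 2: contact local law enforcement (FBI for malware)", None))
    channel = "email" if b.email_consent_on_file else "U.S. Mail"
    plan.append((f"Step 3: notify each affected individual by {channel}", None))
    if b.unreachable >= 10:
        # Assumes the website substitute notice goes up on the discovery date.
        plan.append(("Step 3: substitute notice on website or via local media, keep until",
                     substitute_notice_end(b.discovered)))
    if b.individuals_affected >= 500:
        plan.append(("Step 4: notify HHS immediately; check state AG requirements too",
                     hhs_deadline(b.discovered, b.individuals_affected)))
    else:
        plan.append(("Step 4: file with HHS via the OCR portal in the annual report",
                     hhs_deadline(b.discovered, b.individuals_affected)))
    return plan


if __name__ == "__main__":
    small = BreachFacts(date(2024, 3, 15), individuals_affected=120, unreachable=12)
    for action, due in notification_plan(small):
        print(f"{str(due or 'no fixed date'):<14} {action}")
```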

What Happens if You Don’t Self-Report a Breach?
If you are chosen for a HIPAA audit and the auditor discovers you have not self-reported breaches, this falls under the Willful Neglect provision, and you may be fined starting at $10,000 per violation. As you can see, self-reporting is the better action here.

Exceptions to Notification Rules
Law enforcement officials may ask the Covered Entity to refrain from posting any notification if they believe it could impede a criminal investigation or may cause damage to national security.

What Happens if your Business Associate is responsible for a Breach?
Unfortunately, this is happening more and more, and even though you have a Business Associate Agreement in place, this could still open you up to an audit from HHS as a result of the Common Agency Provision in the Omnibus Rule.

We recommend that you have a clause in your Business Associate Agreement that states you will be notified within 15 days of a suspected breach of information. Since you are the Covered Entity, it's best that you take the lead on patient notification. Make sure you get a full report from your Business Associate, including what they are doing to mitigate the breach. It’s important to communicate all relevant information to your patients so they can protect themselves.

Medical Identity Thefts Account for 43% of all Reported Identity Theft Cases in U.S.

You may want to ask your medical or dental provider what measures they are taking to protect your electronic health records. In some cases, the answer may surprise you. Here is a recent article from USA Today that will get your attention.

Nearly half of identity thefts in U.S. are medical info.

Story Highlights

  • Medical records of between 27.8 million and 67.7 million people have been breached since 2009
  • Thieves have used stolen medical information for all sorts of nefarious reasons
  • Perpetrators use different methods to obtain information, from stealing laptops to hacking into computer networks

If modern technology has ushered in a plague of identity theft, one particular strain of the disease has emerged as most virulent: medical identity theft.

Last month, the Identity Theft Resource Center produced a survey showing that medical-related identity theft accounted for 43% of all identity thefts reported in the United States in 2013. That is a far greater chunk than identity thefts involving banking and finance, the government and the military, or education. The U.S. Department of Health and Human Services says that since it started keeping records in 2009, the medical records of between 27.8 million and 67.7 million people have been breached.

The definition of medical identity theft is the fraudulent acquisition of someone's personal information – name, Social Security number, health insurance number – for the purpose of illegally obtaining medical services or devices, insurance reimbursements or prescription drugs.

"Medical identity theft is a growing and dangerous crime that leaves its victims with little to no recourse for recovery," said Pam Dixon, the founder and executive director of World Privacy Forum. "Victims often experience financial repercussions and worse yet, they frequently discover erroneous information has been added to their personal medical files due to the thief's activities."

The Affordable Care Act has raised the stakes. One of the main concerns swirling around the disastrous rollout of federal and state health insurance exchanges last fall was whether the malfunctioning online marketplaces were compromising the confidentiality of Americans' medical information. Meanwhile, the law's emphasis on digitizing medical records, touted as a way to boost efficiency and cut costs, comes amid intensifying concerns over the security of computer networks.

Edward Snowden, the former National Security Agency contractor who has disclosed the agency's activities to the media, says the NSA has cracked the encryption used to protect the medical records of millions of Americans.

MULTIPLE MOTIVES

Thieves have used stolen medical information for all sorts of nefarious reasons, according to information collected by World Privacy Forum, a research group that seeks to educate consumers about privacy risks. For example:

  • A Massachusetts psychiatrist created false diagnoses of drug addiction and severe depression for people who were not his patients in order to submit medical insurance claims for psychiatric sessions that never occurred. One man discovered the false diagnoses when he applied for a job. He hadn't even been a patient.
  • An identity thief in Missouri used the information of actual people to create false driver's licenses in their names. Using one of them, she was able to enter a regional health center, obtain the health records of a woman she was impersonating, and leave with a prescription in the woman's name.
  • An Ohio woman working in a dental office gained access to protected information of Medicaid patients in order to illegally obtain prescription drugs.
  • A Pennsylvania man found that an imposter had used his identity at five different hospitals in order to receive more than $100,000 in treatment. At each spot, the imposter left behind a medical history in his victim's name.
  • A Colorado man whose Social Security number, name and address had been stolen received a bill for $44,000 for a surgery he had not undergone.

Perpetrators use different methods to obtain the information, ranging from stealing laptops to hacking into computer networks, according to Sam Imandoust of the Identity Theft Resource Center. "With a click of a few buttons, you might have access to the records of 10,000 patients. Each bit of information can be sold for $10 to $20," he said.

According to HHS, the theft of a computer or other electronic device is involved in more than half of medical-related security breaches. Twenty percent of medical identity thefts result from someone gaining unauthorized access to information or passing it on without permission. Fourteen percent of breaches can be attributed to hacking.

"We say encrypt, encrypt, encrypt," said Rachel Seeger, a spokesman for HHS's Office for Civil Rights, which is charged with investigating breaches of medical records in health plans, medical practices, hospitals and related institutions.

RELYING ON THE HONOR SYSTEM

The records in a laptop that a fired employee lifted from the North County Hospital in Newport, Vt., last year had not been encrypted. The laptop contained the records of as many as 550 patients. Around the time that breach was uncovered, HHS cited the hospital for a second breach involving two employees gaining access to records without authorization. Those cases are ongoing.

Wendy Franklin, director of development and community relations at North County, said the hospital generally does encrypt its records. Franklin also noted that North County requires all of its employees to sign agreements not to disclose medical records and to undergo training in confidentiality laws and procedures. She also said the hospital has instituted an audit to track access to private health records. But, in the end, Franklin said, the hospital largely has to rely on the honor system.

Two federal laws govern the confidentiality of medical records: the Health Insurance Portability and Accountability Act (HIPAA), originally passed in 1996, and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. Together they lay out what health care providers and affiliated businesses are required to do to protect patient confidentiality.

According to James Pyles, a Washington, D.C., lawyer who has dealt with health issues for more than 40 years, all 50 states have their own privacy laws and 46 of them require consumer notification when there is a security breach of private records.

HHS can impose a civil fine of between $100 and $50,000 for each failure of a business, institution or provider to meet privacy standards, up to a maximum of $1.5 million per year. A person who knowingly violates HIPAA faces a criminal fine of $50,000 and up to a year in prison. If the perpetrator tried to sell the information for "commercial advantage, personal gain or malicious harm," he or she could face a $250,000 fine and up to 10 years in prison.

The HIPAA law includes exceptions that allow a provider to share medical information without a patient's permission. A common example is when hospital business offices share information for the purpose of seeking payment. But there are also exceptions for "public health activities," "health oversight activities," "law enforcement purposes," and other purposes. No wonder, Pyles said, some patients are reluctant to disclose to a medical provider that they have a sexually transmitted disease or a mental illness unless they have to.

Under the HITECH law, a medical provider, health plan or medical institution must notify patients when a breach of their medical records is discovered. HHS must also be contacted. HHS discloses breaches involving 500 or more patients.

Discovery of the breach is useful but doesn't correct the mischief that may have happened. Although patients can have corrected information put in their files, it's difficult to get fraudulent information removed because of the fear of medical liability.

"It's almost impossible to clear up a medical record once medical identity theft has occurred," said Pyles. "If someone is getting false information into your file, theirs gets laced with yours and it's impossible to segregate what information is about you and what is about them."

Pyles describes the status quo as "the worst of two worlds." The U.S. has "a regulated industry that is saddled with laws with so many loopholes that they don't know what they are responsible for, and a public that doesn't believe their health information is being protected."
