HIPAA Compliance for Medical Practices

10 common HIPAA violations and preventative measures to keep your practice in compliance


The HIPAA law protecting patient health information is well known to personnel in most physician offices. Questions remain, however, about HIPAA's rules and regulations. Providers who are not up to date with changes in the law risk violations that could not only damage a practice's reputation but also result in criminal and civil fines.

The Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, was established in 1996 to set national standards for the confidentiality, security, and transmissibility of personal health information.

Healthcare providers are required, under the HIPAA Privacy Rule, to protect and keep confidential any personal health information. It also sets limits and conditions on its use and disclosure without patient authorization. The Rule also gives patients rights to their health information, including rights to obtain a copy of their medical records, and request corrections.

HIPAA does have exceptions, however, for situations where the rule would hinder the ability to provide quality healthcare services. One example is a discussion between two physicians who are both treating a patient. Peer review activities, disclosures needed by health plans to resolve billing questions, and other similar situations are also exempted.

The Department of Health and Human Services defines covered entities as healthcare providers, health plans, and healthcare clearinghouses, which include hospitals, physicians, chiropractors, dentists, optometrists, schools, nonprofit organizations that provide some healthcare services, and even government agencies. The list of those affected by HIPAA does not end there, however.

HIPAA violations can result in substantial fines to a practice ranging from $100 to $1.5 million. Healthcare providers can also be at risk for sanctions or loss of license.

We list below some of the more common reasons for HIPAA violation citations:

1. Employees disclosing information – Employees gossiping about patients to friends or coworkers is a HIPAA violation that can cost a practice a significant fine. Employees must be mindful of their environment, restrict conversations regarding patients to private places, and avoid sharing any patient information with friends and family.

2. Medical records mishandling – Another very common HIPAA violation is the mishandling of patient records. If a practice uses written patient charts or records, a physician or nurse may accidentally leave a chart in the patient's exam room available for another patient to see. Printed medical records must be kept locked away and safe out of the public's view.

3. Lost or Stolen Devices – Theft of PHI (protected health information) through lost or stolen laptops, desktops, smartphones, and other devices that contain patient information can result in HIPAA fines. Mobile devices are the most vulnerable to theft because of their size; therefore, the necessary safeguards, such as password-protected access and encryption of patient-specific information, should be put in place.

4. Texting patient information – Texting patient information such as vital signs or test results is often an easy way that providers can relay information quickly. While it may seem harmless, it is potentially placing patient data in the hands of cyber criminals who could easily access this information. There are new encryption programs that allow confidential information to be safely texted, but both parties must have it installed on their wireless device, which is typically not the case.

5. Social Media - Posting patient photos on social media is a HIPAA violation. While it may seem harmless if a name is not mentioned, someone may recognize the patient and know the doctor's specialty, which is a breach of the patient's privacy. Make sure all employees are aware that the use of social media to share patient information is considered a violation of HIPAA law.

6. Employees illegally accessing patient files - Employees accessing patient information when they are not authorized is another very common HIPAA violation. Whether it is out of curiosity, spite, or as a favor for a relative or friend, this is illegal and can cost a practice substantially. Also, individuals who use or sell PHI for personal gain can be subject to fines and even prison time.

7. Social breaches - An accidental breach of patient information in a social situation is quite common, especially in smaller, more rural areas. Most patients are not aware of HIPAA laws and may make an innocent inquiry to the healthcare provider or clinician in a social setting about their friend who is a patient. While these types of inquiries will happen, it is best to have an appropriate response planned well in advance to reduce the potential of accidentally releasing private patient information.

8. Authorization Requirements - A written consent is required for the use or disclosure of any individual's personal health information that is not used for treatment, payment, healthcare operations, or permitted by the Privacy Rule. If an employee is not sure, it is always best to get prior authorization before releasing any information.

9. Accessing patient information on home computers – Most clinicians use their home computers or laptops after hours from time to time to access patient information to record notes or follow-ups. This could potentially result in a HIPAA violation if the screen is accidentally left on and a family member uses the computer. Make sure your computer and laptop are password protected and keep all mobile devices out of sight to reduce the risk of patient information being accessed or stolen.

10. Lack of training - One of the most common reasons for a HIPAA violation is an employee who is not familiar with HIPAA regulations. Often only managers, administration, and medical staff receive training although HIPAA law requires all employees, volunteers, interns and anyone with access to patient information to be trained. Compliance training is one of the most proactive and easiest ways to avoid a violation.

The privacy and security of patient health information should be a priority for all healthcare clinicians and medical professionals. Make sure your materials are current, update your manuals, and conduct annual HIPAA training to prevent potential violations. Most violations can easily be prevented by implementing HIPAA regulations into practice policies and procedures and ensuring that all individuals with access to patient information receive the proper training.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com/tdr


HIPAA Compliance Checklist and Employee Sanctions 


A HIPAA compliance checklist is the tool to turn to when imposing sanctions on employees for HIPAA privacy breaches.  It may feel like a never-ending and thankless task, but consider the alternatives.  It can be tempting to adopt a “no harm, no foul” approach to employee sanctions.  But this is not the way the Office for Civil Rights, the government agency that investigates HIPAA breaches, looks at things.  To that end, your HIPAA Compliance Checklist must also address employee sanctions.

HIPAA is all about protecting PHI

There are numerous examples of the OCR imposing penalties on organizations for not protecting PHI.  And these penalties are imposed even though there was no evidence of anyone receiving or accessing any PHI in cases where a breach occurred.

  • The OCR considers encryption of ePHI by malicious software (e.g., ransomware) to be an unauthorized disclosure not permitted under the Privacy Rule.  Even in a ransomware attack, an organization could reasonably conclude there is a low probability that the PHI has been compromised.  But if it cannot reach that conclusion,  it is required to comply with the applicable breach notification provisions.  And this is the case even if there is no evidence that the PHI was viewed by anyone else.
  • An employee of Cancer Care Group of Indianapolis left unencrypted back-up media in a bag in a car; the car was broken into and the bag stolen.  There was no evidence that any information was ever disseminated, but the OCR imposed a penalty of $750,000 on the group.
  • In 2014, the OCR imposed a fine of $400,000 on Idaho State University for a breach of unsecured ePHI.  This was because the school had left its firewalls disabled for over 10 months!   Again, there was no indication PHI was accessed by any unauthorized persons; it was simply not protecting its PHI.

These are just a few examples of settlements, some involving employees failing to follow procedures, or where there were no procedures at all.  In these cases, penalties were imposed even though no information was shown to have been accessed by unauthorized parties.

HIPAA compliance requirements do not explicitly link employee sanctions to reportable HIPAA breaches

It is certainly possible to have an unauthorized disclosure that is not a reportable breach.  A breach is defined as the acquisition, access, use or disclosure of protected health information in a manner not permitted under the regulations, where the disclosure compromises the security or privacy of the protected health information.

These days, employees are often the source of breaches, with events ranging from lost laptops to PHI included in social media posts occurring almost daily.  It is very important to include a policy on employee sanctions in your HIPAA Compliance Checklist.  An employee sanctions policy can and should take into account the potential harm from the unauthorized disclosure.  But a “no harm, no foul” approach may leave the organization open to penalties by the OCR.

A HIPAA compliance checklist for employee sanctions policies should address several issues

  1. The policy should reference Section 164.530 of the Administrative Requirements, which requires covered entities to have and apply appropriate sanctions against members of their workforce.
  2. Section 6102(b)(4)(F) of the Affordable Care Act also requires that the standards be consistently enforced through disciplinary mechanisms.
  3. Most policies utilize a Level system, tying the action of the employee and the effect on unauthorized disclosure of PHI to the sanction recommended.  Levels could start from situations where an employee did not follow procedures, but there was no unauthorized disclosure of PHI.  Levels usually top out at situations where the actions were malicious and willful, causing harm or intending to cause harm to the patient.
  4. Mitigating factors may be enumerated, and repeated patterns of violation may result in a higher level of discipline.

Employee Sanctions should be standardized

Organizations usually strive to administer most disciplinary policies in a consistent, standardized way.  Employee sanctions for HIPAA violations are no different.  Inconsistent application can carry consequences ranging from confusing messages to erosion of public trust to vulnerability to penalties and fines.

One way to increase standardization of disciplinary actions is to develop a grid, matching the riskiness of the actions to the level of sanction.

The HIPAA regulations explicitly require organizations to have and apply appropriate sanctions against workforce members who fail to comply with the privacy policies and procedures of the organization.  While sanctions can be related to the incident and the potential harm, they also need to demonstrate that the organization is taking seriously its responsibility to protect the privacy of patient information – even when there is no evidence of unauthorized disclosure or when the breach is not reportable.

Regardless of the method you choose to develop employee sanctions, make sure your HIPAA compliance checklist addresses appropriate sanctions, and implement your policies consistently!   Healthcare Compliance requirements must be truly effective.


HIPAA Violation and Hospital Employee viewing PHI 


HIPAA Violation rocks hospital!  An employee at St. Charles Health System accessed over 2400 patients’ medical records over a two-year period out of curiosity. We all know that curiosity killed the cat, and now it may have even more dire consequences for this curiosity seeker and the hospital system.

HIPAA Violation without intent to commit fraud

The employee who viewed the protected health information (PHI) without a legitimate reason to do so is in jeopardy of large civil fines, loss of their clinical license and criminal prosecution, not to mention termination from their present position. The hospital system has to repair its damaged reputation while at the same time preparing to defend itself against potential civil/criminal lawsuits.  There are too many instances where an organization is liable for HIPAA violations even though it “didn’t do it”.

Now the local District Attorney has taken interest in this matter and is launching a criminal investigation. Under the HIPAA statute there is no individual right of action, however, the Attorney General of the state where the infraction took place may file charges on the individual(s) behalf.

The aforementioned employee signed an affidavit stating that the HIPAA violation they committed, and any of the information they accessed, was not to commit fraud; however, that did not halt the criminal investigation.

Hospital employee viewing PHI

This real-life incident demonstrates how healthcare providers and their employees can face serious trouble for viewing records inappropriately. Just remember this incident when you want to be inquisitive about a patient that you are not treating, or are accessing a patient’s medical records for no business purpose.

When performing your job function, it is not a HIPAA violation if you release and/or access a patient’s PHI for treatment, payment or health operations (TPO). When accessing and/or releasing a patient’s PHI, ask yourself whether this falls under the TPO exceptions. If it does, then you should release only the minimum information necessary to complete the task; if it does not, then you may need an authorization signed by the patient or his/her representative. In the event you are unsure if you can release and/or access a patient’s PHI, contact your supervisor or your organization’s Privacy Officer.

Finally, this violation reaffirms the need to conduct a HIPAA Risk Analysis, including monitoring under the privacy/breach rule.  Use your policies and procedures for efficient and effective training, auditing and monitoring.


HIPAA Breach Notification Rule


HIPAA Breach Notification Rules under the HITECH and GINA Act were issued on January 25, 2013, resulting in modifications to HIPAA Privacy, Security, and Enforcement. This is commonly known as the Omnibus Rule. The Omnibus Rule mandates covered entities (CEs) and business associates (BAs) provide the required HIPAA breach notifications following an impermissible use or disclosure of protected health information (PHI).

What is a HIPAA Breach?

A HIPAA breach notification may be required because of an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information (PHI) of an individual.  An impermissible use or disclosure is presumed to be a breach unless the CE or BA demonstrates that there is a low probability that the protected health information has been compromised.

A risk assessment must include consideration of at least the following factors:

  • The extent and nature of the PHI involved (i.e. types of identifiers and likelihood of re-identification);
  • The unauthorized person who used the protected health information or to whom the disclosure was made;
  • If the PHI was viewed and/or acquired;
  • To what extent the risk to the PHI has been mitigated.

How Does a HIPAA Breach Notification Work?

(1) HIPAA Breach Notification Rule: Following a breach of unsecured PHI, CEs must notify affected individual(s) and the Secretary of Health and Human Services (HHS).  In instances where the breach affects more than 500 residents of a State or jurisdiction, notice must be provided to prominent local media.  In addition, BAs must notify CEs that a breach has occurred.

Individual HIPAA breach notifications must occur without delay, but not later than 60 days from the date of the breach discovery.  A breach is considered to be “discovered” when at least one employee of the entity knows of the breach.  This does not include the person responsible for the breach.

(2) Covered Entities HIPAA Breach Notification: Covered entities are required to notify affected individuals following the discovery of a breach of unsecured PHI. The CE must provide the individual notice in written form by first-class mail.  Notices by email are permissible if the affected individual has agreed to receive notices electronically.

What about Business Associates?

(1) Business Associates HIPAA Breach Notification:  If a breach of unsecured PHI occurs at a business associate, the BA must notify the CE following the discovery of the breach.  A business associate must provide notice to the covered entity no later than 60 days from the day of discovery of the breach.  BAs are required to provide the identification of each individual affected by the breach.  The covered entity remains responsible for ensuring that individuals are notified of a breach by a business associate, even if it has delegated the task of providing the individual notices to the business associate.

(2) Out-of-date Information: If the CE or BA has insufficient or out-of-date information for more than 10 individuals, the CE must provide a substitute individual notice by one of two methods.  It may post the notice on the home page of its website for at least 90 days.  Or it may provide the notice in major print or broadcast media where the affected individuals reside. This notice must include a toll-free number that remains active for at least 90 days.  If the CE or BA has insufficient or out-of-date information for fewer than 10 individuals, the covered entity may provide a substitute notice by an alternative form of written, telephone, or other means of notification.
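As an added illustration (not part of the article), the Go program below encodes the notification obligations described above as a decision function: given what the risk assessment established about a breach, it lists who must be notified, by what channel, and by when. The thresholds (60 days from discovery, more than 500 residents of one State for media notice, 10 individuals with out-of-date contact details, 90 days for substitute notice) are the ones stated above. The article says "more than 10" and "fewer than 10" without covering exactly 10, so treating 10 or more as the website/media path is my assumption; the timing of the report to the Secretary is not covered on the page, so no deadline is attached to it. The breach facts in `main` are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Breach records what the risk assessment established about one impermissible
// use or disclosure of unsecured PHI.
type Breach struct {
	Discovered          time.Time      // date a workforce member other than the person responsible first knew of it
	DiscoveredByBA      bool           // true when a business associate discovered it (it must then notify the covered entity)
	AffectedByState     map[string]int // affected residents per State or jurisdiction
	InsufficientContact int            // affected individuals whose contact details are missing or out of date
}

// Obligation is one notice that must be sent. Deadline is zero where the
// article states no specific time limit.
type Obligation struct {
	Recipient string
	Channel   string
	Deadline  time.Time
}

const (
	notifyWithinDays     = 60  // individual and BA-to-CE notices: no later than 60 days after discovery
	mediaThreshold       = 500 // more than 500 residents of one State or jurisdiction: notify prominent local media
	substituteThreshold  = 10  // 10 or more unreachable individuals: website or major-media substitute notice (assumed boundary)
	substituteNoticeDays = 90  // website posting and toll-free number must stay active at least 90 days
)

// TotalAffected sums the per-State counts.
func TotalAffected(b Breach) int {
	n := 0
	for _, c := range b.AffectedByState {
		n += c
	}
	return n
}

// RequiredNotifications derives the list of notices from the breach facts.
func RequiredNotifications(b Breach) []Obligation {
	deadline := b.Discovered.AddDate(0, 0, notifyWithinDays)
	var out []Obligation

	if b.DiscoveredByBA {
		out = append(out, Obligation{
			Recipient: "covered entity",
			Channel:   "notice from the business associate identifying each affected individual",
			Deadline:  deadline,
		})
	}
	out = append(out, Obligation{
		Recipient: "affected individuals",
		Channel:   "written notice by first-class mail (email only if the individual agreed to electronic notice)",
		Deadline:  deadline,
	})
	out = append(out, Obligation{
		Recipient: "Secretary of HHS",
		Channel:   "breach report (timing depends on breach size and is not covered in the article)",
	})

	// Media notice is evaluated per State; sort the keys so output is stable.
	states := make([]string, 0, len(b.AffectedByState))
	for s := range b.AffectedByState {
		states = append(states, s)
	}
	sort.Strings(states)
	for _, s := range states {
		if b.AffectedByState[s] > mediaThreshold {
			out = append(out, Obligation{
				Recipient: "prominent media serving " + s,
				Channel:   fmt.Sprintf("media notice (%d residents affected)", b.AffectedByState[s]),
				Deadline:  deadline,
			})
		}
	}

	// Substitute notice for individuals the entity cannot reach directly.
	switch {
	case b.InsufficientContact >= substituteThreshold:
		out = append(out, Obligation{
			Recipient: "unreachable individuals",
			Channel: fmt.Sprintf("posting on the website home page for %d days or major print/broadcast media, with a toll-free number active for %d days",
				substituteNoticeDays, substituteNoticeDays),
			Deadline: deadline,
		})
	case b.InsufficientContact > 0:
		out = append(out, Obligation{
			Recipient: "unreachable individuals",
			Channel:   "substitute notice by alternative written, telephone or other means",
			Deadline:  deadline,
		})
	}
	return out
}

func main() {
	// Constructed example: a business associate's lost unencrypted backup drive.
	b := Breach{
		Discovered:          time.Date(2017, time.March, 3, 0, 0, 0, 0, time.UTC),
		DiscoveredByBA:      true,
		AffectedByState:     map[string]int{"Oregon": 620, "Washington": 40},
		InsufficientContact: 12,
	}
	fmt.Printf("%d individuals affected\n", TotalAffected(b))
	for _, o := range RequiredNotifications(b) {
		if o.Deadline.IsZero() {
			fmt.Printf("- %s: %s\n", o.Recipient, o.Channel)
			continue
		}
		fmt.Printf("- %s: %s (no later than %s)\n", o.Recipient, o.Channel, o.Deadline.Format("2006-01-02"))
	}
}
```

The point of writing the rules down this way is that the inputs are exactly the facts the risk assessment must produce anyway (who discovered it and when, how many people in each State, how many cannot be reached), so the same record drives both the breach log and the notification plan.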

HHS Wall of Shame

As required by section 13402(e)(4) of the HITECH Act, the Secretary posts a list of HIPAA breaches of unsecured protected health information affecting 500 or more individuals. These HIPAA breaches can range from a laptop theft to a hacking/IT incident. In 2015 there were over 113 million breaches of individual records reported, and the number of incidents related to “hacking” and “IT incidents” has doubled since 2014.   And this only includes breaches involving 500 or more individuals!

Most recently, St. Joseph Health (SJH) has agreed to settle potential violations of HIPAA Privacy and Security Rules following the report that files containing ePHI were publicly accessible through internet search engines from 2011 until 2012.  The public had unrestricted access to PDF files containing the ePHI of 31,800 individuals, including patient names, health statuses, diagnoses, and demographic information.  SJH will pay a settlement amount of $2,140,500 and adopt a comprehensive corrective action plan.  This plan requires the organization to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff accordingly.

The HIPAA Security Rule’s specific requirements to address environmental and operational changes are critical for the protection of patient information. Entities must not only conduct a comprehensive HIPAA risk analysis, but must also evaluate and address potential security risks when implementing enterprise changes impacting ePHI.


Medical Device Cybersecurity - 4 Steps to Take 


As if the headlines today are not scary enough, now we have to be worried – very worried, it seems – about medical device cybersecurity!  Reports of hacking and other incidents related to medical device cybersecurity are all over the news lately.  Not only does it have a financial impact, but confidentiality and HIPAA issues come up immediately!  The first 6 months of 2017 have seen an inordinate number of cybersecurity meltdowns.   In addition, other HIPAA breaches and data leaks occur much too often.

  • In April 2017, hospitals in Europe were shut down by the WannaCry ransomware.  At least two contrast agent injectors were compromised as part of that attack.
  • In 2015, three hospitals suffered data breaches when devices were infected by malware.  The devices included a blood gas analyzer and a picture archiving and communication system (PACS).  In these instances, the malware made its way from the device to other systems in the hospitals, leaving the hospital facing a ransom demand to cleanse its systems.  And this happened even though the hospitals had firewalls, intrusion detection and other security tools in place!
  • In August 2017, the FDA approved a firmware patch to address cybersecurity vulnerabilities in 500,000 pacemakers manufactured by Abbott.  The problems were identified over a year ago!

Why are medical devices vulnerable to cyber attacks?

Most of the time, the medical device cybersecurity flaws are due to external software such as Windows.  Many devices have Windows operating systems as the interface to the persons operating the equipment.  Windows is also used to interface with electronic health record systems.  If the device is connected to the internet, a pathway exists for malware to infect the Windows software on the device.  Malware can then make its way to other connected devices or applications.

But as the pacemaker issue mentioned above shows, there can also be vulnerabilities in the devices themselves.  An investment firm lit a fire when it issued a report a year ago claiming most devices had little to no built-in cybersecurity measures.

What does the government advise about medical device cybersecurity?

Two government agencies are concerned about medical device cybersecurity.  The Food and Drug Administration (FDA) has principally been concerned about patient safety.  The Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) administers the HIPAA Privacy and Security Rules.

In its focus on patient safety, the FDA did not focus much on the HIPAA security issues related to medical device cybersecurity.  The FDA expanded its view of medical device cybersecurity considerations with its Postmarket Management of Cybersecurity in Medical Devices guidance issued on December 28, 2016.  This non-binding guidance advises device manufacturers to consider several strategies for reducing medical device cybersecurity risks.

  • Maintaining robust software lifecycle processes that include monitoring third party software components for new vulnerabilities.
  • Understanding, detecting and establishing communication processes with users when vulnerabilities are recognized.
  • Adopting coordinated vulnerability disclosure policies and deploying mitigation measures that address risks.

The 4 things medical device users should do

First, ask vendors how they are implementing the FDA Postmarket Management Guidance.  In this day and age, there is really no excuse for not keeping third party software like Windows up to date.

Second, expand the information you keep in your inventory of medical devices to include several factors, including:

  • The risk of each device, e.g., use of third party software, connection to the internet, etc.
  • The type of data kept on the device, whether it is static or dynamic.
  • The security controls that exist on the device, e.g., encryption, use of passwords, etc.

Third, include medical devices with third party software in the periodic HIPAA Security Rule Risk Assessment you perform.

Fourth, keep a sharp eye out for communications about vulnerabilities of your medical devices – and for patches to firmware that can improve the resistance of devices to hacking.

Medical device cybersecurity is not a particularly glamorous issue, but paying attention to it is vital in this environment.  Hospitals have long had to keep electrical/electronic equipment safe to use around patients.  Cybersecurity is just another part of that culture of safety.


Your Guide to Staying HIPAA Compliant When Emailing Patients 


In the age of electronic communication, there is the ever-present concern of compromised data. Data can be intercepted and accessed by third parties with their own agendas.

Naturally, the information between patients and their healthcare providers is quite sensitive. Neither party wants that data available to the public.

In response to growing concerns of data interception, Congress passed HIPAA: the Health Insurance Portability and Accountability Act. One of the purposes of this legislation is to protect a patient’s privacy.

Email is not secure

In general, email communication is not secure for two reasons:

  1. The data isn’t encrypted by default.
  2. It’s impossible to tell if the receiver is the intended recipient.

Encryption is the process of transforming data so that it is unreadable, but in a way that allows it to be returned to its readable state. Reversing it requires a cipher and a secret key that both sender and recipient share. Anyone without the key will only see gibberish.

By default, most email clients do not encrypt your communications. This includes the popular web-based email clients like Outlook, Gmail, and Yahoo. However, some of these services offer paid features that comply with HIPAA regulations.

Furthermore, there’s never a foolproof way to ensure that the intended recipient is actually the one reading the email. Perhaps the patient checked his mail in a public place with wandering eyes or left his phone somewhere by mistake.

Nevertheless, modern patients expect instant communication, so you can’t avoid emailing. For many patients and practices, email is becoming the preferred method of communication.

Here’s how to stay compliant with your electronic communications.

Encrypt everything

Any piece of electronic data is required to be encrypted, including physical documents scanned to a computer. It’s a simple process to have a scanned document/image sent to your storage location via encrypted email. Speak with your IT professional to set this up.

Protected health information (PHI) must be protected at rest and in transit. This means it must be secured during transmission across networks or the Internet and when it’s stored on drives at workstations and servers.

The person conducting the transmission is the liable party. As a non-covered entity or business associate, a replying patient isn’t bound by HIPAA regulations. You are only responsible for your own emails’ security.

While HIPAA does not require that you encrypt every device and storage location, it would be silly not to. Encryption is cheap, easy, and can protect you from embarrassing mistakes and tedious litigation. Even if you technically followed the rules, you could still upset your patients if data were exposed.
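Added example, not from the article: the Go program below shows what "protected at rest" looks like in code for a scanned document. It uses AES-256-GCM from Go's standard library, which both encrypts and authenticates, so a record that has been altered on disk, or opened with the wrong key, is rejected rather than silently decrypted to garbage. The choice of AES-GCM, the file-name label bound to the ciphertext as additional authenticated data, and the sample document bytes are mine; HIPAA and the article say only that the data must be encrypted.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In practice the key comes from a key
// management system or hardware token, never from the same disk as the records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates plaintext with AES-256-GCM. A random nonce is
// prepended so the stored record is self-describing. label (e.g. the file name)
// is bound as additional authenticated data, so a ciphertext cannot be quietly
// moved under a different name and still open.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. It returns an error if the key or label is wrong or if
// any byte of the record was modified after it was written.
func Open(key, record, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short to contain a nonce")
	}
	nonce, ciphertext := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, label)
}

// flipByte returns a copy of b with one bit of byte i changed, to simulate
// corruption or tampering of a stored record.
func flipByte(b []byte, i int) []byte {
	out := append([]byte(nil), b...)
	out[i] ^= 0x01
	return out
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample: what a scanned intake form might contain.
	scan := []byte("SCANNED INTAKE FORM - Patient: J. Doe - DOB: 1970-01-01 - Dx: (constructed)")
	label := []byte("intake-2017-03-03.pdf")

	record, err := Seal(key, scan, label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; plaintext visible in record: %v\n", len(record), bytes.Contains(record, scan))

	back, err := Open(key, record, label)
	fmt.Printf("round trip ok: %v (err=%v)\n", bytes.Equal(back, scan), err)

	_, err = Open(key, flipByte(record, len(record)-1), label)
	fmt.Printf("tampered record rejected: %v\n", err != nil)

	_, err = Open(key, record, []byte("some-other-file.pdf"))
	fmt.Printf("wrong label rejected: %v\n", err != nil)
}
```

Note that the encryption is only as good as the key handling: a laptop whose records are encrypted with a key kept in the same folder, or a key derived from a weak login password, gives none of the protection the "Lost or Stolen Devices" item above is after. Store the key separately and make sure only the processes that need to read records can reach it.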

It isn’t necessary to use a dedicated service to send HIPAA compliant emails. These services work, but with some added expense.

Some email clients allow for configurations that satisfy the law. For example, the desktop client Microsoft Outlook offers an encryption option under Security Settings. If you then enable Internet Message Access Protocol (IMAP) and choose to delete emails from the server (and store them solely on your local disk), you can guarantee no chance of interception.

While encryption is important, it’s worth mentioning that HIPAA doesn’t require you to encrypt interagency emails. If you send an email to a colleague on the same secure server, no encryption is necessary. However, best practice is to encrypt everything to be safe.

If a patient is unable to accept encrypted communications, they can waive their right to privately receive emails from you. In this case, you can use any means of communication that works for you and the patient. Just make sure to have them sign a consent form and save it.

Get the patient’s consent

Consent is an important part of privacy. You can ensure you have the right contact information and protect yourself from lawsuits by getting permission in writing from your patient before you correspond through email.

On the form, explain to the patient the inherent risks of electronic communication. Offer some advice on safeguarding their computer to ensure their emails aren’t accessed by other people.

I recommend having your attorney evaluate a consent form before you send it to your patients.

Here’s a template to give you an idea of what it looks like. For best results, use an online intake form with e-signature capabilities (like ours).

Once you have the consent form, be sure to keep it safe. If the patient ever blames you for a privacy breach, you’ll want to be able to show that you had their permission.

When a patient initiates an email conversation, it’s safe to assume they permit that type of communication (unless they have previously expressed otherwise). Still, you must secure these emails like any other.

If a patient hasn’t agreed to communicate electronically, never contact them through email.

Include a privacy statement with each email

Every email you send should conclude with a privacy statement. The statement should notify the receiver that the email is inherently insecure, express that the content is strictly confidential, and tell them who to report the email to if they are not the correct recipient.

The purpose of this statement is to remind the recipient every time that their correspondence isn’t 100% safe. If they choose to reply with confidential information, they are doing so at their own risk. Further, it encourages parties who shouldn’t read the email to report the miscommunication.

If your email needs are simple, this can be done by adding a signature to your emails through your client. If you work in a larger practice, speak with your IT professional to ensure that all emails include this statement.

That said, email disclaimers are not a substitute for properly encrypted PHI emails. The purpose of the disclaimer is simply to inform. It does not absolve you of responsibility in any way.

Use an email provider that signs a Business Associate Agreement

A Business Associate Agreement is a HIPAA requirement for email providers. There are countless services that specialize in HIPAA compliant communications for healthcare providers, each with its own features. These agreements do not come standard with free email clients, but many paid versions offer this service.

If a provider does not sign this agreement, they are noncompliant. Do not assume an email service provider has signed an agreement unless it is clearly advertised on their website.

Develop an office policy

It’s important to have a clearly defined policy for your staff or colleagues regarding protected health information (PHI). A casual discussion isn’t enough. You need procedures.

In your documentation, include which types of information may and may not be transmitted electronically. You may restrict certain types of PHI (mental health issues, for instance) to in-person meetings only.

Document who may and who may not send or receive confidential patient information. For instance, you would allow a doctor, nurse, or other healthcare provider to discuss health matters with a patient, but not the receptionist, administrative assistant, or billing department. These restricted parties should only contact patients regarding administrative issues and immediately notify healthcare staff if a patient mentions medical information.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


7 Tips for HIPAA Compliant Email


You can use email securely and still remain compliant with HIPAA. Here are seven tips for securely using email in a HIPAA-compliant organization.

1) Get consent

Get a patient’s written consent before sending them email. A good email consent form will explain the risks of communicating via email, explain how and why you’ll use email, explain how patients should safeguard their computer, and get the patient’s signature. Search the internet for “email consent form” to find lots of templates you can adapt. It also can’t hurt to have your lawyer review the form before you start using it.

Do something with the patient’s consent.

Write a procedure for staff to follow when handling consent forms that patients fill out.  This is important for two reasons: (1) It’s the only way to be sure that you’re actually honoring the patient’s wishes about email communication, and (2) If you are ever audited or experience a security breach, it will be important to have a written procedure as evidence to prove that you’re handling email securely.

2) Policy: define what staff are allowed to do with email.

Your policy should define which email addresses and devices should be used to send PHI, what information should never be sent via email (e.g., mental health and substance abuse info), and who they are allowed to email (patients, other providers, etc.).

3) Have a privacy statement at the end of emails.

A privacy statement should be automatically appended to the end of every outgoing email. Your statement reminds recipients that email is inherently insecure, states that the email is privileged and confidential, and tells the recipient who to contact if they are not the right person. Speak with your email / IT provider – they should be able to set this up for you.

4) Say yes to Business Associate Agreements.

HIPAA Business Associate Agreements are required under HIPAA. Don’t use an email provider who refuses to sign HIPAA Business Associate agreements for your medical practice. Paid Google and Office365 services will sign such an agreement. Free services like free Gmail, Yahoo Mail, Hotmail/Outlook.com won’t.

5) Say no to any company that won’t sign a BAA.

Companies will give you all sorts of reasons as to why they won’t sign a Business Associate agreement. Here are a few that we’ve heard:

  • “Our lawyers say we don’t need one.”
  • “We never open your emails, so we’re not a Business Associate.”
  • “None of our thousands of customers have ever asked us to do that.”
  • “We’re a ‘conduit’, not a business associate.”

These are all nonsense. There are plenty of providers out there who are willing to sign a Business Associate agreement. If a vendor’s not, you’re either speaking to the wrong person within the company, or there’s a reason that they won’t. Walk away and go find a vendor that knows how to support healthcare organizations.

6) Encrypt email with PHI or PII.

Let’s say you’re emailing a patient with the results of a lab test. You need to be as sure as can be that your patient is actually sitting at the computer when that email is opened AND that nobody else read the email in between your computer and theirs.

Using a secure email gives you that level of assurance – the message is encrypted when it leaves your computer, and can’t be read by anyone except your patient who has a password that only she or he knows. That means anyone trying to read it along the way will only see nonsense.

7) Better yet, automatically encrypt any sensitive email.

The best systems will automatically read your email on the way out, look for sensitive terms (like social security numbers, diagnoses like “diabetes,” medication names like “Zoloft,” etc.), and automatically send these encrypted and securely. These systems are great because they remove the chance of making mistakes – emails to your spouse about dinner plans are sent normally, but emails about patients, treatments, diagnoses, and lab tests are sent securely.
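Tip 7 describes a gateway that inspects each outbound message for sensitive terms and routes matches to the encrypted path while ordinary mail goes out as usual. The Python below is an added example, not code from the post or from any product it mentions; the SSN pattern, the "MRN" convention and the short diagnosis and medication word lists are constructed stand-ins for the maintained dictionary a real gateway would use.

```python
import re
from dataclasses import dataclass, field

# Constructed indicator lists: a real gateway keeps a maintained dictionary.
DIAGNOSIS_TERMS = frozenset({"diabetes", "hypertension", "depression", "hiv", "asthma"})
MEDICATION_TERMS = frozenset({"zoloft", "metformin", "lisinopril", "insulin", "prozac"})

# U.S. SSN in 123-45-6789 form, rejecting area/group/serial values that are
# never issued so that invoice or ticket numbers are less likely to trip it.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Medical record numbers: constructed convention "MRN 1234567" / "MRN#1234567".
MRN_RE = re.compile(r"\bMRN[\s:#]*\d{5,}\b", re.IGNORECASE)
WORD_RE = re.compile(r"[a-z]+")


@dataclass
class ScreenResult:
    encrypt: bool                                  # True -> hand to the encrypted path
    reasons: list = field(default_factory=list)    # what triggered it, for the audit log


def screen_message(subject: str, body: str) -> ScreenResult:
    """Decide whether an outbound message must leave encrypted."""
    text = f"{subject}\n{body}"
    reasons = []
    if SSN_RE.search(text):
        reasons.append("ssn")
    if MRN_RE.search(text):
        reasons.append("mrn")
    # Whole-word matching keeps e.g. "insulin" from firing on unrelated substrings.
    words = frozenset(WORD_RE.findall(text.lower()))
    for label, terms in (("diagnosis", DIAGNOSIS_TERMS), ("medication", MEDICATION_TERMS)):
        hits = sorted(words & terms)
        if hits:
            reasons.append(f"{label}:{','.join(hits)}")
    return ScreenResult(encrypt=bool(reasons), reasons=reasons)


def route_outbound(messages):
    """Split a batch of (subject, body) pairs into encrypted and plain queues.

    Each queue entry is (subject, reasons) so the decision can be logged.
    """
    encrypted, plain = [], []
    for subject, body in messages:
        result = screen_message(subject, body)
        (encrypted if result.encrypt else plain).append((subject, result.reasons))
    return encrypted, plain


if __name__ == "__main__":
    # Constructed sample messages: dinner plans go out normally, PHI is encrypted.
    batch = [
        ("Dinner?", "Want to get sushi at 7 tonight?"),
        ("Lab results", "Your A1C confirms type 2 diabetes; start metformin 500 mg."),
        ("Billing follow-up", "Patient SSN 123-45-6789 for claim 8841."),
    ]
    enc, plain = route_outbound(batch)
    print("encrypted:", enc)
    print("plain:", plain)
```

A term list like this only catches what it knows about, so review the plain queue periodically for misses and extend the dictionary rather than trusting the classifier blindly.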


HIPAA Enforcement Trends for 2017


Since the start of 2017 alone, HIPAA enforcement trends have indicated that this could be the most costly year for fines in history.

HIPAA, as a regulation, is managed by the Department of Health and Human Services (HHS). HHS designs and enacts policy and guidance about emerging trends in health care IT, patient privacy, and data security. The Office for Civil Rights (OCR) is the HHS body responsible for HIPAA enforcement and investigation.

HIPAA Fines by Year

OCR has been cracking down on HIPAA enforcement significantly in the past few years.

Compare these HIPAA fine totals by year:

  • 2015: $6,193,000
  • 2016: $23,504,800
  • 2017: $17,093,200

So far, in the first six months of 2017 alone, fines have increased by almost 300% over 2015’s fine total. And if the trend continues, 2017 is very likely to outpace 2016’s record-breaking $23 million as well.

Why the Increase in HIPAA Enforcement?

When OCR begins a HIPAA investigation for a violation or breach, it can take 3-4 years to reach settlement with the organization under investigation.

Four years ago in 2013, HHS released its Omnibus Rule. The Omnibus Rule made it mandatory for HIPAA business associates to be compliant with HIPAA regulation. For background: a covered entity is a health care provider, and a business associate is a vendor hired by that provider.

In the past year, many of the multi-million dollar fines levied by OCR have been the direct result of BA non-compliance. If a covered entity shares health care information with a BA without first executing a business associate agreement, the sharing of that data is considered a violation of HIPAA and is subject to significant fines. In cases where OCR detects “willful neglect” of HIPAA regulation, fines can reach up to $50,000 per incident.

With HIPAA enforcement trending toward stricter and more severe financial penalties for improper relationships with BAs, it’s no wonder why fines have been steadily increasing year after year. Now that some of the major OCR investigations involving BA non-compliance have started reaching settlement, behavioral health providers need to ensure that their relationships with their vendors are lawful under the HIPAA Omnibus Rule.


Phase 2 HIPAA Audits Will Continue in 2017


Phase 2 HIPAA Audits are targeting random health care practices and organizations around the country. Having an effective HIPAA compliance program is the easiest way to pass your audit–read on to find out what you can do to protect your behavioral health practice!

Upcoming Phase 2 Audit Protocols

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) first announced this new round of random audits in 2016. Phase 2 is the second time in OCR’s history that it has instituted a random audit program. Phase 1 HIPAA Audits were rolled out in 2011 and affected a similar number of health care providers across the country.

OCR has designed these Phase 2 audits to target a broad selection of HIPAA-beholden health care organizations. That includes both Covered Entities (CEs) and Business Associates (BAs).

HIPAA defines a Covered Entity as any health care provider, including Behavioral Health specialists, who creates protected health information (PHI). PHI is any health data that can be used to identify a patient (including name, date of birth, social security number, address, medical data, etc.). HIPAA defines a Business Associate as any organization that encounters PHI over the course of the work it has been hired to do (examples include billing firms, cloud storage providers, faxing, shredding, copying, and IT providers, to name a few).

So how do you know if your behavioral health organization has been selected for a Phase 2 HIPAA audit?

OCR will reach out to your organization via email if you have been randomly selected for an audit. You should look out for emails from “OSOCRAudit@hhs.gov”.

Once you’ve been contacted for an audit, you will have 10 days to respond to OCR’s request for information. If your organization does not respond for any reason, federal investigators will continue to contact your organization until they receive a response–this includes finding publicly available information to call or contact you.

One of the first things federal investigators will ask for is a complete list of your organization’s business associates, with contact information for each. Identify your business associates now so that you’re prepared for these upcoming HIPAA audits.

Additionally, your organization must have a HIPAA compliance program in place with full documentation that can be provided for OCR investigators.

Desk Audits vs. Onsite Audits

Phase 2 HIPAA Audits consist of a number of different stages.

The first stage is desk audits, which are a series of remote audits. OCR investigators will contact your organization via email and you’ll be prompted to send the appropriate information. Investigators will not come to your physical location, but you’ll still be required to comply with the investigation.

Onsite audits are another means of investigation that OCR is set to pursue in 2017.  Onsite Phase 2 HIPAA Audits will require federal OCR investigators to come onsite to inspect your organization. They will be checking your level of compliance with HIPAA regulation.


OCR Releases New HIPAA Breach Reporting Tool for “Wall of Shame”


Earlier this week, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) released a redesigned HIPAA Breach Reporting Tool on their site.

The HIPAA Breach Reporting Tool is commonly called the “Wall of Shame” because it lists all organizations that have had health care data breaches affecting more than 500 individuals that have occurred since enforcement began. The Wall of Shame is a searchable, permanent database of HIPAA violations maintained by OCR.

The new Breach Reporting Tool allows you to search the full archive of breaches, and gives access to an “Under Investigation” tab. The tool has been redesigned to make it easier than ever before to look through OCR’s investigation history. This makes the consequences of a data breach or HIPAA violation a permanent reputational issue for your organization–especially now that prospective patients are doing more and more research into behavioral health specialists they’re looking to work with.

Protecting your practice with a HIPAA compliance program is an essential way to keep your name off the Wall of Shame. Below, we take a look at exactly what the regulation requires so you know what to look for in a HIPAA compliance program for your practice.

The HIPAA Breach Notification Rule

HIPAA breach reporting and breach notification are essential parts of any organization’s HIPAA compliance. HIPAA breach reporting is regulated by the HIPAA Breach Notification Rule, which was first enacted in 2009 along with the HITECH Act.

The HIPAA Breach Notification Rule categorizes data breaches into two categories with specific requirements for follow-through on each. The two kinds of breaches that the Breach Notification Rule identifies are:

  • Minor Breach: any breach of protected health information that affects fewer than 500 individuals. Individuals must be notified of the breach within 60 days of discovery of the breach. ALL minor breaches that have occurred over the course of the year must be reported to OCR NO LATER than 60 days after the end of the calendar year. This date usually falls on March 1st or February 29th.
  • Meaningful Breach: any breach of protected health information that affects more than 500 individuals. Individuals must be notified within 30 days of the discovery of the breach, and local media must also be notified of the breach. Meaningful breaches must be reported to OCR immediately, within 60 days of the discovery of the breach itself.
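The two breach classes above each carry a different clock, and the annual roll-up for minor breaches lands on a date that moves with leap years. The Python below is an added example, not part of the original post: it turns a discovery date and head count into concrete calendar deadlines, using the thresholds and day counts exactly as the post states them, and flags anything that has slipped.

```python
from datetime import date, timedelta

# Day counts and threshold as stated in the Breach Notification Rule section above.
MINOR_INDIVIDUAL_NOTICE_DAYS = 60       # minor: notify individuals within 60 days of discovery
ANNUAL_MINOR_REPORT_DAYS = 60           # minor: report to OCR within 60 days after year end
MEANINGFUL_INDIVIDUAL_NOTICE_DAYS = 30  # meaningful: notify individuals within 30 days (per the post)
MEANINGFUL_OCR_REPORT_DAYS = 60         # meaningful: report to OCR within 60 days of discovery
# The post says "more than 500"; exactly 500 is treated as meaningful here, the conservative reading.
MEANINGFUL_THRESHOLD = 500


def annual_minor_breach_deadline(year: int) -> date:
    """60 days after 31 December: 1 March, or 29 February when the next year is a leap year."""
    return date(year, 12, 31) + timedelta(days=ANNUAL_MINOR_REPORT_DAYS)


def breach_deadlines(discovered: date, individuals_affected: int) -> dict:
    """Return the calendar dates by which each notification is due."""
    if individuals_affected < MEANINGFUL_THRESHOLD:
        return {
            "class": "minor",
            "notify_individuals_by": discovered + timedelta(days=MINOR_INDIVIDUAL_NOTICE_DAYS),
            # All minor breaches of the year are reported together after year end.
            "report_to_ocr_by": annual_minor_breach_deadline(discovered.year),
        }
    return {
        "class": "meaningful",
        "notify_individuals_by": discovered + timedelta(days=MEANINGFUL_INDIVIDUAL_NOTICE_DAYS),
        "notify_media_required": True,   # the post gives no separate media deadline
        "report_to_ocr_by": discovered + timedelta(days=MEANINGFUL_OCR_REPORT_DAYS),
    }


def overdue_items(deadlines: dict, today: date, done: set) -> list:
    """Names of deadlines that have passed without the matching action being recorded."""
    return sorted(
        name for name, due in deadlines.items()
        if isinstance(due, date) and due < today and name not in done
    )


if __name__ == "__main__":
    # Constructed sample: a breach of 800 records discovered on 15 January 2017.
    d = breach_deadlines(date(2017, 1, 15), 800)
    print(d)
    print("overdue on 2017-03-17:", overdue_items(d, date(2017, 3, 17), {"notify_individuals_by"}))
```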

Trends in HIPAA Enforcement

In January of 2017, OCR levied its first fine for a violation of the HIPAA Breach Notification Rule in the history of HIPAA enforcement.

The fine was levied against Presence Health, one of the largest health care networks in Illinois. The organization was fined $475,000 after more than 500 individuals were implicated in a meaningful breach. Over the course of its investigation, OCR found that Presence failed to notify the individuals within the 60 days mandated by the Breach Notification Rule.

This is just one example of the recent trend in unconventional HIPAA enforcement efforts that have been targeting health care professionals of all kinds across the country.

The best way to mitigate your risk of being targeted by these breaches is to adopt a total HIPAA compliance program in your organization that addresses the full extent of the law. Don’t get caught unprepared!


Why a HIPAA Manual Won’t Protect You from Audits


When the regulation was first released, HIPAA manuals were an effective way for health care professionals to address the law.

However, in the 21 years since HIPAA was first enacted, the regulatory requirements have changed significantly. These days, with all the new rules and guidance that the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released, a simple HIPAA manual is not considered an effective compliance solution for your behavioral health practice.

Protecting your practice in the 21st century takes more than a dusty HIPAA policy binder. To keep ahead of the $17.1 million in fines levied since the start of 2017 alone, health care professionals need to ensure that they have a HIPAA compliance program in place that addresses the full extent of the law.

Why Isn’t a HIPAA Manual Enough?

According to HIPAA regulation, HIPAA policies and procedures need to be reviewed and updated annually. Your practice goes through changes all year long–employees are hired and fired, you might open a new office, or maybe you’ve adopted a new EHR platform.

Policies and procedures must be tailored to the unique needs of your practice, so these yearly changes need to be reflected in your organization’s HIPAA policies and procedures.

If you’re utilizing a HIPAA manual, it doesn’t have the functionality you need to effectively review and update your policies and procedures. Instead, policy binders must be replaced every year in order to maintain your organization’s HIPAA compliance. HIPAA regulation also mandates that, in addition to policies being updated each year, all staff members must be trained on these new policies annually.

A HIPAA Compliance Program that Changes with Your Practice

HIPAA compliance solutions that automatically track the status of your organization’s compliance are a key way to ensure that you are keeping up with the regulatory requirements of the law.

When looking for a HIPAA compliance solution that suits the needs of your behavioral health practice, be sure to check if policies and procedures are included. These policies and procedures should be directly tied to HIPAA audits that you conduct within your own practice to expose areas where you aren’t in compliance with the law. These ‘gaps’ in compliance feed directly into your remediation plans, which then inform the extent of the policies and procedures you need to adopt in your practice.

Your potential HIPAA compliance solution should also include an employee training module based on the policies and procedures that you’ve customized and adopted in your practice. Again, make sure that the solution you’re considering sets these tasks up on an ongoing annual basis.

And of course, when it comes to HIPAA, documentation is king. The solution you’re looking at should include full documentation–preferably automated–so that you can pull yearly reports to demonstrate the status of your organization’s HIPAA compliance.


How To Prevent A Natural Disaster From Becoming A HIPAA Disaster


Over the past few years, many natural disasters have hit the United States that have had direct impacts on healthcare organizations such as the direct hit on the hospital by a tornado in Joplin, Missouri or flooding that leaked into a hospital in Duluth, Minnesota. What about a loss of power to an organization or bad network connection? Healthcare has also seen a drastic increase in the number of ransomware attacks, which block an organization’s ability to access patient data. When disasters happen and impact access to patient information, it is easy for the healthcare organization to panic and not know what to do. We all know how vital it is to treat patients with the most up to date and current information so planning becomes essential to prepare your organization for disasters and emergencies.


The HIPAA Security Rule requires that healthcare organizations create a contingency plan to follow in the event of a disaster or loss of access to protected health information. Under the HIPAA Security Requirement, a contingency plan should consist of the following:

  1. Data backup plan (for all systems with protected health information)
    • Document the process in which your data is being backed up. Include the location of the backup, process for backup, and frequency of back up. If you are using a third party vendor to backup data, an organization should have a process to ensure successful data backups and define a process for failed backups.
  2. Disaster recovery plan
    • Once the emergency situation is over, the disaster recovery plan defines the steps the organization must take to restore data and systems to original operating status. This will include information on what information must be added back into the system and the specific order of data to be restored.
  3. Emergency mode operations
    • Define process to ensure that critical business functions occur when the emergency is happening and information is unavailable. This includes information on how data may be accessed, how data will be documented with system unavailability, what additional security measures will be used, whom to contact and when, and how the organization will function to provide patient care. The emergency mode operations may look different depending on the disaster.
  4. Testing and revision procedures
    • The contingency plan should be regularly tested and the appropriate updates made. The revised contingency plan should be provided to the appropriate people within the organization.
  5. Applications and data criticality analysis
    • Create a list of each of the different systems that house protected health information within the organization and rank the criticality (importance) to the organization. Your output for this step is a listing of every software application that has PHI and the importance to the daily operations of your organization. The goal of this step is to understand the data and know what systems are more critical to get up and running over others.


The other big task with a contingency plan is to train the workforce. Your workforce should know and understand the processes to follow in the event that information becomes unavailable or your network is blocked off by a hacker. Workforce members should feel confident and comfortable working in emergency mode with minimal information, or none at all.

A contingency plan doesn’t have to be complex, but it should be written. In a recent discussion with a Senior Underwriter for Cybersecurity Insurance, he stated that he asks for the organization's emergency preparedness plan when assessing and processing a cybersecurity insurance quote.

Don’t assume nothing will happen to your organization. Some plan is better than no plan so start having the conversation and creating the processes now. Also, make sure you take time to test the process to ensure that it works effectively for your organization. You want to feel confident regarding your plan so that if the unthinkable happens, you are prepared.


Use the Right Tools to Protect Patient Data and HIPAA Compliance


The focus on securely storing and protecting your patients' information mandates that you use the right tools and systems to fulfill this requirement. This necessity should generate at least two questions.

  • Are you using the right tools now to protect your patient data?
  • How can you ensure that you use the best systems to securely store and protect your patient information?

Consider these suggestions to create a checklist of features your system should include to meet privacy, storage and protection guidelines. These tips will help you identify the right tools to safely protect patient data and satisfy security mandates.


How to Identify the Right Tools for Patient Data Security

A. Examine current administrative safeguards:

  • Perform a risk assessment.
  • Design a risk management procedure.
  • Create practice policies for safe and secure storage of patient data.

B. Evaluate Your Physical Security Measures:

  • Limit physical access to your systems that store patient information.
  • Password protect workstations that have access to patient health information (PHI).
  • Prohibit removal of electronic media with PHI from the workplace.

C. Analyze Your Technical Security Procedures:

  • Give access to PHI only to those that need it, on a "need to know" basis.
  • Create an internal audit procedure to examine your IT tools that contain PHI.
  • Ensure your electronic systems have high-level integrity to prevent others from altering, destroying or changing PHI.
  • Evaluate the security of your transmission of PHI over electronic networks.


Suggestions to Have the Right Tools to Meet Meaningful Use and PHI Security Requirements

  • Display leadership by emphasizing the importance of protecting patient information to ensure privacy and security.
  • Document all policies, procedures and efforts to ensure security.
  • Evaluate your security analysis results to identify risks to PHI.
  • After analysis and evaluation, create a new action plan, if necessary.
  • Be sure your action plan and tools mitigate risks, which can be lowered to manageable levels.
  • Ensure your electronic health records (EHRs) are protected by having locked server rooms, using strong passwords, performing regular backups and having disaster plans for data recovery after server crashes.
  • Give your staff thorough education and training on protecting PHI.
  • Advise your patients their information is confidential and protected to minimize patient privacy concerns.
  • Ensure your "business associate agreements" contain language that mandates they remain in HIPAA privacy and security compliance.
  • Register for EHR Incentive Programs only after you can attest (with confidence) that your practice meets or exceeds meaningful use requirements, including documentation that you've performed a security risk analysis and identified potential problems with PHI security.
  • Consider using a top third-party medical documentation and billing firm, such as M-Scribe Technologies, to minimize the staff burden of compliance with regulations and better ensure practice compliance.

Hopefully, you have not made a major investment in IT systems that fall short of ensuring security and protection of patient information and EHRs. However, going through this checklist will determine if your systems and procedures are sufficient to be considered the right tools and policies to securely protect your patient data.

Understand that your objectivity in evaluating your current tools is critical to installing the best systems to ensure patient privacy and information protection. Spending time analyzing the tools now in use is more efficient than having to fix leaked or unlawfully altered patient data. At that point, solutions are more like putting toothpaste back into its tube or unringing a bell than like solving a problem: serious damage may already have been done.

Identifying the right tools to protect patient data--and yourself--will eliminate (or minimize) the need for costly solutions after a problem occurs. Once you take action to maintain security, if appropriate, or improve EHR safety, if necessary, be sure to document your efforts. Should HIPAA or other regulators ask for evidence, you'll have it, further protecting yourself from challenges.


A Patient’s Right to Access Medical Records


Most medical practices, healthcare organizations, and clinicians are very familiar with HIPAA rules and regulation. However, the law can be extensively complicated and is often a source of confusion and misinterpretation. According to the Office for Civil Rights (OCR), one of the most common complaints and frequently misunderstood parts of the law involves a patient’s right to access their personal medical records. Due to the recent increase of patient complaints on this subject matter the OCR has published new guidance regarding the right of access. Below are a few of the highlights. (The full text can be viewed at www.hhs.gov.)

The HIPAA Privacy Rule requires all covered entities to provide individuals with access to their personal health information in “designated record sets,” upon their request. A designated record set is a group of records maintained by or for a covered entity, including medical and billing records; enrollment, payment, claims, or medical management record systems; and other records used by a covered entity to make decisions about an individual’s health.

Information that is not included: PHI that is not part of the designated record set or used to make decisions about an individual's health, psychotherapy notes, and information compiled for a legal suit.

Does the HIPAA rule apply to electronic medical records? 

Yes.  Patients have the right to access both paper and electronic medical records.  

Can a patient request that another individual be given access to their information? 

Yes. A patient should sign a request that identifies the recipient, which records to send, and where to send them.

Can a covered entity charge the patient a fee for copies of their medical records?

Yes. HIPAA allows a “reasonable fee.”  The covered entity can charge a minimal fee for supplies and labor. It is important to note that state law may limit the ability to charge for records. 

What form or format must the medical records be provided?

A covered entity must provide the patient with their medical records in the form and format requested, or if not available, in a readable format as agreed to by the covered entity and individual.

What is the timeframe in which a covered entity must provide a patient their requested records? 

A covered entity has 30 days from the date of request to produce the records.  One 30-day extension is permissible with a written notice to the patient and reason for the delay with the expected date of completion.

How quickly must an entity make corrections to inaccurate medical records?

When patients access a medical record and discover information they believe is inaccurate, they must file a written request for the record to be corrected.  The covered entity must then respond to the request within 60 days.  It may take an additional 30 days but must provide a written explanation for the delay and a date of completion.

What should patients do if they have difficulty obtaining a copy of their medical records?

It may be appropriate to contact the healthcare provider’s designated HIPAA privacy or compliance officer. This action documents the complaint and shows that the patient has made an effort to resolve the problem. If the provider ignores the complaint, the individual may want to proceed with an HHS complaint.

Conclusion

Providing patients with access to their medical health information empowers individuals to take control over health decisions and enables them to effectively monitor chronic conditions, adhere to treatment plans, and track their progression.  Additional benefits include increased patient engagement, improved outcomes, and a more patient-centered health care system.


The Bottom Line on HIPAA Compliance and Your Email 


Email is everywhere, and it’s not going away anytime soon. Social media, texting, and other forms of electronic communication have had an important and notable rise recently, but about half of the world now uses email, and that figure is increasing. In medicine, approximately 50% of patients either use or want to use email to contact their healthcare providers, and about a third of clinics are actually making it possible for them to do so.

 

Email, however, was invented well before either HIPAA or our society’s modern appreciation for the importance of strong online security. Because of this, in its most basic and typical form, email has no credible controls to ensure sender and recipient identity, to protect message integrity, or, perhaps most importantly, to prevent third-party snooping. These deficiencies intersect particularly poorly with the legal and ethical demands on healthcare communication, which turns the situation into a powder keg.

In short, email in medicine can be a HIPAA disaster. But it doesn’t have to be.

Let’s talk about the problem and what you can do to solve it.

What HIPAA Compliance Demands from Email

If your healthcare activities are covered by HIPAA and you want to use email to store or transmit protected health information (PHI), then two important sections of the HIPAA regulations will apply to you: the Privacy Rule and the Security Rule.

We’ve discussed these rules before in more detail, but the one-sentence summary is that the Privacy Rule governs how all PHI must be treated, while the Security Rule provides additional regulations for PHI that is in electronic form (ePHI).

The HIPAA Privacy Rule and email

When it comes to email and the HIPAA Privacy Rule, the U.S. Department of Health and Human Services (HHS), which administers HIPAA, has actually weighed in with specific guidance. Here’s a snippet of their position:

 

Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?

 

Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c).

Sounds like great news! For reference, the 45 CFR § 164.530(c) that they referenced is just a citation for a section of the actual HIPAA regulations, and it simply requires that you “have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.”

Of course, when it comes to email, the definition of an “appropriate technical safeguard” becomes important. HHS weighs in on this, as well:

Covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.

So that brings us to the Security Rule…

The HIPAA Security Rule and email

The 45 CFR Part 164, Subpart C, which HHS referenced above, is actually quite long and contains many of the foundational aspects of the HIPAA Security Rule. Instead of going through all of it, we’re going to assume that you already have a functioning HIPAA compliance program in place, and we’ll spend this section highlighting just a few key regulations that are especially important when it comes to email. If you need a more thorough rundown on the Security Rule first, check out our earlier complete guide to HIPAA compliance.

Within the Security Rule, much of the important technical guidance shows up in 45 CFR § 164.312, a section on “technical safeguards.” Let’s take an abridged look at some of this section’s requirements as they apply to email:

  • Access control
    Only those people with appropriate access rights should be able to access ePHI. This means that you should use strict security measures for your email account, including a strong password and two-factor authentication. However, you should also consider this requirement as it applies to emails once they leave your email provider’s server and travel across the Internet; if they are unencrypted, then you can’t control access to them as they pass through other servers.
  • Unique user identification and identity verification
    Users on systems with ePHI must be uniquely identified, and their identities must be verifiable. This means no shared logins for email accounts, and it also means that the identity of every person sending or receiving ePHI should be verifiable. Basic email does not have sender or recipient identity verification capabilities.
  • Data integrity
    Systems must protect ePHI from improper alteration or destruction, both at rest and in transit. Technical measures to guard against data loss or corruption need to be in place, and basic email does not include integrity controls.
  • Encryption and decryption
    A mechanism should be used to encrypt and decrypt ePHI. Basic email does not employ encryption.
  • Transmission security
    Technical measures must guard against unauthorized access to ePHI that is being transmitted. Basic email transmission protocols include no guarantee of secure transit.

HIPAA Breach Disclosure Requirements

HIPAA Breach Disclosure Letter

In the event of a HIPAA breach, the disclosure letter to the person(s) affected must include the following information:

  • Brief description of what happened and when it happened, to include the date of the breach and the date it was discovered;
  • Description of the types of unsecured PHI involved in the breach (e.g., date of birth, diagnosis, address, social security number);
  • Steps individuals should take to protect themselves from potential harm as a result of the breach;
  • Brief description of what the involved covered entity is doing to investigate the breach, mitigate losses, and protect against any further breaches;
  • Contact procedures for individuals to ask questions or learn additional information.

HIPAA Breach Media Notices

If the HIPAA breach affects more than 500 residents of a State or jurisdiction, in addition to notifying the affected individuals, a press release must be provided by the covered entity (CE) to appropriate media outlets serving the affected area.  Media notices must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.  The media notice must include the same information required for the individual notices.

HIPAA Breach Disclosure to the HHS Secretary

The HIPAA Breach Notification Final Rule requires covered entities to provide the Secretary of HHS with notice of breaches of unsecured protected health information (45 CFR 164.408). The number of individuals affected by the breach determines when the notification must be submitted to the Secretary. Covered entities notify the Secretary by visiting the HHS website and filling out and electronically submitting a breach report form.

HIPAA Breach affecting 500 or more Individuals

If a breach affects 500 or more individuals, a covered entity must provide the Secretary with notice of the breach without unreasonable delay and in no case later than 60 days from discovery of the breach.  This notice must be submitted electronically.

 

HIPAA Breach affecting fewer than 500 Individuals

For breaches that affect fewer than 500 individuals, a CE must provide the Secretary with a report annually.  All disclosure notifications of breaches occurring in a calendar year must be submitted within 60 days of the end of the calendar year in which the breaches occurred. The notice must be submitted electronically. A separate form must be completed for every breach that has occurred during the calendar year.

When a covered entity has submitted a breach notification form to the Secretary and discovers that there is additional information to report, the CE can submit an additional form, checking the appropriate box for an updated submission.

The Burden of Proof

CEs and BAs have the burden of proof to demonstrate that all required HIPAA Breach disclosures have been provided or that a use or disclosure of unsecured protected health information did not constitute a breach.  The covered entity must also comply with several other provisions of the Privacy Rule with respect to breach notification. For instance, CEs must have written policies and procedures, and must develop and apply sanctions against workforce members who do not comply with these policies and procedures.

There are HIPAA Breach Exceptions

There are three exceptions to the definition of “breach:”

  • Unintentional acquisition, access, or use of protected health information by  a workforce member or a person acting under the authority of a CE or BA, if such acquisition, access, or use was made in good faith and within the scope of the person’s authority.
  • Inadvertent disclosure of protected health information by a person authorized to access PHI at a CE or BA to another person authorized to access PHI at the CE or BA, or at an organized health care arrangement in which the covered entity participates.  In both cases the information cannot be further used or disclosed in a manner not permitted by the Privacy Rule.
  • If the covered entity or business associate has a good faith belief that the unauthorized person to whom the impermissible disclosure was made, would not have been able to retain the information.

CEs must be prepared to defend their decision to claim an exception to the breach definition, so keep the documentation that supports your decision!

The Takeaways

Avoiding breaches requires constant vigilance. Employees lose laptops, visit websites that contain malware, and sometimes just forget the rules. Whenever the Office of Civil Rights comes to investigate a HIPAA breach at your organization, it will look for four things: (1) your policies and procedures, (2) your recent HIPAA risk assessment, (3) your evidence of employee training, and (4) your HIPAA breach disclosure documentation.

Plan to have all four available!

 

HIPAA and Email: there are rules

Email has been widely used by both business and the general public for much of the last twenty years, and reliance on it has found its way into the daily lives of millions.  Recently, email has become even more accessible with the introduction of the smartphone.  However, leave it to healthcare to throw a curve ball to this cozy relationship.  The fact is, HIPAA and email have long been at odds.

HIPAA Privacy and Security rules are concerned with email and the web in general

Across the board, healthcare providers are increasingly

  • using, or
  • considering using, or
  • being asked to use,

email to communicate with patients about their medical conditions. If you find yourself described here, then it bears repeating that the Internet, and things like an email sent over the Internet, are not secure. Although it is unlikely, there is a possibility that information included in an email can be intercepted and read by parties other than the person to whom it is addressed. And it’s that “possibility” that becomes the area of focus.

HIPAA and email can coexist … it’s a matter of understanding the rules

So what do the Privacy and Security rules allow – or prohibit – when it comes to HIPAA and email?

Under many of the HIPAA regulations, the standards call for reasonable safeguards, reasonable approaches, reasonable policies, etc.  But what is considered reasonable?  The Office of Civil Rights (OCR) of the Department of Health and Human Services includes several statements on its HIPAA FAQs page.  Notably …

“The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message.”

 

What if a patient initiates communications with a provider using email?  The OCR says:

“Patients may initiate communications with a provider using e-mail. If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual. If the provider feels the patient may not be aware of the possible risks of using unencrypted e-mail or has concerns about potential liability, the provider can alert the patient of those risks, and let the patient decide whether to continue e-mail communications.”

 

Must providers acquiesce to use of email for communications with patients?

Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.

 

The OCR also interprets the HIPAA Security Rule to apply to email communications.

“The Security Rule does not expressly prohibit the use of email for sending e-PHI. However, the standards for access control (45 CFR § 164.312(a)), integrity (45 CFR § 164.312(c)(1)), and transmission security (45 CFR § 164.312(e)(1)) require covered entities to implement policies and procedures to restrict access to, protect the integrity of, and guard against unauthorized access to e-PHI.

The standard for transmission security (§ 164.312(e)) also includes addressable specifications for integrity controls and encryption. This means that the covered entity must assess its use of open networks, identify the available and appropriate means to protect e-PHI as it is transmitted, select a solution, and document the decision. The Security Rule allows for e-PHI to be sent over an electronic open network as long as it is adequately protected.”

To summarize the rules that apply to HIPAA and email …

  • Email communications are permitted, but you must take precautions;
  • It is a good idea to warn patients about the risks of using email that includes patient health information (PHI);
  • Providers should be prepared to use email for certain communications, if requested by the patient, but must ensure they are not exposing information the patient does not want to be shared; and
  • Providers must take steps to protect the integrity of information and protect information shared over open networks.

HIPAA Compliance for Email

Are Emails HIPAA Compliant?

HIPAA compliance for email has been a hotly debated topic since changes were enacted in the Health Insurance Portability and Accountability Act (HIPAA) in 2013. Of particular relevance is the language of the HIPAA Security Rule, which, although it does not expressly prohibit the use of email to communicate PHI, introduces a number of requirements before email communications can be considered HIPAA compliant(*).

HIPAA email rules require covered entities to implement access controls, audit controls, integrity controls, ID authentication, and transmission security in order to:

  • Restrict access to PHI
  • Monitor how PHI is communicated
  • Ensure the integrity of PHI at rest
  • Ensure 100% message accountability, and
  • Protect PHI from unauthorized access during transit

Some HIPAA covered entities have put forward the argument that encryption is sufficient to ensure HIPAA compliance for email. However, HIPAA email rules do not just cover encryption. Encryption alone does not fulfill the audit control requirement of monitoring how PHI is communicated or the ID authentication requirement to ensure message accountability.

Furthermore, some required functions – such as the creation of an audit trail and preventing the improper modification of PHI – are complex to resolve. So, although emails can be HIPAA compliant, it requires significant IT resources and a continuing monitoring process to ensure that authorized users are communicating PHI in adherence with policies for HIPAA compliance for email.

(*) HIPAA compliance for email is not always necessary if a covered entity has an internal email network protected by an appropriate firewall.

HIPAA Email Encryption Requirements

HIPAA email rules require messages to be secured in transit if they contain ePHI and are sent outside a protected internal email network, beyond the firewall.

As previously mentioned, encryption is only one element of HIPAA compliance for email, but it will ensure that in the event of a message being intercepted, the contents of that message cannot be read, thus preventing an impermissible disclosure of ePHI.

It should be noted that encryption is an addressable standard in the HIPAA Security Rule, both for data at rest and for HIPAA compliance for email. That means encryption is not ‘required,’ but that does not mean encryption can be ignored. Covered entities must consider encryption and implement an alternative, equivalent safeguard if the decision is taken not to use encryption. That applies to data at rest and data in transit.

A covered entity must decide on whether encryption is appropriate based on the level of risk involved. It is therefore necessary to conduct a risk analysis to determine the threat to the confidentiality, integrity, and availability of ePHI sent via email. A risk management plan must then be developed, and encryption or an alternative measure implemented to reduce that risk to an appropriate and acceptable level. The decision must also be documented. OCR will want to see that encryption has been considered, why it has not been used, and that the alternative safeguard that has been implemented in its place offers an equivalent level of protection.

Encryption is an important element of HIPAA compliance for email, but not all forms of encryption offer the same level of security. Just as the method of encryption is not specified in HIPAA, to take into account advances in technology, it would not be appropriate to recommend a form of encryption on this page for the same reason. For example, a covered entity could once have used the Data Encryption Standard (DES) algorithm to ensure HIPAA compliance for email, but that algorithm is now known to be highly insecure.

HIPAA-covered entities can obtain up-to-date guidance on encryption from the National Institute of Standards and Technology (NIST), which, at the time of writing, recommends the use of Advanced Encryption Standard (AES) 128, 192 or 256-bit encryption. That could naturally change, so it is important to check NIST’s latest guidance before implementing encryption for email. NIST has also published SP 800-45 Version 2, which will help organizations secure their email communications.
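As an added example (not code from the original article or from any vendor it mentions), the following Go program shows what the “encryption and decryption” and “integrity” safeguards look like at the message level: an ePHI e-mail body is sealed with AES-256-GCM, the AES algorithm named above in an authenticated mode, the cleartext sender and recipient headers are bound into the authentication tag, and any alteration of body or header is rejected on decryption rather than silently yielding corrupted plaintext. The key, names and message are constructed placeholders; key distribution and rotation, and whether to use S/MIME, TLS or a secure messaging product instead, are separate decisions the risk analysis must cover.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Envelope is a constructed, illustrative container for one encrypted e-mail
// body. The header fields travel in the clear, but they are bound to the
// ciphertext as additional authenticated data, so editing them in transit is
// detected just like editing the body.
type Envelope struct {
	Sender     string // unique user identity of the sender
	Recipient  string
	Nonce      []byte // 96-bit GCM nonce, fresh for every message
	Ciphertext []byte // AES-256-GCM output: ciphertext followed by the 16-byte tag
}

// headerAAD serialises the cleartext header that GCM authenticates but does not encrypt.
func headerAAD(sender, recipient string) []byte {
	return []byte("from=" + sender + ";to=" + recipient)
}

// newGCM builds an AES-256-GCM AEAD; a key of any other length is refused.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts an ePHI message body for one recipient. The nonce is random;
// a nonce must never repeat under the same key, so keys are rotated well
// before the random-nonce collision bound is approached.
func Seal(key []byte, sender, recipient string, body []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, body, headerAAD(sender, recipient))
	return Envelope{Sender: sender, Recipient: recipient, Nonce: nonce, Ciphertext: ct}, nil
}

// Open decrypts and verifies an envelope. Any change to the ciphertext, the
// tag, the nonce or the header makes the tag check fail, and no plaintext
// (not even a partial one) is returned.
func Open(key []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, headerAAD(env.Sender, env.Recipient))
}

// TamperDetected reports whether flipping one ciphertext bit and, separately,
// rewriting the cleartext recipient header are both rejected by Open.
func TamperDetected(key []byte, env Envelope) bool {
	flipped := env
	flipped.Ciphertext = append([]byte(nil), env.Ciphertext...)
	flipped.Ciphertext[0] ^= 0x01
	_, errBody := Open(key, flipped)

	rerouted := env
	rerouted.Recipient = "other.recipient@example.org" // constructed value
	_, errHeader := Open(key, rerouted)

	return errBody != nil && errHeader != nil
}

func main() {
	key := make([]byte, 32) // in practice from a key-management system, never hard-coded
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample message; names and values are placeholders, not real people.
	body := []byte("Patient J. Doe, DOB 1980-01-01: A1c result 7.2%, follow-up in 3 months.")
	env, err := Seal(key, "dr.smith@clinic.example", "j.doe@example.com", body)
	if err != nil {
		panic(err)
	}
	fmt.Println("ciphertext (base64):", base64.StdEncoding.EncodeToString(env.Ciphertext))
	plain, err := Open(key, env)
	fmt.Printf("decrypted: %q (err=%v)\n", plain, err)
	fmt.Println("tampering detected:", TamperDetected(key, env))
}
```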

How Secure Messaging Resolves Issues with HIPAA Compliance for Email

Secure messaging is an appropriate substitute for emails as it fulfills all the requirements of the HIPAA Security Rule without sacrificing the speed and convenience of mobile technology. The solution to HIPAA compliance for email uses secure messaging apps that can be downloaded onto any desktop computer or mobile device.

Authorized users have to log into the apps using a unique, centrally-issued username and PIN that then allows their activity to be monitored and audit trails created. All messages containing PHI are encrypted, while security mechanisms exist to ensure that PHI cannot be sent outside of an organization's network of authorized users.

Administrative controls prevent unauthorized access to PHI by assigning messages “message lifespans”, forcing automatic logoffs when an app has not been used for a predetermined period of time, and allowing the remote deletion of messages from a user's device if the device is lost, stolen or otherwise disposed of.

The Benefits of Secure Messaging

The primary benefit of secure messaging when compared to email is the speed at which people respond to text messages. Studies have determined that 90% of people read a text message within three minutes of receiving it, whereas almost a quarter of emails remain unopened for forty-eight hours.

The communications cycle is further accelerated by the mechanisms to enforce message accountability. These significantly reduce phone tag, allowing employees more time to attend to their duties. In a healthcare environment, this means less time waiting by a phone and more time providing healthcare for patients.

This acceleration of the communications cycle also reduces the time it takes to admit or discharge a patient, how long it takes for prescription errors to be resolved, and the length of time it may take for invoices to get paid. Ultimately, secure messaging is a lot more effective than email, and less trouble to implement than resolving HIPAA compliance for email.

Encrypted Email Archiving for PHI

Even though a secure messaging solution is an appropriate alternative to email, covered entities are still required to retain past communications containing PHI for a period of six years. Depending on the size of the covered entity, and the volume of emails that have been sent and received during this period, the retention of PHI can create a storage issue for many organizations. The solution to this potential problem is encrypted email archiving for PHI.

Vendors providing an email archiving service are regarded as Business Associates, and have to adhere to the same requirements of the HIPAA Security Rule as covered entities. Therefore, their service has to have access controls, audit controls, integrity controls, and ID authentication in order to ensure the integrity of PHI. In order to comply with HIPAA email rules on transmission security, all emails should be encrypted at source before being sent to the service provider’s secure storage facility for archiving.

The biggest advantage of encrypted email archiving for PHI is that, as the emails and their attachments are encrypted, the content of each email is indexed. This makes for easy retrieval should a covered entity need to access an email quickly to comply with an audit request or to advance discovery. Other advantages include the release of storage space on a covered entity's servers, and that encrypted email archiving for PHI can be used as part of a disaster recovery plan.


HIPAA: It’s not as black and white as you first thought

2016 was a record-breaking year for healthcare data breaches affecting 500 individuals or more, with the Office for Civil Rights (OCR) reporting a 22% increase year-on-year. Compared with five years ago, this increase is more significant still at 66%. It’s too early to tell whether 2017 will be better or worse for data breaches, but it remains a fact that HIPAA compliance issues will always be high on healthcare organizations’ agendas – regardless of size or stature.

With OCR’s phase 2 audits currently in full swing, there’s no better time for healthcare professionals to reassess their organization’s HIPAA policies in accordance with its privacy and security rules. Maintaining a HIPAA compliant organization is a challenge at the best of times – particularly with the rapid growth of mobile and BYOD in recent years – but as the following points demonstrate, there’s more to HIPAA than meets the eye.

1. HIPAA goes beyond the healthcare industry

The definition of a covered entity as defined by HIPAA is somewhat ambiguous and therefore open to misinterpretation. It’s often assumed the rules only apply to businesses that directly provide health services – such as hospitals, physician practices, clearinghouses etc. – when in reality, many other industries are affected too.

Complications are likely to arise if an organization believes it doesn’t need to concern itself with HIPAA compliance, as illustrated in the 2015 Verizon Protected Health Information Data Breach Report. It linked around 20 different industries to a protected health information (PHI) data breach, including manufacturing, retail and education.

2. Business Associates and conduit exception rule

Any organization or individual that creates, receives, maintains or transmits PHI on behalf of its service delivery to a covered entity is classed as a Business Associate (BA). Covered entities should have a Business Associate Agreement (BAA) in place with each of their BAs, and if a BA uses subcontractors for their services, a BAA should be executed with them, too.

Complications emerge when a BA claims to be a “conduit for information”, citing the conduit exception rule, to get out of signing a BAA. It’s vital that covered entities understand the conduit exception rule only applies to a few organizations, such as the United States Postal Service, internet service providers (ISPs) and couriers. If any organization that creates, receives, maintains or stores PHI won’t sign a BAA, questions should be asked about its commitment to HIPAA compliance.

3. When PHI isn’t PHI

In a process known as de-identification, health information that has particular identifiers removed in accordance with Section 164.514(a) of the HIPAA Privacy Rule is no longer classed as PHI and can therefore be made publicly available. The National Center for Health Statistics is one example of a data source that publishes de-identified health information.

Complete de-identification of PHI is a mammoth task to carry out. Any organization that wishes to make health information publicly available should appoint an expert to manage the process for them, as getting it wrong would likely have grave consequences. Even if managed properly, there is an overarching risk the data in question could be found to link back to the individual it relates to.

4. Addressable isn’t the same as optional

To help ensure the confidentiality of patient information and prevent a data breach, HIPAA outlines physical, administrative and technical safeguards. The technical safeguards are broken down into six standards focused on the technology that protects and controls access to PHI. Under these six standards, there are nine key areas organizations are required to implement.

However, these standards are split into two categories: “required” and “addressable”. Any covered entity or BA that doesn’t pay attention to the addressable standards is opening itself up to fines for noncompliance and an increased risk of breaches. To be clear, addressable doesn’t mean optional.

5. HIPAA penalties

Failure to comply with HIPAA can result in both civil and criminal penalties. Civil penalties are monetary, varying from $100 to $1.5 million, and enforced by OCR. Criminal penalties can result in imprisonment for 10 years or more, as enforced by the U.S. Department of Justice.

With laws differing from state to state, there’s often confusion around the criminal charges, fines and prison sentences an individual might be up against for noncompliance. These discrepancies are heightened by the fact that some, but not all, state and federal laws allow individuals to sue in court for privacy violations, which can lead to additional fines or damages awards.

For covered entities and their BAs, particularly those who operate across multiple states, understanding the rules of HIPAA is just the tip of the iceberg. The consequences of noncompliance that lie below this surface can be crippling.

6. Digital and electronic signatures

An electronic signature is the action of signing electronically during a digital transaction, while a digital signature is the underlying technology that helps verify the authenticity of the transaction.

Used correctly, the security benefits of these technologies can help organizations maintain compliance with the Security Rule by:

  • protecting the integrity of messages throughout their entire lifecycle, through digital encryption
  • providing user authentication, helping to ensure sensitive information doesn’t end up in the wrong hands, and
  • ensuring non-repudiation (assurances that a person who signs something cannot later deny that they furnished the signature) by providing digital audit trails.

However, OCR offers very little guidance on the topic of digital and electronic signatures and their use certainly doesn’t ensure HIPAA compliance. Organizations should assess every situation with caution, and use digital signatures as an additional security measure where appropriate.


10 Steps for Ensuring HIPAA Compliance 

1. Development of privacy policies. Healthcare organizations must develop, adopt and implement privacy and security policies and procedures. They must also make sure that they are documenting all their policies and procedures, including steps to take when a breach occurs.

2. Appointment of privacy and security officers. Healthcare organizations should appoint a privacy and security officer. This could either be the same or different individuals. This person should be conversant in all HIPAA regulations and policies.

3. Conducting regular risk assessments. Healthcare organizations should regularly conduct risk assessments to identify vulnerabilities. This will help ensure the confidentiality and integrity of protected health information. It is important to remediate any identified risks and revise policies, if necessary, to minimize risk.

4. Adoption of email policies. Healthcare organizations should adopt policies regarding the use of e-mail. "The Office of Civil Rights does not look too kindly on organizations who haven't established policies regarding mobile devices and email communication." HIPAA does not prohibit the use of email for transmitting protected health information, and it does not require that the email be encrypted. But it is best to encrypt email if possible. If your organization can't encrypt email, make sure that your patients are aware of the risks they are facing if they ask for their health information over email.

5. Adoption of mobile device policies. Healthcare organizations should adopt strict policies regarding the storage of protected health information on portable electronic devices, and they should regulate the removal of those electronic devices from the premises. HHS has issued guidance regarding the use of mobile devices, and healthcare organizations should be familiar with it.

6. Training. Training all employees who use or disclose protected health information and documenting that training, is an essential step to ensuring HIPAA compliance. Healthcare organizations should also conduct refresher courses and train the employees in new policies and procedures.

7. Notice of Privacy Practices. A Notice of Privacy Practices should be correctly published and distributed to all patients. It should also be displayed on the organization's website, and the organization should obtain acknowledgement of receipt from all their patients. The notice should be updated whenever policies are revised, and it will need to be updated now to reflect the provisions of the Omnibus Final Rule.

8. Entering into valid agreements. Healthcare organizations should ensure that they are entering into valid business associate agreements with all business associates and subcontractors. Any existing business associate agreements will have to be updated to reflect the changes to HIPAA under the final rule, such as the expansion of liability of business associates.

9. Adoption of potential breach protocols. A protocol for investigating potential breaches of protected health information is a must. The Risk of Harm Standard and the risk assessment test can be used to determine if a breach has occurred. If a breach has occurred, it is essential that the healthcare organization document the results of the investigation and notify the appropriate authorities.

10. Implementation of privacy policies. Privacy and security policies must be properly implemented by healthcare organizations, and they should sanction employees who violate them.


These 10 steps will help healthcare organizations ensure that they remain HIPAA compliant, but organizations are also encouraged to check the resources available on the Office of Civil Rights website, such as sample business associate agreements and audit protocols.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


HIPAA Risk Assessment Requirements


Understanding your need for a HIPAA risk assessment is one of the best ways that behavioral health practices can defend against HIPAA fines.

In order to be HIPAA compliant you must address all elements of the law, but one of the most essential places to start is by fulfilling your mandatory HIPAA risk assessments. But how do you know what your HIPAA risk assessment requirements are under the law?

What’s a HIPAA Risk Assessment?

Let’s start with a simple explanation of the risk assessments required for HIPAA compliance.

A HIPAA risk assessment is an audit of your practice to assess the status of your compliance. HIPAA risk assessments give you a better understanding of the gaps that you currently have in your compliance program, so that you can build remediation plans to fix them.

HIPAA regulation outlines that you must conduct Physical, Administrative, and Technical risk assessments within your practice in order to be HIPAA compliant. These risk assessments will measure your practice against HIPAA regulatory standards.

Beyond HIPAA Risk Assessments

Once you’ve completed your risk assessments, you’ll have a clear understanding of which HIPAA standards you need to address.

Remediation plans help organize your compliance program so that you can understand where to focus your efforts to become HIPAA compliant. By completing your remediation plans with HIPAA policies and procedures, you help protect your behavioral health practice from liability in the event of a HIPAA violation in the future.

HIPAA risk assessments are only the first step among many that you need to take to become compliant with the law. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has an online HIPAA risk assessment tool that health care providers across the industry can access.

However, HHS does not have a tool for following up on these risk assessments with remediation plans, policies and procedures, employee training, documentation, business associate management, and breach management. Finding a HIPAA compliance solution to address the remainder of the federally mandated HIPAA standards should be your next step for protecting your practice from breaches and fines.


HIPAA and Ransomware: What You Need to Know


When it comes to HIPAA and ransomware, there are some key responsibilities that health care professionals have when handling an incident. Following the regulation is essential to keeping your behavioral health practice out of the headlines and mitigating the risk to patients’ sensitive health data.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has yet to release new regulation specifically in regards to HIPAA and ransomware. However, in 2016 after a string of ransomware attacks impacted hospitals and health services across North America, guidance was released about how to handle a ransomware incident should one impact your practice.

What is Ransomware?

Ransomware is a type of malware that infects your computer or network. The malicious software automatically encrypts your data, and then the hackers responsible demand a ransom in exchange for access.

Sometimes, the ransomware will even give health care providers a countdown: pay the ransom within the time allotted, or permanently lose access to the affected electronic protected health information (ePHI). ePHI is any electronically stored health care data that can be used to identify a patient, such as the records held in an electronic health record (EHR) system.

How to Handle HIPAA and Ransomware

In the event of a ransomware incident, the first thing you should do is report the incident to local law enforcement. HHS guidance on the matter goes so far as to include contacting the FBI, though this is generally only necessary for larger organizations such as hospital systems.

If you have reason to believe that ePHI has been accessed by the hackers, then you must also report the breach to OCR. If your organization already has an effective HIPAA compliance solution in place, then you should have full documentation in place that can prove to OCR investigators that you’ve done everything possible to prevent breaches.

Having a HIPAA compliance program in place can’t prevent a ransomware attack from occurring, but it’s your best defense against heavy federal fines in the event that a breach does occur. HIPAA fines have already reached $17.1 million in 2017 alone, which is set to outpace 2016’s record-breaking $23.5 million.


HIPAA compliance patient engagement strategy


HIPAA compliance as a patient engagement strategy is becoming more and more appealing for health care professionals of all kinds. Behavioral health professionals in particular can capitalize on an effective HIPAA compliance program as another means of developing a patient engagement strategy–attracting new patients who care about the integrity of their health care data.

Developing a patient engagement strategy is an essential way to attract new patients to your practice. Common methods that you can capitalize on include developing a social media presence or creating a newsletter to highlight industry updates or services you offer.

But HIPAA compliance gives you a unique way to address patients’ needs for data privacy, all while satisfying the regulatory requirements put forth by the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).

HIPAA Compliance as a Differentiator

By implementing an effective HIPAA compliance program in your practice, you can be directly involved in ongoing national conversations about data privacy and security. With ransomware incidents in the news week after week, and new concerns about data breaches reaching unprecedented levels, HIPAA compliance is the perfect way to address these concerns for your prospective patients.

Think of it this way: in the same way that concerned buyers will shop around for the perfect laptop to meet their needs, a discerning patient will shop around for a behavioral health practice that works for them. Data security-minded individuals are a growing demographic of health care consumers, especially among millennials in today’s market.

Adopting a HIPAA compliance program can allow you to address these concerns, and give you a new way to market your business. You can make your practice stand out from others in your area, all while protecting the sensitive health data that you come into contact with daily.


You Have an EHR- But are you HIPAA Compliant?


Adopting an EHR platform is an important step into the digital age, but are you protecting your behavioral health practice with HIPAA compliance?

For many behavioral health practices, choosing an EHR (electronic health records) platform has become more pressing. National conversations about health data moving away from paper files have been growing since the HITECH Act was first passed in 2009.

Many EHR platforms advertise that their services are HIPAA compliant. This is an excellent measure that should be used to judge the safety and integrity of the data being stored in the EHR system.

However, there is a major misconception surrounding the use of HIPAA-compliant EHR systems and having a HIPAA-compliant behavioral health practice.

It’s important to remember that just because you use a HIPAA-compliant EHR vendor, it does not mean that your practice is in any way HIPAA compliant.

What Does HIPAA Compliance Require?

HIPAA compliance for behavioral health specialists includes an extensive series of privacy and security standards as outlined by federal HIPAA regulation. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has strict guidelines, which health care providers must adhere to in order to be HIPAA compliant.

Some of these requirements include:

  • Self-Audits – HIPAA requires you to conduct annual audits of your practice to assess Administrative, Technical, and Physical gaps in compliance with HIPAA Privacy and Security standards.
  • Remediation Plans – Once you’ve identified gaps, you must implement remediation plans to reverse compliance violations.
  • Policies, Procedures, Employee Training – To avoid compliance violations in the future, you’ll need to develop Policies and Procedures corresponding to HIPAA regulatory standards. Annual staff training on these Policies and Procedures is required.
  • Documentation – Your practice must document the efforts you take to become HIPAA compliant. This documentation is critical during a HIPAA investigation by HHS.
  • Business Associate Management – You must document all vendors with whom you share protected health information (PHI), and execute Business Associate Agreements to ensure PHI is handled securely and mitigate liability.
  • Incident Management – If your practice has a data breach, you must have a process to document the breach and notify patients that their data has been compromised.

Once again, having a HIPAA-compliant EHR system is invaluable–especially in the age of Meaningful Use incentives and federal guidance moving away from paper records. It’s essential that you adopt a complete HIPAA compliance solution in your practice in order to fully protect against the data breaches and OCR fines that are growing year by year.


5 Essential Steps to Ensure an Effective HIPAA Program


HIPAA Compliance is a term that is often thrown around the healthcare industry; however, I commonly ask myself – is the meaning of HIPAA Compliance the same throughout the industry? The answer is NO! Walking into a healthcare organization in the last month, the HIPAA Privacy Officer was excited to tell me that they are fully HIPAA compliant and don’t have any on-going concerns with meeting the regulations. A quick review of the documentation requirements and auditing practices indicated that there were many holes in their HIPAA Compliance Program. As I spoke with the HIPAA Privacy Officer, she provided me with the tools she used to get to their current state with HIPAA. Needless to say, the tools were missing core components of the documentation requirements and didn’t have the specific essentials for on-going maintenance of compliance. This left the organization at risk for a HIPAA data breach or unauthorized use or disclosure of health information!

Trying to achieve a satisfactory level of HIPAA compliance at an organization can be a frustrating and daunting task. Sitting down looking at the rule can be overwhelming. Digging through the pages of information in a HIPAA manual or diving into the Federal Register can be impossible with all the other tasks assigned within a job. In addition, it is easy to want to sit down and solve the HIPAA compliance issue you have in one day or one week; however, this often leads to failure and inability to create a program that protects your patient information.

We don’t wake up one morning, decide to run a marathon and go out and accomplish the overwhelming 26.2 miles (well, most of us). Normally if you are going to run a marathon, you find a training program that lasts 16-18 weeks, create a plan for cross training activities within your training program, and ask for support and help along the way. That concept and mindset can be transferred to HIPAA compliance as well!

One of the most effective ways to properly implement a solid HIPAA program is creating an action plan for compliance and assigning small regular tasks to get through the entire HIPAA regulation. It is very important that HIPAA is an on-going process within the organization. It is not just a ‘one and done’ type of regulation, due to the nature of the work that we do in healthcare and the vast changes within the technologies we use.

To help with HIPAA Compliance – here are 5 Essential Steps that must be taken to achieve a solid HIPAA Compliance Program.


How to Assess Practice Risk to HIPAA and the HITECH Act?


Since President Obama signed the HITECH Act (Health Information Technology for Economic and Clinical Health Act) in February 2009, the relationship between the Act and HIPAA (Health Insurance Portability and Accountability Act), and the Act's influence on it, have drawn physician and practice manager attention to effective risk assessment.


American Health Lawyers Association Recommendation

This group recommends that practice professionals approach risk assessment regarding HIPAA and HITECH as a component of an Enterprise Risk Management (ERM) program. ERM, used by public and private corporations around the globe, is an ongoing decision-making program. In the healthcare industry, the board of directors or executive administrators typically design, implement and use such a plan to assess and reduce risk across all areas of patient care and compliance, and to maximize the return on investment.

The Association reminds executives and administrators that Section 6401 of the Affordable Care Act requires that medical providers establish a compliance program as a condition of enrollment in the coming affordable healthcare legislation.


Risk Assessment Parameters

The core fundamentals of risk assessment programs, common to most businesses, regardless of industry, are familiar to many veteran executives. Components include the following items.

  • Written policy and procedure manuals.
  • Designating a Compliance Officer and/or Compliance Committee.
  • Providing staff with thorough training and education.
  • Disciplinary standards that are clearly defined.
  • A workable monitoring and auditing program.
  • Written response plan to mitigate losses.

Your risk assessment and compliance program should be as specific as you can make it. While it is impossible to address every possible eventuality, noting every potential risk you can identify in your policy and procedure manuals helps your staff manage their daily responsibilities more efficiently—with less risk.

Have the Compliance Officer or Committee monitor staff to be sure they follow the procedures your program mandates. Spend the time to write a plan to respond to increased risks your Compliance Officer discovers. This encourages fast action by your Compliance Officer or Committee to lower losses and quickly solve perceived risk issues.

The CMS (Centers for Medicare & Medicaid Services) Manual outlines the risk assessment compliance program guidelines, which emphasize the following issues.

  • Prevention, detection and correction of non-compliance conditions.
  • Identifying and reducing fraud, abuse and waste.


Evaluating Risk Involving HIPAA and the HITECH Act

Compliance program guidelines specify three assessments providers should conduct. These actions also fit ERM parameters and guidelines, and they are specified by the Code of Federal Regulations (C.F.R.).

  • Security Evaluation. This is required under the Security Rule section and applies to providers, business associates or partners and subcontractors alike. All must “perform periodic technical and nontechnical evaluations . . .” when responding to environmental or operational changes affecting the security of electronic health information protected by law.
  • Risk Assessment of Specific Items. This is required under the Security Rule, stated at 45 C.F.R. (Code of Federal Regulations) section 164.308(a)(1)(ii)(A). Highly technical, this requirement should be performed per NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments.
  • Risk of Harm Assessment. A requirement of the Breach Notification Rules, the practice must address “the implications and notification requirements” that are part of its ERM program.

The bottom line is that physicians must complete these three assessments and design an overall ERM plan that addresses as many risk issues as they can identify for their specific practices. It is vital that all medical providers create an organizational risk assessment program that encourages long-term compliance with HIPAA, the HITECH Act and all other regulations that apply.

Designing an ERM plan, as described, makes assessing potential practice risk and avoiding HIPAA, HITECH Act and other regulatory violations part of normal operating procedure, rather than a compliance or loss crisis.
